Navigating The Microsoft-Led Transition to GDAP
Step-by-step instructions for identifying if you've been migrated, why it's happening, and how to restore full functionality to your environment.
Transitioning to Granular Delegated Admin Privileges (GDAP) is crucial as Microsoft phases out Delegated Admin Privileges (DAP) by the end of October 2023. This change is necessary for ensuring uninterrupted functionality within your Rewst environment.
As Microsoft progresses in its shift from DAP to GDAP, tenants may find themselves automatically converted to GDAP in a restricted, nearly read-only state. As of now, 80% of Microsoft tenants have already experienced this migration.
If you encounter error messages implying insufficient permissions or no access, you may have been forcefully migrated to GDAP. An example error message might look something like this:
"error": {
    "response": {
        "code": 400,
        "message": "Insufficient privileges to complete the operation.",
        "errorName": "BadRequest",
        "isRetryable": false
    }
}
The Microsoft-led transition automatically establishes a GDAP relationship with eight default roles and assigns them to predefined CSP security groups. After 30 days, DAP is terminated. For more details, consult the Microsoft GDAP Microsoft-led Transition Guide.
To confirm that this is the issue you are experiencing, perform the following steps:
- 1.
- 2. Navigate to the admin relationship section.
- 3. Check for an admin relationship prefixed with MLT_ followed by a GUID.

Indication: The "MLT_" prefix indicates a read-only state due to forced migration.
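
As an added example (not Rewst's or Microsoft's code), the same check can be run for every customer at once over the relationship list that Microsoft Graph returns from `tenantRelationships/delegatedAdminRelationships`. The sample records, tenant IDs and names are constructed, and treating a customer with any other active relationship as already re-migrated is an assumption.

```python
from collections import defaultdict

MLT_PREFIX = "MLT_"  # prefix of relationships created by the Microsoft-led transition

# Constructed sample shaped like the "value" array of a Graph
# delegatedAdminRelationships listing; every ID and name here is made up.
SAMPLE_RELATIONSHIPS = [
    {"displayName": "MLT_00000000-0000-0000-0000-00000000000a", "status": "active",
     "customer": {"tenantId": "cust-a", "displayName": "Contoso"}},
    {"displayName": "MLT_00000000-0000-0000-0000-00000000000b", "status": "active",
     "customer": {"tenantId": "cust-b", "displayName": "Fabrikam"}},
    {"displayName": "Partner GDAP Fabrikam", "status": "active",
     "customer": {"tenantId": "cust-b", "displayName": "Fabrikam"}},
    {"displayName": "Partner GDAP Tailspin", "status": "active",
     "customer": {"tenantId": "cust-c", "displayName": "Tailspin"}},
    {"displayName": "MLT_00000000-0000-0000-0000-00000000000d", "status": "active",
     "customer": {"tenantId": "cust-d", "displayName": "Wingtip"}},
    {"displayName": "Partner GDAP Wingtip", "status": "approvalPending",
     "customer": {"tenantId": "cust-d", "displayName": "Wingtip"}},
]


def mlt_only_customers(relationships):
    """Return {tenantId: name} for customers whose only *active* admin
    relationship carries the MLT_ prefix (the restricted, forced-migration state)."""
    active_names = defaultdict(list)  # tenantId -> display names of active relationships
    customers = {}
    for rel in relationships:
        if rel.get("status") != "active":
            continue  # pending, expired or terminated relationships grant nothing
        customer = rel.get("customer") or {}
        tenant_id = customer.get("tenantId")
        if not tenant_id:
            continue  # skip malformed records instead of guessing the customer
        customers[tenant_id] = customer.get("displayName", "")
        active_names[tenant_id].append(rel.get("displayName", ""))
    return {
        tenant_id: customers[tenant_id]
        for tenant_id, names in active_names.items()
        if all(name.startswith(MLT_PREFIX) for name in names)
    }


if __name__ == "__main__":
    for tenant_id, name in sorted(mlt_only_customers(SAMPLE_RELATIONSHIPS).items()):
        print(f"{name} ({tenant_id}): only MLT_ relationship active, redo GDAP migration")
```
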
- 1. You'll need to redo your migration to GDAP.
- 2. You can use available migration tools like the CIPP Migration Wizard during Microsoft's transitionary phase. After that, you will need to manually move your tenants one by one.
- 3.
Automated GDAP migration is only available until November 1st. After the deadline, manual setup will take approximately 15-20 minutes per tenant and will involve opening a customized URL as the global administrator for each client.
If Rewst was functioning correctly post-GDAP migration but is now experiencing errors, the likely cause is the retirement of your DAP relationships by Microsoft.
To diagnose missing roles, run the CSP/CPV Permission Checker crate against one of the clients experiencing issues.
If your GDAP migration was done automatically using something like the CIPP Migration Wizard, your environment is likely set up following best practices, including unique security groups with role-specific permissions. In the CIPP example, these groups would all follow a naming convention like M365 GDAP {Role Name}. However, if you migrated using a different method but still have security groups organized per permission set, you can adapt these steps to your own groups.
- 1.
- 2. Search for Groups: If you used CIPP, type M365 to find groups named M365 GDAP {Role Name}. (For manual setups, locate the relevant security group by its custom name.)
- 3. Modify Group Members: Click on the desired group, go to Members, then click Add a Member. Select the Rewst Service Account and confirm changes.

- Propagation Time: Changes may take up to an hour to become active in the Rewst environment.
- Quick Refresh: Click the blue shield icon next to the client's name on the Graph/CSP/Exchange Integration page in Rewst to expedite propagation.