GDAP was new to everyone, so people made a lot of mistakes during implementation. Here’s a list of all the common mistakes I’ve seen people make.
There should be a witty joke abput permissions here but neither I nor ChatGPT could think of anything decent
DO NOT
Include Global Administrator in your relationship invite
If your relationship contains the Global Administrator role (sometimes named Company Administrator), you will not be able to auto extend the relationship.
Include the “No no” roles
- Directory Synchronization Accounts (d29b2b05-8046-44ba-8758-1e26182fcf32)
- Partner Tier1 Support (4ba39ca4-527c-499a-b93d-d9b492c50246)
- Partner Tier2 Support (e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8)
Map relationships/roles to AdminAgents or other Partner Center related groups
AdminAgents used to give you Global Administrator through DAP, you nested everyone in AdminAgents because it was a necessity.
You have options now. You don’t have to give everyone Global Administrator so don’t.
Over-assign roles to a user
If you’re thinking, “I’ll just assign literally every role so that I’ll effectively have Global Admin”. Don’t do it. The mechanism that translates your assigned GDAP roles to effective permissions in the customer tenant can’t handle too many overlapping roles. Stuff will break, in funny ways. One common symptom is that you’ll be able to list users in the Entra portal but not search them.
Map multiple roles to one group
Best practice is to map one role to one group. You can then nest a role-assignable group in the relevant GDAP role groups. For example you could create a role-assignable group named “Support Engineer tier 1” and nest them in the GDAP groups you created for “User Administrator” and “Global Reader”.
Chaos
Don’t assign roles willy nilly. Think about them, create sets of roles that are appropriate to have for your engineers. The more you keep to a standard set the more flexible you are to make changes down the line. Don’t leave relationships around for customers that left you.
Don’t make a mess of it. Keep your relationships under control. More than a few people I’ve run into have a half dozen relationships with each tenant, and none of them are functioning correctly.
So what DO i do?
Read my next blog to find out!
I’m working on a GDAP diagnosis script that will tell you everything wrong with your current setup. It includes the mistakes listed here and a few more things.
After that I should (finally) be finishing a script to bulk remap ALL your relationships.