Skip to the main content.

5 min read

What is GDAP and How Does BEMO Apply it?

Featured Image

If you're looking for a way to protect your assets without sacrificing control, you're in the right place. GDAP, or Granular Delegated Admin Privileges, is a selective access method that allows you to grant selective role-based access to users, providing just the right level of access within your employees and to your cybersecurity partner. 

But how is it different from Delegated Administration Privileges (DAP), you may ask?

Well, with DAP, external companies have global administration (GA) access, meaning that if even just one user suffers a security violation, they can potentially put all of your assets at risk.

GDAP, on the other hand is more granular as its name suggests, which grants external companies to gain access on various levels, allowing only the necessary access for one person and one role for a limited time - all of which you set with full control.

This is an added layer of security that limits the potential impact of any security breaches, making it a safer option for businesses looking to delegate admin privileges.

The decision to switch from Delegated Administration Privileges (DAP) to GDAP is driven by our commitment to protect your data. By implementing GDAP, we are strengthening our enterprise security and compliance measures, which in turn benefits you.

It allows us to offer services and support to customers who have regulatory needs that require least-privileged access to partners.

gdap azure active directory features

Think of GDAP as a bouncer at a fancy club. The bouncer only lets in people who are on the guest list and only to a specific area, they won't let everyone in to the VIP section just because (which was what DAP used to do). GDAP only lets authorized personnel access specific resources, and only for a limited amount of time, ensuring that businesses' data and assets remain secure.

gdap security groups

Not only will you control and organize who has what level of access to your company's sensitive information, but you can also have better visibility as to who is working on what, or compare permissions across different teams or employees depending on their roles and tasks.


How BEMO Goes Above and Beyond to Apply GDAP

Migrating to GDAP is a Microsoft requirement, however BEMO met the deadline way ahead of schedule because it was something we were already thinking about (how it's risky and unnecessary for us to have such unlimited access to our customer data). We finished months ahead of the deadline because we understand that businesses of any size should be working towards a Zero-Trust framework for security, and GDAP follows that framework.

However, we couldn't stop there. When it comes to cybersecurity one must always  be one step ahead of the game. This is why BEMO created an app for our customers which adds just-in-time (JIT) access on top of GDAP.

In a just-in-time access system, users are not given permanent access to resources. Instead, they are granted access for a specified duration of time, which is usually limited to the minimum amount of time required to perform the specific task. This way we make sure that both you and us can be as secure as possible.

gdap microsoft

Let's use another fun example to illustrate how JIT by BEMO works with GDAP. Imagine you're hosting a party, and you need some help setting up. You hire a catering team to help you out, but you're a little nervous about giving them full access to your house.

With GDAP, you can limit their access to only the necessary areas and only for a specific amount of time. Such as a four hour access to the living room and kitchen.

This way, you can still get the help you need, but you don't have to worry about them snooping around your bedroom, going through your personal belongings, or opening the front door to a potentially dangerous stranger.


Types of Admin Roles or Relationships

GDAP is here to stay, so you must understand it and know how to take the most advantage of it. At BEMO we have several roles built by Azure Active Directory (AAD) that can be assigned to each customer relationship according to your needs. Hover over the images to check every role's description in depth: 

Global Admin (GA)

Is a user who has full access to all aspects of an organization's Microsoft 365 environment. They can manage user accounts, applications, security settings, and more. This should be carefully managed, since the main concept around GDAP is limiting the amount of users with this type of access. Grant GA only when it's absolutely necessary.


Service Support Admin (SECA)

This role is responsible for troubleshooting technical issues. They can manage support tickets and troubleshoot issues. If an employee is having trouble accessing a critical business application, a Service Support Admin would investigate the issue, identify the root cause, and work to resolve it, ensuring that any data accessed during the troubleshooting process is protected. Additionally, the Service Support Admin may act as a liaison between the organization and Microsoft support personnel to escalate issues and ensure timely resolution.


Global Reader (GR)

This role can view information about users, applications, security settings, and more, but they cannot make changes to any of these settings. A Global Reader might be an auditor who needs to review an organization's M365 environment to ensure that it is in compliance.

GR (1)

Intune Admin (MDM)

This role has access to Microsoft Intune, a mobile device management solution. They can manage mobile devices and apps, configure policies and profiles, and monitor device compliance. This user would be responsible for managing a fleet of company-owned mobile devices, ensuring that they are secure.

MDM (1)

Password Admin (PWD)

Has the ability to reset passwords for other users in an organization's Microsoft 365 environment. They can also manage password policies and settings. You would grant this permission to someone helping users who have forgotten their passwords for example.


Each role provides specific access and capabilities, which makes it easier for businesses to delegate tasks to external companies without granting them full access to their assets if they are not strictly required to complete the task at hand. 

This means that if your company needs help with a specific service, BEMO can request access approval to a particular role for a limited time. After that time, the permission is automatically revoked, keeping your data safe and sound.

Frequently asked questions about GDAP

There are so many features to unlock when it comes to Granular Delegated Admin Privileges; in this section we will cover some of the most common questions we receive. But feel free to contact our team if you're interested in having BEMO as your partner to handle and guide you on this

How do the GDAP relationships work?

You can create the GDAP relationship of your liking and organize them in security groups, setting for how long you want it to be active (up to 2 years). Keep in mind that it cannot be permanent and will not auto renew; you must request it again. Also, this permission can be revoked at anytime before its "expiration date" if you need to.

Once the relationship expires will subscriptions be affected?

The expiration only affects the access each user has, any existing subscriptions and company internal data are not changed or deleted. A notification email will always be sent to you and your partner before the expiration date.


Does BEMO have access to all of my organization's data within the GDAP environment?

BEMO takes data protection and privacy very seriously. We will only access your information to the extent necessary to provide the services you have engaged us to perform. That's why with GDAP you are in full control of granting, denying, or revoking permissions.

The only way for us to see all your organization's information would be through a Global Admin or Global Reader role. In the latter case we cannot modify any data, only view it.

BEMO is committed to protecting the confidentiality, integrity, and availability of your information, and we take all necessary steps to ensure that your information is not disclosed or accessed by unauthorized parties.

Checkout Microsoft GDAP role guidance to see real life examples of least privileged roles by task.


How does BEMO ensure the security of my data within the GDAP environment?

BEMO takes a multi-layered approach to security in the GDAP environment. We use advanced security measures such as encryption, access controls, and monitoring to protect your data from unauthorized access, use, and disclosure. Additionally, we implement strict security policies and procedures to ensure that our personnel follow industry best practices for handling sensitive information.

What types of information does BEMO collect through GDAP access, and how is it used?

BEMO collects only the information necessary to provide the services you have engaged us to perform. This may include user account information, application configurations, security settings, and other data related to your Microsoft 365 environment. We use this information only for the purposes of delivering our services, and we do not share it with third parties except as necessary to provide our services.

Have more questions on this? Contact our awesome team!

Schedule A Meeting

Leave us a comment!