When setting up Granular Delegated Admin Privileges (GDAP) relationships with customer tenants, Cloud Factory partners must request appropriate Microsoft Entra ID roles. Microsoft provides 13 predefined roles specifically designed for partner management scenarios. Understanding what each role can do is critical for implementing least-privilege access while maintaining operational effectiveness.

What Are GDAP Predefined Roles?

GDAP replaces the legacy Delegated Admin Privileges (DAP) with a modern, granular permission model. Instead of granting Global Administrator access to customer tenants, you request specific roles that align with your operational needs. The 13 predefined roles cover common partner scenarios: from user management to license administration to security operations.

The 13 GDAP Predefined Roles

1. Global Reader

What it does: Read-only access to everything a Global Administrator can see, but cannot make changes.

Use case: Audit, compliance reporting, and visibility into customer environment configuration.

Key permissions:
- Read all directory settings, users, groups, and roles
- View tenant configuration and policies
- Access audit logs and reports

Best for: Compliance officers, auditors, and read-only monitoring roles.

2. Security Reader

What it does: View security information and risk reports across Microsoft 365.

Use case: Monitor security posture, threat detection, and incident reports.

Key permissions:
- Read security alerts in Microsoft Defender
- Access risk detections and risky user reports
- View Azure AD security configuration

Best for: Security monitoring and threat assessment without remediation ability.

3. User Administrator

What it does: Full management of user accounts and groups (except password resets for admins).

Use case: Onboarding, offboarding, user lifecycle management, and group administration.

Key permissions:
- Create, update, and delete users and groups
- Manage group membership
- Reset passwords for non-admin users
- Manage user licenses (with License Administrator)

Best for: HR-connected operations, employee lifecycle management.

4. Helpdesk Administrator

What it does: Limited user management focusing on password resets and support.

Use case: Tier-1/Tier-2 support teams providing password assistance.

Key permissions:
- Reset passwords for non-administrators
- Invalidate refresh tokens (force sign-out)
- View limited user information

Best for: Support desk teams handling password resets only.

5. License Administrator

What it does: Manage product licenses on users and groups.

Use case: License assignment, compliance, and cost optimization.

Key permissions:
- Assign, remove, and modify user licenses
- Manage group-based licensing
- View license usage reports and compliance data

Best for: IT asset management, licensing operations, and cost control.

6. Application Administrator

What it does: Create and manage all app registrations and enterprise apps (full control).

Use case: SaaS integration, custom applications, and identity federation.

Key permissions:
- Create and delete app registrations
- Manage application proxy settings
- Configure enterprise app integrations
- Update application permissions and consent policies

Best for: Integration engineers, identity architects, app deployment teams.

7. Cloud Application Administrator

What it does: Manage cloud apps and app registrations (excludes App Proxy).

Use case: SaaS deployment and cloud application management without on-premises proxy.

Key permissions:
- Create and manage app registrations
- Configure cloud enterprise apps
- Manage delegated and application permissions
- Cannot manage application proxy

Best for: SaaS-first environments where on-premises app proxy is not needed.

8. Directory Readers

What it does: Read basic directory information for applications and guests.

Use case: Service principals and applications that need directory visibility.

Key permissions:
- Read user, group, and organizational unit information
- View basic directory properties
- Intended for applications, not human users

Best for: Service account permissions, application integrations requiring directory read.

9. Directory Writers

What it does: Read and write basic directory information for applications.

Use case: Automated provisioning and directory sync tools.

Key permissions:
- Read and write user, group, and organizational properties
- Intended for applications and service accounts
- Supports provisioning workflows

Best for: Azure AD Connect, provisioning agents, and sync tools.

10. Privileged Role Administrator

What it does: Manage role assignments and Privileged Identity Management (PIM).

Use case: Administrative access control and just-in-time privilege elevation.

Key permissions:
- Assign roles to users and groups
- Manage PIM settings and approvals
- Activate privileged access
- View and manage role permissions

Best for: Identity governance, administrative access control, compliance frameworks.

11. Privileged Authentication Administrator

What it does: View and reset authentication methods for any user (admin or non-admin).

Use case: MFA troubleshooting, password reset for all users including admins.

Key permissions:
- View and reset authentication method information
- Force sign-out by invalidating refresh tokens
- Reset passwords for all users (including other admins)
- Manage MFA settings

Best for: Authentication support teams, helpdesk requiring broad password reset authority.

12. Domain Name Administrator

What it does: Manage domain names in both cloud and on-premises directories.

Use case: Domain verification, DNS management, and multi-tenant domain operations.

Key permissions:
- Add and remove domains
- Manage domain properties and verification
- Configure domain federation settings

Best for: IT operations managing multiple customer domains, Azure AD Connect environments.

13. Service Support Administrator

What it does: Read service health and manage support tickets.

Use case: Monitoring tenant health status and managing Microsoft support requests.

Key permissions:
- View Azure and Microsoft 365 service health
- Create and manage support tickets
- View service incidents and advisories

Best for: Operations teams handling support coordination and service health monitoring.

Mapping Roles to Common Partner Scenarios

Scenario 1: New Hire Onboarding

Roles needed: User Administrator, License Administrator

Why: Create users, manage group membership, assign licenses—everything needed for employee provisioning.

Scenario 2: Support Desk Operations

Roles needed: Helpdesk Administrator, Privileged Authentication Administrator (if admin password resets needed)

Why: Handle password resets and basic user lookups without full user management capabilities.

Scenario 3: Application Integration (SaaS)

Roles needed: Cloud Application Administrator, Directory Readers

Why: Register apps, configure integrations, and allow apps to read directory for provisioning.

Scenario 4: Security & Compliance

Roles needed: Global Reader, Security Reader, Privileged Role Administrator

Why: Global Reader and Security Reader monitor security posture and view all configuration without making changes; Privileged Role Administrator is the only role in this set that changes anything, and it is limited to administrative access control (role assignments and PIM).

Scenario 5: Multi-Tenant Operations

Roles needed: Global Reader, License Administrator, Domain Name Administrator, Service Support Administrator

Why: Manage licenses across customers, handle domains, and monitor service health.
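To make the scenario mapping concrete, the following added example (not Cloud Factory's request tooling and not Microsoft sample code) builds the Microsoft Graph body for a GDAP relationship request from one of the scenarios above and runs least-privilege checks on it before it is submitted. It assumes the v1.0 endpoint POST /tenantRelationships/delegatedAdminRelationships and its accessDetails/unifiedRoles body shape, Graph's documented limits of 730 days and a 50-character displayName for that resource, and Microsoft's published role template IDs for the 13 roles (check them against the current Entra built-in roles reference before use). The customer tenant ID is a placeholder.

```python
"""Build and policy-check a GDAP relationship request body for Microsoft Graph.

Added example (not Cloud Factory's or Microsoft's code). Assumes the v1.0
POST /tenantRelationships/delegatedAdminRelationships body shape, the 730-day
and 50-character limits documented for it, and Microsoft's published role
template IDs (verify against the current built-in roles reference).
"""
import json
import re

# Role template IDs for the 13 predefined roles described above.
ROLE_IDS = {
    "Global Reader": "f2ef992c-3afb-46b9-b7cf-a126ee74c451",
    "Security Reader": "5d6b6bb7-de71-4623-b4af-96380a352509",
    "User Administrator": "fe930be7-5e62-47db-91af-98c3a49a38b1",
    "Helpdesk Administrator": "729827e3-9c14-49f7-bb1b-9608f156bbb8",
    "License Administrator": "4d6ac14f-3453-41d0-bef9-a3e0c569773a",
    "Application Administrator": "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
    "Cloud Application Administrator": "158c047a-c907-4556-b7ef-446551a6b5f7",
    "Directory Readers": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b",
    "Directory Writers": "9360feb5-f418-4baa-8175-e2a00bac4301",
    "Privileged Role Administrator": "e8611ab8-c189-46e8-94e1-60213ab1f814",
    "Privileged Authentication Administrator": "7be44c8a-adaf-4e2a-84d6-ab2649e08a13",
    "Domain Name Administrator": "8329153b-31d0-4727-b945-745eb3bc5f31",
    "Service Support Administrator": "f023fd81-a637-4b56-95fd-791ac0226033",
}
# Global Administrator: the standing access GDAP exists to replace.
GLOBAL_ADMINISTRATOR_ID = "62e90394-69f5-4237-9190-012177145e10"

# Role sets taken from the partner scenarios above.
SCENARIOS = {
    "new-hire-onboarding": ["User Administrator", "License Administrator"],
    "support-desk": ["Helpdesk Administrator"],
    "saas-integration": ["Cloud Application Administrator", "Directory Readers"],
    "security-compliance": ["Global Reader", "Security Reader", "Privileged Role Administrator"],
    "multi-tenant-ops": ["Global Reader", "License Administrator",
                         "Domain Name Administrator", "Service Support Administrator"],
}

MAX_DURATION_DAYS = 730  # Graph rejects relationships longer than P730D


def build_request(display_name, customer_tenant_id, roles, duration="P730D"):
    """Return the JSON body for creating a delegatedAdminRelationship."""
    unknown = [r for r in roles if r not in ROLE_IDS]
    if unknown:
        raise ValueError(f"not a GDAP predefined role: {unknown}")
    return {
        "displayName": display_name,
        "duration": duration,
        "customer": {"tenantId": customer_tenant_id},
        "accessDetails": {
            "unifiedRoles": [{"roleDefinitionId": ROLE_IDS[r]} for r in roles]
        },
    }


def review_request(body):
    """Least-privilege checks. Returns (severity, message) findings; [] means clean."""
    findings = []
    ids = {r["roleDefinitionId"] for r in body["accessDetails"]["unifiedRoles"]}
    if not ids:
        findings.append(("error", "no roles requested"))
    if GLOBAL_ADMINISTRATOR_ID in ids:
        findings.append(("error", "Global Administrator requested; request the specific roles the work needs"))
    m = re.fullmatch(r"P(\d+)D", body.get("duration", ""))
    if not m:
        findings.append(("error", "duration must be ISO 8601 days, e.g. P730D"))
    elif int(m.group(1)) > MAX_DURATION_DAYS:
        findings.append(("error", f"duration exceeds the {MAX_DURATION_DAYS}-day maximum"))
    if not 1 <= len(body.get("displayName", "")) <= 50:
        findings.append(("error", "displayName must be 1 to 50 characters"))
    app_admin = ROLE_IDS["Application Administrator"]
    if app_admin in ids and ROLE_IDS["Cloud Application Administrator"] in ids:
        findings.append(("warning", "Application Administrator already covers Cloud Application Administrator"))
    elif app_admin in ids:
        findings.append(("warning", "Application Administrator includes app proxy; Cloud Application Administrator suffices for SaaS-only work"))
    for name in ("Privileged Role Administrator", "Privileged Authentication Administrator"):
        if ROLE_IDS[name] in ids:
            findings.append(("warning", f"{name} can change other administrators' access; document the need and gate activation with PIM"))
    return findings


def request_for_scenario(scenario, customer_tenant_id):
    """Build the request for a named scenario; raise on policy errors (warnings pass)."""
    body = build_request(f"GDAP {scenario}", customer_tenant_id, SCENARIOS[scenario])
    errors = [msg for sev, msg in review_request(body) if sev == "error"]
    if errors:
        raise ValueError("; ".join(errors))
    return body


if __name__ == "__main__":
    body = request_for_scenario("new-hire-onboarding", "00000000-0000-0000-0000-000000000000")  # placeholder tenant
    print(json.dumps(body, indent=2))
    for sev, msg in review_request(body):
        print(sev, msg)
```

The warnings are deliberately not blocking: the security and compliance scenario above legitimately includes Privileged Role Administrator, so the check records the need for documentation and PIM rather than rejecting the request.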

Why Granular Roles Matter for GDAP

The shift from DAP to GDAP is fundamental: instead of granting broad Global Administrator access, you request only what you need. This approach:

  1. Reduces risk: Limited permissions mean less potential damage from compromised accounts
  2. Improves audit trails: Specific roles make it easier to track who did what
  3. Enables customer confidence: Tenants feel safer with least-privilege access
  4. Simplifies delegation: Each team member gets exactly what they need

Best Practices for Requesting GDAP Roles

1. Start with Minimal Permissions

Request the smallest set of roles necessary for your use case. You can always add more later, but over-provisioning creates security debt.

2. Separate Duties

Assign different roles to different people:
- User management to HR-connected staff
- Security monitoring to security team
- Support to helpdesk
- License management to procurement/IT operations

3. Document Your Requests

For each customer, document why you're requesting each role. This helps during audits and when onboarding new team members.

4. Monitor and Review

Regularly audit who has which roles and confirm they're still actively using them. Remove roles that are no longer needed.

5. Use PIM for Elevated Roles

For highly sensitive roles like Privileged Role Administrator, consider using Privileged Identity Management (PIM) to require approval for activation rather than standing assignments.
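The review, separation-of-duties and PIM practices above can be scripted against an export of who holds which GDAP role in which customer tenant. The following added example (not Cloud Factory's or Microsoft's code) does that over a constructed sample export; the export's field names (customer, principal, role, last_used, pim_eligible) are this example's own assumption, and in practice they would be filled from the partner's delegated admin access assignments and the customers' sign-in and audit logs. The duty domains are the four from the "Separate Duties" practice, the 90-day idle threshold follows the quarterly review cadence in the TL;DR, and the set of roles expected to be PIM-eligible is this example's reading of the "highly sensitive" roles described above.

```python
"""Quarterly GDAP access review: stale roles, standing privileged roles,
separation-of-duties conflicts.

Added example, not Cloud Factory's or Microsoft's code. The export shape and
the constructed sample rows are assumptions of this example.
"""
from collections import defaultdict
from datetime import date

# Duty domains from the "Separate Duties" practice above.
DUTY_DOMAINS = {
    "user management": {"User Administrator"},
    "security monitoring": {"Security Reader", "Global Reader"},
    "support": {"Helpdesk Administrator", "Privileged Authentication Administrator"},
    "license management": {"License Administrator"},
}

# Roles this example expects to be held as PIM-eligible, never as standing
# assignments: they can change other administrators' access or all app registrations.
PIM_REQUIRED = {
    "Privileged Role Administrator",
    "Privileged Authentication Administrator",
    "Application Administrator",
}

# Constructed sample export (placeholder customers and people).
ASSIGNMENTS = [
    {"customer": "customer-a", "principal": "alice", "role": "User Administrator",
     "last_used": date(2024, 3, 20), "pim_eligible": False},
    {"customer": "customer-a", "principal": "frank", "role": "License Administrator",
     "last_used": date(2024, 3, 18), "pim_eligible": False},
    {"customer": "customer-a", "principal": "bob", "role": "Security Reader",
     "last_used": date(2024, 3, 22), "pim_eligible": False},
    {"customer": "customer-a", "principal": "bob", "role": "Helpdesk Administrator",
     "last_used": date(2023, 12, 5), "pim_eligible": False},
    {"customer": "customer-b", "principal": "carol", "role": "Privileged Role Administrator",
     "last_used": date(2023, 8, 1), "pim_eligible": False},
    {"customer": "customer-b", "principal": "dave", "role": "Privileged Authentication Administrator",
     "last_used": date(2024, 3, 1), "pim_eligible": True},
    {"customer": "customer-b", "principal": "erin", "role": "Global Reader",
     "last_used": None, "pim_eligible": False},  # granted but never used
]
REVIEW_DATE = date(2024, 4, 1)


def stale_assignments(assignments, review_date, max_idle_days=90):
    """Roles unused for longer than max_idle_days (or never used): remove candidates."""
    return [a for a in assignments
            if a["last_used"] is None
            or (review_date - a["last_used"]).days > max_idle_days]


def standing_privileged(assignments):
    """Sensitive roles held as standing assignments instead of PIM-eligible ones."""
    return [a for a in assignments
            if a["role"] in PIM_REQUIRED and not a["pim_eligible"]]


def separation_of_duties_conflicts(assignments):
    """Map (customer, principal) -> duty domains for anyone spanning more than one."""
    held = defaultdict(set)
    for a in assignments:
        for domain, roles in DUTY_DOMAINS.items():
            if a["role"] in roles:
                held[(a["customer"], a["principal"])].add(domain)
    return {key: sorted(domains) for key, domains in held.items() if len(domains) > 1}


def review(assignments, review_date):
    """Run all three checks and return the findings as one report dict."""
    return {
        "stale": stale_assignments(assignments, review_date),
        "standing_privileged": standing_privileged(assignments),
        "sod_conflicts": separation_of_duties_conflicts(assignments),
    }


if __name__ == "__main__":
    report = review(ASSIGNMENTS, REVIEW_DATE)
    for a in report["stale"]:
        print(f"STALE   {a['customer']}/{a['principal']}: {a['role']} (last used {a['last_used']})")
    for a in report["standing_privileged"]:
        print(f"NO PIM  {a['customer']}/{a['principal']}: {a['role']} held as standing assignment")
    for (customer, principal), domains in report["sod_conflicts"].items():
        print(f"SOD     {customer}/{principal} spans {', '.join(domains)}")
```

Each finding maps to an action the practices above already call for: stale roles are removed, standing sensitive roles are converted to PIM-eligible assignments with approval on activation, and duty conflicts are resolved by moving one of the roles to a different team member.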

TL;DR

- GDAP provides 13 predefined roles tailored for partner management scenarios
- Global Reader = read-only access to everything
- User/License/Domain Administrators = operational management roles
- Application/Cloud Application Administrators = integration and SaaS management
- Security/Privileged Role/Helpdesk Administrators = support and security operations
- Directory Readers/Writers = service account and application permissions
- Request roles using the least-privilege principle: only ask for what you need
- Separate duties: Different team members handle different functions
- Regular review: Audit permissions quarterly and remove unused roles
- Use PIM: Consider just-in-time elevation for highly sensitive roles

Next Steps: Review Cloud Factory's GDAP request workflow and map your team's functions to the appropriate predefined roles. Start with minimal permissions and expand as needed.