
Defining GDAP 

Learn how Granular Delegated Admin Privileges (GDAP) can help improve administrative privilege security at your organization.

Administrative privileges are crucial to maintaining the integrity and security of an organization's data and systems. However, the conventional approach to admin privileges often entails granting broad, sweeping access, which introduces significant risk.

Microsoft is addressing this challenge by transitioning its Delegated Admin Privileges (DAP) authentication control to Granular Delegated Admin Privileges (GDAP). This advancement of DAP promises enhanced control, security, and efficiency in privilege management.

What Are Admin Privileges? 

Before diving into the details of Microsoft GDAP, it helps to understand what administrative privileges are and why they matter.

A user with administrative privileges has more extensive abilities to make changes across a computer or network compared to a standard user. Here are some key things an admin user can do that the average user typically cannot: 

  • Install new software and hardware: Admins can add or remove any program, driver, or system component. Standard users are usually restricted from doing so.
  • Access all files: Administrative accounts have permissions that allow them to modify or delete any files, even sensitive system ones. 
  • Enable/disable services: Most background services handling automated tasks like security scanning require admin rights to stop or pause. Average users can't control them. 
  • Create other accounts and groups: Adding new accounts or setting permissions is reserved for administrators. 
  • Change security settings and policies: Settings that manage firewall rules, password policies, encryption levels, and more can only be altered with administrative access. 

The elevated capabilities of privileged admin accounts allow them to create much more risk if compromised or misused. It is essential that these accounts are carefully controlled and constantly monitored.  

The Risks of Providing Broad Admin Privileges  

Admin privileges play a vital role in an organization, but there is such a thing as being overprivileged. Giving users more comprehensive administrative access than is required for their jobs makes them overprivileged. Organizations may sacrifice security for efficiency and provide standard users more access than they need.  

However, overprovisioning admin access drastically increases exposure. Some of the risks of providing users broad admin privileges include: 

  • Insider threats: Having unnecessary admin rights means disgruntled employees can more easily access, modify, or delete sensitive data maliciously. As discussed before, insider threats are a significant source of data breaches. 
  • Elevated access: If a standard user account has admin abilities, a cybercriminal who compromises that account can gain elevated access to systems and data, making their attack all the more costly.  
  • Malware attacks: Malware operates in many different ways, but all of it shares the same malicious intent: to steal your data and carry out other nefarious actions. Malware running under a compromised account can use that account's admin privileges to make the resulting theft and destruction far broader.
  • Reduced detection: Malicious actions and abnormal behavior are more easily overlooked when more accounts have admin privileges.
  • Difficulty limiting access: When admin rights are widespread, restricting access to only the necessary data or systems becomes harder. Users end up holding permissions they don't need, which further compounds these issues.

Enacting the Principle of Least Privilege 

One of the best ways organizations can combat the above risks is to follow the principle of least privilege (POLP). POLP is a concept in computer security that limits users' access rights to only what is strictly required to do their jobs. 

This cybersecurity best practice restricts access to high-value data and assets while reducing the organization's attack surface. Microsoft's DAP-to-GDAP transition is a move to give its partners least-privileged access in line with the Zero Trust security model.

Microsoft's Move to Granular Delegated Admin Privileges (GDAP) 

Microsoft's Delegated Administration Privileges (DAP) was an earlier model that enabled the delegation of limited administrative permissions. Officially, Microsoft describes the DAP Monitoring Tool as: 

"The DAP monitoring tool captures how partner agents access customer tenants across all their tenants through DAP. 

Partners' Admin agents can use the DAP monitoring tool to audit DAP with their customers. Partners can then review usage data and remove DAP connections that aren't in use. This self-serve removal capability helps to improve security by controlling access."

DAP provided some delegation without full admin rights and enabled convenient preset roles. But it was far from a perfect solution. DAP lacked granularity and the ability to create specific individual permissions. The rigid roles did not offer customization and still had privilege creep risks.  

DAP set the stage for GDAP, which better aligns with Zero Trust and least privilege access principles. Microsoft explains that "Granular delegated admin permissions (GDAP) give partners access to their customers' workloads in a more granular and time-bound way, which can help to address customer security concerns." 

Customers who want to provide least-privileged access to partners can benefit from the transition from DAP to GDAP. 
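To make the contrast concrete, here is a small added model in Python (not Microsoft's API and not ThreatLocker's code) of delegated-admin authorization: a DAP-style relationship carrying a preset role bundle with no expiry, beside a GDAP-style one scoped to a single role for a fixed 90-day period. The role names, actions, tenant names and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional

# Hypothetical model (not Microsoft's API) of a delegated-admin relationship
# between a partner and one customer tenant. It captures the two properties
# the post contrasts: DAP-style access is a broad preset bundle that never
# expires, GDAP-style access is a specific role set that ends after a duration.

@dataclass(frozen=True)
class Relationship:
    partner: str
    customer_tenant: str
    roles: FrozenSet[str]
    created: datetime
    duration: Optional[timedelta]   # None = standing access with no end date

    def active(self, now: datetime) -> bool:
        return self.duration is None or now < self.created + self.duration

# Constructed mapping: the single role that should suffice for each action.
REQUIRED_ROLE = {
    "reset_password": "helpdesk_admin",
    "read_audit_log": "security_reader",
    "change_conditional_access": "security_admin",
}

def authorize(rel: Relationship, tenant: str, action: str, now: datetime):
    """Decide a partner request against the relationship; returns (allowed, reason)."""
    if rel.customer_tenant != tenant:
        return False, "relationship does not cover this tenant"
    if not rel.active(now):
        return False, "relationship expired"
    needed = REQUIRED_ROLE.get(action)
    if needed is None:
        return False, "unknown action"
    if needed not in rel.roles:
        return False, "missing role " + needed
    return True, "granted via role " + needed

T0 = datetime(2023, 7, 1, tzinfo=timezone.utc)      # constructed start date
AT_DAY_30 = T0 + timedelta(days=30)                   # inside the 90-day window
AT_DAY_120 = T0 + timedelta(days=120)                 # after the window closes
# DAP-style: preset bundle of roles, no end date.
DAP = Relationship("partner-a", "customer-1",
                   frozenset({"helpdesk_admin", "security_reader", "security_admin"}), T0, None)
# GDAP-style: only the helpdesk role, and only for 90 days.
GDAP = Relationship("partner-a", "customer-1", frozenset({"helpdesk_admin"}), T0, timedelta(days=90))

if __name__ == "__main__":
    for name, rel in (("DAP", DAP), ("GDAP", GDAP)):
        for when in (AT_DAY_30, AT_DAY_120):
            for action in REQUIRED_ROLE:
                print(name, when.date(), action, authorize(rel, "customer-1", action, when))
```

Running the script prints each decision; the GDAP-style relationship allows only password resets, and nothing at all once the 90 days have passed, while the DAP-style one keeps granting every action indefinitely.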

The Benefits of GDAP 

Microsoft's Granular Delegated Administration Privileges model brings significant improvements over DAP. Below are the benefits of GDAP. 

Improved Security 

The most apparent benefit of GDAP is its ability to improve the security of partners and their tenants. Unlike its predecessor, GDAP allows administrators to grant admin permissions at a fine-grained level. Admins can be given access only to specific tasks or resources, reducing the risk of unauthorized access.

It also empowers organizations to adhere to the principle of least privilege by providing users only the necessary permissions to perform specific tasks. This minimizes the potential for misuse or accidental changes that could compromise security. 

Enhanced Compliance 

Simply put, DAP often lacks the granularity needed to meet compliance requirements. Granular admin permissions help organizations meet those requirements by ensuring only authorized personnel can access and modify sensitive data.

These strict permissions are also beneficial for monitoring and auditing admin activities. It is easier to see who performed specific actions and when. 

Improved Operational Efficiency 

Continuously granting permissions can be time-consuming. Organizations must ensure users have the correct permissions to do their jobs, but nothing more. Granular permissions allow admins to assign access at this specific level.  

This ensures average users can work efficiently and each admin can focus on their designated tasks rather than providing permissions throughout the day. At the same time, these controls can also help reduce the risk of accidental errors. This can result in smoother operations across the board. 

Reduced Administrative Overhead 

Finally, GDAP can simplify the often complicated task of managing permissions. Rather than broad roles, admins create and assign custom permissions for specific tasks and users, allowing the solution to be flexible. 

The ease of use (without sacrificing security) is also beneficial during the onboarding and offboarding process. It is easier to manage access when a user joins an organization or leaves. Permissions can be granted or removed quickly to ensure accounts have sufficient access.  

GDAP Implementation 

The GDAP timeline began on May 22, 2023, with the expectation that it would be completed swiftly. However, delays pushed the GDAP timeline out for a few months. 

June that year saw a blackout, and the transition resumed in July. The Microsoft GDAP deadline was set for July 2023. By this time, organizations would have to create a GDAP relationship or participate in the Microsoft-led transition, and the DAP relationship would be removed. 

GDAP partners have already transitioned to the solution. Microsoft eased the change by offering a simple three-step process: 

  1. Microsoft automatically created a GDAP relationship with eight default roles.
  2. Those roles were automatically assigned to predefined Cloud Solution Provider (CSP) security groups.
  3. After 30 days, DAP was removed.

What Microsoft GDAP Teaches Us 

The advanced security and compliance of Microsoft's GDAP showcase a shift to stricter access control, specifically the principle of least-privileged access and zero-trust cybersecurity. 

Zero Trust is an inherently skeptical approach to security that originated in 2010 with the Zero Trust model proposed by Forrester's John Kindervag. It denies communications, actions, and access for everyone and everything unless they are specifically authorized.

Organizations that do not use Microsoft GDAP should consider adopting a Zero Trust model as part of their cybersecurity efforts. ThreatLocker's priorities align with the tenets of this model, proactively defending your organization with default deny solutions.  
