March 2, 2023
Better security with Theta as your CSP Partner
Theta has implemented Microsoft’s new Granular Delegated Admin Privileges (GDAP) across all Cloud Solution Provider (CSP) customers. This replaces the near Global Admin permissions granted to all our consultants with the outgoing non-granular (DAP) partner access.
What is GDAP?
Granular Delegated Admin Privileges is a least privilege access model for partners to manage their CSP customers.
It permits Microsoft partners to request only the specific Azure Active Directory roles (permissions) they need to manage the Microsoft solutions they support for the customer.
For example, where Theta only supports your Dynamics 365 Business Central solution, we would request just four roles:
• Dynamics 365 Administrator (management of the Business Central solution).
• Power Platform Administrator (where Power Apps, or Power Automate integrations are required).
• Power BI Administrator (to extend reporting features where required into Power BI).
• Service Support Administrator (allows Theta to raise technical support issues on your behalf directly with Microsoft using our Premier Support Agreement).
This means we no longer have the near Global Admin permissions across your entire Microsoft tenant, reducing potential security risks from a bad actor.
How does Theta control who has access to their CSP customers via GDAP?
As a Microsoft partner, all our consultants must authenticate using Multi-Factor Authentication (MFA), and this significantly reduces risk of their user account being compromised.
In addition, we have two extra protocols to improve security and control who has access to our CSP customers:
- The first is that none of our consultants use their standard Theta account.
- Each consultant allowed access to our CSP customers has a separate, dedicated, user account for this purpose.
- This reduces risks should their normal Theta account be compromised.
- Secondly, consultants must request access to a customer using their dedicated CSP user account.
- Their access is limited to a maximum of 8 hours per session.
- The access the consultants are given is specific to the role they perform.
- A Dynamics 365 consultant only has access with the permissions they require, and they do not have the permissions a consultant managing Office 365 would have.
How does this impact me?
Where Theta had existing DAP relationships, we have seamlessly migrated these to GDAP with the least privilege roles we believe were required to provide continued support.
These new GDAP relationships have a finite duration of 2 years, at which point they expire and must be renewed.
A Global Admin can see the the relationships you have with all partners in your Microsoft 365 admin center - partner relationships.
If I have Conditional Access policies blocking external users, does that impact partner’s access?
Yes, Conditional Access policies can block external users, but Microsoft have recently released a new feature to allow access for partners (Microsoft describe this as Service provider users).
Theta can assist reviewing and re-configuring Conditional Access so that they do not block our access to provide support.
Can I revoke a partner’s access?
Yes, a Global Admin may at any time revoke a partners legacy DAP, or new GDAP relationship with a partner.
You’ll find this in your Microsoft 365 admin center - partner relationships.
What happens when GDAP relationship expires?
Notification emails leading up to expiry are sent to Global Admins for the customer at 30 days, 7 days, and 1 day before expiry.
A further email is sent when the relationship has expired.
Each GDAP relationship has a finite duration, and upon expiry must be renewed.
Renewals currently follow this process:
- Theta must generate a new GDAP relationship request with the appropriate least privilege roles required.
- The unique URL / link this generates must be sent to the customer for them to approve.
- A Global Admin for the customer uses the link provided and logs in to review and approve it.
What about our responsibility to secure our Azure tenant?
We advise you (the Customer) to ensure your user's accounts follow appropriate security best practices.
In the event of a third-party Customer account (such as Microsoft Azure, Amazon Web Services, Google Cloud Platform, or other) being compromised - whether by the Customer's action or omission, such as by way of example, a failure to adequately protect and secure the environment, including (but not limited to) ensuring multifactor authentication is enabled, the Customer shall be solely responsible for any (and all) charges, losses and liabilities arising.