GDAP - Strengthening your Microsoft Cloud Security

By Amanda Wagner (Associate Cloud FinOps Consultant, Trace3 Cloud Solutions) and Jon Oates (Cloud FinOps Consultant, Trace3 Cloud Solutions)

In recent blogs from the Cloud FinOps team, we've focused on specific cloud services and how to save costs by taking advantage of different options. We're taking a different tack and diving into a more technical topic in today's blog, to allow you to improve your security in the Microsoft cloud environment.

In today's digital landscape, security is a top priority for businesses leveraging cloud services. Recognizing this need, Microsoft has developed a game-changing solution for partner channel security called Granular Delegated Admin Privileges (GDAP).  

Imagine having the power to delegate administrative tasks within your cloud environment with precision and control. That's exactly what GDAP brings to the table. It's a framework designed by Microsoft that allows partner organizations to assign specific administrative privileges to individuals or groups, rather than granting them broad and potentially risky control. Microsoft developed GDAP in response to the limitations of the traditional model of Delegated Admin Privileges (DAP). We all know that feeling of giving someone access to everything just to accomplish a specific task. It's like handing over the keys to your entire house for fixing a leaky faucet. GDAP was created to address this issue, offering a more granular approach to delegation, ensuring that individuals only have the permissions necessary for their assigned tasks.

Let's take a closer look at how the linking process works with GDAP. Instead of granting sweeping permissions at the tenant level, GDAP enables us to establish links between administrators and the resources they manage. It's like giving someone a key to a specific room rather than the whole house.

GDAP Tenant Relationships

Every individual GDAP link has its own security group assignment, which can be used to further partition permissions on the partner side. To establish a link, administrators are assigned a role that aligns precisely with their responsibilities. This can be a built-in role or a custom role tailored to their needs. By associating the role with the appropriate scope, administrators gain access to the specific resources they need while remaining restricted from everything else.

Why GDAP is such an important shift from the legacy model of DAP

Reduced attack surface: With GDAP, we can minimize the attack surface by limiting administrative access only to what is necessary. This prevents potential attackers from gaining unauthorized access to critical systems and data.

Least privilege principle: GDAP aligns perfectly with the principle of least privilege. This reduces the risk of accidental or intentional misuse of privileges, minimizing the potential impact of security breaches.

Enhanced compliance: Compliance with industry regulations and data protection standards is a must for businesses today. GDAP makes it easier to demonstrate compliance by providing a clear audit trail of who has access to specific resources and what actions they can perform.

Streamlined administration: GDAP simplifies the administrative overhead associated with managing permissions. Instead of wrestling with complex and extensive permission assignments, administrators can focus on defining roles and linking them to the appropriate scopes.

Containment of potential threats: With GDAP, we minimize the potential damage caused by compromised accounts or malicious insiders. By confining administrative privileges to specific scopes, we prevent potential threats from spreading throughout our cloud environment.

Monitoring and auditing capabilities: GDAP offers comprehensive monitoring and auditing capabilities, keeping a watchful eye on administrative activities. This helps us detect any unauthorized actions, identify security gaps, and ensure compliance. Think of it as having security cameras installed in every room, providing peace of mind and evidence if anything goes wrong.
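The linking model described above (one relationship per customer, roles approved by the customer, security groups on the partner side mapped to those roles) is also what a partner should audit regularly. The following script is an added example, not Trace3's or Microsoft's code: it walks a set of GDAP relationship records and flags the least-privilege and lifecycle issues a reviewer would look for (Global Administrator granted at all, approved roles that no security group actually uses, durations beyond policy, links about to expire). The record layout follows the shape of the Microsoft Graph delegatedAdminRelationship resource and its accessAssignments as assumed here, the sample records are constructed, the policy thresholds are assumed values, and the role template ids are the ones Microsoft publishes for the built-in Entra ID roles (verify them against your own tenant).

```python
"""Least-privilege audit over GDAP relationships (added example, not Trace3's code).

Records follow the assumed shape of the Microsoft Graph delegatedAdminRelationship
resource plus its accessAssignments; the sample data at the bottom is constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Entra ID built-in role template ids from Microsoft's published role reference;
# verify against your own tenant before relying on them.
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
GLOBAL_READER = "f2ef992c-3afb-46b9-b7cf-a126ee74c451"
USER_ADMIN = "fe930be7-5e62-47db-91af-98c3a49a38b1"
ROLE_NAMES = {GLOBAL_ADMIN: "Global Administrator",
              GLOBAL_READER: "Global Reader",
              USER_ADMIN: "User Administrator"}

# Policy thresholds: assumed values for this example, tune to your own standard.
HIGH_PRIVILEGE_ROLES = {GLOBAL_ADMIN}
MAX_DURATION_DAYS = 365
EXPIRY_WARNING_DAYS = 30


def _roles(access_details):
    """Set of role template ids named in an accessDetails object."""
    return {r["roleDefinitionId"] for r in access_details.get("unifiedRoles", [])}


def parse_iso_duration_days(duration):
    """Convert a GDAP duration such as 'P730D' to whole days (Y/M approximated)."""
    m = re.fullmatch(r"P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?", duration)
    if not m:
        raise ValueError(f"unsupported duration: {duration}")
    years, months, days = (int(x) if x else 0 for x in m.groups())
    return years * 365 + months * 30 + days


def parse_time(stamp):
    """Parse a Graph-style UTC timestamp ('...Z') into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def audit_relationships(relationships, now=None):
    """Return one finding dict per least-privilege or lifecycle issue found."""
    now = now or datetime.now(timezone.utc)
    findings = []

    def flag(rel, issue, detail):
        findings.append({"relationship": rel["id"], "issue": issue,
                         "customer": rel["customer"]["displayName"], "detail": detail})

    for rel in relationships:
        if rel.get("status") != "active":
            continue  # pending or terminated links grant nothing right now
        approved = _roles(rel["accessDetails"])  # roles the customer approved
        assigned = set()                          # roles actually mapped to a group
        for a in rel.get("accessAssignments", []):
            if a.get("status") != "active":
                continue
            group = a["accessContainer"]["accessContainerId"]
            roles = _roles(a["accessDetails"])
            assigned |= roles
            for role in roles & HIGH_PRIVILEGE_ROLES:
                flag(rel, "high-privilege-assignment",
                     f"group {group} holds {ROLE_NAMES.get(role, role)}")
        for role in approved & HIGH_PRIVILEGE_ROLES:
            flag(rel, "high-privilege-role",
                 f"relationship approved with {ROLE_NAMES.get(role, role)}")
        for role in approved - assigned:  # approved but unused: candidate to trim
            flag(rel, "unassigned-role",
                 f"{ROLE_NAMES.get(role, role)} approved but mapped to no security group")
        days = parse_iso_duration_days(rel["duration"])
        if days > MAX_DURATION_DAYS:
            flag(rel, "long-duration", f"{days} days exceeds policy of {MAX_DURATION_DAYS}")
        end = parse_time(rel["endDateTime"])
        if end <= now:
            flag(rel, "expired", f"ended {end.date()}")
        elif end - now <= timedelta(days=EXPIRY_WARNING_DAYS):
            flag(rel, "expiring-soon", f"ends {end.date()}")
    return findings


def summarize(findings):
    """Count findings per issue type."""
    counts = {}
    for f in findings:
        counts[f["issue"]] = counts.get(f["issue"], 0) + 1
    return counts


# Constructed sample: one partner linked to two customers (ids are placeholders).
SAMPLE_RELATIONSHIPS = [
    {"id": "rel-contoso", "status": "active", "duration": "P730D",
     "endDateTime": "2025-03-01T00:00:00Z",
     "customer": {"tenantId": "tenant-id-placeholder-1", "displayName": "Contoso"},
     "accessDetails": {"unifiedRoles": [{"roleDefinitionId": GLOBAL_ADMIN},
                                        {"roleDefinitionId": GLOBAL_READER}]},
     "accessAssignments": [
         {"accessContainer": {"accessContainerId": "grp-tier1",
                              "accessContainerType": "securityGroup"},
          "accessDetails": {"unifiedRoles": [{"roleDefinitionId": GLOBAL_ADMIN}]},
          "status": "active"}]},
    {"id": "rel-fabrikam", "status": "active", "duration": "P180D",
     "endDateTime": "2026-01-15T00:00:00Z",
     "customer": {"tenantId": "tenant-id-placeholder-2", "displayName": "Fabrikam"},
     "accessDetails": {"unifiedRoles": [{"roleDefinitionId": USER_ADMIN},
                                        {"roleDefinitionId": GLOBAL_READER}]},
     "accessAssignments": [
         {"accessContainer": {"accessContainerId": "grp-helpdesk",
                              "accessContainerType": "securityGroup"},
          "accessDetails": {"unifiedRoles": [{"roleDefinitionId": GLOBAL_READER}]},
          "status": "active"}]},
]

if __name__ == "__main__":
    report = audit_relationships(SAMPLE_RELATIONSHIPS)
    for f in report:
        print(f"{f['customer']:9} {f['issue']:26} {f['detail']}")
    print(summarize(report))
```

In practice the input would come from the partner tenant's relationship listing rather than the embedded sample, and the "unassigned-role" finding is the one that most directly serves least privilege: a role the customer approved but that no partner security group is mapped to is pure unused standing privilege and can be removed from the relationship.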

Bottom Line: Microsoft's Granular Delegated Admin Privileges (GDAP) greatly improves the way we delegate administrative tasks in the cloud. By providing precise control and minimizing risks, GDAP enhances cloud security for businesses of all sizes. Embracing GDAP means embracing a more tailored, secure, and efficient approach to partner-channel administrative access. Unlock the full potential of cloud services while keeping digital assets safe and sound.


Amanda Wagner is a Cloud FinOps Consultant at Trace3, who brings her energy and previous experience as an educator to guide her customers on their cloud journey. Drawing from that educational expertise, Amanda is motivated by the mission to serve her customers and help them continue to build on their knowledge of cloud management. In her time with Trace3, she has earned her FinOps Certified Practitioner and CloudHealth AWS Administrator certifications. Amanda lives in Tampa with her husband, Matthew, and dog, Penny. She enjoys tending to her caterpillar habitat, where she raises caterpillars until they hatch into Monarch butterflies and can be released.

Jon Oates is a seasoned professional in the tech industry, currently serving as the Operations Manager for the Trace3 Cloud FinOps Consulting Team. With a wealth of knowledge and expertise in Microsoft licensing and Azure Cloud, Jon brings a unique skill set to his role. Beyond his professional achievements, Jon's delightful quirk is his affinity for whipped cream in his coffee. Through his years of experience and dedication, Jon continues to make significant contributions to the field, driving innovation and operational excellence in cloud computing alongside his team.