Microsoft’s Granular Delegated Admin Privileges (GDAP) is the Partner Center mechanism by which a Microsoft partner, typically a Managed Service Provider (MSP), is granted specific Microsoft Entra ID (formerly Azure AD) administrative roles in a customer’s tenant, for a defined period, instead of standing Global Administrator access. This gives both the partner and the customer a far more refined level of control over what different engineers can do. It lowers the risk of unintended, unauthorized, or untraceable changes and reduces the entitlement risk carried by companies supported by MSPs.
GDAP lets an MSP be granted only the roles a task or area actually needs, such as User Administrator for managing accounts, Exchange Administrator for mail, or Security Reader for reviewing alerts. Engineers with a legitimate need for particular privileges get exactly those, without being handed full administrative privileges (the keys to the kingdom). In SMBs, and especially in MSP environments, this is important to minimize the risk of data breaches and other security incidents that stem from lax privilege management.
Impact Summary: Highly Important to SMBs and MSPs
Shared credentials are a critical security risk to any organization. Prior to GDAP, many businesses shared a single default administrator account (the on-premises Domain Admin, or the tenant’s Global Administrator) among all engineers. Critical changes could not be traced back to an individual admin, and when an employee left, changing the password on that shared account was often skipped, leaving a former employee with working credentials.
For MSPs, it was sometimes worse. Security-minded MSPs gave each customer its own default administrator account, yet those passwords were often predictable even when they were unique per customer. The worst MSPs reused the same admin password across every client, so one breach of one account could domino into many other customer environments. This has been a challenge, and a time-consuming one to address, across the IT industry for more than two decades.
GDAP Conclusions
GDAP brings simplicity, supportability, and accountability to administering information technology systems, servers, and networks. Every MSP, and any other partner that manages customer Microsoft 365 tenants, should adopt it; Microsoft is phasing out the older Delegated Admin Privileges (DAP) model that it replaces.
Fine-grained control over critical administrative privileges is an enormous benefit. Engineers receive entitlements to perform specific services, while the Global Administrator credential that can control everything is reserved for an emergency-access (break-glass) account whose password is vaulted, whose sign-ins are alerted on, and which nobody uses for day-to-day work. That alone seriously improves security.
GDAP can still be set up poorly, so ask your MSP what its process and policy are around adoption: which Entra roles each relationship includes (Global Administrator should be the exception, not the default), how long relationships last and whether they auto-extend, which partner security groups are mapped to which roles, and how the MSP enforces MFA and Conditional Access on its own engineers. Work together to define an acceptable amount of risk for your organization. You’ll be glad you did the work up front, as the benefits will last a long, long time.
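To make "poorly set up" concrete, here is an added example (not code from the original post, CyberHoot, or Microsoft) that audits GDAP relationship records in the shape returned by Microsoft Graph’s `GET /tenantRelationships/delegatedAdminRelationships` endpoint, which a partner can call with the `DelegatedAdminRelationship.Read.All` permission. The records below are constructed, the field names follow the Graph resource as understood by the author of this example, and the 180-day maximum and the list of "full control" roles are hypothetical policy choices you would tune to your own risk appetite. It flags the three things that most often turn GDAP back into the keys to the kingdom: a relationship that includes Global Administrator (or a role that can grant it), an unnecessarily long duration, and auto-extend.

```python
"""Audit GDAP relationships exported from Microsoft Graph for risky settings.

Added example, not CyberHoot's or Microsoft's code. SAMPLE_RELATIONSHIPS is
constructed data shaped like the v1.0 delegatedAdminRelationship resource
(as understood by this example's author). The 180-day limit and the
HIGHLY_PRIVILEGED_ROLES list are hypothetical policy values.
"""
import json
import re

# Microsoft Entra built-in role template IDs that amount to full tenant
# control. A GDAP relationship that includes any of these is still the
# "keys to the kingdom", even though it is no longer a shared password.
HIGHLY_PRIVILEGED_ROLES = {
    "62e90394-69f5-4237-9190-012177145e10": "Global Administrator",
    "e8611ab8-c189-46e8-94e1-60213ab1f814": "Privileged Role Administrator",
    "7be44c8a-adaf-4e2a-84d6-ab2649e08a13": "Privileged Authentication Administrator",
}

# Constructed sample, not a real Partner Center export.
SAMPLE_RELATIONSHIPS = json.loads("""
[
  {"id": "rel-1", "displayName": "Contoso - Helpdesk", "status": "active",
   "duration": "P90D", "autoExtendDuration": "PT0S",
   "customer": {"tenantId": "11111111-1111-1111-1111-111111111111", "displayName": "Contoso"},
   "accessDetails": {"unifiedRoles": [
     {"roleDefinitionId": "729827e3-9c14-49f7-bb1b-9608f156bbb8"},
     {"roleDefinitionId": "fe930be7-5e62-47db-91af-98c3a49a38b1"}]}},
  {"id": "rel-2", "displayName": "Fabrikam - Full admin", "status": "active",
   "duration": "P730D", "autoExtendDuration": "P180D",
   "customer": {"tenantId": "22222222-2222-2222-2222-222222222222", "displayName": "Fabrikam"},
   "accessDetails": {"unifiedRoles": [
     {"roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10"}]}},
  {"id": "rel-3", "displayName": "Tailspin - Security monitoring", "status": "expired",
   "duration": "P90D", "autoExtendDuration": "PT0S",
   "customer": {"tenantId": "33333333-3333-3333-3333-333333333333", "displayName": "Tailspin"},
   "accessDetails": {"unifiedRoles": [
     {"roleDefinitionId": "5d6b6bb7-de71-4623-b4af-96380a352509"}]}}
]
""")

# Date part of an ISO 8601 duration (P730D, P2Y, P1M15D); the time part
# after 'T' is accepted but ignored, so PT0S (auto-extend off) is 0 days.
_DURATION_RE = re.compile(r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)W)?(?:(\d+)D)?(?:T.*)?$")


def iso_duration_days(value):
    """Approximate an ISO 8601 duration string in days (year=365, month=30)."""
    m = _DURATION_RE.match(value or "")
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    years, months, weeks, days = (int(g) if g else 0 for g in m.groups())
    return years * 365 + months * 30 + weeks * 7 + days


def audit_relationship(rel, max_days=180):
    """Return a list of human-readable findings for one relationship (empty = OK)."""
    findings = []
    roles = [r["roleDefinitionId"] for r in rel.get("accessDetails", {}).get("unifiedRoles", [])]
    for role_id in roles:
        if role_id in HIGHLY_PRIVILEGED_ROLES:
            findings.append(f"includes {HIGHLY_PRIVILEGED_ROLES[role_id]}")
    days = iso_duration_days(rel.get("duration"))
    if days > max_days:
        findings.append(f"duration {days}d exceeds policy {max_days}d")
    if iso_duration_days(rel.get("autoExtendDuration", "PT0S")) > 0:
        findings.append("auto-extend enabled")
    if rel.get("status") != "active":
        # Not a privilege risk by itself, but stale relationships clutter
        # reviews and should be terminated rather than left to linger.
        findings.append(f"status is {rel.get('status')}")
    return findings


def audit_gdap_relationships(relationships, max_days=180):
    """Map relationship id -> findings for every record in a Graph 'value' array."""
    return {rel["id"]: audit_relationship(rel, max_days) for rel in relationships}


if __name__ == "__main__":
    for rel_id, findings in audit_gdap_relationships(SAMPLE_RELATIONSHIPS).items():
        print(rel_id, findings or ["ok"])
```

Running it against the constructed sample reports rel-1 as clean, rel-2 as a Global Administrator relationship with a 730-day lifetime and auto-extend on, and rel-3 as expired and due for cleanup. Against real data, feed it the `value` array from the Graph response, and treat every non-empty finding list as a question for the MSP’s change and access-review process.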
Pro Tip:
CyberHoot subscribers can assign an optional program containing 6 How-To videos about GDAP, how to set it up, and even migrate from DAP controls, inside your MSP. Search for GDAP in the Program Library.
Secure your business with CyberHoot Today!!!
For more info, watch this 15 min video on GDAP
Sources:
Microsoft: Introduction to granular delegated admin privileges (GDAP)
T-Minus365: YouTube video.
Additional Reading:
Microsoft: GDAP Frequently Asked Questions