GDAP Setup for Business Central Made Simple: Secure Admin Relationships Without the Risks
I recently got asked how to remove Admin Relationships by a customer, but since the BLOG a couple of requests have come in about how to add the Admin Relationships. You always sort of assume that everyone knows about the more obvious things, but it turns out there are still partners out there that are having to resort to various tactics to administer the environment, such as:
Purchasing an extra license and creating a username and password to get access, effectively costing the customer extra per month.
Sharing username and password for a user to get access that way, which of course is really not a good idea.
I have even seen some partners using the external accountant licenses to get access to the customer environment, which is not really what the licenses are supposed to be used for.
This is not necessary, and you can do this with GDAP (Granular Delegated Admin Privileges) on Business Central SaaS.
Previously, Microsoft partners who wanted to administer a customer's Business Central environment had to be granted full admin access to the customer's tenant. This meant elevated privileges across the entire environment, which posed security and compliance risks.
Now, with GDAP (Granular Delegated Admin Privileges), partners can be granted targeted access—for example, just to Business Central—without needing full tenant-wide admin rights. This enables least-privileged access, improving both security and operational control.
Here is how you can do that.
Pre-Requisites
In order to set up a GDAP relationship with your customer as a Microsoft partner, you obviously need to be a registered Microsoft partner; that goes without saying. Next you need to set up the relationship, and of course the customer needs to accept the relationship. That’s it.
Of course, not just any employee of a partner would be able to create this relationship. You would need to be assigned a specific Microsoft Entra Role in order to be able to set up the relationship. You would need either of the following roles:
Global Administrator
Cloud Application Administrator
And with these things in place we can just create the relationship.
Setup Steps
Log into the Microsoft Partner Center
Using your credentials, log into the Microsoft Partner Center: https://partner.microsoft.com/en-US/dashboard. I have a partner account that I have been using for many years to train partners and show how to set up these relationships, so I can walk you through the process here. This is what you will see once you have logged in.
Once you have logged in, click on the Customers button to access your existing Customers, and to set up new GDAP relationships.
Learn about the Customers in Partner Center
When the Customers screen opens, you will see the following:
On the left in the menu you will see the following options:
Customer List: This is where you will see a list of your existing customers that you sell CSP licenses to. Here you can invite customers to establish a Customer relationship with you, that will allow you to purchase licenses for them. You can update customer billing and contact information and do some other administrative tasks.
Administer: Here you can set up your GDAP relationships, and launch the customer’s admin center if you have existing DAP or GDAP relationships, as well as provide support and troubleshoot issues in the Customer’s environment.
Indirect Provider: Here you can view a list of indirect providers you’re associated with, and understand which customers are linked through which providers.
Expiring Granular Relationships: View a list of relationships that are about to expire, and renew or reinitiate GDAP requests to maintain access. Unlike the previous DAP relationships, which were not limited, GDAP relationships can only be created for a maximum duration of two years.
Customers and GDAP
Something that is important to understand is that it is possible to set up a GDAP relationship with a customer even though you are not the partner selling the licenses. There are, for instance, customers that have multiple partners involved in their Business Central implementation, each looking after different aspects of their implementation, or looking after branches in different countries, etc. Sometimes the support partner and the licensing partner are simply different, or you may have one partner looking after Business Central and another partner looking after only their ISV solution.
Whatever the reason, to set up a GDAP relationship, you just click on the Administer option in the menu.
Administering GDAP relationships
Let us take a look at how to create a GDAP relationship with a new Customer. Once you have clicked on Administer in the menu, you will see the following screen, which shows all your existing GDAP relationships that have been established.
Near the top of the list you will see an option to Request admin relationship. This is where you will set up a new Admin Relationship. Click on this option to set up a GDAP relationship with the Customer. (Please note that this will only deal with GDAP, and not establish a reseller relationship, where you can sell licenses to the Customer; that is done in the Customer List menu option, and is not the focus of this article.)
Once you’ve clicked on Request admin relationship, fill in the screen that appears as follows:
This will generate an email that you can copy and send to your Customer. It will contain a link that the Customer can click on to approve the relationship; we will see the email in the following screenshot. Let’s discuss what we have filled out in this window.
In the Admin relationship name section we have to name the relationship. Please note that whatever name you use here, the Customer will be able to see, so please be aware of that. Also you cannot use the same name more than once, the system will check that the name you use is available. You can see this in the screenshot above.
In the Duration in days field you can say how long you would like to establish this relationship for. You cannot enter a value of more than 730 in this field, because 2 years is the maximum term you can choose. (I only entered 365 here, as this is a CDX environment, it will probably expire long before the GDAP relationship expires.)
Next you need to choose the Required Microsoft Entra Roles for the relationship. The roles that you pick here will determine what you are allowed to do on the Customer’s Microsoft cloud tenant. For a list of roles and more detailed information, please visit https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference. Here you will find a list of all the roles and what each role allows you to do. You can use this list to determine what Roles to choose.
Business Central partners will find that there are two permissions that specifically mention Dynamics. Those are the Dynamics 365 Administrator and the Dynamics 365 Business Central Administrator. While the first of the two is a broader Dynamics related permission, the second is focused specifically on Business Central. You can learn more about each one in the following two links:
Dynamics 365 Administrator: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#dynamics-365-administrator
Dynamics 365 Business Central Administrator: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#dynamics-365-business-central-administrator
Here I have chosen two permissions in my example, the first is the Dynamics 365 Business Central Administrator, which will allow me to administer Business Central, and the second is the License administrator so I can assign Licenses to the users. (Please note that if your Customer has other Microsoft subscriptions, and they have another provider managing that, they may not want to give you permission to assign licenses to users, or may even choose to perform this task themselves, each scenario may be different.)
The final option on the screen is the Auto Extend, where you can choose if you want to automatically extend the GDAP permissions when they expire for an additional 6 months. This will continue until either the relationship is manually terminated, or the Auto Extend is manually disabled.
The highest permission that you can choose is Global Administrator, which gives full access to all administrative features across Microsoft services. If you have chosen this Microsoft Entra Role in the previous step, please note that you will not be able to choose the Auto Extend option for security reasons.
That is it, you have now filled in the request form. To complete the request, click on Finalize request.
Finalize request
Once you have completed the form, and clicked on Finalize request, follow the instructions on the screen, and copy the message and mail it to your Customer. All they need to do to complete the request is to click on the link, and confirm that they give you access. (Of course the person who completes the request on the Customer side needs to have the correct permissions. Either the Global Administrator or the Privileged Role Administrator role will be able to complete the request on the Customer side.)
Once the mail has been sent to the Customer, and they have completed the instructions on their side, the relationship will be established.
Assign Admin Relationships to Groups
The final part of completing the setup is assigning the GDAP permission that you have created to a Security Group in your Entra. Below you will see an example of how this could possibly be set up. If you don’t want all of your employees to have access to everything on a Customer site, you can set up different Security Groups in Azure, then assign the different groups only the permissions that they would require, and assign the users only to the Groups they should have access to.
In the example below, we have split the permissions into two groups. The one group will only ever have access to Business Central on all Customer sites, and the other group will only have access to administrative tasks related to assigning licenses to users. You could also for instance create an Azure group per Customer you have, and only employees that are allowed to work with that specific customer will have access to that Customer’s GDAP relationships when assigned to that group. You would need to decide how to best administer this according to your needs.
To get to the setup of the Security Groups of a GDAP relationship follow these steps:
In Partner Center click on Customers.
Then select Administer from the left menu.
Click on the Customer name on the right screen and a list of relationships that have been established will appear.
Select the GDAP relationship that you wish to assign to a Security Group, and click on it. A window will appear with details about the GDAP relationship.
Towards the bottom of the details you will see Security Groups with an option to Add Security Groups. This is where you can assign the Security Groups to the GDAP relationship. (If no groups are assigned, no one will be able to administer the Customer using GDAP)
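The group design above can be checked on paper before anyone opens a Customer tenant. The following is an added example, not Partner Center code or the author's own: it resolves who ends up with which role on which Customer, and lists relationships that have no Security Group assigned. All customer, relationship, group and user names are constructed.

```python
# Added example: resolve which partner users get which Entra roles per customer.
# All names below are constructed sample data, not Partner Center output.

# (customer, GDAP relationship name) -> {security group: roles granted to it}
RELATIONSHIPS = {
    ("Contoso", "BC support 2025"): {
        "GDAP-BC-Admins": {"Dynamics 365 Business Central Administrator"},
        "GDAP-License-Admins": {"License Administrator"},
    },
    ("Fabrikam", "BC support 2025"): {
        "GDAP-BC-Admins": {"Dynamics 365 Business Central Administrator"},
    },
    ("Northwind", "BC go-live"): {},  # approved, but no group assigned yet
}

# Security group membership in the partner's own tenant
GROUP_MEMBERS = {
    "GDAP-BC-Admins": {"alice", "bob"},
    "GDAP-License-Admins": {"carol", "alice"},
}


def effective_access(relationships, group_members):
    """Return {(user, customer): set of roles} derived from group assignments."""
    access = {}
    for (customer, _name), groups in relationships.items():
        for group, roles in groups.items():
            for user in group_members.get(group, set()):
                access.setdefault((user, customer), set()).update(roles)
    return access


def unusable_relationships(relationships):
    """Relationships with no security group: nobody can administer through them."""
    return sorted(key for key, groups in relationships.items() if not groups)


def users_with_role(access, role):
    """Users holding `role` on at least one customer, for access reviews."""
    return sorted({user for (user, _c), roles in access.items() if role in roles})


if __name__ == "__main__":
    acc = effective_access(RELATIONSHIPS, GROUP_MEMBERS)
    for (user, customer), roles in sorted(acc.items()):
        print(f"{user:6} {customer:10} {', '.join(sorted(roles))}")
    print("No groups assigned:", unusable_relationships(RELATIONSHIPS))
```

A user who sits in both groups, like alice here, accumulates both roles on every Customer where both groups are assigned, which is the case to look for when reviewing membership.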
Next Steps
All that remains is to administer your relationships on a regular basis, remove customers you no longer need a relationship with, ensure you keep an eye on expiring relationships, and renew them if the auto renew option was not available (such as if you selected Global Administrator), or if the Customer did not agree to auto renew.
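The regular review described above can be run as a script over an inventory of your relationships. The following is an added example, not code from Partner Center or the author: the record fields, customer names and the 60-day warning window are assumptions, while the 730-day cap, the Global Administrator restriction on Auto Extend and the broader Dynamics 365 Administrator role come from this article.

```python
from datetime import date, timedelta

MAX_DAYS = 730  # maximum GDAP duration stated in the article
BROAD_ROLES = {"Global Administrator", "Dynamics 365 Administrator"}

# Constructed sample inventory; field names are assumptions for this example.
SAMPLE = [
    {"customer": "Contoso", "name": "BC support 2025", "start": date(2025, 1, 10),
     "duration_days": 365, "auto_extend": True,
     "roles": ["Dynamics 365 Business Central Administrator", "License Administrator"]},
    {"customer": "Fabrikam", "name": "Tenant admin", "start": date(2024, 2, 1),
     "duration_days": 730, "auto_extend": False,
     "roles": ["Global Administrator"]},
    {"customer": "Northwind", "name": "BC go-live", "start": date(2025, 6, 1),
     "duration_days": 240, "auto_extend": False,
     "roles": ["Dynamics 365 Business Central Administrator"]},
]


def review(rel, today, warn_days=60):
    """Return a list of findings for one relationship record."""
    findings = []
    if not 1 <= rel["duration_days"] <= MAX_DAYS:
        findings.append("invalid-duration")
    broad = BROAD_ROLES.intersection(rel["roles"])
    if broad:  # wider than Business Central alone; confirm it is still needed
        findings.append("broad-role:" + ",".join(sorted(broad)))
    if "Global Administrator" in rel["roles"] and rel["auto_extend"]:
        findings.append("auto-extend-not-allowed-with-global-admin")
    end = rel["start"] + timedelta(days=rel["duration_days"])
    days_left = (end - today).days
    if days_left < 0:
        findings.append("expired")
    elif days_left <= warn_days and not rel["auto_extend"]:
        findings.append(f"renew-within:{days_left}d")  # needs a manual renewal
    return findings


def review_all(rels, today):
    """Map (customer, relationship name) to its findings."""
    return {(r["customer"], r["name"]): review(r, today) for r in rels}


if __name__ == "__main__":
    for key, findings in review_all(SAMPLE, date(2026, 1, 5)).items():
        print(key, findings or "ok")
```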
Now that we have shown you how to set up the GDAP relationship, the only thing that remains is how to use the relationship to administer different aspects of the Customer’s Tenant. However, I will do that in a different BLOG, as it will probably be nearly as long as this BLOG.
Conclusion
Setting up GDAP relationships is not just a best practice—it’s essential for secure, scalable, and compliant administration of your customers’ Business Central environments. By moving away from risky workarounds like shared credentials or unnecessary license purchases, partners can now offer targeted support with the right level of access. With just a few steps in Partner Center, and the right Microsoft Entra roles in place, you can establish a professional and secure admin relationship that respects both your customer’s boundaries and Microsoft’s security standards. If you haven’t already, it’s time to make GDAP your default approach.
Great explanation on GDAP vs DAP. Least privilege access is no longer optional; it’s a necessity for compliance.
Thanks Berny, I have been using this feature since it was introduced, saves the customer a few bucks on getting extra licences.
Thanks for this Berny!