Granular Delegated Admin Privileges (GDAP)
Concerns over Privileged Identity Management
Are you concerned about the security of your organization's data and network? Do you want to minimize the risk of data breaches and other security incidents caused by lax privilege management? Are you looking for a solution that provides fine-grained control over administrative privileges without giving away the master password? If so, read on to learn how Microsoft's Granular Delegated Admin Privileges (GDAP) brings simplicity, supportability, and accountability to administering information technology systems, servers, and networks. This article answers three questions: What is GDAP? How does GDAP enhance security? And where can I learn more about GDAP?
What is GDAP?
Microsoft's Granular Delegated Admin Privileges (GDAP) is a Microsoft Partner Center capability that lets a partner (typically an MSP or Cloud Solution Provider) be granted specific Microsoft Entra ID (formerly Azure AD) built-in roles in a customer's tenant, for a fixed period of up to 730 days, instead of the broad, standing access granted by the older Delegated Admin Privileges (DAP). Within the partner, those roles are then assigned to specific security groups of engineers. This approach enables a more refined level of control over the actions that can be taken by different personnel. It lowers the risk of unintended, unauthorized, or unidentified changes while reducing entitlement risks to companies supported by Managed Service Providers (MSPs).
How Can GDAP Help?
GDAP allows administrators to be allocated permissions for specific tasks or areas, such as managing user accounts, administering a single workload like Exchange or Intune, or reading security reports. Administrators with a legitimate need for particular privileges get exactly those privileges, without the need to grant full administrative rights (the keys to the kingdom). In SMB and especially in MSP environments, this is important to minimize the risk of data breaches and other security incidents from lax or weak Privileged Identity Management ("PIM").
What Is the Impact to the SMBs and MSPs?
Shared credentials are a critical security risk to any organization. Prior to GDAP, many businesses would share a single Global Administrator (or domain administrator) account with all engineers. This led to unnecessary risk from unidentified critical changes that could not be traced back to a single admin. It also led to exposure when employees left the company, since changing the password on these highly privileged accounts was sometimes missed.
For MSPs, it was sometimes worse. In security-minded MSPs, each customer had its own Global Administrator account. And yet, even when those passwords were unique per customer, they were sometimes predictable. The worst MSPs might use the same admin password across all client tenants, so one breach of one account could domino into many others. This has been a challenge, and a time-consuming one to address, across the IT industry for more than two decades.
What to Keep In Mind When Deploying GDAP
- Identify the roles and permissions needed: Determine the tasks your delegated admins actually perform and map each to the narrowest Microsoft Entra built-in role that covers it (for example, Helpdesk Administrator or Exchange Administrator rather than Global Administrator). Global Administrator should almost never appear in a GDAP relationship.
- Stick to built-in roles: GDAP relationships support only Microsoft Entra built-in roles, not custom directory roles, so least privilege is achieved by choosing the most specific built-in role, not by authoring a new one. Access to Azure subscriptions and resources is governed separately by Azure RBAC and must be scoped with the same care.
- Request and assign roles: The partner requests a GDAP relationship with the chosen roles and a duration (a maximum of 730 days), the customer's Global Administrator approves it, and the partner then assigns each role to a security group in its own tenant via Partner Center. Engineers inherit access only through membership in those groups, so group membership is where joiners, movers, and leavers are managed.
- Set up MFA: Enforce multi-factor authentication (ideally through Conditional Access) for every account in the partner tenant, not just those with delegated admin privileges, since any member of a GDAP-mapped group can reach customer tenants.
- Implement a review process: Periodically review active relationships, their roles and expiry dates, any requests still awaiting customer approval, and the membership of the mapped security groups. This helps ensure that permissions are still appropriate and that departed staff no longer hold access.
- Train your delegated admins: Provide training to your delegated admins on how to properly use their assigned roles and permissions. Make sure they understand their responsibilities and the potential risks involved.
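The role-selection and periodic-review steps above can be partly automated against the objects Microsoft Graph returns for GDAP relationships. The following is an added example written for this article, not code from CyberHoot or Microsoft: it builds a least-privilege relationship request body in the shape accepted by POST /tenantRelationships/delegatedAdminRelationships, and it reviews a list of relationships in the shape returned by GET /tenantRelationships/delegatedAdminRelationships, flagging ones that grant tenant-wide roles, run longer than policy allows, are about to expire, or are still awaiting approval. The role template IDs are Microsoft's fixed Entra built-in role IDs; the relationships, tenant IDs, dates, and the 365-day policy limit are constructed for the example, and a real run would feed in the `value` array of a Graph response instead.

```python
"""Offline GDAP review helpers (example code, not part of the original article).

Input shape: the 'value' array returned by
GET https://graph.microsoft.com/v1.0/tenantRelationships/delegatedAdminRelationships
The SAMPLE_RELATIONSHIPS below are constructed for this example.
"""
import re
from datetime import datetime, timedelta, timezone

# Microsoft Entra built-in role template IDs (fixed across all tenants).
GLOBAL_ADMINISTRATOR = "62e90394-69f5-4237-9190-012177145e10"
PRIVILEGED_ROLE_ADMINISTRATOR = "e8611ab8-c189-46e8-94e1-60213ab1f814"
GLOBAL_READER = "f2ef992c-3afb-46b9-b7cf-a126ee74c451"
HELPDESK_ADMINISTRATOR = "729827e3-9c14-49f7-bb1b-9608f156bbb8"
EXCHANGE_ADMINISTRATOR = "29232cdf-9323-42fd-ade2-1d097af3e4de"

ROLE_NAMES = {
    GLOBAL_ADMINISTRATOR: "Global Administrator",
    PRIVILEGED_ROLE_ADMINISTRATOR: "Privileged Role Administrator",
    GLOBAL_READER: "Global Reader",
    HELPDESK_ADMINISTRATOR: "Helpdesk Administrator",
    EXCHANGE_ADMINISTRATOR: "Exchange Administrator",
}

# Roles that hand an engineer the whole customer tenant: never put them in a GDAP request.
KEYS_TO_THE_KINGDOM = {GLOBAL_ADMINISTRATOR, PRIVILEGED_ROLE_ADMINISTRATOR}
MAX_GDAP_DAYS = 730  # Microsoft's ceiling for a GDAP relationship duration


def duration_days(iso_duration):
    """GDAP durations are ISO 8601 day counts such as 'P180D'."""
    match = re.fullmatch(r"P(\d+)D", iso_duration)
    if not match:
        raise ValueError(f"unsupported duration: {iso_duration}")
    return int(match.group(1))


def build_relationship_request(display_name, customer_tenant_id, role_ids, days):
    """Body for POST /tenantRelationships/delegatedAdminRelationships, refusing
    tenant-wide roles and out-of-range durations before anything is sent."""
    forbidden = set(role_ids) & KEYS_TO_THE_KINGDOM
    if forbidden:
        raise ValueError("refusing tenant-wide roles: " + ", ".join(ROLE_NAMES[r] for r in sorted(forbidden)))
    if not 1 <= days <= MAX_GDAP_DAYS:
        raise ValueError(f"duration must be 1..{MAX_GDAP_DAYS} days, got {days}")
    return {
        "displayName": display_name,
        "duration": f"P{days}D",
        "customer": {"tenantId": customer_tenant_id},
        "accessDetails": {"unifiedRoles": [{"roleDefinitionId": r} for r in role_ids]},
    }


def review_relationships(relationships, now, max_days=365, expiry_warning_days=30):
    """Return (relationship name, issue) pairs for anything a reviewer should act on."""
    findings = []
    for rel in relationships:
        name = rel["displayName"]
        roles = {r["roleDefinitionId"] for r in rel["accessDetails"]["unifiedRoles"]}
        for role in sorted(roles & KEYS_TO_THE_KINGDOM):
            findings.append((name, f"grants {ROLE_NAMES[role]}"))
        days = duration_days(rel["duration"])
        if days > max_days:
            findings.append((name, f"duration {days} days exceeds policy of {max_days}"))
        if rel["status"] == "active":
            end = datetime.fromisoformat(rel["endDateTime"].replace("Z", "+00:00"))
            if end - now <= timedelta(days=expiry_warning_days):
                findings.append((name, f"expires {end.date()}; renew deliberately or let it lapse"))
        elif rel["status"] == "approvalPending":
            findings.append((name, "awaiting customer approval; chase or withdraw"))
    return findings


# Constructed sample data in the Graph response shape (tenant IDs are placeholders).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_RELATIONSHIPS = [
    {"displayName": "contoso-helpdesk", "duration": "P180D", "status": "active",
     "endDateTime": "2024-11-15T00:00:00Z",
     "customer": {"tenantId": "11111111-1111-1111-1111-111111111111", "displayName": "Contoso"},
     "accessDetails": {"unifiedRoles": [{"roleDefinitionId": HELPDESK_ADMINISTRATOR},
                                        {"roleDefinitionId": GLOBAL_READER}]}},
    {"displayName": "fabrikam-everything", "duration": "P730D", "status": "active",
     "endDateTime": "2024-06-20T00:00:00Z",
     "customer": {"tenantId": "22222222-2222-2222-2222-222222222222", "displayName": "Fabrikam"},
     "accessDetails": {"unifiedRoles": [{"roleDefinitionId": GLOBAL_ADMINISTRATOR}]}},
    {"displayName": "northwind-exchange", "duration": "P90D", "status": "approvalPending",
     "endDateTime": None,
     "customer": {"tenantId": "33333333-3333-3333-3333-333333333333", "displayName": "Northwind"},
     "accessDetails": {"unifiedRoles": [{"roleDefinitionId": EXCHANGE_ADMINISTRATOR}]}},
]

if __name__ == "__main__":
    for name, issue in review_relationships(SAMPLE_RELATIONSHIPS, NOW):
        print(f"{name}: {issue}")
```

Run as-is, the review reports nothing for the narrowly scoped Contoso relationship, three issues for the Fabrikam one (Global Administrator, a 730-day duration over the 365-day policy, and expiry within 30 days), and one for the Northwind request still waiting on the customer. The same checks apply unchanged to the output of `Get-MgTenantRelationshipDelegatedAdminRelationship` from the Microsoft Graph PowerShell SDK once it is exported to JSON.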
GDAP Conclusions
GDAP brings simplicity, supportability, and accountability to administering information technology systems, servers, and networks. It should be adopted by every MSP and by every organization that relies on one.
Having fine-grained control over critical administrative privileges is an enormous benefit. Granting engineers entitlements to perform specific services, without handing out the Global Administrator password (which belongs in a locked-down emergency "break glass" account, not in daily use), seriously improves security.
GDAP can still be poorly set up (a relationship that grants Global Administrator for 730 days is barely better than DAP), so ask your MSP what their process and policy is around its adoption. Work together to define an acceptable amount of risk for your organization. You'll be very happy you did the work upfront, as the benefits will last a long, long time.
Where can I Learn More?
CyberHoot subscribers can assign an optional program containing 6 How-To videos about GDAP, how to set it up, and even migrate from DAP controls, inside your MSP. Search for GDAP in the Program Library.
Cybersecurity Made Easy for MSPs with CyberHoot
Fully automated security and compliance training services are available to MSPs using CyberHoot. Our SaaS product offerings help you build a robust, compliance-driven cybersecurity program that stands up to hacker attacks and compliance requirements. Your CyberHoot platform has modules for Governance Policy, Awareness Training, Product Training, Innovative Phish Testing, Automation, and Dark Web Reporting, at a single, all-in-one per-user price for your clients to consume.
CyberHoot's Innovative Phish Testing module takes a different approach, deviating from the traditional punishment model for those who fall prey to phishing attacks. Instead, we offer your clients an educate-and-reward system that delivers superior results, making it highly appealing as a resale or white-label service.