# Role assignment and GDAP configuration

### GDAP role assignment for CSP products purchased for self-use

When ordering CSP products for your own use through the Marketplace, SoftwareOne requires specific [Granular Delegated Admin Privileges (GDAP)](https://docs.platform.softwareone.com/extensions/microsoft-cloud-solution-provider/granular-delegated-admin-privileges-gdap) to effectively provision or manage these products in your Microsoft tenant.

The following table outlines the GDAP roles that SoftwareOne requires to establish a relationship. It also describes what each role enables.

**Service** - Microsoft Azure

<table><thead><tr><th width="282">Role name</th><th>Description</th></tr></thead><tbody><tr><td>Directory reader</td><td>Can read basic directory information.</td></tr><tr><td>Global reader</td><td>Can read everything that a Global Administrator can, but cannot update anything.</td></tr><tr><td>Service support administrator</td><td>Can read service health information and manage support tickets.</td></tr><tr><td>Billing administrator</td><td>Performs common billing-related tasks, like updating payment information.</td></tr><tr><td>Cloud application administrator</td><td>Creates and manages all aspects of enterprise applications and application registrations.</td></tr></tbody></table>

**Service** - Microsoft 365 Business, Enterprise, & Apps (Charity, Commercial, and Education)

<table><thead><tr><th width="280">Role name</th><th>Description</th></tr></thead><tbody><tr><td>Attack simulation administrator</td><td>Can create and manage all aspects of attack simulation campaigns.</td></tr><tr><td>Authentication administrator</td><td>Can view, set and reset authentication method information for any non-admin user.</td></tr><tr><td>Billing administrator</td><td>Performs common billing-related tasks like updating payment information.</td></tr><tr><td>Compliance administrator</td><td>Can read and manage compliance configuration and reports in Microsoft Entra ID and Microsoft 365.</td></tr><tr><td>Directory readers</td><td>Can read basic directory information. Commonly used to grant directory read access to applications and guests.</td></tr><tr><td>Domain name administrator</td><td>Manages domain names in cloud and on-premises.</td></tr><tr><td>Exchange administrator</td><td>Manages all aspects of the Exchange product.</td></tr><tr><td>Global reader</td><td>Can read everything that a Global Administrator can, but cannot update anything.</td></tr><tr><td>Groups administrator</td><td>Can create and manage groups, and create and manage group settings like naming and expiration policies. Can also view group activity and audit reports.</td></tr><tr><td>Hybrid identity administrator</td><td>Manages Active Directory to Microsoft Entra cloud provisioning, Microsoft Entra Connect, pass-through authentication (PTA), password hash synchronization (PHS), seamless single sign-on (seamless SSO), and federation settings. Does not have access to manage Microsoft Entra Connect Health.</td></tr><tr><td>Intune administrator</td><td>Manages all aspects of the Intune product.</td></tr><tr><td>License administrator</td><td>Manages product licenses on users and groups.</td></tr><tr><td>Network administrator</td><td>Manages network locations and reviews enterprise network design insights for Microsoft 365 Software as a Service applications.</td></tr><tr><td>Fabric administrator (PowerBI)</td><td>Manages all aspects of the Fabric and Power BI products.</td></tr><tr><td>Power platform administrator</td><td>Can create and manage all aspects of Microsoft Dynamics 365, Power Apps and Power Automate.</td></tr><tr><td>Security administrator</td><td>Can read security information and reports, and manage configuration in Microsoft Entra ID and Office 365.</td></tr><tr><td>Service support administrator</td><td>Can read service health information and manage support tickets.</td></tr><tr><td>SharePoint administrator</td><td>Manages all aspects of the SharePoint service.</td></tr><tr><td>Skype for business administrator</td><td>Manages all aspects of the Skype for Business product.</td></tr><tr><td>Teams administrator</td><td>Manages the Microsoft Teams service.</td></tr><tr><td>User administrator</td><td>Manages all aspects of users and groups, including resetting passwords for limited admins.</td></tr><tr><td>Windows 365 administrator</td><td>Can create and manage security groups but does not have administrator rights over Microsoft 365 groups.</td></tr><tr><td>Cloud application administrator</td><td>Creates and manages all aspects of enterprise applications and application registrations.</td></tr><tr><td>Conditional access administrator</td><td>Manages Conditional Access capabilities.</td></tr></tbody></table>

**Service** - Microsoft Dynamics 365 (Charity, Commercial, and Education)

<table><thead><tr><th width="282">Role name</th><th>Description</th></tr></thead><tbody><tr><td>Authentication administrator</td><td>Can view, set and reset authentication method information for any non-admin user.</td></tr><tr><td>Billing administrator</td><td>Performs common billing-related tasks like updating payment information.</td></tr><tr><td>Directory readers</td><td>Can read basic directory information. Commonly used to grant directory read access to applications and guests.</td></tr><tr><td>Global reader</td><td>Can read everything that a Global Administrator can, but cannot update anything.</td></tr><tr><td>Groups administrator</td><td>Creates and manages groups and creates and manages group settings like naming and expiration policies. Can also view group activity and audit reports.</td></tr><tr><td>License administrator</td><td>Manages product licenses on users and groups.</td></tr><tr><td>Fabric administrator (PowerBI)</td><td>Manages all aspects of the Fabric and Power BI products.</td></tr><tr><td>Power platform administrator</td><td>Can create and manage all aspects of Microsoft Dynamics 365, Power Apps and Power Automate.</td></tr><tr><td>Service support administrator</td><td>Can read service health information and manage support tickets.</td></tr><tr><td>User administrator</td><td>Manages all aspects of users and groups, including resetting passwords for limited admins.</td></tr><tr><td>Cloud application administrator</td><td>Grants the ability to create and manage all aspects of enterprise applications and application registrations.</td></tr><tr><td>Dynamics 365 administrator</td><td>Manages all aspects of the Dynamics 365 product.</td></tr></tbody></table>

### GDAP role assignment for CSP products purchased for resale

If you are a SoftwareOne Partner purchasing [CSP products for resale](https://docs.platform.softwareone.com/marketplace-platform/getting-started/marketplace-for-partners/how-to-order-products-for-resale), your customers must approve a GDAP relationship request that includes the roles listed in the following table:

{% hint style="info" %}
These roles are not dependent on individual services, such as Azure or Dynamics, and apply to all CSP products purchased for resale.
{% endhint %}

<table><thead><tr><th width="279">Role</th><th>Description</th></tr></thead><tbody><tr><td>Global reader </td><td>Can read everything that a Global Administrator can, but cannot update anything.</td></tr><tr><td>Billing administrator </td><td>Can perform billing-related tasks, such as updating payment information.</td></tr><tr><td>Directory writers </td><td>Can read basic directory information. Commonly used to grant directory read access to applications and guests.</td></tr><tr><td>Cloud application administrator </td><td>Can create and manage all aspects of enterprise applications and application registrations.</td></tr><tr><td>License administrator </td><td>Manages product licenses for users and groups.</td></tr><tr><td>Service support administrator</td><td>Can read service health information and manage support tickets.</td></tr></tbody></table>

To learn more about GDAP and its importance, see [Granular Delegated Admin Privileges](https://docs.platform.softwareone.com/extensions/microsoft-cloud-solution-provider/granular-delegated-admin-privileges-gdap).

### GDAP configuration

The GDAP admin relationship is established with the following configuration:

<table><thead><tr><th width="288">Property</th><th>Value</th></tr></thead><tbody><tr><td>displayName</td><td>Microsoft Tenant Name + 'admin relationship'</td></tr><tr><td>duration</td><td>P2Y</td></tr><tr><td>autoExtendDuration</td><td>180 days</td></tr></tbody></table>

Once the GDAP relationship is in place, its duration is set to 2 years by default. When the relationship is about to expire, it's automatically extended for an additional 180 days.
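
A customer reviewing a GDAP request before approving it can compare the request against the resale role table and the configuration above. The following is an added example, not SoftwareOne or Microsoft code: it audits one `delegatedAdminRelationship` object as returned by Microsoft Graph and reports roles outside the documented baseline, missing roles, and duration settings that differ from `P2Y` and 180 days. The role template IDs are taken from Microsoft's built-in roles reference and should be verified in your tenant; the sample relationship and the function names are constructed for illustration.

```python
import re

# Entra built-in role template IDs (from Microsoft's built-in roles reference;
# verify in your tenant) mapped to the role names in the resale table.
RESALE_BASELINE = {
    "f2ef992c-3afb-46b9-b7cf-a126ee74c451": "Global reader",
    "b0f54661-2d74-4c50-afa3-1ec803f12efe": "Billing administrator",
    "9360feb5-f418-4baa-8175-e2a00bac4301": "Directory writers",
    "158c047a-c907-4556-b7ef-446551a6b5f7": "Cloud application administrator",
    "4d6ac14f-3453-41d0-bef9-a3e0c569773a": "License administrator",
    "f023fd81-a637-4b56-95fd-791ac0226033": "Service support administrator",
}
EXPECTED_DAYS = {"duration": 730, "autoExtendDuration": 180}  # P2Y, 180 days

def iso_days(value):
    """Days in a simple ISO 8601 duration such as P2Y, P730D, P180D or PT0S."""
    m = re.fullmatch(r"P(?:(\d+)Y)?(?:(\d+)D)?(?:T0S)?", value)
    if not m or value == "P":
        raise ValueError(f"unsupported duration: {value!r}")
    return int(m.group(1) or 0) * 365 + int(m.group(2) or 0)

def audit_relationship(rel):
    """Return findings for one delegatedAdminRelationship object."""
    findings = []
    requested = {r["roleDefinitionId"].lower()
                 for r in rel["accessDetails"]["unifiedRoles"]}
    for rid in sorted(requested - set(RESALE_BASELINE)):
        findings.append(f"unexpected role: {rid}")
    for rid in sorted(set(RESALE_BASELINE) - requested):
        findings.append(f"missing role: {RESALE_BASELINE[rid]}")
    for prop, days in EXPECTED_DAYS.items():
        actual = iso_days(rel.get(prop) or "PT0S")
        if actual != days:
            findings.append(f"{prop} is {actual} days, expected {days}")
    return findings

# Constructed sample: the six documented roles plus Global Administrator,
# with auto-extend switched off.
SAMPLE = {
    "displayName": "Contoso admin relationship",
    "duration": "P730D",
    "autoExtendDuration": "PT0S",
    "accessDetails": {"unifiedRoles": [{"roleDefinitionId": rid} for rid in
        list(RESALE_BASELINE) + ["62e90394-69f5-4237-9190-012177145e10"]]},
}

if __name__ == "__main__":
    for finding in audit_relationship(SAMPLE):
        print(finding)
```

An empty result means the request matches the documented baseline; any `unexpected role` finding is a role the page does not list for resale relationships and should be questioned before approval.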
