# Role assignment and GDAP configuration

### GDAP role assignment for CSP products purchased for self-use

When ordering CSP products for your own use through the Marketplace, SoftwareOne requires specific [Granular Delegated Admin Privileges (GDAP)](https://docs.platform.softwareone.com/extensions/microsoft-cloud-solution-provider/granular-delegated-admin-privileges-gdap) to effectively provision or manage these products in your Microsoft tenant.

The following table outlines the GDAP roles that SoftwareOne requires to establish a relationship. It also describes what each role enables.

**Service** - Microsoft Azure

<table><thead><tr><th width="282">Role name</th><th>Description</th></tr></thead><tbody><tr><td>Directory readers</td><td>Can read basic directory information.</td></tr><tr><td>Global reader</td><td>Can read everything that a Global Administrator can, but cannot update anything.</td></tr><tr><td>Service support administrator</td><td>Can read service health information and manage support tickets.</td></tr><tr><td>Billing administrator</td><td>Performs common billing-related tasks, like updating payment information.</td></tr><tr><td>Cloud application administrator</td><td>Creates and manages all aspects of enterprise applications and application registrations.</td></tr></tbody></table>

**Service** - Microsoft 365 Business, Enterprise, & Apps (Charity, Commercial, and Education)

<table><thead><tr><th width="280">Role name</th><th>Description</th></tr></thead><tbody><tr><td>Attack simulation administrator</td><td>Can create and manage all aspects of attack simulation campaigns.</td></tr><tr><td>Authentication administrator</td><td>Can view, set and reset authentication method information for any non-admin user.</td></tr><tr><td>Billing administrator</td><td>Performs common billing-related tasks like updating payment information.</td></tr><tr><td>Compliance administrator</td><td>Can read and manage compliance configuration and reports in Microsoft Entra ID and Microsoft 365.</td></tr><tr><td>Directory readers</td><td>Can read basic directory information. Commonly used to grant directory read access to applications and guests.</td></tr><tr><td>Domain name administrator</td><td>Manages domain names in cloud and on-premises.</td></tr><tr><td>Exchange administrator</td><td>Manages all aspects of the Exchange product.</td></tr><tr><td>Global reader</td><td>Can read everything that a Global Administrator can, but not update anything.</td></tr><tr><td>Groups administrator</td><td>Can create and manage groups, create and manage group settings like naming and expiration policies. Can also view group activity and audit reports.</td></tr><tr><td>Hybrid identity administrator</td><td>Manages Active Directory to Microsoft Entra cloud provisioning, Microsoft Entra Connect, pass-through authentication (PTA), password hash synchronization (PHS), seamless single sign-on (seamless SSO), and federation settings. Does not have access to manage Microsoft Entra Connect Health.</td></tr><tr><td>Intune administrator</td><td>Manages all aspects of the Intune product.</td></tr><tr><td>License administrator</td><td>Manages product licenses on users and groups.</td></tr><tr><td>Network administrator</td><td>Manages network locations and reviews enterprise network design insights for Microsoft 365 Software as a Service applications.</td></tr><tr><td>Fabric administrator (PowerBI)</td><td>Manages all aspects of the Fabric and Power BI products.</td></tr><tr><td>Power platform administrator</td><td>Can create and manage all aspects of Microsoft Dynamics 365, Power Apps and Power Automate.</td></tr><tr><td>Security administrator</td><td>Can read security information and reports, and manage configuration in Microsoft Entra ID and Office 365.</td></tr><tr><td>Service support administrator</td><td>Can read service health information and manage support tickets.</td></tr><tr><td>SharePoint administrator</td><td>Manages all aspects of the SharePoint service.</td></tr><tr><td>Skype for business administrator</td><td>Manages all aspects of the Skype for Business product.</td></tr><tr><td>Teams administrator</td><td>Manages the Microsoft Teams service.</td></tr><tr><td>User administrator</td><td>Manages all aspects of users and groups, including resetting passwords for limited admins.</td></tr><tr><td>Windows 365 administrator</td><td>Can create and manage security groups but does not have administrator rights over Microsoft 365 groups.</td></tr><tr><td>Cloud application administrator</td><td>Creates and manages all aspects of enterprise applications and application registrations.</td></tr><tr><td>Conditional access administrator</td><td>Manages Conditional Access capabilities.</td></tr></tbody></table>

**Service** - Microsoft Dynamics 365 (Charity, Commercial, and Education)

<table><thead><tr><th width="282">Role name</th><th>Description</th></tr></thead><tbody><tr><td>Authentication administrator</td><td>Can view, set and reset authentication method information for any non-admin user.</td></tr><tr><td>Billing administrator</td><td>Performs common billing-related tasks like updating payment information.</td></tr><tr><td>Directory readers</td><td>Can read basic directory information. Commonly used to grant directory read access to applications and guests.</td></tr><tr><td>Global reader</td><td>Can read everything that a Global Administrator can, but not update anything.</td></tr><tr><td>Groups administrator</td><td>Creates and manages groups and creates and manages group settings like naming and expiration policies. Can also view group activity and audit reports.</td></tr><tr><td>License administrator</td><td>Manages product licenses on users and groups.</td></tr><tr><td>Fabric administrator (PowerBI)</td><td>Manages all aspects of the Fabric and Power BI products.</td></tr><tr><td>Power platform administrator</td><td>Can create and manage all aspects of Microsoft Dynamics 365, Power Apps and Power Automate.</td></tr><tr><td>Service support administrator</td><td>Can read service health information and manage support tickets.</td></tr><tr><td>User administrator</td><td>Manages all aspects of users and groups, including resetting passwords for limited admins.</td></tr><tr><td>Cloud application administrator</td><td>Grants the ability to create and manage all aspects of enterprise applications and application registrations.</td></tr><tr><td>Dynamics 365 administrator</td><td>Manages all aspects of the Dynamics 365 product.</td></tr></tbody></table>

### GDAP role assignment for CSP products purchased for resale

If you are a SoftwareOne Partner purchasing [CSP products for resale](https://docs.platform.softwareone.com/marketplace-platform/getting-started/marketplace-for-partners/how-to-order-products-for-resale), your customers must approve a GDAP relationship request that includes the roles listed in the following table:

{% hint style="info" %}
These roles are not dependent on individual services, such as Azure or Dynamics, and apply to all CSP products purchased for resale.
{% endhint %}

<table><thead><tr><th width="279">Role</th><th>Description</th></tr></thead><tbody><tr><td>Global reader </td><td>Can read everything that a Global Administrator can, but cannot update anything.</td></tr><tr><td>Billing administrator </td><td>Can perform billing-related tasks, such as updating payment information.</td></tr><tr><td>Directory writers </td><td>Can read basic directory information. Commonly used to grant directory read access to applications and guests.</td></tr><tr><td>Cloud application administrator </td><td>Can create and manage all aspects of enterprise applications and application registrations.</td></tr><tr><td>License administrator </td><td>Manages product licenses for users and groups.</td></tr><tr><td>Service support administrator</td><td>Can read service health information and manage support tickets.</td></tr></tbody></table>

To learn more about GDAP and its importance, see [Granular Delegated Admin Privileges](https://docs.platform.softwareone.com/extensions/microsoft-cloud-solution-provider/granular-delegated-admin-privileges-gdap).

### GDAP configuration

The GDAP admin relationship is established with the following configuration:

<table><thead><tr><th width="288">Property</th><th>Value</th></tr></thead><tbody><tr><td>displayName</td><td>Microsoft Tenant Name + 'admin relationship'</td></tr><tr><td>duration</td><td>P2Y</td></tr><tr><td>autoExtendDuration</td><td>180 days</td></tr></tbody></table>

Once the GDAP relationship is in place, its duration is set to 2 years by default. When the relationship is about to expire, it's automatically extended for an additional 180 days.
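
A customer reviewing a resale GDAP request can compare its roles and settings with the tables above before approving it. The following is an added example, not SoftwareOne's or Microsoft's code: it assumes the relationship was exported as a Microsoft Graph `delegatedAdminRelationship` JSON object, that "180 days" is encoded as `P180D`, and that the display name ends with `admin relationship`; `audit_gdap_relationship` and the sample tenant are constructed for illustration.

```python
import json

# Entra built-in role template IDs for the six resale roles in the table above.
EXPECTED_ROLES = {
    "f2ef992c-3afb-46b9-b7cf-a126ee74c451": "Global reader",
    "b0f54661-2d74-4c50-afa3-1ec803f12efe": "Billing administrator",
    "9360feb5-f418-4baa-8175-e2a00bac4301": "Directory writers",
    "158c047a-c907-4556-b7ef-446551a6b5f7": "Cloud application administrator",
    "4d6ac14f-3453-41d0-bef9-a3e0c569773a": "License administrator",
    "f023fd81-a637-4b56-95fd-791ac0226033": "Service support administrator",
}
EXPECTED_DURATION = "P2Y"
EXPECTED_AUTO_EXTEND = "P180D"  # assumption: ISO 8601 form of the page's "180 days"

def audit_gdap_relationship(rel):
    """Return a list of findings; an empty list means the request matches the page."""
    findings = []
    roles = rel.get("accessDetails", {}).get("unifiedRoles", [])
    requested = {r.get("roleDefinitionId", "").lower() for r in roles}
    expected = set(EXPECTED_ROLES)
    # Any role outside the documented set widens the delegated access.
    for role_id in sorted(requested - expected):
        findings.append(f"unexpected role requested: {role_id}")
    for role_id in sorted(expected - requested):
        findings.append(f"expected role missing: {EXPECTED_ROLES[role_id]}")
    if rel.get("duration") != EXPECTED_DURATION:
        findings.append(f"duration is {rel.get('duration')!r}, expected 'P2Y'")
    if rel.get("autoExtendDuration") != EXPECTED_AUTO_EXTEND:
        findings.append(f"autoExtendDuration is {rel.get('autoExtendDuration')!r}, expected 'P180D'")
    if not str(rel.get("displayName", "")).endswith("admin relationship"):
        findings.append("displayName does not end with 'admin relationship'")
    return findings

# Constructed sample: Global Administrator added, License administrator
# missing, and auto-extension switched off.
SAMPLE = json.loads("""
{"displayName": "Contoso admin relationship", "duration": "P2Y",
 "autoExtendDuration": "PT0S",
 "accessDetails": {"unifiedRoles": [
   {"roleDefinitionId": "f2ef992c-3afb-46b9-b7cf-a126ee74c451"},
   {"roleDefinitionId": "b0f54661-2d74-4c50-afa3-1ec803f12efe"},
   {"roleDefinitionId": "9360feb5-f418-4baa-8175-e2a00bac4301"},
   {"roleDefinitionId": "158c047a-c907-4556-b7ef-446551a6b5f7"},
   {"roleDefinitionId": "f023fd81-a637-4b56-95fd-791ac0226033"},
   {"roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10"}]}}
""")

if __name__ == "__main__":
    for finding in audit_gdap_relationship(SAMPLE):
        print(finding)
```
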

