Multi-Tenant Delegated Administration
Retiring per-client admin accounts in favor of CSP/GDAP delegated access, with the group plumbing automated through Microsoft Graph.
context
An MSP administering Microsoft 365 for a portfolio of client organizations. The inherited access model was the industry's old default: a separate admin account living inside each client tenant, one per client, each with its own credentials and its own lifecycle nobody fully owned.
problem
Per-client admin accounts are credential sprawl with a blast radius. Every account is standing privileged access that has to be secured, rotated, and - the part that actually goes wrong - deprovisioned when a technician leaves. Microsoft's answer is GDAP: time-bound, role-scoped delegated access from the partner tenant into client tenants. Getting there meant enrolling as a CSP Indirect Reseller and migrating every client relationship onto delegated access without interrupting the technicians' daily work.
constraints
GDAP is deliberately restrictive, and the restrictions shape the design. Delegated roles must be granted through role-assignable security groups in the partner tenant, which have their own creation requirements. Relationships expire by design, so renewal has to be automated or access quietly dies. Consent is per-client, so the rollout had to scale across the portfolio rather than be hand-built per tenant. And least privilege was the point of the exercise: broad standing roles would have recreated the original problem in new clothes.
approach
Enrolled the company as a Microsoft CSP Indirect Reseller and established GDAP relationships across 10+ client M365 tenants using M365 Lighthouse bulk templates, so the same role design rolled out uniformly instead of drifting per client. The role-assignable security group creation - the fiddly, repetitive part - was automated through Microsoft Graph, as was GDAP relationship auto-extension, so delegated access renews on schedule instead of expiring by surprise. Technicians moved to single-identity access: one account in the partner tenant, MFA-protected, with role-scoped reach into client tenants.
outcome
Per-client admin accounts replaced with single-identity delegated access across the managed portfolio. One identity to secure per technician, roles scoped to what the work requires, relationships that renew automatically, and offboarding that actually offboards - disable one account, and access to every client tenant goes with it.