Microsoft pauses delayed partner ecosystem security update to count its money

Active Directory privilege de-escalation will run for nine days in May before taking June off


Microsoft's delayed effort to ensure its partners don't enjoy unduly privileged access to their clients' systems will run for just nine days before pausing for a month.

Partners of the Redmond-based software colossus have historically relied on "delegated admin privileges" (DAP) to manage and monitor clients' systems and software purchases.

In the wake of criminal attacks on managed services providers and the software they use to tend their clients, Microsoft decided DAP privileges offered dangerously extensive access.

The company therefore created granular delegated admin privileges (GDAP).

As the name implies, GDAP limits the resources and permissions partners enjoy when driving their customers' systems. It also adds zero-trust principles to further reduce the likelihood that an attack on a partner will mean pain for end customers. Partners and Microsoft customers alike were told they would need to stop using DAPs and instead move to GDAPs.

So far, so sensible.

But also a little controversial, because partners can create GDAP profiles in customers' Active Directory implementations – customers don't need to give permission for the creation of GDAP profiles, but do need to sign them off.

The move from DAP to GDAP has been slow. Microsoft set October 31, 2022, as the date on which it would discontinue the software that automates DAP to GDAP migrations, then moved that date to March 1, 2023. Those delays came after Redmond's initial ambition was for DAP to die by the end of 2022.

A March 15, 2023, missive from Microsoft to partners offered an update on the move from DAP to GDAP, which will commence on May 22.

"For relationships that have been transitioned from DAP to GDAP, we'll proceed to remove the corresponding DAP relationships 30 days later," the post states, before adding "However, we'll pause the transition for the month of June 2023 to support the Microsoft fiscal year closure."

Microsoft's fiscal year ends on June 30. Late in a fiscal year, businesses usually scramble to bring in every cent of revenue it's possible to find.

The June pause of GDAP migrations therefore suggests the company has made its own concerns a higher priority than this transition.

For those few days in May, then later in July, Microsoft will make the following changes:

  1. Directory readers – can read basic directory information; commonly used to grant directory read access to applications and guests
  2. Directory writers – can read and write basic directory information; for granting access to applications, not intended for users
  3. License administrator – can manage product licenses on users and groups
  4. Service support administrator – can read service health information and manage support tickets
  5. User administrator – can manage all aspects of users and groups, including resetting passwords for limited admins
  6. Privileged role administrator – can manage role assignments in Azure AD and all aspects of Privileged Identity Management (PIM)
  7. Helpdesk administrator – can reset passwords for non-administrators and Helpdesk administrators
  8. Privileged authentication administrator – can access, view, set, and reset authentication method information for any user (admin or non-admin)
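A customer-side way to check whether a partner's delegation actually follows the least-privilege idea behind GDAP is to inventory each relationship and flag the roles whose own description reaches administrator accounts. The script below is an added example, not Microsoft's code or tooling: the relationship records are constructed, the record shape (partner, DAP or GDAP, role names, duration in whole days) is an assumption rather than any Microsoft API format, the "admin reach" classification is this example's reading of the eight role descriptions listed above, and the 365-day threshold is an arbitrary policy value.

```python
"""Audit delegated-admin relationships for over-privileged access.

Added example, not Microsoft code. Records are constructed; the record
shape and the admin-reach classification are this example's assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Roles exactly as listed in the article. True marks roles whose description
# says they touch administrators (reset their passwords or authentication
# methods, or manage role assignments): a compromised partner holding one of
# these could reach accounts outside the scope it was granted for.
ROLE_ADMIN_REACH = {
    "Directory readers": False,
    "Directory writers": False,
    "License administrator": False,
    "Service support administrator": False,
    "User administrator": True,                       # resets passwords for limited admins
    "Privileged role administrator": True,            # manages role assignments and PIM
    "Helpdesk administrator": False,                  # non-admins and helpdesk admins only
    "Privileged authentication administrator": True,  # auth methods of any user, admins included
}


@dataclass
class Relationship:
    rel_id: str
    partner: str
    kind: str                                 # "DAP" (legacy, unscoped) or "GDAP" (role-scoped)
    roles: List[str] = field(default_factory=list)
    duration_days: Optional[int] = None       # None: no expiry recorded


@dataclass
class Finding:
    rel_id: str
    severity: str
    message: str


def assess(rel: Relationship, max_days: int = 365) -> List[Finding]:
    """Return findings for one relationship; an empty list means it passes."""
    findings: List[Finding] = []
    if rel.kind == "DAP":
        # Legacy DAP carries no role scoping at all, so there is nothing finer to inspect.
        findings.append(Finding(rel.rel_id, "high",
                                "legacy DAP relationship: unscoped access with no expiry; migrate to GDAP"))
        return findings
    for role in rel.roles:
        if role not in ROLE_ADMIN_REACH:
            findings.append(Finding(rel.rel_id, "medium", f"unknown role '{role}': review manually"))
        elif ROLE_ADMIN_REACH[role]:
            findings.append(Finding(rel.rel_id, "high", f"role '{role}' reaches administrator accounts"))
    if rel.duration_days is None:
        findings.append(Finding(rel.rel_id, "medium", "no expiry set on GDAP relationship"))
    elif rel.duration_days > max_days:
        findings.append(Finding(rel.rel_id, "medium",
                                f"duration {rel.duration_days} days exceeds policy maximum {max_days}"))
    return findings


def audit(rels: List[Relationship], max_days: int = 365) -> Dict[str, List[Finding]]:
    """Assess every relationship and key the findings by relationship id."""
    return {r.rel_id: assess(r, max_days) for r in rels}


# Constructed sample inventory: hypothetical partners, not real tenants.
SAMPLE = [
    Relationship("rel-001", "Partner A", "GDAP",
                 ["Directory readers", "License administrator", "Service support administrator"], 180),
    Relationship("rel-002", "Partner B", "GDAP",
                 ["Privileged role administrator", "User administrator", "Helpdesk administrator"], 730),
    Relationship("rel-003", "Partner C", "DAP"),
]

if __name__ == "__main__":
    for rel_id, findings in audit(SAMPLE).items():
        print(f"{rel_id}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for f in findings:
            print(f"  [{f.severity}] {f.message}")
```

Run against the sample, the read-only licensing delegation passes, the second relationship is flagged twice for admin-reaching roles and once for its two-year duration, and the leftover DAP relationship is flagged outright. The point of separating the role catalogue from the check is that a tenant can tighten its own policy (for example treating Helpdesk administrator as admin reach too) without touching the audit logic.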

The changes listed above should improve security, an outcome Microsoft champions – except, seemingly, in June while it counts its cash. ®
