What are Azure Lighthouse and Granular Delegated Admin Permissions (GDAP)

Firstly let us ask the question what are Azure Lighthouse and GDAP?

Azure Lighthouse

Azure Lighthouse enables either managed service providers or 3rd party support staff, management in the Azure tenants of any clients they are supporting and gives enhanced governance across resources deployed in an Azure tenant, higher automation and scalability.

This still allows the clients to retain/maintain control over who has access to their tenant, which resources they can access and what actions can be taken in their tenant.

This can be achieved via taking into account these four principals:

  • Partner with confidence – Manage your service providers across all clouds e.g. (AWS (Amazon Web Services), Azure, GCP (Google Cloud Platform))
  • Take control – Assign precise permissions to each provider with RBAC (Role-Based Access Control)
  • Stay Secure – Enable just-enough and just-in-time access for providers with PIM and Azure Multi-Factor Authentication (MFA)
  • Be Informed – Access on-demand auditing and reporting across all service provider actions


GDAP is a security feature that provides Microsoft partners with least-privileged access following the Zero Trust cybersecurity protocol. This is done by allowing partners time-bound access to client workloads in either a Production or Development environment.

GDAP will eventually replace DAP (Delegated Admin Privileges) as the primary method to configure delegated access for customer tenants.

Partners’ access can be partitioned by clients meaning that by default partners no longer have access to all client tenants and their associated subscriptions. Instead partners managing a client’s Azure tenant are members of a separate security group, which in turn is a member of the Admin agent group, which then grants owner role-based access control (RBAC) access to whichever Azure subscription they need to manage for that client.

GDAP permissions are assigned based on the workloads that are included in the supported service and a full list of the AD roles that can be assigned are found here – https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference

These roles are then granted by using Privileged Identity Management (PIM).

About the author