Enable GDAP relationship between customer tenant and Crayon

Granular Delegated Admin Privileges (GDAP) grants CSP partners least-privileged access to their customer's workloads. This access is used by Crayon to provide you with support and guidance on your Microsoft subscriptions and services.

Some functionality in Cloud-iQ may also be limited without an active GDAP relationship between Crayon and the cloud account.

Enable GDAP via Cloud-iQ

To establish a GDAP relationship between an existing cloud account and Crayon, follow these steps in Cloud-iQ:

  1. In the main menu, select Manage -> Microsoft CSP
  2. Click on the desired cloud account's name from the list
  3. On the cloud account's page, go to the Details tab
  4. Scroll down to the Delegated Admin Privileges (GDAP) section and click Load More
  5. Forward the GDAP Authorization link to a Global Administrator user in the tenant
  6. The Global Admin user accepts the GDAP relationship with the link provided in the previous step

About Crayon's default GDAP

Crayon's default GDAP relationship consists of the following roles:

  • Global Reader
    • Allows read-only access to settings and administrative information across Microsoft 365 services.
    • Global Reader is the read-only counterpart to Global Administrator.
  • Service Support Administrator
    • Can read service health information and manage support tickets.

The GDAP relationship automatically expires after 730 days. After the GDAP expires, it must be manually renewed.
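
Before or after the Global Administrator accepts the link, the relationship can be checked against the role set and expiry described above. The following is an added example, not code from Crayon or Microsoft: it assumes the relationship record has been exported as JSON in the shape of the Microsoft Graph `delegatedAdminRelationship` resource, and the function name, the sample record and the 60-day warning window are hypothetical.

```python
import re
from datetime import datetime, timezone

# Microsoft Entra built-in role template IDs for the two default roles above.
EXPECTED_ROLES = {
    "f2ef992c-3afb-46b9-b7cf-a126ee74c451": "Global Reader",
    "f023fd81-a637-4b56-95fd-791ac0226033": "Service Support Administrator",
}
MAX_DURATION_DAYS = 730  # expiry stated on this page

# Constructed sample record (not real tenant data).
SAMPLE = {
    "displayName": "example-gdap-relationship",
    "status": "active",
    "duration": "P730D",
    "endDateTime": "2025-02-15T00:00:00Z",
    "accessDetails": {"unifiedRoles": [
        {"roleDefinitionId": "f2ef992c-3afb-46b9-b7cf-a126ee74c451"},
        {"roleDefinitionId": "f023fd81-a637-4b56-95fd-791ac0226033"},
    ]},
}

def audit_gdap(rel, now, warn_days=60):
    """Compare a GDAP relationship record with the expected default roles."""
    granted = {r["roleDefinitionId"].lower()
               for r in rel["accessDetails"]["unifiedRoles"]}
    expected = set(EXPECTED_ROLES)
    # Duration is an ISO 8601 day count such as "P730D".
    m = re.fullmatch(r"P(\d+)D", rel.get("duration", ""))
    duration_days = int(m.group(1)) if m else None
    end = datetime.fromisoformat(rel["endDateTime"].replace("Z", "+00:00"))
    days_left = (end - now).days
    return {
        # Any role beyond the two defaults widens the partner's access.
        "unexpected_roles": sorted(granted - expected),
        "missing_roles": sorted(EXPECTED_ROLES[r] for r in expected - granted),
        "duration_ok": duration_days is not None
                       and duration_days <= MAX_DURATION_DAYS,
        "days_left": days_left,
        # Renewal is manual, so flag relationships close to expiry.
        "renew_soon": rel.get("status") == "active"
                      and 0 <= days_left <= warn_days,
        "expired": days_left < 0 or rel.get("status") == "expired",
    }

if __name__ == "__main__":
    print(audit_gdap(SAMPLE, datetime.now(timezone.utc)))
```

A non-empty `unexpected_roles` list means the relationship grants more than the two roles listed on this page and should be reviewed before it is accepted or renewed.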