With GDAP, you consent to the Neo app on behalf of your customers — no admin action needed in each tenant. Once connected, Neo operates in the tenant through app-only access, the same as Direct Consent for day-to-day automations. One difference today: resetting an admin’s password requires the optional Privileged Authentication Administrator grant (see Recommended roles) — ordinary-user resets work either way.
How it works
- Your MSP has an existing GDAP relationship with a customer tenant that includes a role able to grant app permissions and assign roles — Privileged Role Administrator, Global Administrator, or Partner Tier2 Support (included in Microsoft Lighthouse’s default relationships). Cloud Application Administrator alone is not enough
- In the Neo Dashboard, you configure which permission categories Neo should request (e.g., User Management, Security, Email) — see M365 Permissions
- You use your GDAP access to consent the Neo app in the customer tenant — no customer admin involvement needed
- Neo grants only the permissions matching your selected categories — nothing more
Prerequisites
Before connecting customer tenants via GDAP, ensure:- You have active GDAP relationships with your customer tenants in Partner Center. If you don’t have GDAP set up yet, follow Microsoft’s GDAP guide first.
- Your GDAP relationships include the right roles — Privileged Role Administrator (so Neo can provision; Global Administrator or Partner Tier2 Support work too, and Lighthouse default relationships already include Tier2) and Exchange Administrator, plus optionally Privileged Authentication Administrator. That’s the whole set — see Recommended roles for why it’s so short.
- You have admin access to your MSP’s partner tenant (the Entra ID tenant enrolled in CSP).
Recommended roles
Neo acts in each customer tenant app-only — through its own application, using the Microsoft Graph permissions you pick in your M365 permission profile. So the GDAP relationship only needs the roles Neo uses to set that up, plus the ones it assigns to its own app. Keep it minimal:Required
| Role | Why Neo needs it |
|---|---|
| Privileged Role Administrator | During setup, Neo uses it to grant its app the Graph permissions you selected and to assign the role(s) below. Global Administrator or the legacy Partner Tier2 Support role also works (Lighthouse default relationships include Tier2) — Cloud Application Administrator alone cannot grant Graph app roles. |
| Exchange Administrator | Neo assigns this to its own app so it can manage Exchange (shared mailboxes, forwarding, delegation) — app-only Exchange access requires the role assigned directly to the app. |
Optional
| Role | Enable it for |
|---|---|
| Privileged Authentication Administrator | Resetting admin passwords and MFA / revoking sessions for admin accounts. Ordinary-user resets don’t need it — leave it off unless you want Neo to act on privileged accounts. |
You don’t need to add User Administrator, License Administrator, Groups Administrator, Intune Administrator, or Conditional Access Administrator to the relationship. Neo does user, license, group, device, and Conditional Access work through the application permissions in your permission profile — granted to Neo’s app during setup — not through those directory roles. The roles above are the whole least-privilege setup.
Connecting customer tenants via GDAP
Setup lives under Integrations → GDAP in the Neo Dashboard, which walks you through it as a checklist. Work top to bottom:Connect GDAP
Click Connect and sign in with your Secure App Model service account. Check Consent on behalf of your organization (this needs a Global Administrator) so Neo can act through your GDAP relationships. If that box is missed, the checklist flags it — just Reconnect.
Grant the Partner Center permission
A Global Administrator grants Neo the Partner Center permission: use Copy consent link, open it as a Global Admin, approve, then Recheck. This lets Neo tell which of your customers are CSP-reachable.
Choose permission categories
Set the default permission categories Neo requests in each tenant (User Management, Security, Email, …) — see M365 Permissions. You can override them per company later.
Map customer tenants
Click Find tenants from GDAP to review the customer tenants Neo discovered from your relationships and apply the matches. This grows the pool of companies eligible to connect.
Disconnecting a company
Disconnecting removes Neo’s app from the customer tenant and revokes Neo’s access.Open the company in End Companies
Navigate to
https://dashboard.neoagent.io/end-companies and select the company.When a GDAP relationship lapses
A lapsed or expired GDAP relationship does not cut off Neo’s existing access — Neo keeps operating in already-connected tenants. A lapse only stops connecting new customers and adding permissions to connected ones. To fully remove Neo’s access from a tenant, disconnect the company while the relationship is still active.GDAP vs Direct Consent
| GDAP | Direct Consent | |
|---|---|---|
| Who consents | MSP admin, using GDAP access — no customer involvement | A tenant admin in each customer tenant |
| CSP enrollment required | Yes | No |
| Adding permissions later | Automatic — no customer action needed | Customer admin must re-approve |
| Best for | MSPs managing many tenants — onboard customers without waiting for their admin | Individual tenants, or non-CSP scenarios |
Troubleshooting
Consent fails for a customer tenant
Consent fails for a customer tenant
- Verify the GDAP relationship is Active in Partner Center
- Ensure your GDAP relationship includes a role that can grant app permissions and assign roles — Privileged Role Administrator, Global Administrator, or Partner Tier2 Support (Cloud Application Administrator alone is not enough)
- Check that the GDAP relationship hasn’t expired (maximum duration is 730 days)
Neo can't perform actions after GDAP consent
Neo can't perform actions after GDAP consent
- Verify the GDAP relationship includes the required operational roles (e.g., Exchange Administrator for mailbox operations)
- Check the company permissions in the Neo Dashboard — missing roles will show as unavailable operations
GDAP relationship expired
GDAP relationship expired
GDAP relationships have a maximum duration of 730 days. An expired relationship does not remove Neo’s existing access — connected tenants keep working — but it blocks connecting new customers and adding permissions. Create a new relationship in Partner Center with the same roles, then reconnect via the Neo Dashboard. To remove Neo’s access from a tenant entirely, disconnect the company.
