Skip to main content
GDAP (Granular Delegated Admin Privileges) lets MSPs consent to the Neo app across customer tenants centrally, without requiring an admin in each customer tenant to complete the consent flow manually.
With GDAP, you consent to the Neo app on behalf of your customers — no admin action needed in each tenant. Once connected, Neo operates in the tenant through app-only access, the same as Direct Consent for day-to-day automations. One difference today: resetting an admin’s password requires the optional Privileged Authentication Administrator grant (see Recommended roles) — ordinary-user resets work either way.

How it works

  1. Your MSP has an existing GDAP relationship with a customer tenant that includes a role able to grant app permissions and assign roles — Privileged Role Administrator, Global Administrator, or Partner Tier2 Support (included in Microsoft Lighthouse’s default relationships). Cloud Application Administrator alone is not enough
  2. In the Neo Dashboard, you configure which permission categories Neo should request (e.g., User Management, Security, Email) — see M365 Permissions
  3. You use your GDAP access to consent the Neo app in the customer tenant — no customer admin involvement needed
  4. Neo grants only the permissions matching your selected categories — nothing more

Prerequisites

Before connecting customer tenants via GDAP, ensure:
  1. You have active GDAP relationships with your customer tenants in Partner Center. If you don’t have GDAP set up yet, follow Microsoft’s GDAP guide first.
  2. Your GDAP relationships include the right rolesPrivileged Role Administrator (so Neo can provision; Global Administrator or Partner Tier2 Support work too, and Lighthouse default relationships already include Tier2) and Exchange Administrator, plus optionally Privileged Authentication Administrator. That’s the whole set — see Recommended roles for why it’s so short.
  3. You have admin access to your MSP’s partner tenant (the Entra ID tenant enrolled in CSP).

Neo acts in each customer tenant app-only — through its own application, using the Microsoft Graph permissions you pick in your M365 permission profile. So the GDAP relationship only needs the roles Neo uses to set that up, plus the ones it assigns to its own app. Keep it minimal:

Required

RoleWhy Neo needs it
Privileged Role AdministratorDuring setup, Neo uses it to grant its app the Graph permissions you selected and to assign the role(s) below. Global Administrator or the legacy Partner Tier2 Support role also works (Lighthouse default relationships include Tier2) — Cloud Application Administrator alone cannot grant Graph app roles.
Exchange AdministratorNeo assigns this to its own app so it can manage Exchange (shared mailboxes, forwarding, delegation) — app-only Exchange access requires the role assigned directly to the app.

Optional

RoleEnable it for
Privileged Authentication AdministratorResetting admin passwords and MFA / revoking sessions for admin accounts. Ordinary-user resets don’t need it — leave it off unless you want Neo to act on privileged accounts.
You don’t need to add User Administrator, License Administrator, Groups Administrator, Intune Administrator, or Conditional Access Administrator to the relationship. Neo does user, license, group, device, and Conditional Access work through the application permissions in your permission profile — granted to Neo’s app during setup — not through those directory roles. The roles above are the whole least-privilege setup.

Connecting customer tenants via GDAP

Setup lives under Integrations → GDAP in the Neo Dashboard, which walks you through it as a checklist. Work top to bottom:
1

Connect GDAP

Click Connect and sign in with your Secure App Model service account. Check Consent on behalf of your organization (this needs a Global Administrator) so Neo can act through your GDAP relationships. If that box is missed, the checklist flags it — just Reconnect.
2

Grant the Partner Center permission

A Global Administrator grants Neo the Partner Center permission: use Copy consent link, open it as a Global Admin, approve, then Recheck. This lets Neo tell which of your customers are CSP-reachable.
3

Choose permission categories

Set the default permission categories Neo requests in each tenant (User Management, Security, Email, …) — see M365 Permissions. You can override them per company later.
4

Map customer tenants

Click Find tenants from GDAP to review the customer tenants Neo discovered from your relationships and apply the matches. This grows the pool of companies eligible to connect.
5

Provision

Click Connect all eligible to provision every tenant-mapped company at once, or connect one at a time from End Companies (Connect via GDAP on a company). Watch live per-company progress in the provisioning-run panel.
Once a company is connected, its M365 Access shows “via GDAP”. To remove Neo’s access later, disconnect the company.

Disconnecting a company

Disconnecting removes Neo’s app from the customer tenant and revokes Neo’s access.
1

Open the company in End Companies

Navigate to https://dashboard.neoagent.io/end-companies and select the company.
2

Disconnect

Click Disconnect. Neo removes the Neo Azure Automations app from the customer tenant and marks the company as not connected.
Disconnecting needs an active GDAP relationship — that’s how Neo reaches the tenant to remove the app. If the relationship has lapsed, reconnect GDAP first and then disconnect, or have an admin remove the Neo Azure Automations app in the customer tenant manually.

When a GDAP relationship lapses

A lapsed or expired GDAP relationship does not cut off Neo’s existing access — Neo keeps operating in already-connected tenants. A lapse only stops connecting new customers and adding permissions to connected ones. To fully remove Neo’s access from a tenant, disconnect the company while the relationship is still active.
GDAPDirect Consent
Who consentsMSP admin, using GDAP access — no customer involvementA tenant admin in each customer tenant
CSP enrollment requiredYesNo
Adding permissions laterAutomatic — no customer action neededCustomer admin must re-approve
Best forMSPs managing many tenants — onboard customers without waiting for their adminIndividual tenants, or non-CSP scenarios

Troubleshooting

GDAP relationships have a maximum duration of 730 days. An expired relationship does not remove Neo’s existing access — connected tenants keep working — but it blocks connecting new customers and adding permissions. Create a new relationship in Partner Center with the same roles, then reconnect via the Neo Dashboard. To remove Neo’s access from a tenant entirely, disconnect the company.