> ## Documentation Index
> Fetch the complete documentation index at: https://docs.neoagent.io/llms.txt
> Use this file to discover all available pages before exploring further.

# GDAP

> Use GDAP to connect customer tenants to Neo without requiring each customer's admin

GDAP (Granular Delegated Admin Privileges) lets MSPs consent to the Neo app across customer tenants centrally, without requiring an admin in each customer tenant to complete the consent flow manually.

<Info>
  With GDAP, you consent to the Neo app on behalf of your customers — no admin action needed in each tenant. Once connected, Neo operates in the tenant through app-only access, the same as [Direct Consent](/integrations/m365/cloud) for day-to-day automations. One difference today: resetting an **admin's** password requires the optional **Privileged Authentication Administrator** grant (see [Recommended roles](#recommended-roles)) — ordinary-user resets work either way.
</Info>

***

## How it works

1. Your MSP has an existing **GDAP relationship** with a customer tenant that includes a role able to grant app permissions and assign roles — **Privileged Role Administrator**, **Global Administrator**, or **Partner Tier2 Support** (included in Microsoft Lighthouse's default relationships). Cloud Application Administrator alone is not enough
2. In the Neo Dashboard, you configure which **permission categories** Neo should request (e.g., User Management, Security, Email) — see [M365 Permissions](/integrations/m365/intro)
3. You use your GDAP access to **consent the Neo app** in the customer tenant — no customer admin involvement needed
4. Neo grants only the permissions matching your selected categories — nothing more

***

## Prerequisites

Before connecting customer tenants via GDAP, ensure:

1. **You have active GDAP relationships** with your customer tenants in [Partner Center](https://partner.microsoft.com/dashboard). If you don't have GDAP set up yet, follow [Microsoft's GDAP guide](https://learn.microsoft.com/en-us/partner-center/gdap-introduction) first.
2. **Your GDAP relationships include the right roles** — **Privileged Role Administrator** (so Neo can provision; **Global Administrator** or **Partner Tier2 Support** work too, and Lighthouse default relationships already include Tier2) and **Exchange Administrator**, plus optionally **Privileged Authentication Administrator**. That's the whole set — see [Recommended roles](#recommended-roles) for why it's so short.
3. **You have admin access to your MSP's partner tenant** (the Entra ID tenant enrolled in CSP).

***

## Recommended roles

Neo acts in each customer tenant **app-only** — through its own application, using the Microsoft Graph permissions you pick in your [M365 permission profile](/integrations/m365/intro). So the GDAP relationship only needs the roles Neo uses to **set that up**, plus the ones it **assigns to its own app**. Keep it minimal:

### Required

| Role                              | Why Neo needs it                                                                                                                                                                                                                                                                                                       |
| --------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Privileged Role Administrator** | During setup, Neo uses it to grant its app the Graph permissions you selected and to assign the role(s) below. **Global Administrator** or the legacy **Partner Tier2 Support** role also works (Lighthouse default relationships include Tier2) — Cloud Application Administrator alone cannot grant Graph app roles. |
| **Exchange Administrator**        | Neo assigns this to its own app so it can manage Exchange (shared mailboxes, forwarding, delegation) — app-only Exchange access requires the role assigned directly to the app.                                                                                                                                        |

### Optional

| Role                                        | Enable it for                                                                                                                                                                      |
| ------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Privileged Authentication Administrator** | Resetting **admin** passwords and MFA / revoking sessions for admin accounts. Ordinary-user resets don't need it — leave it off unless you want Neo to act on privileged accounts. |

<Note>
  You don't need to add **User Administrator**, **License Administrator**, **Groups Administrator**, **Intune Administrator**, or **Conditional Access Administrator** to the relationship. Neo does user, license, group, device, and Conditional Access work through the **application permissions** in your permission profile — granted to Neo's app during setup — not through those directory roles. The roles above are the whole least-privilege setup.
</Note>

***

## Connecting customer tenants via GDAP

Setup lives under **Integrations → GDAP** in the Neo Dashboard, which walks you through it as a checklist. Work top to bottom:

<Steps>
  <Step title="Connect GDAP">
    Click **Connect** and sign in with your Secure App Model service account. Check **Consent on behalf of your organization** (this needs a Global Administrator) so Neo can act through your GDAP relationships. If that box is missed, the checklist flags it — just **Reconnect**.
  </Step>

  <Step title="Grant the Partner Center permission">
    A **Global Administrator** grants Neo the Partner Center permission: use **Copy consent link**, open it as a Global Admin, approve, then **Recheck**. This lets Neo tell which of your customers are CSP-reachable.
  </Step>

  <Step title="Choose permission categories">
    Set the **default permission categories** Neo requests in each tenant (User Management, Security, Email, …) — see [M365 Permissions](/integrations/m365/intro). You can override them per company later.
  </Step>

  <Step title="Map customer tenants">
    Click **Find tenants from GDAP** to review the customer tenants Neo discovered from your relationships and apply the matches. This grows the pool of companies eligible to connect.
  </Step>

  <Step title="Provision">
    Click **Connect all eligible** to provision every tenant-mapped company at once, or connect one at a time from **End Companies** (**Connect via GDAP** on a company). Watch live per-company progress in the provisioning-run panel.
  </Step>
</Steps>

Once a company is connected, its **M365 Access** shows "via GDAP". To remove Neo's access later, [disconnect the company](#disconnecting-a-company).

***

## Disconnecting a company

Disconnecting removes Neo's app from the customer tenant and revokes Neo's access.

<Steps>
  <Step title="Open the company in End Companies">
    Navigate to `https://dashboard.neoagent.io/end-companies` and select the company.
  </Step>

  <Step title="Disconnect">
    Click **Disconnect**. Neo removes the **Neo Azure Automations** app from the customer tenant and marks the company as not connected.
  </Step>
</Steps>

Disconnecting needs an **active** GDAP relationship — that's how Neo reaches the tenant to remove the app. If the relationship has lapsed, reconnect GDAP first and then disconnect, or have an admin remove the **Neo Azure Automations** app in the customer tenant manually.

***

## When a GDAP relationship lapses

A lapsed or expired GDAP relationship does **not** cut off Neo's existing access — Neo keeps operating in already-connected tenants. A lapse only stops **connecting new customers** and **adding permissions** to connected ones. To fully remove Neo's access from a tenant, [disconnect the company](#disconnecting-a-company) while the relationship is still active.

***

## GDAP vs Direct Consent

|                              | GDAP                                                                           | [Direct Consent](/integrations/m365/cloud) |
| ---------------------------- | ------------------------------------------------------------------------------ | ------------------------------------------ |
| **Who consents**             | MSP admin, using GDAP access — no customer involvement                         | A tenant admin in each customer tenant     |
| **CSP enrollment required**  | Yes                                                                            | No                                         |
| **Adding permissions later** | Automatic — no customer action needed                                          | Customer admin must re-approve             |
| **Best for**                 | MSPs managing many tenants — onboard customers without waiting for their admin | Individual tenants, or non-CSP scenarios   |

***

## Troubleshooting

<AccordionGroup>
  <Accordion title="Consent fails for a customer tenant">
    * Verify the GDAP relationship is **Active** in Partner Center
    * Ensure your GDAP relationship includes a role that can grant app permissions and assign roles — **Privileged Role Administrator**, **Global Administrator**, or **Partner Tier2 Support** (Cloud Application Administrator alone is not enough)
    * Check that the GDAP relationship hasn't expired (maximum duration is 730 days)
  </Accordion>

  <Accordion title="Neo can't perform actions after GDAP consent">
    * Verify the GDAP relationship includes the required operational roles (e.g., Exchange Administrator for mailbox operations)
    * Check the company permissions in the Neo Dashboard — missing roles will show as unavailable operations
  </Accordion>

  <Accordion title="GDAP relationship expired">
    GDAP relationships have a maximum duration of 730 days. An expired relationship does **not** remove Neo's existing access — connected tenants keep working — but it blocks connecting new customers and adding permissions. Create a new relationship in Partner Center with the same roles, then reconnect via the Neo Dashboard. To remove Neo's access from a tenant entirely, [disconnect the company](#disconnecting-a-company).
  </Accordion>
</AccordionGroup>
