New GDAP Relationship [RULE-1139]
This rule detects when a new Granular Delegated Admin Privileges (GDAP) relationship is established between your Microsoft 365 tenant and an external organization. GDAP relationships grant an external partner organization specific administrative roles within your environment.
Rationale
GDAP relationships are the mechanism through which Microsoft Cloud Solution Providers (CSPs) and managed service providers obtain administrative access to customer tenants. While these relationships are commonly used for legitimate IT management purposes, they are also a known attack vector exploited by threat actors.
In recent years, attackers who gain access to a tenant -- often through compromised credentials or adversary-in-the-middle (AiTM) phishing -- have been observed creating rogue GDAP relationships to establish persistent, stealthy access. Because GDAP relationships grant privileged roles (such as Global Administrator, Exchange Administrator, or Security Administrator) to an external tenant, a malicious GDAP relationship can give an attacker full control over your environment while appearing as a legitimate partner relationship. This technique aligns with MITRE ATT&CK T1098 (Account Manipulation) and T1078 (Valid Accounts).
Monitoring for new GDAP relationships is critical because these relationships may go unnoticed by standard user-level monitoring. An unauthorized GDAP relationship effectively provides a backdoor that persists even after compromised user accounts are remediated.
Follow-up
Follow these steps to adequately address this detection:
- Verify whether the new GDAP relationship was intentionally created by an authorized administrator. Check with the IT department or management whether a new partner relationship was expected.
- If no: The GDAP relationship was not authorized and may be the result of a compromise:
  - Immediately terminate the GDAP relationship via the Microsoft 365 admin center under Settings > Partner Relationships.
  - Review the audit logs to identify which account created the relationship and investigate whether that account has been compromised.
  - Reset credentials and revoke sessions for any accounts involved in creating the unauthorized relationship.
  - Contact the Attic IR team for further investigation to determine the scope of the compromise. An IR Credit Pack is required for this service.
- If yes: The GDAP relationship was intentionally created:
  - Verify that the assigned roles follow the principle of least privilege. Ensure the external organization has not been granted more permissions than necessary.
  - If the roles and partner organization are acceptable: close the incident.
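The follow-up branches above (unauthorized partner, authorized partner with over-broad roles, authorized partner with acceptable roles) can be encoded as a triage step that runs before an analyst looks at the alert. The script below is an added example and is not part of the rule page or of any Microsoft tooling. Its record shape is modeled on the Microsoft Graph `delegatedAdminRelationship` resource (`displayName`, `duration`, `status`, `accessDetails.unifiedRoles[].roleDefinitionId`); the `partnerTenantId` field, the sample records, the approved-partner list, the tenant IDs and the 180-day duration threshold are all constructed for illustration. The three role template IDs are Microsoft's published Entra ID built-in role IDs for the roles the rationale names; confirm them against your tenant's role definitions before relying on them.

```python
"""Triage helper for RULE-1139 alerts (added example, not the rule's own code).

Maps a GDAP relationship record to one of the follow-up branches in the rule:
  terminate     - partner tenant is not on the approved list (the "if no" branch)
  review_roles  - approved partner, but privileged roles or an unusually long
                  duration were granted (the "if yes" least-privilege check)
  close         - approved partner, nothing out of the ordinary
"""
import re
from dataclasses import dataclass, field

# Entra ID built-in role template IDs for the roles the rule rationale calls out.
# These are Microsoft's published template IDs; verify them against
# GET /roleManagement/directory/roleDefinitions in your own tenant.
PRIVILEGED_ROLE_IDS = {
    "62e90394-69f5-4237-9190-012177145e10": "Global Administrator",
    "29232cdf-9323-42fd-ade2-1d097af3e4de": "Exchange Administrator",
    "194ae4cb-b126-40b2-bd5b-6091b380977d": "Security Administrator",
}

# Constructed policy threshold: GDAP durations longer than this are flagged for review.
MAX_EXPECTED_DAYS = 180
ISO_DAYS = re.compile(r"^P(\d+)D$")  # Graph expresses duration as ISO 8601, e.g. "P730D"


@dataclass
class Verdict:
    action: str                                   # "terminate", "review_roles" or "close"
    reasons: list = field(default_factory=list)
    privileged_roles: list = field(default_factory=list)


def duration_days(duration):
    """Return the day count of a 'PnD' duration, or None if it is not in that form."""
    m = ISO_DAYS.match(duration or "")
    return int(m.group(1)) if m else None


def triage_gdap_relationship(record, approved_partner_tenants):
    """Decide which follow-up branch a single GDAP relationship record falls into."""
    partner = record.get("partnerTenantId")          # constructed field, not a Graph property
    roles = record.get("accessDetails", {}).get("unifiedRoles", [])
    privileged = [PRIVILEGED_ROLE_IDS[r["roleDefinitionId"]]
                  for r in roles if r.get("roleDefinitionId") in PRIVILEGED_ROLE_IDS]

    # "If no": the partner was never approved, so the relationship must be terminated.
    if partner not in approved_partner_tenants:
        return Verdict("terminate",
                       [f"partner tenant {partner} is not on the approved partner list"],
                       privileged)

    # "If yes": check the assigned roles and duration against least privilege.
    reasons = []
    if privileged:
        reasons.append("privileged roles granted: " + ", ".join(privileged))
    days = duration_days(record.get("duration"))
    if days is None or days > MAX_EXPECTED_DAYS:
        reasons.append(f"duration {record.get('duration')!r} exceeds "
                       f"{MAX_EXPECTED_DAYS} days or could not be parsed")
    if reasons:
        return Verdict("review_roles", reasons, privileged)
    return Verdict("close", ["approved partner, no privileged roles, duration within policy"])


# Constructed sample data: one tenant the IT department confirmed as an expected partner.
APPROVED_PARTNERS = {"11111111-1111-1111-1111-111111111111"}

SAMPLE_RELATIONSHIPS = [
    {   # rogue relationship to an unknown tenant, requesting Global Administrator
        "displayName": "Support access", "status": "active", "duration": "P730D",
        "partnerTenantId": "99999999-9999-9999-9999-999999999999",
        "accessDetails": {"unifiedRoles": [{"roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10"}]},
    },
    {   # approved partner, but granted Exchange Administrator for the maximum duration
        "displayName": "MSP mail management", "status": "active", "duration": "P730D",
        "partnerTenantId": "11111111-1111-1111-1111-111111111111",
        "accessDetails": {"unifiedRoles": [{"roleDefinitionId": "29232cdf-9323-42fd-ade2-1d097af3e4de"}]},
    },
    {   # approved partner, a non-privileged role (placeholder ID) for 90 days
        "displayName": "MSP helpdesk", "status": "active", "duration": "P90D",
        "partnerTenantId": "11111111-1111-1111-1111-111111111111",
        "accessDetails": {"unifiedRoles": [{"roleDefinitionId": "00000000-0000-0000-0000-000000000001"}]},
    },
]


def run_triage():
    """Triage every sample record; returns the list of verdicts in input order."""
    return [triage_gdap_relationship(r, APPROVED_PARTNERS) for r in SAMPLE_RELATIONSHIPS]


if __name__ == "__main__":
    for rec, verdict in zip(SAMPLE_RELATIONSHIPS, run_triage()):
        print(f"{rec['displayName']!r}: {verdict.action} - {'; '.join(verdict.reasons)}")
```

In a real deployment the approved-partner set would come from a maintained allow-list, and the record would be built from the audit log event that fired the rule; the "terminate" verdict still requires a human to perform the removal in the admin center, the script only decides which branch of the follow-up applies.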