Microsoft fumbles zero trust upgrade for some Asian customers

Enhanced access privileges for partners choke on double-byte characters, contribute to global delays

Microsoft has messed up a zero trust upgrade its service provider partners have been asked to implement for customers.

The software giant has long given its partners delegated admin privileges (DAP) that allow them to administer customers' services or subscriptions on their behalf. Customers authorize DAP before partners can exercise privileges, and the service provider proceeds to provide service.

DAP is not new. But in recent years Microsoft has noticed that IT services providers have become a target for cyber criminals who realized that cracking a single IT consultancy could let them reach all of its clients.

So in 2022 Microsoft upgraded DAP to granular delegated admin privileges (GDAP) which, as the name implies, offers finer controls – so that if an attacker gains access to a partner's accounts the impact will be less horrible.

GDAP is a bit scary though. To enable it, partners can create new entities in clients' Active Directory, without the client's approval or even knowledge.

The rollout of GDAP has not gone brilliantly: Redmond has been slow to introduce tools that ease the chore, and extended some deadlines.

And on Thursday the software leviathan teased further extensions to deadlines for moving from DAP to GDAP.

One of the reasons is that if a customer tenant name includes a double-byte character, GDAP simply won't work.

Double-byte characters are most often found in scripts used for Japanese, Korean, simplified Chinese and traditional Chinese.

Well played for messing that up, Microsoft. Feel free to join the cultural sensitivity to Asia club most recently inhabited by whoever cast Scarlett Johansson in Ghost In The Shell.

The other reason for GDAP-related delays is that Microsoft partners "have requested default Azure Active Directory (Azure AD) roles when creating a new customer tenant." That’s not doable at present, so the boffins are busy designing the feature.

While it sorts out those messes, the software giant has advised it will soon set new deadlines for the following tasks:

  • Stop new DAPs – DAP is currently granted when a new customer tenant is created. Microsoft will no longer grant DAP for new customer creation.
  • Transition inactive DAPs – Microsoft will start transitioning DAP relationships that haven't been used in 90 or more days to GDAP with limited Azure AD roles. To review which relationships are inactive, use the DAP monitoring report.
  • Transition active DAPs – Microsoft will begin transitioning active DAP relationships to GDAP with limited Azure AD roles.

Another imminent offering is a bulk DAP removal tool that will debut on February 15, 2023.

Microsoft's also teased a change coming in late January that will make it easier to appoint a security contact for Azure users, and have fraud reports routed to them instead of just to Azure admins. The software giant has also foreshadowed the retirement of the Legacy Exchange Online Public Client ID – aka the ExO PowerShell public client – on March 31, 2023.

It "recommends that partners review any code or automation to locate any use of the legacy public client ID" before the retirement breaks things. The tool's app ID is "a0c73c16-a7e3-4564-9a95-2bdf47383716" in case that helps to find it. ®
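One way to carry out that review, as an added example that is neither Microsoft's nor the article's code: a Python scanner that flags any line in a partner's automation files that references the legacy client ID quoted above, whatever GUID spelling was used (case, hyphens, braces). The file-suffix list and the sample script are assumptions.

```python
import re
from pathlib import Path
from typing import NamedTuple

# Legacy ExO PowerShell public client ID named in the article.
LEGACY_EXO_CLIENT_ID = "a0c73c16-a7e3-4564-9a95-2bdf47383716"

# Any GUID-shaped token: optional braces, optional hyphens, either case.
_GUID_RE = re.compile(
    r"\{?[0-9a-fA-F]{8}-?[0-9a-fA-F]{4}-?[0-9a-fA-F]{4}-?"
    r"[0-9a-fA-F]{4}-?[0-9a-fA-F]{12}\}?"
)

def normalize_guid(guid: str) -> str:
    """Reduce any GUID spelling to 32 lowercase hex digits."""
    return re.sub(r"[{}-]", "", guid).lower()

class Finding(NamedTuple):
    path: str
    line_no: int
    line: str

def scan_text(text: str, path: str = "<memory>") -> list[Finding]:
    """Return every line of text that references the legacy client ID,
    however the GUID is spelled (case, hyphens, braces)."""
    target = normalize_guid(LEGACY_EXO_CLIENT_ID)
    return [
        Finding(path, n, line.strip())
        for n, line in enumerate(text.splitlines(), start=1)
        if any(normalize_guid(m) == target for m in _GUID_RE.findall(line))
    ]

def scan_tree(root: str, suffixes=(".ps1", ".psm1", ".py", ".json", ".yml")) -> list[Finding]:
    """Walk a directory of automation files (assumed suffixes) and scan each."""
    findings: list[Finding] = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in suffixes:
            findings.extend(scan_text(p.read_text(errors="replace"), str(p)))
    return findings

# Constructed sample of a partner script (not a real file): the legacy ID
# appears in four spellings; $Other is an unrelated GUID and must not match.
SAMPLE_SCRIPT = """\
$ClientId = 'a0c73c16-a7e3-4564-9a95-2bdf47383716'
$Upper    = 'A0C73C16-A7E3-4564-9A95-2BDF47383716'
$Braced   = '{a0c73c16-a7e3-4564-9a95-2bdf47383716}'
$Other    = '11111111-2222-3333-4444-555555555555'
$Compact  = 'a0c73c16a7e345649a952bdf47383716'
"""
```

Run `scan_tree` over a checkout of your scripts to get a file:line list of everything that still pins the retiring client ID.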