Somewhat counterintuitively, this is being done to improve security
Microsoft has created a window of time in which its partners can – without permission – create new roles for themselves in customers' Active Directory implementations.

To begin, remember that criminals have figured out that attacking IT service providers offers a great way to find many other targets. Evidence of that approach can be found in attacks on ConnectWise, SolarWinds, Kaseya and other vendors that provide software to IT service providers.

Today, GDAP "allows the partner to request and the customer to approve specific Azure Active Directory roles, allowing the partner to perform admin activities on behalf of the customer."

Starting July 25, Microsoft will provide a tool that allows partners with existing delegated admin privileges relationships to create a GDAP relationship with Azure AD roles – without customer consent.