Improved APIs and Future Changes at Attic

Microsoft recently implemented several improvements to the APIs that provide us with access to your tenant.

GDAP

Currently, Attic utilizes DAP (Delegated Admin Privileges) to access your environment. Microsoft has recently introduced an enhanced version called GDAP (Granular Delegated Admin Privileges). This new version offers more precise control over assigned permissions, and access will no longer be indefinite but will have an expiration date.

In the coming days, we will be transitioning the DAP connection to GDAP. You don’t need to take any action yourself. Over the next few months, the DAP connection will be phased out. Although Microsoft hasn’t announced a specific date, it is expected to happen this summer.

The GDAP connection will automatically be revoked after 2 years. We will request your reauthorization before that time. Initially, Attic will have the same rights as with DAP. However, in the future, we will restrict these rights to adhere to the principle of least privilege.

Exchange Online

Currently, Attic uses Remote PowerShell to check settings in Exchange. Microsoft is phasing out this method and has already disabled it for some tenants.

We have developed a new module that establishes connections in a more modern way and no longer requires Remote PowerShell. We will roll out this module in the coming days.

This change provides the opportunity to operate solely based on app consent in the future. As a result, Attic may even function without the GDAP connection, and we can offer a mostly read-only version for customers who prefer to have only checks performed.