If you have a CSP, MSSP, reseller or any other 3rd party that has access to your environment(s) and GDAP isn’t implemented, it’s likely they have the Global Administrator role by default. If your provider hasn’t contacted you about GDAP and/or implemented it already, you’d be right to question what else they haven’t done for you!?