Please note that this article is a work in progress and may change continuously as Microsoft updates GDAP protocols. Click here for more info from Microsoft.
Check back regularly for the latest updates to CloudRadial's GDAP instructions.
In the near future, Microsoft's DAP (Delegated Admin Privileges) for client tenants will be deprecated. GDAP (Granular Delegated Admin Privileges) will become the new gold standard. This will be the new way that Microsoft Partners will be required to request consent to access their customers' accounts, as well as any third-party applications.
Applications such as CloudRadial will no longer be able to use the AdminAgents group with the proper permissions inside their own partner tenant in Microsoft. Previously, having the application as a member of this group, which the PowerShell script set up, was all that was needed for the application to have the proper permissions to connect to your customers' tenants through DAP. With GDAP, this will no longer work.
Granting Admin Application Consent
You'll now need to provide Admin Application Consent in order to connect customer tenants with their Microsoft 365.
To get ahead of the change for a current customer who is connected through DAP, follow these steps:
- Navigate to Partner > Clients
- Click Delegated under the 365 Status of the customer (you can also click the Client > Microsoft 365 tab)
- Uncheck the box marked Delegated Administrator
IMPORTANT! You must uncheck this box or this will not work.
- You will be prompted to log in using the Global Administrator account from your customer's tenant in Microsoft 365
!!!DO NOT USE YOUR OWN GLOBAL ADMIN ACCOUNT!!!
- First, select Administrative Access Application, which allows that company's Office 365 data to flow into CloudRadial
- Second, select User Login Access Application, which allows users to use their Office 365 credentials to log into CloudRadial
Once complete, you will need to run a sync and the client will be set up. Repeat these steps for any client that you don't have delegated access to. If successful, it should look like the image below:
- Note: It will show Unauthorized until a successful sync has occurred.
If you are simply adding a new company, use the steps below:
- Navigate to Partner > Clients
- Click +Add at the top right
- Fill out all the relevant information but leave Microsoft 365 Tenant Identifier blank
- Click Submit
- Select the Client company > Microsoft 365 tab
- You will see the options to tie your client's tenant to CloudRadial from here using the Global Administrator account from your customer's tenant in Microsoft 365
- Under the Details tab, click Sync
Confirm Setup in Microsoft 365
Once you have tied in the proper access in CloudRadial, you will want to confirm the appropriate access from within Microsoft 365 to ensure no interruptions occur.
- Log in to the customer's tenant at https://portal.azure.com/
- Go to Azure Active Directory
- Click Enterprise Applications
- Check for these two permissions:
  - CloudRadial (User Logins)
  - CloudRadial (Admins)
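The same confirmation can be scripted and repeated per customer tenant. The following is an added example, not CloudRadial's or Microsoft's own script: it assumes the Microsoft.Graph PowerShell SDK is installed, that you sign in with an account from the customer's tenant, and that the enterprise applications carry exactly the two display names listed above; the file name `Confirm-CloudRadialApps.ps1` and the `$TenantId` parameter are hypothetical.

```powershell
# Confirm-CloudRadialApps.ps1 (hypothetical name) - added example, not vendor code.
# Lists the two CloudRadial enterprise applications in one customer tenant and
# the permissions that were consented to them.
param(
    [Parameter(Mandatory)] [string] $TenantId   # customer tenant ID or domain, supplied by you
)

# Display names as listed in this article (assumed to match the tenant exactly)
$expected = 'CloudRadial (User Logins)', 'CloudRadial (Admins)'

# Read-only scopes: service principals, app role assignments, delegated grants
Connect-MgGraph -TenantId $TenantId -Scopes 'Application.Read.All', 'Directory.Read.All'

$report = foreach ($name in $expected) {
    $sps = @(Get-MgServicePrincipal -Filter "displayName eq '$name'" -All)
    if ($sps.Count -eq 0) {
        # Application was never consented in this tenant
        [pscustomobject]@{ Application = $name; Present = $false; Enabled = $null
                           Delegated = $null; AppRoleCount = $null; AppRoleResources = $null }
        continue
    }
    foreach ($sp in $sps) {
        # Delegated permissions; ConsentType 'AllPrincipals' means admin consent for all users
        $grants = @(Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All)
        # Application permissions (app roles) granted to the service principal
        $roles  = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All)

        [pscustomobject]@{
            Application      = $sp.DisplayName
            Present          = $true
            Enabled          = $sp.AccountEnabled
            Delegated        = ($grants | ForEach-Object { "$($_.ConsentType): $("$($_.Scope)".Trim())" }) -join '; '
            AppRoleCount     = $roles.Count
            AppRoleResources = ($roles.ResourceDisplayName | Sort-Object -Unique) -join ', '
        }
    }
}

$report | Format-List

if ($report.Present -contains $false) {
    Write-Warning "One or both CloudRadial applications are missing in tenant $TenantId."
}

Disconnect-MgGraph | Out-Null
```

Reviewing the `Delegated` and `AppRoleResources` columns shows what each application was actually granted, which the Enterprise Applications list alone does not.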
The data from Microsoft will now be flowing into the relevant areas of CloudRadial. Users will now also be able to log into CloudRadial using their Microsoft 365 credentials. Setup is complete. Simply repeat the ID entry steps for any existing clients or for new clients added to the portal.