Cloud services setup FAQs - PREVIEW ONLY

Cloud services setup is N-able’s onboarding service to the Microsoft Cloud. Cloud services setup is necessary to establish a trusted relationship between the application and the Microsoft cloud, so the application can read and act on the cloud data.

To access the Cloud services setup, go to Administration > Cloud Commander Setup in the left-hand navigation menu.

When you try to access Azure Resource Manager for the first time, you are directed to Cloud services setup.

  • If you are a Microsoft Partner and want to onboard CSP customers, you need a Microsoft service account with a Global Admin role. N-able uses the service account with least privileged access in all customer tenants to connect to the Microsoft Partner Center.

  • You don’t need a service account to onboard individual customers or if you are not an MS Partner. Non-CSP onboarding is not yet available.

There are three steps to Onboard CSP customers - PREVIEW ONLY:

  1. Onboard your MSP organization: Authentication at MSP level, to register the application. As a MS Partner onboarding CSP customers, authenticate using your Microsoft service account credentials with a Global Admin role. You are asked to review and approve the application’s requested permissions. You don’t need to consent on behalf of your organization. At the end of the authentication, the Microsoft-verified N-able application is registered under the MSP tenant with the granted permissions and it displays in the partner center under Enterprise Applications.
  2. Onboard customers: May Microsoft customers (Azure tenants) to MSP customers/sites. During this, the onboarding service issues a GDAP relationship request which must be forwarded to an admin at the customer side to accept. Without approval by the customer, the relationship cannot be finalized, so the application cannot start ingesting data from the cloud. This step is the same for non-CSP customers as well.
  3. Manage GDAP flow: The UI shows the status of the integration and indicates whether further action is needed. Most notable example is when the approval request needs to be copied and sent to the customer.

No, the onboarding workflow enables you to map multiple CSP customers at once. To add or remove customers, you can rerun the service and change as needed.

There are no configuration steps outside of the onboarding workflow. However, the following actions are required to complete the creation of the GDAP relationships up to the Approved state. These actions are:

  • Copy and send the approval request via email to an admin of the end customer
  • The admin for the end customer must approve the request before Azure Resource Manager can ingest data from the cloud. For end customer approval instructions, see the Microsoft documentation.

For more information, see Onboard CSP customers - PREVIEW ONLY.

Mandated by Microsoft, the integration status flow is the state transition of a GDAP relationship as you move through its creation and approval process.

Integration status descriptions

We track and display the status of the GDAP relationship workflow between the Microsoft tenant and your N-able customer.

Status Description Action
Not configured GDAP relationship not established

This status occurs when:

  • Initial status — GDAP relationship not yet defined or attempted
  • Offboarded customer — You have unmapped the customer

 If you want to onboard the customer, select your N-able customer and site that maps to the Microsoft tenant
Needs approval Customer mapping is selected but the GDAP relationship is not yet customer approved When prompted, click the Copy approval link to send to your customer
In-progress Transitional state No action required, but you can refresh the page to get an updated status
Finalize GDAP relationship is approved by the customer When prompted, click the Finalize approval link
Approved GDAP relationship is properly established. Azure Resource Manager can now ingest data from the cloud. No action required
Error GDAP relationship reports an error Resolve the issue causing the error, then use the Reset Approval link to try the customer mapping process again
Pending relationship Customer mapping exists in N-able but the GDAP relationship is terminated in Microsoft Offboard the customer (unmap) and onboard them again
Ignored Customer mapping existed but is now removed No action required
Issues found GDAP relationship cannot be created or can be created with but without all the required access permissions When prompted, click the Accept relationship link and then choose one:
  1. Revalidate — if you think you have resolved the issue and want to retry
  2. Accept — proceed despite the limitations
Approval with limitations Status applied when you accept the GDAP relationship after it had a previous status of Issues found No action required

After you finalize the approval, the status of the integration is marked as Approved and the application starts ingesting data from the cloud. For more information, see Onboard CSP customers - PREVIEW ONLY.

Yes. For information and instructions, see Offboard your MSP - PREVIEW ONLY

This scenario is currently not supported but will be. The onboarding service will be the same. Authentication as MSP is not a required step, authentication with the customer’s credentials is necessary, to create and configure the GDAP relationship in the same way. Non-CSP customers must be onboarded one by one.

Yes, re-run the Onboard CSP customers - PREVIEW ONLY to map additional customers either CSP or non-CSP.

Yes, if customers have been onboarded, you can Offboard CSP customers - PREVIEW ONLY. The integration status changes to Not configured. The Microsoft customer’s data is deleted from the application and the application can no longer act on the customer’s tenant.

With De-authenticate, we delete the Microsoft customer’s data from the application. We do not delete the service principal or the GDAP relationship from the customer’s tenant, but you can do that manually.

Yes, the application can be removed from the customer's Enterprise Applications in the Azure portal. The GDAP relationship can be terminated it two ways:

Reauthenticate your MSP - PREVIEW ONLY renews the partner's Microsoft service account credentials to ensure they are up to date. You may need to re-authenticate if certain changes have occurred. For example, you may need to re-authenticate if your credentials change, there are multi-factor authentication (MFA) changes, or the account hasn't used for 90 days.

GDAP relationships are created with an expiration of 730 days, which is the maximum time allowed by Microsoft. Microsoft does not support extension of GDAP relationships to ensure your end customers are actively aware that you have on-going access to their tenant.

If a GDAP relationship expires, its integration status changes to Not configured, and you must request a new GDAP relationship by onboarding that customer again and repeating the approval process.

To review and track your customers' integration status to look for expired, Not configured, mappings, go to .

This transition is not currently supported.

  • It is an end-to-end workflow
  • The registered application is verified as authentic by Microsoft
  • It uses the GDAP framework to establish relationships
  • It tracks the integration status of the tenants
  • Assigns least-privileged access following zero-trust cyber security protocol
  • It does not require additional manual configuration in the MS tenant
  • For Microsoft Partners with a reseller (CSP) account, it allows onboarding all CSP customers at once
  • In the future it will support non-CSP tenant onboarding