Cloud Commander acquired permissions

Permissions acquired in the MSP partner tenant

During application registration in your MSP partner tenant, we acquire the following permissions and roles. For more information about each of the Microsoft Entra ID roles, see All roles | Microsoft Learn.

Permission                                          | Microsoft Entra ID role     | Partner Center role
----------------------------------------------------|-----------------------------|--------------------
Access Partner Center                               | Global administrator        |
Manage delegated admin relationships with customers |                             | Admin agent
Read and write all groups                           | Global administrator        |
Read and write group memberships                    | Global administrator        |
Read directory data                                 | Directory Reader            |
Sign me in and read my profile                      | User Administrator          |
Access the directory as me                          | Directory Reader            |
Read and write all users' authentication methods    | Authentication Administrator|
Read and write all users' full profiles             | User Administrator          |
Read organization information                       | Global Reader               |
Read domains                                        | Domain Name Administrator   |
Maintain access to data I have given access to      | User Administrator          |

Permissions acquired in the customer's tenant through GDAP

In the customer tenant, Cloud Commander requires access to both Microsoft 365 and Azure services. This access is granted via Granular Delegated Admin Privileges (GDAP), which scopes the partner's access to specific, customer-approved Microsoft Entra ID roles and so avoids the risks of broad admin access. For Microsoft 365, the required roles are included in the GDAP relationship. For Azure, the CSP's privileged admin rights acquired through the default Admin On Behalf Of (AOBO) model are used.

Microsoft 365

When you onboard customer tenants in Cloud Commander, we acquire customer approval for the following permissions and Microsoft Entra ID roles. For more information about each of the Microsoft Entra ID roles, see All roles | Microsoft Learn.

Permission                                                     | Microsoft Entra ID role
---------------------------------------------------------------|-------------------------------------------
Create and manage enterprise apps                              | Application administrator
Access authentication methods                                  | Authentication administrator
Manage MFA and password policies                               | Authentication policy administrator
Manage Azure information protection                            | Azure information protection administrator
Manage application registrations                               | Cloud application administrator
Manage Entra ID devices                                        | Cloud device administrator
Manage compliance configurations in Entra ID and M365          | Compliance administrator
Manage CA policies                                             | Conditional access administrator
Read directory data                                            | Directory readers
Read/write directory data                                      | Directory writers
Read domains                                                   | Domain name administrator
Read and manage Exchange                                       | Exchange administrator
Manage groups and their settings                               | Groups administrator
Invite guest users                                             | Guest inviter
Manage AD users and their configuration and sync with Entra ID | Hybrid identity administrator
Manage Intune enrolled devices                                 | Intune administrator
Manage product licenses                                        | License administrator
Reset passwords                                                | Password administrator
Manage user's authentication methods and MFA                   | Privileged authentication administrator
Manage role assignments and PIM                                | Privileged role administrator
Manage security configurations in Entra ID and M365            | Security administrator
Manage the SharePoint service                                  | SharePoint administrator
Manage the Teams service                                       | Teams administrator
Read usage report data                                         | Usage summary reports reader
Manage users                                                   | User administrator
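When a customer approves this GDAP relationship, the roles it actually contains should match the list above; anything beyond it, and any high-privilege role, deserves explicit sign-off. The following script is an added example (not part of Cloud Commander or this page) that audits a relationship in the Microsoft Graph delegatedAdminRelationship shape against the documented role set. The role-template map is assumed: it holds only a few well-known Entra IDs and should be populated from your own tenant's role templates; the sample relationship is constructed.

```python
"""Audit a GDAP relationship against the roles documented for Cloud Commander."""
import json

# Microsoft 365 roles documented for the GDAP relationship (compared case-insensitively).
DOCUMENTED_ROLES = {r.casefold() for r in [
    "Application administrator", "Authentication administrator",
    "Authentication policy administrator", "Azure information protection administrator",
    "Cloud application administrator", "Cloud device administrator",
    "Compliance administrator", "Conditional access administrator",
    "Directory readers", "Directory writers", "Domain name administrator",
    "Exchange administrator", "Groups administrator", "Guest inviter",
    "Hybrid identity administrator", "Intune administrator", "License administrator",
    "Password administrator", "Privileged authentication administrator",
    "Privileged role administrator", "Security administrator",
    "SharePoint administrator", "Teams administrator",
    "Usage summary reports reader", "User administrator",
]}
# Roles that should always get explicit sign-off, documented or not.
HIGH_PRIVILEGE = {"global administrator", "privileged role administrator",
                  "privileged authentication administrator"}
# Entra role template IDs -> display names. Assumption: a small subset of the
# well-known IDs; populate the full map from your tenant's role templates.
ROLE_TEMPLATE_NAMES = {
    "62e90394-69f5-4237-9190-012177145e10": "Global Administrator",
    "88d8e3e3-8f55-4a1e-953a-9b9898b8876b": "Directory Readers",
    "e8611ab8-c189-46e8-94e1-60213ab1f814": "Privileged Role Administrator",
    "fe930be7-5e62-47db-91af-98c3a49a38b1": "User Administrator",
}

def audit_relationship(rel: dict, names: dict = ROLE_TEMPLATE_NAMES) -> dict:
    """Report roles not covered by the documented list, high-privilege roles
    present, and whether the relationship is currently active. Unknown
    template IDs are reported as-is so they are never silently accepted."""
    roles = {names.get(r["roleDefinitionId"], r["roleDefinitionId"]).casefold()
             for r in rel["accessDetails"]["unifiedRoles"]}
    return {
        "undocumented": sorted(roles - DOCUMENTED_ROLES),
        "high_privilege": sorted(roles & HIGH_PRIVILEGE),
        "active": rel.get("status") == "active",
    }

# Constructed sample in the Graph delegatedAdminRelationship shape.
SAMPLE = json.loads("""{"displayName": "Cloud Commander", "status": "active",
 "accessDetails": {"unifiedRoles": [
   {"roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10"},
   {"roleDefinitionId": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b"},
   {"roleDefinitionId": "e8611ab8-c189-46e8-94e1-60213ab1f814"},
   {"roleDefinitionId": "fe930be7-5e62-47db-91af-98c3a49a38b1"}]}}""")

if __name__ == "__main__":
    print(json.dumps(audit_relationship(SAMPLE), indent=2))
```

Global administrator is not in the documented list, so the sample is flagged as undocumented and high-privilege; an unknown template ID is surfaced verbatim rather than mapped to a name.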

Microsoft Azure management

For Azure Management, read/write permissions are not defined by the GDAP relationship. Provided that the service principal is granted access to the customer's Azure subscriptions, the Directory Reader role in GDAP is sufficient.

By default, the partner that provisioned the customer subscriptions already has Owner permissions through Admin On Behalf Of (AOBO), and GDAP acts only as a secure, customer-controlled way of authenticating against the customer's Azure environment. The partner's Admin agent role controls who can read/write Azure resources.

In summary, GDAP acts as authentication to Azure management, not as its permission system. Azure already has fine-grained Identity and Access Management (IAM) roles and AOBO management capabilities on the partner side.

Updated: Dec 18, 2024