Get started with Cloud Commander

This article guides you through the initial set up of Cloud Commander. After you start your trial, an Onboarding Assistant will step you through the rest of the process.

• Step 1: Start a Cloud Commander trial
• Step 2: Prepare a service account and register your MSP tenant
• Step 3: Set up customer tenants

Prerequisites

• The person requesting the Cloud Commander trial must be able to create a service account with Microsoft Entra ID multi-factor authentication in your Microsoft Partner Center. The service account requires the following permissions:
  • Admin Agent role in your Microsoft Partner Center.
  • Global Admin Microsoft Entra ID role in your MSP tenant.
• The email address you use for the trial must be from your MSP tenant and able to receive email from N-able. If your MSP tenant doesn't have valid email addresses, please contact your sales representative or our support team.
• Enrollment as a Microsoft Cloud Solution Provider. See Enroll in the Cloud Solution Provider program | Microsoft Learn.
• To onboard your CSP tenants, you'll need an established relationship with your customers in Microsoft Partner Center. See Verify customer relationships.
• To access your customer tenants using Cloud Commander, ensure your customers don't have Conditional Access policies that block your access. See Set up your customer's Conditional Access policies.

Step 1: Start a Cloud Commander trial

1. Go to https://www.n-able.com/products/cloud-commander/trial.
2. Enter your contact information.
3. Enter an email address that can receive email from N-able.
4. Select Try it free.

   A welcome email is sent to the email address, which includes a link to the Cloud Commander login page. Do not forward the link—it only works for the registered account. The link expires in 14 days.

   If you don't receive the email or if the link expires, contact your sales representative or our support team.

5. From the welcome email, select the link and sign in to  Cloud Commander with the account credentials for the email address you used to request the trial.
6. Review the permissions requested and select Consent on behalf of your organization to allow others to sign into Cloud Commander.

   

7. Select Accept.

You are redirected to the Onboarding Assistant to guide you through the initial set up steps.

The Onboarding Assistant guides you to prepare a service account in the Microsoft Partner Center with the following attributes:

• Member of the Admin Agents group in Microsoft Entra ID.
• Global Admin Microsoft Entra ID role.
• Microsoft Entra ID multi-factor authentication—If you implement any third-party multi-factor authentication for the service account, you can't manage customer environments using GDAP and Cloud Commander.
• Conditional access policies must not limit the account.

After your service account is set up, the Onboarding Assistant guides you to authenticate and register the Cloud Commander application.

Step 2: Prepare a service account and register your MSP tenant

As the first Cloud Commander user, you are assigned the following platform roles for your MSP tenant:
- Microsoft Cloud Access Administrators
- Administrators
- Role Administrators
- User Group Administrators
- Command Block Job Log Reader
- Partner Center Customer Writer

1. Select Let's get started in the Onboarding Assistant.

   

2. Prepare your service account by choosing to generate a new service account or use an existing service account:

   The service account you use must have multi-factor authentication (MFA) enabled. MFA is required for Microsoft Partner Center and Cloud Commander.

   Generate a service account

   1. Select Generate service account.

      We generate the service account and display the credentials.

   2. Select Copy to clipboard and then Continue.
   3. Review the authorization information and select the checkbox indicating that you understand the MFA requirement.
   4. Select Authorize with your service account.

      A Microsoft login dialog displays with the username populated.

   5. Paste in the one-time password you copied earlier and select Sign In.
   6. Update the password.
   7. Follow the Microsoft prompts to set up MFA. MFA is required for Microsoft Partner Center and Cloud Commander.

   Use an existing service account

   1. Select I already have a service account.
   2. Review the authorization information and select the checkbox indicating that you understand the MFA requirement.
   3. Select Authorize with your service account.
   4. In the Microsoft login dialog, use your service account credentials to authenticate.
   5. Follow the Microsoft prompts to set up MFA. MFA is required for Microsoft Partner Center and Cloud Commander.
3. In the Microsoft dialog, review the permissions requested and select Accept to register your MSP tenant. For the list of permissions and roles acquired, see Permissions acquired in the MSP partner tenant.

   To follow least privilege practice, we recommend not selecting Consent on behalf of your organization. Doing so may grant unintended elevated privileges to users in your organization.

   

4. If prompted, close the popup to proceed.

   Cloud Commander is now connected, and we can access your Microsoft Partner Center and your customer's tenants.

   

5. Select Continue to Cloud Commander to set up your tenants in Cloud Commander.

Step 3: Set up customer tenants

The Onboarding Assistant takes you directly to the Microsoft Cloud Access view, where the list of tenants from your Microsoft Partner Center is displayed.

Our progress tracker will walk you through the tenant setup in Microsoft Cloud Access. The progress tracker shows the setup progress and provides a description of what is happening, and the Status column in the tenant list shows the current state of the tenant.

Select a tenant by clicking in its row and click Start tenant set up.

The right panel opens and shows the tenant's setup progress through the following steps. Here's the progress tracker for a completed tenant setup.

If you navigate away from the Microsoft Cloud Access view or the progress tracker, the setup continues. You can also have multiple tenants setting up at the same time.

Create customer

First, we create a new customer record in Cloud Commander for the customer tenant. This is usually a quick process that takes a few seconds.

Establish an admin relationship

Next, we check if the customer tenant has been previously set up in Cloud Commander. If it has, we reuse that admin relationship.

If not, we create a new admin relationship between your partner tenant and the customer tenant with the necessary permissions.

Get admin relationship approval

We check if the customer has already approved the admin relationship from a previous Cloud Commander setup.

If the customer hasn't approved the admin relationship yet, you need to request approval.

We provide a message template to copy and send to your customer to request approval. If you prefer to write your own message, copy the authorization link from the template and send it to your customer. Here are the steps to make the request:

1. In the progress tracker, select View approval message template.
2. Copy the message template or the authorization link and click Okay.
3. Send the message or authorization link to a global administrator for the customer so they can approve the request.

   The customer Admin account must have multi-factor authentication (MFA) enabled.

   

When the customer clicks the link, they:

1. Sign into Microsoft using their Admin account credentials, including MFA, for their organization.
2. Review the permissions requested and select Accept.

   To follow least privilege practice, we recommend not selecting Consent on behalf of your organization. Doing so may grant unintended elevated privileges to users in your organization.

Now we have to wait for your customer to approve the admin relationship in the Microsoft Partner Center. We automatically keep checking Microsoft for the admin relationship approval.

After the admin relationship is approved, there may be a delay of up to 5 minutes before the approval is synchronized from Microsoft Partner Center to Cloud Commander.

Finalize relationship

After the admin relationship is approved and synchronized, we register the Cloud Commander application with the customer tenant to finalize the relationship. This involves getting permissions and access from the customer tenant so that we can manage customer tenant applications such as users, groups, authentication methods, licenses, and more.

When the relationship is finalized, we can access the customer tenant information from Microsoft and begin to set up Cloud Commander capabilities for the tenant.

To help troubleshoot issues you encounter during this step, we include the following error details if they are available:

• Microsoft error details: Can include an error code, a Microsoft response message, a timestamp from the Microsoft record, and a Correlation ID, which is an automatically generated unique identifier (GUID) for the request.
• Cloud Commander error details: Include a Tracking ID and an Event ID.

For more information, see Troubleshoot errors in Cloud Commander.

Set up groups and roles

In this step, we set up the Cloud Commander groups and roles for the user who is setting up the tenant. This means we assign you to the Default platform user groups scoped to the tenant so that you can monitor and manage it.

Sync all users

Next, we synchronize the customer tenant Microsoft Entra ID users with Cloud Commander so that you can view all the customer tenant's users in Cloud Commander. This can take a few minutes.

Schedule reports

In the last step of the progress tracker, we schedule the Microsoft Secure Score report and the Microsoft Available Licenses report to run daily for the customer tenant. The reports update every day at midnight. This means that the reports for this new customer tenant will be empty until the update runs for the first time at midnight.

Successful tenant setup

When the progress tracker completes successfully, the customer tenant is enabled, available in the customer selector, and you can begin to monitor and manage it in Cloud Commander.

If the tenant is Enabled with limitations, the tenant is set up in Cloud Commander, but you'll need to request additional permissions approval from your customer before you can use all the Cloud Commander features. For instructions, see Request additional permissions for tenants.

Next steps

• Assign members to platform user groups
• If any of your tenants use a Hybrid Identity environment, Configure Hybrid Identity environment

Related articles

• Tenant statuses
• Requirements for Cloud Commander
• FAQs—Microsoft Cloud Access
• Cloud Commander acquired permissions
• User management

Updated: Mar 20, 2025