Get started with Cloud Commander
This article walks you through the initial set up of Cloud Commander. After you start your trial, the Onboarding Assistant will guide you through the remaining steps.
Prerequisites
Before you begin, make sure:
- You can create a service account in Microsoft Entra ID with multi-factor authentication (MFA).
- You are enrolled in the Microsoft Cloud Solution Provider (CSP) program. See Enroll in the Cloud Solution Provider program | Microsoft Learn.
- You have an established relationship with your customers in Microsoft Partner Center. See Verify customer relationships.
- Your customers' Conditional Access policies allow access. See Set up your customer's Conditional Access policies.
1. Start a Cloud Commander trial
- Go to Cloud Commander trial.
- Enter your contact details, including an email address from your MSP tenant that can receive messages from N-able. If your MSP tenant doesn't have valid email addresses, please contact your sales representative or N-able Support.
- Select Try it free.
You’ll receive a welcome email with a link to sign in to Cloud Commander. This link is valid for 14 days and works only for the registered email address. If you don’t receive the email or the link expires, contact your sales representative or N-able Support.
- From the welcome email, select the link and sign in using the credentials for the email address you used to register.
- Review the permissions requested and select Consent on behalf of your organization to allow others to sign into Cloud Commander.
- Select Accept.
You are redirected to the Onboarding Assistant to guide you through the initial set up steps.
2. Prepare a service account and register your MSP tenant
When you finish this step, you'll have a service account with the following attributes and your MSP tenant will be registered:
- Admin Agent role in Microsoft Partner Center.
- Global Admin role in Microsoft Entra ID.
- Multi-factor authentication (MFA) enabled in Microsoft Entra ID.
Third-party MFA solutions are not supported for managing customer environments with GDAP and Cloud Commander.
- In the Onboarding Assistant, select Let's get started.
- Choose one of the following options:
Option 1: Generate a service account
- Select Generate service account. We generate the service account and display the credentials.
- Copy the generated credentials with Copy to clipboard, then select Continue.
- Review the authorization details and confirm that you understand the MFA requirements by selecting the checkbox.
- Select Authorize with your service account.
- Paste in the one-time password and select Sign In.
- Update the password when prompted.
- Follow the Microsoft prompts to complete MFA setup. MFA is required for Microsoft Partner Center and Cloud Commander.
Option 2: Use an existing service account
- Select I already have a service account.
- Review the authorization details and confirm that you understand the MFA requirements by selecting the checkbox.
- Select Authorize with your service account.
- In the Microsoft login dialog, sign in using your service account credentials.
- Follow the Microsoft prompts to complete MFA. MFA is required for Microsoft Partner Center and Cloud Commander.
- Review the requested permissions and select Accept to register your MSP tenant. For more information, see Permissions acquired in the MSP partner tenant.
To follow least privilege practice, we recommend not selecting Consent on behalf of your organization. Doing so may grant unintended elevated privileges to users in your organization.
- If prompted, close the popup to proceed.
Cloud Commander is connected and can access your Microsoft Partner Center and your customer tenants.
- Select Continue to Cloud Commander to begin setting up your tenants.
3. Set up customer tenants
The Onboarding Assistant takes you directly to the Microsoft Cloud Access view, where you'll see a list of tenants from your Microsoft Partner Center.
A progress tracker guides you through the setup process. It shows each step, provides descriptions, and displays the current status in the Status column.
Start tenant setup
- In the Microsoft Cloud Access view, select the row for a tenant.
- Select Set up tenant.
The tenant panel opens and displays the tenant's setup progress. You can navigate away from this view at any time—the setup continues in the background. You can also set up multiple tenants simultaneously.
Progress tracker steps
1. Create Customer
Cloud Commander creates a new customer record for the selected tenant. This step usually takes a few seconds.
2. Establish an admin relationship
Cloud Commander checks if your organization already has admin relationships with the customer and if any of those relationships are valid.
Scenario 1: No valid admin relationships found
If no valid admin relationships are found, Cloud Commander creates a new one and provides a message template to request customer approval in the next step.
Scenario 2: Valid admin relationships found
If valid admin relationships are found, you choose which existing admin relationship to use or choose to create a new admin relationship.
- In the progress tracker, select Establish an admin relationship.
- Choose whether you want to use an existing relationship or create a new one. See GDAP admin relationships: Reuse or create new?.
- If you chose to use an existing admin relationship:
- Select the admin relationship to use. Discovered admin relationships that are not valid for Cloud Commander are disabled.
- The expiry date for the relationship displays to help you decide whether to use it or choose another with a later expiry.
- Select Confirm.
- If you chose to create a new admin relationship, select Confirm.
3. Get admin relationship approval
If you chose to use an existing admin relationship, this step quickly moves on to finalize the relationship because customer approval is already confirmed.
If you chose to create a new admin relationship, you need to request approval.
To request customer approval for the relationship, we provide a message template you can copy and send to them. If you prefer to write your own message, copy the authorization link from the template and send it to your customer.
- In the progress tracker, select View approval message template.
- Copy the message template or the authorization link and click Okay.
- Send the message or authorization link to a global administrator for the customer so they can approve the request.
The customer Admin account must have multi-factor authentication (MFA) enabled.
When the customer clicks the link, they:
- Sign into Microsoft using their Admin credentials, including MFA, for their organization.
- Review the permissions requested and select Accept.
To follow least privilege practice, we recommend not selecting Consent on behalf of your organization. Doing so may grant unintended elevated privileges to users in your organization.
Now we have to wait for your customer to approve the admin relationship in the Microsoft Partner Center. We automatically keep checking Microsoft for the admin relationship approval.
After the admin relationship is approved, there may be a delay of up to five minutes before the approval is synchronized from Microsoft Partner Center to Cloud Commander.
4. Finalize relationship
Once approval is synced, Cloud Commander registers its application with the customer tenant. This grants access to manage:
- Users
- Groups
- Authentication methods
- Licenses
- Other tenant resources
If issues occur, error details are provided:
- Microsoft error details: Error code, Microsoft message, timestamp from the Microsoft record, and Correlation ID, which is an automatically generated unique identifier (GUID) for the request.
- Cloud Commander error details: Tracking ID and an Event ID.
For help, see Troubleshoot errors in Cloud Commander.
5. Set up groups and roles
Cloud Commander assigns you to the Default platform user groups scoped to the tenant. This allows you to monitor and manage the tenant.
6. Sync all users
Cloud Commander syncs users from Microsoft Entra ID. This step may take a few minutes.
7. Schedule reports
Cloud Commander schedules two daily reports:
- Microsoft Secure Score
- Microsoft Available Licenses
Reports update at midnight. They may appear empty until the first update runs.
Successful tenant setup
When setup completes:
- The tenant is enabled and displays in the customer selector.
- You can begin monitoring and managing it in Cloud Commander.
If the tenant is Enabled with limitations, it means setup is complete, but additional permissions are needed before you can use all the Cloud Commander features. For instructions, see Request additional permissions for tenants.
Admin relationships with GDAP are created with an expiration of two years, which is the maximum time allowed by Microsoft. When a tenant admin relationship expires, we recommend disabling the tenant in Cloud Commander and repeating the approval process by setting up the tenant again. See Expiration of admin relationships.
Next steps
- Assign members to platform user groups
- If any of your tenants use a Hybrid Identity environment, Configure Hybrid Identity environment
Related articles
- Tenant statuses
- Requirements for Cloud Commander
- FAQs—Microsoft Cloud Access
- Cloud Commander acquired permissions
- User management
Updated: Aug 01, 2025