Start a Cloud Commander trial and setup

This page contains instructions to initially set up Cloud Commander.

Requirements

  • Enrollment as a Microsoft Cloud Solution Provider. See Check your Microsoft account.
  • An established relationship with your customers in Microsoft Partner Center. See Verify customer relationships.
  • If applicable, you may need to adjust your customer tenant Conditional Access policies to allow Cloud Commander to operate. The service accounts you use with Cloud Commander must be able to sign in to your Partner Center and Customer Tenants from our environment. For more information about the policy adjustments that are needed, see this Microsoft article.

Step 1: Start a Cloud Commander trial

  1. Go to https://www.n-able.com/products/cloud-commander/trial.
  2. Enter your contact information.
  3. Enter an email address that can receive email from N-able.
  4. Select Start Your  Free Trial.

    A welcome email is sent to the email address, which includes a link to the Cloud Commander login page. Do not forward the link—it only works for the registered account. The link expires in 14 days.

    If you don't receive the email or if the link expires, contact your sales representative or our support team.

  5. From the welcome email, select the link and sign in to  Cloud Commander with the account credentials for the email address you used to request the trial.
  6. Review the permissions requested and select Consent on behalf of your organization to allow others to sign into Cloud Commander.

  7. Select Accept.

    8. You are redirected to the Onboarding Assistant to guide you through the initial set up steps.

The Onboarding Assistant guides you to prepare a service account in the Microsoft Partner Center with the following attributes:

  • Member of the Admin Agents group in Microsoft Entra ID.
  • Global Admin Microsoft Entra ID role.
  • Microsoft Entra ID multifactor authentication (MFA)—If you implement any third-party MFA for the service account, you can't manage customer environments using GDAP and Cloud Commander.
  • Conditional access policies must not limit the account.

After your service account is set up, the Onboarding Assistant guides you to authenticate and register the Cloud Commander application.

Step 2: Prepare and authenticate a service account

As the first Cloud Commander user who requested the trial, you are assigned the following platform roles for your MSP organization:
- Administrators
- Role Administrators
- User Group Administrators
- Command Block Job Log Reader
- Partner Center Customer Writer

  1. On the fist page of the onboarding assistant, select Let's get started.

  2. Prepare your service account by choosing to generate a new service account or using an existing service account:
    Your choiceActions
    Generate a service account
    1. Select Generate service account.

      We generate the service account and display the credentials.

    2. Select Copy to clipboard and then Continue.
    3. Review the authorization information and select the checkbox indicating that you understand the multifactor authentication requirement.
    4. Select Authorize with your service account.

      A Microsoft login dialog displays with the username populated.

    5. Paste in the one-time password you copied earlier and select Sign In.
    6. Update the password.
    7. Follow the Microsoft prompts to set up multifactor authentication. MFA is a requirement for Microsoft Partner Center and Cloud Commander.
    Use an existing service account
    1. Select I already have a service account.
    2. Review the authorization information and select the checkbox indicating that you understand the multifactor authentication requirement.
    3. Select Authorize with your service account.
    4. In the Microsoft login dialog, use your service account credentials to authenticate.
    5. Follow the Microsoft prompts to set up multifactor authentication. MFA is a requirement for Microsoft Partner Center and Cloud Commander.
  3. In the Microsoft dialog, review the permissions requested and select Accept. The required permissions are only for the N-able application.

    Following least privilege practice, we recommend you don't select Consent on behalf of your organization. Consenting may grant unintended elevated privileges to users in your organization.

  4. If prompted, close popup to proceed.

    Cloud Commander is now connected, and we can access your Microsoft Partner Center to look for your customers and GDAP relationships.

  5. Select Continue to Cloud Commander to onboard your customers.

Step 3: Select the customers you want to onboard

Cloud Commander displays the list of Microsoft customers it found in your Microsoft Partner Center.

When you onboard Microsoft customers, we look for, or initiate, a Granular Delegated Admin Permissions (GDAP) relationship with each customer. When a GDAP relationship is Approved for a customer, we import their details from Microsoft in accordance with the solutions enabled in the GDAP relationship.

We track and display the status of the GDAP relationship between the customer and Cloud Commander. See Status descriptions.

  1. Filter or search to find the customer you want to onboard, click in the Request approval status column of the customer, and select Enabled.

    You can enable multiple customers now before you move to the next steps. You can also return to Microsoft Cloud Access later to add more customers.

    If you already have a GDAP relationship with a customer that has the necessary permissions, the customer's status updates to Approved, and Cloud Commander can import data from the cloud for the customer.

  2. If there isn't an existing GDAP relationship or if additional permissions are needed, Cloud Commander creates the relationship, but the status is Needs approval because customer approval is required.

    Select Copy approval to copy the link that's required to approve the GDAP request. Send the link to an administrator for the customer so they can approve the request. For instructions, see the Microsoft documentation.

    When the customer approval is complete, the GDAP relationship status updates to Approved.

  3. If the customer's status changes to Issues found, select Review limitations to view more information, and then choose one of these actions:
    1. If you don't plan to manage Microsoft Azure resources for the tenant and want to accept the current relationship, select Cancel.

      The status for the tenant remains Issues found, and you can manage the tenant in Cloud Commander but without Microsoft Azure access.

    2. If you do plan to manage Microsoft Azure resources for the tenant, follow the instructions in this article to update the licenses of the tenant in your Microsoft account.

      When complete, go back to the Cloud Commander Review limitations dialog for the tenant and select Revalidate.

  4. Select Refresh at the top of the dialog, to update the customer's status.

It can take several minutes for the Microsoft process to complete. When a customer GDAP relationship is finalized, its status is Approved or Issues found, and Cloud Commander can import data from the cloud for the customer. It may take up to five minutes for the collected data to display in Cloud Commander. You can go to Identity > Users to see the imported users.

For information about onboarding more customers after the initial setup, see Onboard CSP customers.

When your first customer is onboarded, Cloud Commander creates Default platform user groups with their roles scoped to that customer. Each time you onboard a new customer, the default platform user groups' scopes expand to include that new customer.

When you onboard a customer, you are added as a member to the default platform user groups for that customer. You are also assigned the following roles:
- User Administrators scoped to your MSP organization
- Administrators scoped to the onboarded customer
- Role Administrators scoped to the onboarded customer

The service account you authenticated in Step 2 is added as a member to the default platform user groups.

Step 4: Assign users to the default platform user groups

Cloud Commander includes the following default platform user groups to get you started. You add users to the groups according to job responsibility. After Cloud Commander is setup, you can customize these groups or create your own platform user groups as needed:
  • CC Admins
  • CC Technicians
  • CC License Admins

You can assign more users to the default platform user groups now or later. For more information, see Manage platform user groups.

To best illustrate how to assign users to the default platform user groups, the following task shows the steps for adding users to the CC Technicians group. The steps are the same when you add users to other groups.

  1. On the left navigation, select Identity > Groups.

    If the group list is empty or you can't find a specific group, select Refresh to show the most recent data.

  2. Search for CC Technicians and select its name to view the details.
  3. Go to the Members tab.
  4. Select Assign members.

    When multiple customers are selected in the global customer selector, only options that apply to all selected customers display.

  5. Select the checkbox for one or more users to add to the group and select Next.

  6. Review the list of members to add. If you need to make changes, select Back. Otherwise, select Done.

    The user(s) are added to the group and display on the members list.

Status descriptions

As you onboard your customer tenants, we track their integration status using the following states:

An existing GDAP relationship in Approval pending state is not supported, and you must go to the Microsoft Partner Center to follow the manual approval process.

StateDescriptionAction
Not configuredGDAP relationship not established. This status occurs when:
  • Initial status — GDAP relationship not yet defined or attempted.
  • Offboarded customer — You have offboarded the customer.
If you want to onboard the customer, click in the Request approval column of the customer to select Enabled.
Needs approvalApproval is required for the GDAP relationship. Select Copy approval to copy the link that's required to approve the GDAP request. Send the link to an administrator for the customer so they can approve the request. For instructions, see the Microsoft documentation.
ApprovedThe GDAP relationship is fully configured and ready to use. Cloud Commander can import data from the cloud.No action required.
Issues foundGDAP relationship can't be created, or it can be created but without all the required access permissions. If the customer's status changes to Issues found, select Review limitations to view more information, and then choose one of these actions:
  1. If you don't plan to manage Microsoft Azure resources for the tenant and want to accept the current relationship, select Cancel.

    The status for the tenant remains Issues found, and you can manage the tenant in Cloud Commander but without Microsoft Azure access.

  2. If you do plan to manage Microsoft Azure resources for the tenant, follow the instructions in this article to update the licenses of the tenant in your Microsoft account.

    When complete, go back to the Cloud Commander Review limitations dialog for the tenant and select Revalidate.

Awaiting MicrosoftDue to the asynchronous mode of Microsoft processing external requests, this status displays when Cloud Commander is waiting for Microsoft to complete processing.No action required.

Next steps

Related articles

Updated: Jul 09, 2024