Set up Cloud Commander

This page contains instructions to initially set up Cloud Commander.

Requirements

  • The person requesting the Cloud Commander trial must be able to create a service account with Microsoft Entra ID multifactor authentication (MFA) in your Microsoft Partner Center. The service account requires the following permissions:
    • Admin Agent role in your Microsoft Partner Center.
    • Global Admin Microsoft Entra ID role in your MSP partner tenant.
  • The email address you provide for the person starting the trial must be able to receive email from N-able.
  • Enrollment as a Microsoft Cloud Solution Provider. See Enroll in the Cloud Solution Provider program | Microsoft Learn.
  • To onboard your CSP tenants, you'll need an established relationship with your customers in Microsoft Partner Center. See Verify customer relationships.
  • If applicable, you may need to adjust your customer tenant Conditional Access policies to allow Cloud Commander to operate. See Configure Conditional Access for Cloud Commander.

Step 1: Start a Cloud Commander trial

  1. Go to https://www.n-able.com/products/cloud-commander/trial.
  2. Enter your contact information.
  3. Enter an email address that can receive email from N-able.
  4. Select Start Your Free Trial.

    A welcome email is sent to the email address, which includes a link to the Cloud Commander login page. Do not forward the link—it only works for the registered account. The link expires in 14 days.

    If you don't receive the email or if the link expires, contact your sales representative or our support team.

  5. From the welcome email, select the link and sign in to Cloud Commander with the account credentials for the email address you used to request the trial.
  6. Review the permissions requested and select Consent on behalf of your organization to allow others to sign into Cloud Commander.

  7. Select Accept.
  8. You are redirected to the Onboarding Assistant, which guides you through the initial setup steps.

The Onboarding Assistant guides you to prepare a service account in the Microsoft Partner Center with the following attributes:

  • Member of the Admin Agents group in Microsoft Entra ID.
  • Global Admin Microsoft Entra ID role.
  • Microsoft Entra ID multifactor authentication (MFA)—If you implement any third-party MFA for the service account, you can't manage customer environments using GDAP and Cloud Commander.
  • Conditional access policies must not limit the account.

After your service account is set up, the Onboarding Assistant guides you to authenticate and register the Cloud Commander application.

Step 2: Prepare and authenticate a service account

As the first Cloud Commander user who requested the trial, you are assigned the following platform roles for your MSP partner tenant:
  • Administrators
  • Role Administrators
  • User Group Administrators
  • Command Block Job Log Reader
  • Partner Center Customer Writer

  1. On the first page of the Onboarding Assistant, select Let's get started.

  2. Prepare your service account by choosing to generate a new service account or use an existing service account:

    Generate a service account

    1. Select Generate service account.

      We generate the service account and display the credentials.

    2. Select Copy to clipboard and then Continue.
    3. Review the authorization information and select the checkbox indicating that you understand the multifactor authentication requirement.
    4. Select Authorize with your service account.

      A Microsoft login dialog displays with the username populated.

    5. Paste in the one-time password you copied earlier and select Sign In.
    6. Update the password.
    7. Follow the Microsoft prompts to set up multifactor authentication. MFA is a requirement for Microsoft Partner Center and Cloud Commander.

    Use an existing service account

    1. Select I already have a service account.
    2. Review the authorization information and select the checkbox indicating that you understand the multifactor authentication requirement.
    3. Select Authorize with your service account.
    4. In the Microsoft login dialog, use your service account credentials to authenticate.
    5. Follow the Microsoft prompts to set up multifactor authentication. MFA is a requirement for Microsoft Partner Center and Cloud Commander.
  3. In the Microsoft dialog, review the permissions requested and select Accept. For the list of permissions and roles acquired, see Permissions acquired in the MSP partner tenant.

    To follow least privilege practice, we recommend not selecting Consent on behalf of your organization. Doing so may grant unintended elevated privileges to users in your organization.

  4. If prompted, close the popup to proceed.

    Cloud Commander is now connected, and we can access your Microsoft Partner Center to look for your customers' tenants and your GDAP relationships.

  5. Select Continue to Cloud Commander to onboard your tenants.

Step 3: Select the tenants you want to onboard

Cloud Commander displays the list of Microsoft tenants it found in your Microsoft Partner Center.

When you onboard CSP tenants, we look for, or initiate, a Granular Delegated Admin Permissions (GDAP) relationship with each tenant. When a GDAP relationship is Approved for a tenant, we import their details from Microsoft in accordance with the solutions enabled in the GDAP relationship.

We track and display the status of the GDAP relationship between the tenant and Cloud Commander. See GDAP relationship status.

  1. Filter or search to find the tenant you want to onboard.
  2. Select the checkbox for the tenant and select Set as active.

    You can set multiple tenants to active now before you move to the next steps. You can also return to Microsoft Cloud Access later to add more tenants.

    If you already have a GDAP relationship with a tenant that has the necessary permissions, the status updates to Approved, and Cloud Commander can import data from the cloud for the tenant.

  3. If there isn't an existing GDAP relationship or if additional permissions are needed, Cloud Commander creates the relationship, but the status is Pending approval because customer approval is required.
    1. Select the checkbox for the tenant and select Establish GDAP relationship.

      A dialog displays an approval template message and link to send to the customer.

    2. Copy the message and send it to an administrator for the customer so they can approve the request. For instructions, see the Microsoft documentation.

      When the customer approval is complete, the GDAP relationship status updates to Approved.

      Due to Microsoft limitations, it can take up to 24 hours for the Microsoft GDAP relationship process to complete and be available in the APIs.

  4. Refresh the page from the top of the dialog to update the tenant's status.

It generally takes a few minutes, but can take up to 24 hours, for the Microsoft process to complete and be available in the APIs. When the GDAP relationship is finalized, the status is set to Approved, and Cloud Commander can import data from the cloud for the tenant. It may take up to five minutes for the collected data to display in Cloud Commander. You can go to Identity > Users to see the imported users.

For information about onboarding more tenants after the initial setup, see Onboard new tenants.

When your first tenant is onboarded, Cloud Commander creates default platform user groups with their roles scoped to that tenant. Each time you onboard a new tenant, the default platform user groups' scopes expand to include that new tenant.

When you onboard a tenant, you are added as a member to the default platform user groups for that tenant. You are also assigned the following roles:
  • User Administrators scoped to your MSP partner tenant.
  • Administrators scoped to the onboarded tenant.
  • Role Administrators scoped to the onboarded tenant.

The service account you authenticated in Step 2 is added as a member to the default platform user groups.

Step 4: Assign users to the default platform user groups

Cloud Commander includes the following default platform user groups to get you started. You add users to the groups according to job responsibility. After Cloud Commander is set up, you can customize these groups or create your own platform user groups as needed:
  • CC Admins
  • CC Technicians
  • CC License Admins

You can assign more users to the default platform user groups now or later. For more information, see Manage platform user groups.

To best illustrate how to assign users to the default platform user groups, the following task shows the steps for adding users to the CC Technicians group. The steps are the same when you add users to other groups.

  1. In the left navigation, select Identity > Groups.

    If the group list is empty or you can't find a specific group, refresh the page to show the most recent data.

  2. Search for CC Technicians and select its name to view the details.
  3. Go to the Members tab.
  4. Select Assign members.

    When multiple customers are selected in the global customer selector at the top of the dialog, only options that apply to all selected customers display.

  5. Select the checkboxes for the users to add them to the group and select Next.

  6. Review the list of members to add. If you need to make changes, select Back. Otherwise, select Done.

    The users are added to the group and display on the members list.

GDAP relationship status

As you onboard your CSP tenants, we track their GDAP relationship approval status using the following states:

An existing GDAP relationship in Approval pending state is not supported, and you must go to the Microsoft Partner Center to follow the manual approval process.

  • Needs approval
    • Description: The GDAP relationship is not established and must be requested. This status occurs when:
      • Initial status: GDAP relationship not yet defined or attempted.
      • Offboarded tenant: You have offboarded the tenant.
    • Action: To onboard the CSP tenant, select the checkbox for the tenant and select Set as active.
  • Pending approval
    • Description: The request for approval is sent but is not approved yet.
    • Action: Select the checkbox for the tenant and select Establish GDAP relationship.
  • Approved
    • Description: The GDAP relationship is fully configured and ready to use. Cloud Commander can import data from the cloud.
    • Action: No action required.
  • "-" (blank)
    • Description: When the GDAP relationship is blank, the tenant is a non-CSP tenant whose source is Microsoft 365.
    • Action: See Onboard non-CSP tenants.

Updated: Nov 25, 2024