FAQs—Microsoft Cloud Access
What is Microsoft Cloud Access and why is it needed?
Microsoft Cloud Access is N-able’s connecting service to the Microsoft Cloud. Microsoft Cloud Access is necessary to establish a trusted relationship between the application and the cloud, so the application can read and act on the cloud data. See Microsoft Cloud Access setup.
Why can't I authenticate with Microsoft when I sign into Cloud Commander?
Multi-factor authentication must be enforced on all Cloud Commander accounts.
One way to enforce multi-factor authentication is to enable security defaults in the Microsoft Partner Center. See the Microsoft documentation.
Can I change the service account I use with Cloud Commander?
Yes, to change your service account for Cloud Commander, first Offboard your MSP organization and then authenticate your organization again using the new user service account.
I am a Microsoft partner; do I have to onboard my tenants one by one?
The onboarding workflow enables you to map multiple CSP tenants at once. Non-CSP tenants must be onboarded one at a time.
What is the GDAP relationship status flow?
Mandated by Microsoft, the GDAP relationship status flow is the state transition of a GDAP relationship as you move through its creation and approval process.
GDAP relationship states
As you onboard your CSP tenants, we track their GDAP relationship approval status using the following states:
An existing GDAP relationship in Approval pending state is not supported, and you must go to the Microsoft Partner Center to follow the manual approval process.
| GDAP status | Description | Action |
|---|---|---|
| Needs approval | The GDAP relationship is not established and must be requested. This status occurs when:
|
To onboard the CSP tenant, select the checkbox for the tenant and select Set as active. |
| Pending approval | The request for approval is sent but is not approved yet. |
Select the checkbox for the tenant and select Establish GDAP relationship. |
| Approved | The GDAP relationship is fully configured and ready to use. Cloud Commander can import data from the cloud. | No action required. |
| - | When the GDAP relationship is blank, the tenant is a non-CSP tenant whose source is Microsoft 365. | See Onboard non-CSP tenants. |
I already have GDAP with my customer's CSP tenants, what happens in this case?
There are two scenarios:
- If you already have a GDAP relationship with a tenant that has the necessary permissions, the status updates to Approved, and Cloud Commander can import data from the cloud for the tenant.
- If there isn't an existing GDAP relationship or if additional permissions are needed, Cloud Commander creates the relationship, but the status is Pending approval because customer approval is required. See Onboard new tenants.
When will I see cloud data?
When a tenant's status changes to Approved and the application starts importing data from the cloud, you will see data. For more information, see Onboard new tenants.
Can I offboard as an MSP organization from Cloud Commander?
Yes. For information and instructions, see Offboard your MSP organization.
Can I add more tenants after I complete the initial onboarding?
Yes, re-run Onboard new tenants to add more tenants.
Can I remove tenants from Cloud Commander?
You can remove non-CSP tenants from Cloud Commander. See Remove non-CSP tenants. The tenant data is deleted from Cloud Commander and the application can no longer act on the customer’s tenant.
You can't remove CSP tenants from Cloud Commander, but for CSP and non-CSP tenants you can Make a tenant inactive such that tenant data is not visible in Cloud Commander.
Can the Cloud Commander application and the GDAP relationship be deleted from my customer’s CSP tenant?
Yes, the application can be removed from the customer's Enterprise Applications in Azure. The GDAP relationship can be terminated it two ways:
- As a Microsoft Partner, you (the MSP) can terminate the GDAP relationship from the Microsoft Partner Center.
- End customers can terminate the GDAP relationship from the Microsoft 365 Admin Center.
What does the Reauthenticate option in the onboarding workflow do?
Reauthenticate your MSP organization renews the partner's Cloud Commander credentials to ensure they are up to date. You may need to re-authenticate if certain changes have occurred. For example, you may need to re-authenticate if your credentials change, there are multi-factor authentication changes, or the account hasn't been used for 90 days.
GDAP relationships have an expiration date. What happens then?
GDAP relationships are created with an expiration of 730 days, which is the maximum time allowed by Microsoft. To ensure your customers are aware that you have ongoing access to their tenant, we recommend not using any GDAP Autoextend functions.
When a GDAP relationship expires, its GDAP relationship status changes to Needs approval, and you must request a new GDAP relationship by onboarding that tenant again and repeating the approval process.
What are the advantages of the N-able Microsoft Cloud Access?
- It is an end-to-end workflow for authenticating the application with Microsoft and creating connections with your customers' tenants so you can manage their data.
- The registered application is verified as authentic by Microsoft.
- It tracks the status of the tenants.
- Assigns least-privileged access following zero-trust cyber security protocol.
- It does not require additional manual configuration in the Microsoft tenant.
- For Microsoft Partners with a reseller (CSP) account, it allows onboarding all CSP tenants at once.
- It supports non-CSP tenant onboarding.
Updated: Jan 31, 2025