FAQs—Microsoft Cloud Access

Microsoft Cloud Access is N-able’s connecting service to the Microsoft Cloud. Microsoft Cloud Access is necessary to establish a trusted relationship between the application and the cloud, so the application can read and act on the cloud data.

Microsoft Cloud Access is implemented using the Microsoft Secure Application Model framework, with support for configuration and management of Granular Delegated Admin Permissions (GDAP) and requires the MSP (a Microsoft partner) to consent to a centralized N-able Microsoft Cloud Access application only once.

To begin Microsoft Cloud Access, select Settings > Microsoft Cloud Access in the left navigation.

When you try to access Cloud Commander for the first time, you are directed to the Microsoft Cloud Access.

  • If you are a Microsoft Partner with CSP customers, you need a Microsoft service account. N-able uses the service account with least privileged access in all customer tenants to connect to the Microsoft Partner Center. For more information, see Start a Cloud Commander trial and setup.
  • For Azure Resource Management, the customers must have Microsoft Azure subscriptions.

Multifactor authentication (MFA) must be enforced on all Cloud Commander accounts.

One way to enforce MFA is to enable security defaults in the Microsoft Partner Center. See the Microsoft documentation.

If a customer you wish to configure in Cloud Commander is not in your Microsoft Cloud Access customers list, you must establish a relationship with them in the Microsoft Partner Center. See the Microsoft documentation.

No, the onboarding workflow enables you to map multiple CSP customers at once. To add or remove customers, you can rerun the service and change as needed.

Mandated by Microsoft, the integration status flow is the state transition of a GDAP relationship as you move through its creation and approval process.

Status descriptions

As you onboard your customer tenants, we track their integration status using the following states:

An existing GDAP relationship in Approval pending state is not supported, and you must go to the Microsoft Partner Center to follow the manual approval process.

State Description Action
Not configured GDAP relationship not established. This status occurs when:
  • Initial status — GDAP relationship not yet defined or attempted.
  • Offboarded customer — You have offboarded the customer.
 If you want to onboard the customer, click in the Request approval column of the customer to select Enabled.
Needs approval Approval is required for the GDAP relationship. Select Copy approval to copy the link that's required to approve the GDAP request. Send the link to an administrator for the customer so they can approve the request. For instructions, see the Microsoft documentation.
Approved The GDAP relationship is fully configured and ready to use. Cloud Commander can import data from the cloud. No action required.
Issues found GDAP relationship can't be created, or it can be created but without all the required access permissions. If the customer's status changes to Issues found, select Review limitations to view more information, and then choose one of these actions:
  1. If you don't plan to manage Microsoft Azure resources for the tenant and want to accept the current relationship, select Cancel.

    The status for the tenant remains Issues found, and you can manage the tenant in Cloud Commander but without Microsoft Azure access.

  2. If you do plan to manage Microsoft Azure resources for the tenant, follow the instructions in this article to update the licenses of the tenant in your Microsoft account.

    When complete, go back to the Cloud Commander Review limitations dialog for the tenant and select Revalidate.
Awaiting Microsoft Due to the asynchronous mode of Microsoft processing external requests, this status displays when Cloud Commander is waiting for Microsoft to complete processing. No action required.

There are two scenarios:

  1. If you already have a GDAP relationship with a customer that has the necessary permissions, the customer's status updates to Approved, and Cloud Commander can import data from the cloud for the customer.
  2. If there isn't an existing GDAP relationship or if additional permissions are needed, Cloud Commander creates the relationship, but the status is Needs approval because customer approval is required. See Onboard CSP customers.

When a customer's status changes to Approved and the application starts importing data from the cloud, you will see data. For more information, see Onboard CSP customers.

Yes. For information and instructions, see Offboard your organization.

This scenario is currently not supported but it is planned. The workflow will be similar to the current Microsoft Cloud Access. Authentication as an MSP is not a required step, but authentication with the customer’s credentials is necessary, to create and configure the GDAP relationship in the same way. Non-CSP customers must be onboarded one by one.

Yes, re-run the Onboard CSP customers to add more customers.

Yes, if customers have been onboarded, you can Offboard customers. When you apply the changes, the integration status changes to Not configured. The Microsoft customer’s data is deleted from the application and the application can no longer act on the customer’s tenant.

With De-authenticate, we delete the Microsoft customer’s data from the application. We do not delete the service principal or the GDAP relationship from the customer’s tenant, but you can do that manually.

Yes, the application can be removed from the customer's Enterprise Applications in Azure. The GDAP relationship can be terminated it two ways:

Reauthenticate your organization renews the partner's Cloud Commander service account credentials to ensure they are up to date. You may need to re-authenticate if certain changes have occurred. For example, you may need to re-authenticate if your credentials change, there are multi-factor authentication (MFA) changes, or the account hasn't been used for 90 days.

GDAP relationships are created with an expiration of 730 days, which is the maximum time allowed by Microsoft. Microsoft does not support extension of GDAP relationships to ensure your end customers are actively aware that you have on-going access to their tenant.

When a GDAP relationship expires, its integration status changes to Not configured, and you must request a new GDAP relationship by onboarding that customer again and repeating the approval process.

To review and track your customers' integration status to look for expired, Not configured, customers, go to Settings > Microsoft Cloud Access in the left navigation.

  • It is an end-to-end workflow for authenticating the application with Microsoft and creating GDAP relationships with you customers' tenants so you can manage their data.
  • The registered application is verified as authentic by Microsoft.
  • It tracks the integration status of the tenants.
  • Assigns least-privileged access following zero-trust cyber security protocol.
  • It does not require additional manual configuration in the Microsoft tenant.
  • For Microsoft Partners with a reseller (CSP) account, it allows onboarding all CSP customers at once.
  • In the future it will support non-CSP tenant onboarding.

Updated: Jul 09, 2024