Onboard new tenants

To administer tenants in Cloud Commander, you must onboard them first. You can onboard tenants for:

CSP tenants: Customers you have a Cloud Service Provider (CSP) agreement with. The tenant source is Microsoft Partner Center.
Non-CSP tenants: Customers you don't have a CSP agreement with. The tenant source is Microsoft 365.

During the onboarding process, Cloud Commander performs the following actions:

Adds the Enterprise application to the customer's tenant, including the required consent permissions.
Adds and configures all solutions for the tenant that support automatic configuration.
Creates default platform user groups for the tenant if they do not already exist.
Adds an admin user to the Platform groups.
Assigns default platform user groups to the applicable roles for the activated solutions, scoped to the managed tenants.

When you onboard a tenant, you are added as a member to the default platform user groups for that tenant. You are also assigned the following roles:
- User Administrators scoped to your MSP organization.
- Administrators scoped to the onboarded tenant.
- Role Administrators scoped to the onboarded tenant.

Requirements for tenant onboarding

The initial setup of Cloud Commander must be completed, and your organization must have an approved GDAP relationship.
You must be signed in using a Cloud Commander account with the Administrators role.

CSP tenants

A CSP tenant is managed by a Cloud Service Provider (CSP).

When you onboard CSP tenants, we look for, or initiate, a Granular Delegated Admin Permissions (GDAP) relationship with each tenant. When a GDAP relationship is Approved for a tenant, we import their details from Microsoft in accordance with the solutions enabled in the GDAP relationship.

We track and display the status of the GDAP relationship between the CSP tenant and Cloud Commander. See Status descriptions.

Onboard CSP tenants

In the left navigation, select Settings > Microsoft Cloud Access.
Filter or search to find the tenant you want to onboard.
Select the checkbox for the tenant and select Set as active.
You can set multiple tenants to active now before you move to the next steps. You can also return to Microsoft Cloud Access later to add more tenants.
If you already have a GDAP relationship with a tenant that has the necessary permissions, the status updates to Approved, and Cloud Commander can import data from the cloud for the tenant.
If there isn't an existing GDAP relationship or if additional permissions are needed, Cloud Commander creates the relationship, but the status is Pending approval because customer approval is required.
1. Select the checkbox for the tenant and select Establish GDAP relationship.
  A dialog displays an approval template message and link to send to the customer.
2. Copy the message and send it to an administrator for the customer so they can approve the request. For instructions, see the Microsoft documentation.
  When the customer approval is complete, the GDAP relationship status updates to Approved.
  Due to Microsoft limitations, it can take up to 24 hours for the Microsoft GDAP relationship process to complete and be available in the APIs.
Refresh the page from the top of the dialog, to update the tenant's status.

It generally takes a few minutes, but can take up to 24 hours, for the Microsoft process to complete and be available in the APIs. When the GDAP relationship is finalized, the status is set to Approved, and Cloud Commander can import data from the cloud for the tenant. It may take up to five minutes for the collected data to display in Cloud Commander. You can go to Identity > Users to see the imported users.

GDAP relationships are created with an expiration of 730 days, which is the maximum time allowed by Microsoft. To ensure your customers are aware that you have ongoing access to their tenant, we recommend not using any GDAP Autoextend functions.

When a GDAP relationship expires, its GDAP relationship status changes to Needs approval, and you must request a new GDAP relationship by onboarding that tenant again and repeating the approval process.

Non-CSP tenants

Non-CSP tenants are tenants without a partner relationship, or tenants that have a relationship to another partner other than you. Some customers may have multiple partners, pay-as-you-go agreements, or Enterprise Agreements. Customers may use an MSP for a variety of services but may not want to join their tenant into your CSP agreement.

However, you may still want to administer these non-CSP tenants the same way you administer CSP tenants.

For you to administer non-CSP tenants in Cloud Commander, we create a guest account for you in the customer's tenant. The customer must approve the creation of that guest account, and after the guest account is created, customer approval is again required to connect your organization with the guest account.

We track and display the status of the guest account in the non-CSP tenant. See Guest account states.

Onboard non-CSP tenants

In the left navigation, select Settings > Microsoft Cloud Access.
Select Add a tenant.
Enter a temporary Tenant Name for the tenant in Cloud Commander until the full relationship is established. The true name of the tenant, based on the tenant ID, is imported from Microsoft during onboarding.
Enter the unique Tenant ID for the tenant. For instructions to find your Microsoft Entra tenant ID, see the Microsoft documentation.
Enter a Guest account email address that we can use to create a guest account.
Select Add tenant.
The new tenant displays in the Microsoft Cloud Access list of tenants. For now, the tenant is Inactive, not registered with the Cloud Commander application, and has a Guest account status of Needs approval. No account connection exists for the tenant yet because customer approval is required.
Request customer approval to create a guest account in their tenant:
1. Select the checkbox for the new tenant and select Request customer approval.
  The Request Customer Approval dialog displays an approval template that includes the link to authorize the guest account creation.
2. Select Copy message to clipboard and send the message to a global administrator for the customer so they can approve the request. When the customer clicks the Customer Consent Link, they:
  1. Sign into Microsoft using Admin account credentials for their organization.
  2. Review the permissions requested and select Accept.
    To follow least privilege practice, we recommend not selecting Consent on behalf of your organization. Doing so may grant unintended elevated privileges to users in your organization.
  After the customer approves the request, the guest account is created, and Microsoft sends an email invitation to the guest account email you entered earlier.
  Now the tenant is Pending, not registered with the application, and has a Guest account status of Pending approval.
Accept the guest account invitation and accept the consent permissions for Cloud Commander to access the non-CSP tenant data:
1. Go to the guest email account you are using, open the email invitation received from Microsoft, and select Accept invitation.
2. Sign into Microsoft using your guest account credentials.
3. Review the permissions requested and select Accept.
4. Follow the prompts to set up multifactor authentication if that is not already done for the account.
5. Review the permissions requested and select Accept.
  To follow least privilege practice, we recommend not selecting Consent on behalf of your organization. Doing so may grant unintended elevated privileges to users in your organization.
  Now the tenant is Pending, registered with the application, and has a Guest account status of Finalize approval.
Select the checkbox for the new tenant and select Finalize approval.
Now the tenant is Active, registered with the application, and has a Guest account status of Approved.

GDAP relationship states

As you onboard your CSP tenants, we track their GDAP relationship approval status using the following states:

An existing GDAP relationship in Approval pending state is not supported, and you must go to the Microsoft Partner Center to follow the manual approval process.

GDAP status	Description	Action
Needs approval	The GDAP relationship is not established and must be requested. This status occurs when: Initial status — GDAP relationship not yet defined or attempted. Offboarded tenant — You have offboarded the tenant.	To onboard the CSP tenant, select the checkbox for the tenant and select Set as active.
Pending approval	The request for approval is sent but is not approved yet.	Select the checkbox for the tenant and select Establish GDAP relationship.
Approved	The GDAP relationship is fully configured and ready to use. Cloud Commander can import data from the cloud.	No action required.
-	When the GDAP relationship is blank, the tenant is a non-CSP tenant whose source is Microsoft 365.	See Onboard non-CSP tenants.

Guest account states

The Guest account column indicates the approval status of a Cloud Commander guest account on the tenant.

Guest account status	Description	Action
Needs approval	No account connection exists between Cloud Commander and the tenant.	Select the checkbox for the tenant you want to add and select Request customer approval.
Pending approval	The guest account request is approved by the customer, but the connection between Cloud Commander and the tenant is not approved.	Accept the email invitation from Microsoft and sign into the tenant to accept the permissions consent to register the Cloud Commander application with the tenant.
Finalize approval	The Cloud Commander application is registered with the tenant, but you must finalize the connection.	Select the checkbox for the tenant and select Finalize approval.
Approved	A Cloud Commander guest account is successfully created on the tenant.	No action required.
-	When the Guest account is blank, the tenant is a CSP tenant whose source is the Microsoft Partner Center.	See Onboard CSP tenants.

Updated: Sep 30, 2024