Set up tenants in Cloud Commander

This article guides you through the process of setting up your customers' tenants in Cloud Commander. The goal is to get your customer's approval so we can display their tenant data. Once the setup is successful, the tenant is enabled, available in the customer selector, and you can begin to monitor and manage it in Cloud Commander.

This article includes the following instructions:

Prerequisites

  • Your need the Cloud Commander Microsoft Cloud Access Administrators role or be a member of a group with that role.
  • To access your customer tenants using Cloud Commander, ensure your customers don't have Conditional Access policies that block your access. See Set up your customer's Conditional Access policies.

Set up CSP tenants

A CSP tenant belongs to a customer you have a CSP agreement with, and its source is the Microsoft Partner Center.

Our progress tracker will walk you through the tenant setup in Microsoft Cloud Access. The progress tracker shows the setup progress and provides a description of what is happening, and the Status column in the tenant list shows the current state of the tenant.

  1. In Cloud Commander, go to the Microsoft Cloud Access view by going to Settings > Microsoft Cloud Access in the left navigation.
  2. Select a tenant and click Start tenant set up to begin. A CSP tenant has Microsoft Partner Center listed in the Source column.

    3. The right panel opens and shows the tenant's setup progress through the following steps. Here's the progress tracker for a completed tenant setup.

    If you navigate away from the Microsoft Cloud Access view or the progress tracker, the setup continues. You can also have multiple tenants setting up at the same time.

Create customer

First, we create a new customer record in Cloud Commander for the customer tenant. This is usually a quick process that takes a few seconds.

Establish an admin relationship

Next, we check if the customer tenant has been previously set up in Cloud Commander. If it has, we reuse that admin relationship.

If not, we create a new admin relationship between your partner tenant and the customer tenant with the necessary permissions.

Get admin relationship approval

We check if the customer has already approved the admin relationship from a previous Cloud Commander setup.

If the customer hasn't approved the admin relationship yet, you need to request approval.

We provide a message template to copy and send to your customer to request approval. If you prefer to write your own message, copy the authorization link from the template and send it to your customer. Here are the steps to make the request:

  1. In the progress tracker, select View approval message template.
  2. Copy the message template or the authorization link and click Okay.
  3. Send the message or authorization link to a global administrator for the customer so they can approve the request.

    The customer Admin account must have multi-factor authentication (MFA) enabled.

When the customer clicks the link, they:

  1. Sign into Microsoft using their Admin account credentials, including MFA, for their organization.
  2. Review the permissions requested and select Accept.

    To follow least privilege practice, we recommend not selecting Consent on behalf of your organization. Doing so may grant unintended elevated privileges to users in your organization.

Now we have to wait for your customer to approve the admin relationship in the Microsoft Partner Center. We automatically keep checking Microsoft for the admin relationship approval.

After the admin relationship is approved, there may be a delay of up to 5 minutes before the approval is synchronized from Microsoft Partner Center to Cloud Commander.

Finalize relationship

After the admin relationship is approved and synchronized, we register the Cloud Commander application with the customer tenant to finalize the relationship. This involves getting permissions and access from the customer tenant so that we can manage customer tenant applications such as users, groups, authentication methods, licenses, and more.

When the relationship is finalized, we can access the customer tenant information from Microsoft and begin to set up Cloud Commander capabilities for the tenant.

To help troubleshoot issues you encounter during this step, we include the following error details if they are available:

  • Microsoft error details: Can include an error code, a Microsoft response message, a timestamp from the Microsoft record, and a Correlation ID, which is an automatically generated unique identifier (GUID) for the request.
  • Cloud Commander error details: Include a Tracking ID and an Event ID.

For more information, see Troubleshoot errors in Cloud Commander.

Set up groups and roles

In this step, we set up the Cloud Commander groups and roles for the user who is setting up the tenant. This means we assign you to the Default platform user groups scoped to the tenant so that you can monitor and manage it.

Sync all users

Next, we synchronize the customer tenant Microsoft Entra ID users with Cloud Commander so that you can view all the customer tenant's users in Cloud Commander. This can take a few minutes.

Schedule reports

In the last step of the progress tracker, we schedule the Microsoft Secure Score report and the Microsoft Available Licenses report to run daily for the customer tenant. The reports update every day at midnight. This means that the reports for this new customer tenant will be empty until the update runs for the first time at midnight.

Successful tenant setup

When the progress tracker completes successfully, the customer tenant is enabled, available in the customer selector, and you can begin to monitor and manage it in Cloud Commander.

If the tenant is Enabled with limitations, the tenant is set up in Cloud Commander, but you'll need to request additional permissions approval from your customer before you can use all the Cloud Commander features. For instructions, see Request additional permissions for tenants.

Admin relationships with GDAP are created with an expiration of 730 days, which is the maximum time allowed by Microsoft. To ensure your customers are aware that you have ongoing access to their tenant, we do not recommend automatically extending the admin relationship.

When an admin relationship expires, you must request a new admin relationship by setting up that tenant again and repeating the approval process.

Set up non-CSP tenants

A non-CSP tenant belongs to a customer you don't have a CSP agreement with and its source is Microsoft 365.

A non-CSP tenant may not have a partner relationship, or it may have a relationship to another partner other than you. Some customers may have multiple partners, pay-as-you-go agreements, or Enterprise Agreements. Customers may use an MSP for a variety of services but may not want to join their tenant into your CSP agreement.

However, you can still administer these non-CSP tenants the same way you administer CSP tenants.

Add non-CSP tenant

  1. In the left navigation, select   SettingsMicrosoft Cloud Access.
  2. Select Add a tenant.
  3. Enter a temporary Tenant Name for the tenant in Cloud Commander until the full relationship is established. The true name of the tenant, based on the tenant ID, is accessed from Microsoft during the setup.
  4. Enter the unique Tenant ID for the tenant. For instructions to find your Microsoft Entra tenant ID, see the Microsoft documentation.
  5. Enter a Guest account email address to create a guest account for yourself in the tenant. The email must belong to your MSP tenant and be able to receive emails to accept the guest account invitation.
  6. Select Add tenant.

The non-CSP tenant displays in the Microsoft Cloud Access list of tenants. No account connection exists for the tenant yet because customer approval is required.

Get approval to create a guest account in the customer tenant

We create a guest account in the customer tenant so you can authenticate as the guest and accept the permissions for Cloud Commander.

  1. Select the tenant and select Request customer approval.

    An approval message template displays with a link to authorize the guest account creation.

  2. Select Copy message to clipboard and send the message to a global administrator for the customer to approve the request. When the customer clicks the link, they:
    1. Sign into Microsoft using an Admin account for their organization.
    2. Review the permissions requested and select Accept.

      To follow least privilege practice, we recommend not selecting Consent on behalf of your organization. Doing so may grant unintended elevated privileges to users in your organization.

After the customer approves the request, the guest account is created, and Microsoft sends an email invitation to the guest account email you entered earlier.

Accept the guest account invitation

If you don't receive an email invitation from Microsoft, check your spam folder.

  1. Go to the guest email account, open the email invitation from Microsoft, and select Accept invitation.
  2. Sign into Microsoft using your guest account credentials.
  3. Review the permissions requested and select Accept.

  4. If multi-factor authentication is not already set up for the account, follow the prompts to set it up.

Accept the permissions for Cloud Commander to access the tenant

  • After you authenticate with the guest account, you are prompted to review the permissions requested and select Accept.

    To follow least privilege practice, we recommend not selecting Consent on behalf of your organization. Doing so may grant unintended elevated privileges to users in your organization.

Now the tenant is registered with the Cloud Commander application.

Finalize approval

  • In the Microsoft Cloud Access view, select the tenant and select Finalize approval.

Now the non-CSP tenant is enabled and available in the Cloud Commander customer selector.

Next steps

Related articles

Updated: Mar 21, 2025