Onboard CSP customers

When you onboard Microsoft customers, we look for, or initiate, a Granular Delegated Admin Permissions (GDAP) GDAP is a Microsoft security feature that provides partners with least-privileged access following the Zero Trust cybersecurity protocol. It lets Microsoftpartners configure granular and time-bound access to their customers' workloads in production and sandbox environments. This least-privileged access needs to be explicitly granted to partners by their customers. relationship with each customer. When a GDAP relationship is Approved for a customer, we import their details from Microsoft in accordance with the solutions enabled in the GDAP relationship.

We track and display the status of the GDAP relationship between the customer and Cloud Commander. See Status descriptions.

During the onboarding process, Cloud Commander performs the following actions:

• Adds the Enterprise application to the customer's tenant, including the required consent permissions.
• Adds and configures all solutions for the customer that support automatic configuration.
• Creates default platform user groups for the customer if they do not already exist.
• Adds an admin user to the Platform groups.
• Assigns default platform user groups to the applicable roles for the activated solutions, scoped to the managed customers.

When you onboard a customer, you are added as a member to the default platform user groups for that customer. You are also assigned the following roles:
- User Administrators scoped to your MSP organization
- Administrators scoped to the onboarded customer
- Role Administrators scoped to the onboarded customer

Requirements

• The initial setup of Cloud Commander must be completed, and your organization must have an approved GDAP relationship.
• You must be signed in using a Cloud Commander account with the Administrators role. See Assign platform roles.

Onboard customers

1. Select Settings > Microsoft Cloud Access in the left navigation.
2. Filter or search to find the customer you want to onboard, click in the Request approval status column of the customer, and select Enabled.

   

   You can enable multiple customers now before you move to the next steps. You can also return to Microsoft Cloud Access later to add more customers.

   If you already have a GDAP relationship with a customer that has the necessary permissions, the customer's status updates to Approved, and Cloud Commander can import data from the cloud for the customer.

   

3. If there isn't an existing GDAP relationship or if additional permissions are needed, Cloud Commander creates the relationship, but the status is Needs approval because customer approval is required.

   Select Copy approval to copy the link that's required to approve the GDAP request. Send the link to an administrator for the customer so they can approve the request. For instructions, see the Microsoft documentation.

   When the customer approval is complete, the GDAP relationship status updates to Approved.

4. If the customer's status changes to Issues found, select Review limitations to view more information, and then choose one of these actions:
   1. If you don't plan to manage Microsoft Azure resources for the tenant and want to accept the current relationship, select Cancel.

      The status for the tenant remains Issues found, and you can manage the tenant in Cloud Commander but without Microsoft Azure access.

   2. If you do plan to manage Microsoft Azure resources for the tenant, follow the instructions in this article to update the licenses of the tenant in your Microsoft account.

      When complete, go back to the Cloud Commander Review limitations dialog for the tenant and select Revalidate.

5. Select Refresh at the top of the dialog, to update the customer's status.

It can take several minutes for the Microsoft process to complete. When a customer GDAP relationship is finalized, its status is Approved or Issues found, and Cloud Commander can import data from the cloud for the customer. It may take up to five minutes for the collected data to display in Cloud Commander. You can go to Identity > Users to see the imported users.

GDAP relationships are created with an expiration of 730 days, which is the maximum time allowed by Microsoft. Microsoft does not support extension of GDAP relationships to ensure your end customers are actively aware that you have on-going access to their tenant.

When a GDAP relationship expires, its integration status changes to Not configured, and you must request a new GDAP relationship by onboarding that customer again and repeating the approval process.

To rerun the Microsoft Cloud Access at any time to reconfigure existing customers or to onboard new customers, go to Settings > Microsoft Cloud Access in the left navigation.

Status descriptions

As you onboard your customer tenants, we track their integration status using the following states:

An existing GDAP relationship in Approval pending state is not supported, and you must go to the Microsoft Partner Center to follow the manual approval process.

Related articles

• What is a CSP?
• CSP vs. non-CSP tenants
• What is GDAP?

Updated: Jul 09, 2024