Overview 💥
Liongard’s Microsoft 365 Inspector relies on an Azure AD enterprise application to authenticate, retrieve data, and perform inspections.
In some cases, partners encounter errors such as "Unable to update permissions" when modifying the Enterprise Application or re-authenticate the Inspector. These issues typically occur when the required application or permissions are missing, incomplete, or not properly consented — especially in delegated admin (child tenant) scenarios.
This guide clarifies why the app may or may not appear in child tenants, how delegated admin permissions impact inspection behavior, and how to resolve permission update failures.
Why This Happens 🤔
The Liongard Azure AD Enterprise Application may not always appear in every customer (child) tenant. Its presence depends on how Microsoft Partner Center delegation and consent flows are configured.
📌 When the Liongard App Will Appear in a Child Tenant
Admin consent was granted using:
Global admin consent for all delegated tenants.
Per-tenant consent.
Manual consent inside the child tenant.
Child tenant is being inspected or accessed using delegated permissions
📌 When the Liongard App Will Not Appear in a Child Tenant
There is no delegated admin relationship.
Consent was never granted for that tenant.
Delegated access was removed by the customer.
The Inspector is configured only for the parent tenant.
Child tenant is not being inspected.
If the app is missing or its permissions are incomplete, updates may fail — and the Inspector may return authentication or permission errors.
Steps to Resolve 👨💻
1️⃣ — Log Into the Customer’s Azure AD Portal
Sign into the child tenant (not the partner tenant).
Use a Global Admin or Cloud App Admin account.
2️⃣ — Navigate to Enterprise Applications
Azure Portal → Azure Active Directory → Enterprise Applications
Search for:
Liongard (or)
Liongard Inspector (or)
Liongard Azure AD Application
If the application is present, proceed to Step 3.
If not present, review delegated access (see Step 4).
3️⃣ — Validate Permissions
Open the Liongard Enterprise Application and:
Go to Security→ Permissions
Ensure all required API permissions appear:
Microsoft Graph → various read permissions
Ensure permissions are granted for this tenant
If anything is missing:
Add the required permissions
Click Grant admin consent
4️⃣ — If the App Is Missing in the Child Tenant
This typically means:
❌ No delegated admin relationship exists
❌ Admin consent flow wasn’t completed
❌ Partner relationship was recently removed
❌ Inspector was never intended to inspect that child tenant
Resolve by:
Confirming a valid Partner Center Delegated Admin relationship
Re-running the authorization from the parent tenant
Using the Admin Consent URL provided during Liongard setup
Manually granting consent directly in the child tenant
5️⃣ — Re-run the Inspection in Liongard
Once permissions are updated:
Go to the Microsoft 365 Launchpoint
Run the inspection again
Confirm that the permissions update resolved the failure
When the App Appears in Child Tenants 🧑🏫
Scenario | Will the Liongard App Appear in the Child Tenant? | Reason |
Delegated Admin relationship + admin consent completed | ✅ Yes | Required for delegated inspection |
No delegated admin relationship | ❌ No | Liongard cannot provision or access the tenant |
Admin consent not granted | ❌ No | Permissions cannot be applied to the child tenant |
Inspector only configured for parent tenant | ❌ No | Child tenant not being inspected |
Important Notes 🚨
🔹 Liongard does NOT automatically push the app to all child tenants.
The application appears only when Microsoft’s delegated admin model allows it, and consent has been granted.
🔹 Missing permissions = failed inspection.
Even if the app exists in the tenant, missing or incomplete permissions will trigger authentication failures.
🔹 Delegated vs. Direct Inspection matters.
If the partner only inspects the parent tenant, child-tier applications will not appear — and this is expected.
External Resource Disclaimer ‼️
This article references external Microsoft resources and tools. Liongard does not control availability, functionality, or accuracy of third-party sites. Use them as optional reference resources.
When to Contact Liongard Support 🦁
If the issue persists after following the steps above, contact Liongard Support.
Include:
Parent tenant ID
Child tenant ID
Screenshot of Enterprise Applications list
Screenshot of permission list
Any consent prompts or error messages
Logs from a Clear Cache + Debug Mode run
Recent changes to delegated admin or partner settings
Providing these upfront speeds up troubleshooting and resolution.