Overview π₯
When using the Microsoft 365 Inspector in a multi-tenant configuration, Liongard automatically discovers customer (child) tenants associated with your Microsoft Partner Center environment.
If one or more child tenants are missing from Discovered Systems, this typically indicates an issue related to:
GDAP (Granular Delegated Admin Privileges)
Microsoft Partner Center relationships
Microsoft Graph API permissions
Authentication or consent configuration
Cached discovery data
Parent Inspector failures
This guide walks through the most common causes and provides troubleshooting steps to help restore tenant discovery.
Why Does This Happen? π€
Child tenants may fail to appear for several reasons, including:
Missing or invalid GDAP relationships
The tenant not appearing in the Microsoft Graph
ContractsresourceAuthentication or admin consent issues
Parent Inspector permission failures
Microsoft Graph API throttling or outages
Stale cached discovery data
Recent customer onboarding delays
Payload processing or launchpoint creation failures
Steps to Resolve π¨βπ»
1οΈβ£ Verify the Tenant Is Not Already Discovered
Navigate to: Admin β Inspectors β Microsoft 365 β Discovered Systems
Search for the affected tenant.
If the tenant already exists:
Discovery has already completed successfully.
If the tenant is missing:
Continue with the next steps.
2οΈβ£ Check the βDiscoveredβ Array in the Parent Dataprint
Open the Parent Microsoft 365 Launchpoint
On System Details page select Data Print Explorer
Search for:
Discovered
If the client tenant appears in the array:
Check Parent inspector Payload Processing Logs for any errors during launchpoint creation.
If the tenant is not found in the
Discoveredarray, proceed to theContracts array.
3οΈβ£ Validate the βContractsβ Array
The Contracts array is what Microsoft uses to list delegated admin customers.
In the parent inspector dataprint, search for:
Contracts
If the tenant is missing from the
Contractsarray:
β Liongard cannot discover the tenant because Microsoft is not returning the delegated relationship through Graph API.
β This issue must be resolved within Microsoft Partner Center or the GDAP relationship configuration.
Reference: Microsoft Graph Contract Resource
4οΈβ£ Validate the GDAP Relationship
Sign in to: Microsoft Partner Center
Confirm the following:
The customer tenant appears under Customers
A valid GDAP/Admin Relationship exists
Required delegated roles are assigned
The relationship has not expired or been removed
The customer has not revoked delegated access
Without a valid GDAP relationship, Liongard cannot discover or inspect the tenant.
5οΈβ£ Validate Authentication and Consent
Ensure the Parent Microsoft 365 Inspector:
Has valid authentication
Has completed Microsoft admin consent
Uses an account with the required Entra ID roles
Uses Microsoft MFA enforcement
Is a member of the
AdminAgentssecurity group
If permissions or GDAP assignments were recently modified:
Edit the Parent Inspector
Select Open Microsoft Sign-In
Complete authentication again
Initiate an inspection by using the Clear Cache and Debug Mode
6οΈβ£ Verify the Parent Inspector Is Running Successfully
Discovery only occurs when the Parent Inspector completes successfully.
Common issues preventing discovery include:
Authentication failures
Expired refresh tokens
Conditional Access restrictions
API permission failures
Microsoft Graph throttling
Network or firewall restrictions
Resolve any Parent Inspector errors before troubleshooting discovery further.
7οΈβ£ Check Microsoft Service Health
Review Microsoft service health status for issues affecting:
Microsoft Graph API
Partner Center APIs
Entra ID authentication services
Useful resources:
Temporary Microsoft outages or throttling may prevent tenant discovery.
8οΈβ£ Recently Added Tenant? Allow Propagation Time
New GDAP relationships and delegated permissions may require time to propagate through Microsoft services.
Propagation can sometimes take between 2 and 24 hours.
Recommended actions:
Wait for propagation to complete
Re-run the Parent Inspector afterward
Use Clear Cache mode during the next inspection
9οΈβ£ Attempt Manual Discovery
If auto-discovery fails:
Add the client tenant manually as a new inspector.
Attempt authentication
If this fails β relationship or permissions are broken.
If this succeeds β auto-discovery is the only failing component.
Discovery Flowchart π
START
β
βΌ
Is the tenant listed in Discovered Systems?
β βββ YES β Done
βΌ
Check Dataprint β Discovered array
β
Is the tenant listed?
β βββ YES β Check inspection logs
βΌ
Check Contracts array
β
Is the client tenant listed?
β βββ NO β Fix Partner Center relationship
βΌ
Validate permissions & consent
β
Inspector running successfully?
β βββ NO β Fix Inspector errors
βΌ
Check Microsoft service health
β
Still not discovered?
βΌ
Contact Liongard Support
Important Notes π¨
GDAP Relationships Are Required
Liongard relies on Microsoft GDAP relationships to enumerate and inspect delegated customer tenants. Without a valid delegated relationship, tenants cannot be discovered.
The Contracts Array Is Microsoft-Controlled
Liongard does not generate or manage the Contracts resource. If a tenant is missing from the array, Microsoft is not exposing the delegated relationship through Graph API.
AdminAgents Membership Is Still Required
Even if custom security groups are used for Admin Relationships, the account authenticating the Parent Inspector must still belong to the AdminAgents security group.
When to Contact Liongard Support π¦
If the issue persists after completing all troubleshooting steps, contact Liongard Support and provide:
Parent Inspector name
Missing tenant name
Screenshot of the
DiscoveredarrayScreenshot of the
ContractsarrayParent Inspector logs
Confirmation of GDAP relationship status
Any recent Partner Center or onboarding changes
Clear Cache + Debug Mode logs
Providing this information upfront significantly accelerates investigation and resolution.
External Resource Disclaimer βΌοΈ
This article references external Microsoft resources and tools. Liongard does not control availability, functionality, or accuracy of third-party sites. Use them as optional reference resources.