Microsoft Cloud | Updating Microsoft Cloud Service Inspectors for Granular Delegated Admin Privileges
Updated over a week ago

Overview

Liongard has released an update to our Microsoft Cloud Inspectors to make sure they’re ready for Microsoft’s upcoming transition from Delegated Admin Privileges (DAP) to Granular Delegated Admin Privileges (GDAP).

To keep their Parent Microsoft Cloud Inspectors working properly, Partners will need to update them using the configuration steps listed below.

Prerequisites

If you have a current Microsoft Parent inspector that is tied to a Microsoft account you use to manage customer relationships via the Microsoft Partner Center, then you will use the Multi-Tenant setup steps.

Before you can update your Multi-Tenant Microsoft Cloud Parent Inspectors in Liongard, ensure that you have successfully transitioned your customers' tenants to GDAP. To proceed, you will need to log in to your Microsoft Partner Center with a user that is assigned the Admin Agents role.

For more information on Microsoft's GDAP specifications, please visit Microsoft's documentation.

To validate that your Child Inspectors are ready for Liongard's update, ensure that each customer's GDAP relationship has the Global Administrator Azure AD role applied, and that the AdminAgents security group is assigned the Global Administrator Azure AD role for that admin relationship.
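For partners with many customers, this readiness check can be scripted. The following is an added example, not Liongard or Microsoft code: it audits records shaped like Microsoft Graph's delegatedAdminRelationship and delegatedAdminAccessAssignment resources (field names are assumed from that API), using constructed sample data and a placeholder AdminAgents group ID.

```python
# Added example (not Liongard or Microsoft code); all sample data is constructed.
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator role template ID
ADMIN_AGENTS = "11111111-1111-1111-1111-111111111111"  # placeholder AdminAgents group object ID

def role_ids(obj):
    """Role definition IDs found under accessDetails.unifiedRoles."""
    roles = obj.get("accessDetails", {}).get("unifiedRoles", [])
    return {r.get("roleDefinitionId", "").lower() for r in roles}

def audit_relationship(rel, assignments, group_id=ADMIN_AGENTS):
    """Return findings for one GDAP relationship; an empty list means ready."""
    findings = []
    if rel.get("status") != "active":
        findings.append("relationship is not active")
    if GLOBAL_ADMIN not in role_ids(rel):
        findings.append("Global Administrator missing from relationship")
    for a in assignments:
        container = a.get("accessContainer", {})
        if (a.get("status") == "active"
                and container.get("accessContainerType") == "securityGroup"
                and container.get("accessContainerId", "").lower() == group_id.lower()
                and GLOBAL_ADMIN in role_ids(a)):
            break  # AdminAgents holds Global Administrator on this relationship
    else:
        findings.append("AdminAgents not assigned Global Administrator")
    return findings

# Constructed records: (relationship, its access assignments) per customer.
GA = {"unifiedRoles": [{"roleDefinitionId": GLOBAL_ADMIN}]}
OTHER = {"unifiedRoles": [{"roleDefinitionId": "00000000-0000-0000-0000-00000000aaaa"}]}
GROUP = {"accessContainerId": ADMIN_AGENTS, "accessContainerType": "securityGroup"}
SAMPLE = [
    ({"status": "active", "customer": {"displayName": "Contoso"}, "accessDetails": GA},
     [{"status": "active", "accessContainer": GROUP, "accessDetails": GA}]),
    ({"status": "active", "customer": {"displayName": "Fabrikam"}, "accessDetails": GA},
     [{"status": "active", "accessContainer": GROUP, "accessDetails": OTHER}]),
    ({"status": "approvalPending", "customer": {"displayName": "Tailspin"}, "accessDetails": OTHER}, []),
]

def audit_all(sample=SAMPLE):
    """Map each customer display name to its list of findings."""
    return {rel["customer"]["displayName"]: audit_relationship(rel, a) for rel, a in sample}

if __name__ == "__main__":
    for customer, findings in audit_all().items():
        print(customer, "READY" if not findings else findings)
```

A customer with an empty findings list meets the prerequisite; any other result names what is missing before the Parent Inspector is reconfigured.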


Configuration Steps

Step 1: Reconfigure Parent Inspectors

Depending on the relationship to the tenant(s) that you manage, your configuration steps will be different. Microsoft Cloud Service Inspectors in Liongard will fall under one of two categories: Multi-Tenant or Single-Tenant configurations.

Setup | Description
Multi-Tenant | I have a Microsoft account I use to manage my customer relationships via the Microsoft Partner Center.
Single-Tenant | I have a Microsoft account that I access directly to manage my customer on their behalf. I do not manage this customer in the Microsoft Partner Center.



If this is a Multi-Tenant setup, ensure that you have completed the prerequisite steps as outlined above.

Identify the legacy Microsoft Cloud Parent Inspectors and edit the Inspector(s).

In Liongard, navigate to Admin > Inspectors > Inspector Types > Navigate to the Appropriate Microsoft Inspector > Select the Inspector > Navigate to the Appropriate Parent Inspector > Select the Actions button > Select Edit.

Scroll down to the System Setting section:

  • Find the Enable Multi-Tenant Application toggle. Leave the toggle on if you are setting up a Multi-Tenant Parent Inspector. Turn the toggle off if you are setting up a Single-Tenant Parent Inspector.

  • Select the "Open Microsoft Sign-In" button

  • Authenticate with either of the following credentials, depending on your tenant relationship:

    • Multi-Tenant: Sign in to the organization for the associated Tenant ID with an account that is assigned the Teams Administrator, Privileged Role Administrator, Application Administrator, Global Reader, Reports Reader, Security Reader, and Directory Writer roles for Azure AD, as well as the Admin Agents role within the Partner Center.

    • Single-Tenant: Sign in to the organization for the associated Tenant ID with an account that is assigned the Teams Administrator, Privileged Role Administrator, Application Administrator, Global Reader, Reports Reader, Security Reader, and Directory Writer roles for Azure AD.

  • Follow the prompts to accept the requested permissions by selecting the checkbox to consent, then select Accept.

  • A green check will appear to validate you successfully completed the step.

  • Select Save. The Inspector will now be triggered to run within the minute.

Microsoft Sign-In

You will need to sign in with the same account for each additional Microsoft Cloud Parent Inspector you set up. However, you will not be prompted for the permission consent again.

Step 2: Repeat the Process for all Microsoft Cloud Parent Inspectors

For any other Parent Inspectors for the same tenant, repeat the Microsoft Sign-In process in the Inspector configuration page.

Bulk Schedule to Space Out Child Inspectors

Liongard recommends spacing out the Child Inspectors for the Microsoft Cloud Inspectors in order to prevent potential API throttling. To do this, follow these steps:

  1. Select All Child Launchpoints
    Click the check mark box to select all child launchpoints in the bottom Inspector section
    Click "Actions" > "Set Inspector Schedule"

  2. Set Times to Space Out Launchpoints
    In the screen on the right, select the checkbox for "Space These Launchpoints"
    Set the interval to "5" and units to "minute(s)"

  3. Select Save

Step 3 (Optional): Remove Previous Application

The previous Microsoft 365 Inspector configuration required you to create an application within your Azure Active Directory Tenant. You may remove this application from the "Enterprise Applications" section in the associated Azure Directory Tenant.

Removing Previous Application

The new configuration steps automatically create a new application named "Liongard" with the current date in the Created On column. Refer to the Created On column to make sure the application you delete is the previous one.
