All Collections
Inspectors
Microsoft Cloud
Microsoft Cloud | Updating Microsoft Cloud Service Inspectors for Granular Delegated Admin Privileges
Microsoft Cloud | Updating Microsoft Cloud Service Inspectors for Granular Delegated Admin Privileges
Updated over a week ago

Overview

Liongard has released an update to our Microsoft Cloud Inspectors to make sure they’re ready for Microsoft’s upcoming transition from Delegated Admin Privileges (DAP) to Granular Delegated Admin Privileges (GDAP).

Partners will need to update their Parent Microsoft Cloud Inspectors for them to continue working properly using the configuration steps listed below.

Prerequisites

If you have a current Microsoft Parent inspector that is tied to a Microsoft account you use to manage customer relationships via the Microsoft Partner Center, then you will use the Multi-Tenant setup steps.

Before you can update your Multi-Tenant Microsoft Cloud Parent Inspectors in Liongard, ensure that you have successfully transitioned your customers' tenant to GDAP. In order to proceed, please note that you will need to login to your Microsoft Partner Center with a user that is assigned the Admin Agents role.

For more information, please watch this video for a detailed walkthrough of this process or visit Microsoft's documentation.

In order to validate that your Child Inspectors are ready for Liongard's update, ensure that your customers' GDAP relationship has the Global Administrator Azure AD role applied in addition to the AdminAgents security group assigned with the Global Administrator Azure AD role for that admin relationship, as shown below.


Configuration Steps

Step 1: Reconfigure Parent Inspectors

Depending on the relationship to the tenant(s) that you manage, your configuration steps will be different. Microsoft Cloud Service Inspectors in Liongard will fall under one of two categories: Multi-Tenant or Single-Tenant configurations.

Setup

Description

Multi-Tenant

I have a Microsoft account I use to manage my customer relationships via the Microsoft Partner Center.

Single-Tenant

I have a Microsoft account that I access directly to manage my customer on their behalf. I do not manage this customer in the Microsoft Partner Center



If this is a Multi-Tenant setup, ensure that you have completed the prerequisite steps as outline above.

Identify the legacy Microsoft Cloud Parent Inspectors and edit the Inspector(s).

In Liongard, navigate to Admin > Inspectors > Inspector Types > Navigate to the Appropriate Microsoft Inspector > Select the Inspector > Navigate to the Appropriate Parent Inspector > Select the Actions button > Select Edit.

Scroll down to the System Setting section:

  • Find the Enable Multi-Tenant Application toggle. Leave the toggle on if you are setting up a Multi-Tenant Parent Inspector. Turn the the toggle off if you are setting up a Single-Tenant Parent Inspector.

  • Select the "Open Microsoft Sign-In" button

  • Authenticate with either of the following credentials, depending on your tenant relationship:

    • Multi-Tenant: Sign-in the organization for the associated Tenant ID with an account that is assigned the Application Administrator, Global Reader, Reports Reader, Security Reader, and Directory Writer roles for Azure AD as well the Admin Agents role within the Partner Center.

    • Single-Tenant: Sign-In into the organization for the associated Tenant ID with an account that is assigned the Application Administrator, Global Reader, Reports Reader, Security Reader, and Directory Writer roles for Azure AD.

  • Follow the prompts to accept the requested permissions by selecting checkbox to consent and select Accept

  • A green check will appear to validate you successfully completed the step.

  • Select Save. The Inspector will now be triggered to run within the minute.

Microsoft Sign-In

You will need to sign in to for each additional Microsoft Cloud Parent Inspector you set up by signing in with the same account. However, you will not be prompted for the permissions consent.

Step 2: Repeat the Process for all Microsoft Cloud Parent Inspectors

For any other Parent Inspectors for the same tenant, repeat the Microsoft Sign-In process in the Inspector configuration page.

Bulk Schedule to Space Out Child Inspectors

Liongard recommends to space the Child Inspectors for the Microsoft Cloud Inspectors in order to prevent potential API throttling. To resolve this, follow these steps:

  1. Select All Child Launchpoints
    Click the check mark box to select all child launchpoints in the bottom Inspector section
    Click "Actions" > "Set Inspector Schedule"

  2. Set Times to Space Out Launchpoints
    In the screen on the right, select the checkbox for "Space These Launchpoints"
    Set the interval to "5" and units to "minute(s)"

  3. Select Save

Step 3 (Optional): Remove Previous Application

The previous Microsoft 365 Inspector configuration required you to create an application within your Azure Active Directory Tenant. You may remove this application from the "Enterprise Applications" section in the associated Azure Directory Tenant.

Removing Previous Application

The new configuration steps automatically creates a new application named "Liongard" with the current date in the Created On column. Be sure to refer to the Created On column to ensure you delete the previous application.

Did this answer your question?