Overview 💥
With Microsoft’s implementation of Granular Delegated Admin Privileges (GDAP) and ongoing security improvements to Microsoft Entra ID, Liongard has updated the Microsoft 365 Inspector to align with these modern authentication and delegation requirements.
To successfully authenticate with Partner Center and retrieve data from all managed Microsoft 365 tenants, a valid M365 Parent Inspector must use an Entra ID account assigned with the appropriate least-privilege roles. These roles ensure Liongard can authenticate, retrieve data, and—when configured—deploy the Liongard Entra Application into child tenants for delegated inspections.
This article provides:
A complete explanation of required roles.
Why each role matters (parent vs. child tenant).
Differences between delegated-only and application-permission setups.
When and why the Liongard Enterprise Application appears in child tenants.
GDAP requirements for both permission models.
Common failure symptoms when roles are missing.
Security details regarding OAuth token handling.
Why Are Roles Required? 🤔
Liongard uses two interaction models with Microsoft:
✅ Delegated Permissions (via GDAP)
Uses the partner’s Entra ID account.
Inspects child tenants through the secure GDAP relationship.
Permissions come from role assignments given to the user inside each child tenant's GDAP relationship.
✅ Application-Based Permissions (Secure Application Model)
Liongard registers its application inside each child tenant.
Additional Graph API data is accessible.
Requires elevated roles (e.g., Privileged Role Administrator) to assign permissions.
Depending on whether your environment uses delegated-only permissions or application permissions, different roles are required.
Required Roles for the Parent (Partner) Tenant Account 🌟
The following roles are required for the M365 parent inspector account that authenticates with Partner Center and issues delegated operations:
Parent Inspector Required Roles:
Cloud Application Administrator
Directory Writers
Global Reader
Privileged Role Administrator
Reports Reader
Security Reader
Teams Administrator
Each role contributes to a comprehensive set of permissions that enables the inspector to perform its functions without compromising on the principle of least privilege.
The sections below list the recommended configuration for each expected scenario; a detailed explanation of each role is provided later in this article.
GDAP Role Requirements in Child Tenants 🧑🏫
Depending on the setup you choose, the child tenant may require different roles.
Scenario 1: GDAP WITH Application Permissions (Maximum Data Retrieval)
(Recommended for full-featured inspections using the Secure Application Model)
In this model, Liongard:
Creates/uses the Liongard Entra Application inside each child tenant.
Assigns Graph API application permissions to maximize available data.
Requires elevated GDAP roles to grant these permissions.
Required GDAP Roles (Child Tenant)
Why these roles?
Role | Purpose |
--- | --- |
Directory Writers | Required for directory reads (Directory.Read.All); Liongard only requests read scopes even though the role name suggests write capability. |
Cloud Application Administrator | Enables consent to the Liongard Entra application using the Secure Application Model (SAM). |
Privileged Role Administrator | Required to assign app-based Graph permissions within the child tenant. Without it, the SAM flow fails with a 403 from the Partner Center API. |
Scenario 2: GDAP WITHOUT Application Permissions (Delegated-Only)
(Less permissive – limited data available)
In this configuration:
No application permissions are granted in child tenants
Liongard relies exclusively on the delegated roles granted via GDAP
Some data points will not be available (Teams, SharePoint, OneDrive, MFA, etc.)
Required GDAP Roles (Child Tenant)
Directory Writers
Reports Reader
SharePoint Administrator
Security Reader
Teams Administrator
Cloud Application Administrator (recommended for SAM fallback support)
Privileged Authentication Administrator (needed for certain MFA datasets)
When Is the Liongard Entra Application Created in Child Tenants? 🐯
The application is created when:
The child tenant is being inspected.
A GDAP relationship exists between the partner and the child tenant.
The required GDAP roles exist, and admin consent is granted.
The application is not created when:
GDAP relationship does not exist.
The GDAP relationship exists but does not include required roles.
Consent has NOT been granted in the child tenant.
The inspector is only configured for the parent tenant.
The partner chooses delegated-only mode.
The child tenant is not selected for inspection.
Common Error Symptoms When Roles Are Missing 👨💻
➡️ Directory Writers missing
401 Unauthorized or 403 Forbidden on:
Directory objects
Group lifecycle policies
User directory data
➡️ Cloud Application Administrator missing
Failure during Secure Application Model consent flow
403 errors from Partner Center API
Application permissions cannot be granted
➡️ Privileged Role Administrator missing
Unable to assign Graph API application permissions
Application is created but permissions remain unassigned
Missing Teams/SharePoint/OneDrive data
➡️ Reports Reader missing
Missing:
Mailbox storage data
Licensing reports
Usage analytics
Resulting API calls: 403 Forbidden
➡️ Teams Administrator missing
Teams, Channels, team member lists do not populate
403 errors on:
…/teams
…/teams/{id}/channels
➡️ SharePoint Administrator missing
SharePoint Sites and Drives return 403 or empty results
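The following script, added here as an illustration and not part of Liongard's tooling, checks a GDAP relationship's unifiedRoles (the shape Microsoft Graph returns for a delegatedAdminRelationship) against the child-tenant role sets of Scenario 1 and Scenario 2 above, and maps each missing role to the failure symptom listed in this section. The role template IDs are assumed to be the well-known Entra built-in values and should be confirmed against your own tenant's role definitions; the sample relationship is constructed.

```python
# Well-known Entra built-in role template IDs (assumed; confirm against your
# tenant's roleDefinitions). GDAP accessDetails carry these IDs, not names.
ROLE_TEMPLATES = {
    "9360feb5-f418-4baa-8175-e2a00bac4301": "Directory Writers",
    "158c047a-c907-4556-b7ef-446551a6b5f7": "Cloud Application Administrator",
    "e8611ab8-c189-46e8-94e1-60213ab1f814": "Privileged Role Administrator",
    "4a5d8f65-41da-4de4-8968-e035b65339cf": "Reports Reader",
    "f28a1f50-f6e7-4571-818b-6a12f2af6b6c": "SharePoint Administrator",
    "5d6b6bb7-de71-4623-b4af-96380a352509": "Security Reader",
    "69091246-20e8-4a56-aa4d-066075b2a7a8": "Teams Administrator",
    "7be44c8a-adaf-4e2a-84d6-ab2649e08a13": "Privileged Authentication Administrator",
}
# Child-tenant roles the article requires for each scenario.
SCENARIOS = {
    "sam": {"Directory Writers", "Cloud Application Administrator",
            "Privileged Role Administrator"},
    "delegated": {"Directory Writers", "Reports Reader", "SharePoint Administrator",
                  "Security Reader", "Teams Administrator", "Cloud Application Administrator",
                  "Privileged Authentication Administrator"},
}
# Failure symptoms the article associates with each missing role.
SYMPTOMS = {
    "Directory Writers": "401/403 on directory objects, group policies, user data",
    "Cloud Application Administrator": "SAM consent fails; 403 from Partner Center",
    "Privileged Role Administrator": "app created but Graph permissions stay unassigned",
    "Reports Reader": "403 on mailbox storage, licensing and usage reports",
    "Teams Administrator": "403 on /teams and /teams/{id}/channels",
    "SharePoint Administrator": "SharePoint sites and drives 403 or empty",
    "Security Reader": "security alerts, Secure Score and audit logs missing",
    "Privileged Authentication Administrator": "certain MFA datasets missing",
}

def granted_roles(relationship: dict) -> set:
    """Translate a delegatedAdminRelationship's unifiedRoles into role names."""
    roles = relationship.get("accessDetails", {}).get("unifiedRoles", [])
    return {ROLE_TEMPLATES.get(r["roleDefinitionId"], r["roleDefinitionId"]) for r in roles}

def check(relationship: dict, scenario: str) -> dict:
    """Return {missing role: expected symptom}; an empty dict means the scenario is satisfied."""
    missing = SCENARIOS[scenario] - granted_roles(relationship)
    return {role: SYMPTOMS[role] for role in sorted(missing)}

# Constructed sample shaped like a Graph delegatedAdminRelationship (not real data).
SAMPLE = {"displayName": "Liongard-Inspector", "status": "active", "accessDetails": {
    "unifiedRoles": [{"roleDefinitionId": "9360feb5-f418-4baa-8175-e2a00bac4301"},
                     {"roleDefinitionId": "158c047a-c907-4556-b7ef-446551a6b5f7"}]}}
if __name__ == "__main__":
    for name, symptom in check(SAMPLE, "sam").items():
        print(f"missing {name}: {symptom}")
```

Feed it the JSON of a real relationship from the Graph delegatedAdminRelationships endpoint to see, before an inspection runs, which of the symptoms above to expect.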
Inspector Role Explanations 🚀
1️⃣ Cloud Application Administrator
Why the Parent Inspector Requires It
Needed to request admin consent for the Liongard application
Required to allow SAM-based authentication
Why GDAP Requires It
Needed to accept or apply consent inside child tenants
Without this: partner center returns HTTP 403 during the consent process
2️⃣ Directory Writers
Why the Inspector Requires It
Required for endpoints needing Directory.Read.All
Liongard only requests read scopes, even though the role name suggests write capability
Missing role triggers:
401 Unauthorized
403 Forbidden
Why GDAP Requires It
Required for delegated-only model
Enables directory-based data retrieval
3️⃣ Reports Reader
Why the Inspector Requires It
Required for:
Microsoft usage reports
Mailbox analytics
Storage reports
Licensing reports
Without it, the inspector cannot read reporting endpoints.
4️⃣ Security Reader
Why the Inspector Requires It
Required to retrieve:
Security alerts
Secure Score data
Audit logs
5️⃣ Teams Administrator
Why the Inspector Requires It
Required for any Teams/Graph delegated operations
Missing this role hides:
Teams
Channels
Membership data
6️⃣ SharePoint Administrator
Why the Inspector Requires It
Required for:
SharePoint sites
SharePoint lists
OneDrive drives
Site permissions
7️⃣ Privileged Role Administrator
Why GDAP Requires It
Needed to assign application permissions in child tenants
Required for Liongard to grant the Graph permissions necessary for full coverage
Missing this role results in incomplete data retrieval
Security: Credential & Token Storage 🚨
Liongard follows strict security best practices: Liongard does not store M365 user credentials.
Instead:
Liongard stores OAuth tokens generated via “Sign in to Microsoft”.
Tokens are:
Encrypted at rest.
Transmitted only over secure channels.
Limited by Microsoft in scope and duration.
No plaintext tokens or credentials are ever stored.
Summary 🤩
GDAP Role Requirements by Scenario:
Scenario | Application Created in Child Tenant? | Required Roles |
--- | --- | --- |
GDAP + Application Permissions (SAM) | Yes | Directory Writers, Cloud Application Administrator, Privileged Role Administrator |
GDAP Without Application Permissions (Delegated Only) | Yes | Directory Writers, Cloud Application Administrator, Reports Reader, SharePoint Administrator, Security Reader, Teams Administrator, Privileged Authentication Administrator |
No GDAP / No Delegated Permissions | No | N/A |
