With Microsoft's implementation of Granular Delegated Admin Privileges (GDAP), Liongard has updated the Microsoft 365 (M365) inspector to align with these new protocols. To accurately configure an M365 parent inspector within this framework, it is necessary to utilize an Entra ID account that possesses specific roles for authentication with Partner Center and associated M365 tenants.
Required Roles:
Cloud Application Administrator
Directory Writers
Global Reader
Privileged Role Administrator
Reports Reader
Security Reader
Teams Administrator
Each role contributes to a comprehensive set of permissions that enables the inspector to perform its functions without compromising on the principle of least privilege.
Below, we have listed the recommended configuration steps for various expected scenarios:
Inspecting Multi-Tenant Entra ID/Microsoft 365 Tenants with GDAP Relationships:
Liongard utilizes the Secure Application Model, ensuring that our inspector can only access the data available to the M365 user account used during the parent inspector setup process. Liongard offers the option to add application-based Graph API permissions to the Liongard application created within child tenant environments to maximize the retrieval of critical data. This option is completely optional and requires the following roles to be present in each child tenant GDAP relationship:
GDAP Relationship Required Roles:
Directory Writers
Cloud Application Administrator
Privileged Role Administrator
M365 inspector configuration page:
Example Partner Center GDAP relationship:
In the screenshot above, all Microsoft Entra roles were requested for the GDAP relationship, allowing the admin to freely assign or remove any required roles. If the relationship does not already include the roles required for the Liongard Entra application, a new relationship will need to be requested.
Inspecting Multi-Tenant Entra ID/Microsoft 365 Tenants with GDAP Relationships Without Application Permissions
For partners who choose to exclude the "Privileged Role Administrator" from their GDAP relationships or prefer only to authorize delegated permissions for the Liongard application at the child tenant level, we recommend the following roles for each GDAP relationship. Please note that utilizing this less permissive method will make some data points unavailable in the Liongard M365 inspector.
GDAP Relationship Required Roles:
Directory Writers
Reports Reader
SharePoint Administrator
Security Reader
Teams Administrator
Microsoft 365 inspector configuration page:
Inspector Roles Explanations:
For a full breakdown of Microsoft Entra’s roles and the associated permissions, please visit: Microsoft Entra built-in roles - Microsoft Entra ID | Microsoft Learn
Cloud Application Administrator:
Why does the M365 parent inspector require it?
Liongard utilizes this role to request consent for the Liongard Application from the parent tenant.
Why does the GDAP relationship require it?
Liongard utilizes this role to acquire consent for the Liongard Application from the child tenant using the SAM authentication flow. When this role is unavailable, the graph API returns a 403 HTTP error from the Partner Center API, indicating that an account without this role lacks the requisite permissions.
Directory Writers:
Why does the M365 inspector require it?
The Directory Writers role is required to access any endpoint that needs a Directory.Read.All scope, such as
https://graph.microsoft.com/v1.0/groupLifecyclePolicies
A GDAP Directory Writers role must be set up for endpoints that rely on this scope to functionLiongard only requests the Read scope and does not write any information. Permissions in Microsoft work as a union of roles and scopes. To write, we would need to request the Directory.ReadWrite.All scope, which Liongard does not use. If the Directory Writers role is not set up, we receive a 401 error from this endpoint (and potentially others).
Reports Reader:
Why does the M365 inspector require it?
Without this role, data surfaced by Microsoft reports can not be acquired (e.g. Mailbox data storage data, user data, and licensing data), as Liongard lacks the required permissions. Any endpoints responsible for populating report data will fail with a 403 error
Teams Administrator:
Why does the M365 inspector require it?
Without this role Teams, Teams Channels, and Teams Member data cannot be retrieved from the Graph API through delegated permissions.
SharePoint Administrator
Why does the M365 inspector require it?
Without this role SharePoint site and drive data cannot be retrieved from the Graph API through delegated permissions.
Privileged Role Administrator
Why does the GDAP relationship require it?
Liongard requires this role to add and consent to application-based Graph API permissions for the Liongard Entra application in the target child tenant instance. This access is granted through a secure sign-in process utilizing the Secure Application model.
Does Liongard store the M365 account credentials?
Liongard does not store the M365 account credentials. As per security best practices, Liongard does not keep the actual account credentials used to authenticate with Microsoft services.
Liongard does store an OAuth token generated when using the “Sign-in to Microsoft” button within the inspector. This token is then used for subsequent inspections, which avoids the need to store and use the actual credentials each time. Tokens that can be limited in scope and durationenhance security.
Furthermore, these OAuth tokens are never stored in plain text and are always transmitted encrypted and over safe channels.