Prerequisites:
For a successful GDAP setup, you'll need a Microsoft-standard security posture, established GDAP relationships, and a valid Microsoft token (one that carries MFA) obtained at login:
Security Posture: To manage your customers in Microsoft Partner Center, Microsoft MFA enforcement is a must. If you use a third-party MFA provider such as Okta, Duo, or OneLogin, Microsoft MFA enforcement is still required for the account that registers the Liongard app. Verify MFA enforcement by navigating to Conditional Access Policy under Security in Azure AD. If no such policy exists, check whether Security defaults are enabled under Azure AD properties. If neither is present, consult your security officer on how to proceed. Without meeting Microsoft's security requirements, you cannot use Partner Center to manage your customers, either through the Partner Center portal or via the API.
GDAP Relationships: After setting up security per Microsoft's guidelines, establish GDAP relationships with your partners. Follow our guide, or reach out for assistance.
Token Authentication: To avoid issues with cached credentials, log in to Liongard using an incognito window or a clean browser. When signing in to Microsoft from the parent inspector configuration (Admin -> Inspectors -> Microsoft Suites inspector -> Edit -> Open Microsoft Sign-In), make sure Microsoft prompts you for MFA. If your policy lets trusted IP ranges bypass MFA, connect from a hotspot or similar network so that Microsoft enforces the prompt. This step is crucial: the token we use to communicate with Microsoft's Partner Center must carry the MFA claim. Once complete, run the Parent Inspector, followed by the Child Inspector(s).
Addressing 400 Errors from Inspectors:
A common cause of the 400 error is a Conditional Access policy in the child tenant that blocks the authentication attempt from the parent tenant. The easiest way to identify which CA policy is the culprit is to review the sign-in logs on the child tenant's Conditional Access page in Azure:
Connect to the child Azure AD tenant.
Navigate to Security > Conditional Access > Sign-In Logs.
Select the "user logins (non-interactive)" log group.
Look for the failed authentication attempt from the parent tenant.
Once found, the log should show which CA policies were applied and what conditions the authentication attempt failed to meet.
Edit the policy that is blocking the authentication attempt, add an exception for the parent tenant, and save the policy.
When adding the exception, apply the following settings:
Check the "Guest or external users" box.
Select the "Service Provider Users" option in the drop-down.
Tick the "Select" radio button.
Click the blue link that says "0 Azure AD organizations selected" and add your parent tenant. (Note: You may not find the parent tenant by searching for the name. If you experience this, copy the tenant ID from the parent tenant and paste it into the field.)
Run the child inspector again; it should now complete successfully. If not, check the child Azure AD tenant's CA sign-in logs again to see whether another CA policy is blocking the authentication attempt.
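When a child tenant produces many sign-in events, scanning the portal for the one failed attempt from the parent tenant can be slow. The following script is an added example (not Liongard's or Microsoft's code) that applies the same triage to an exported sign-in log: it keeps only failed non-interactive sign-ins whose home tenant is the parent tenant and counts which Conditional Access policies reported a failure against them. It assumes the records are shaped like the Microsoft Graph `signIn` resource (fields such as `homeTenantId`, `signInEventTypes`, `status` and `appliedConditionalAccessPolicies`); check the field names against your own export. The tenant IDs and records below are constructed samples, not real data.

```python
"""Find which Conditional Access policy is blocking the parent tenant.

Added example (not Liongard's or Microsoft's code). Assumes sign-in
records exported in the shape of the Microsoft Graph `signIn` resource;
verify field names against your own export. All IDs and records below
are constructed samples.
"""
from collections import Counter

PARENT_TENANT_ID = "11111111-1111-1111-1111-111111111111"  # placeholder, not a real tenant
CHILD_TENANT_ID = "22222222-2222-2222-2222-222222222222"   # placeholder, not a real tenant

# Constructed sample export: two blocked non-interactive sign-ins from the
# parent tenant, one unrelated interactive sign-in, and one later success.
SAMPLE_SIGNINS = [
    {
        "createdDateTime": "2024-01-10T12:00:00Z",
        "userPrincipalName": "inspector@parent.example",
        "homeTenantId": PARENT_TENANT_ID,
        "resourceTenantId": CHILD_TENANT_ID,
        "signInEventTypes": ["nonInteractiveUser"],
        "status": {"errorCode": 53003,
                   "failureReason": "Blocked by Conditional Access policies."},
        "appliedConditionalAccessPolicies": [
            {"id": "ca-1", "displayName": "Block sign-ins outside corporate IPs",
             "result": "failure", "enforcedGrantControls": ["Block"]},
            {"id": "ca-2", "displayName": "Require MFA for all users",
             "result": "success", "enforcedGrantControls": ["Mfa"]},
        ],
    },
    {
        "createdDateTime": "2024-01-10T12:05:00Z",
        "userPrincipalName": "inspector@parent.example",
        "homeTenantId": PARENT_TENANT_ID,
        "resourceTenantId": CHILD_TENANT_ID,
        "signInEventTypes": ["nonInteractiveUser"],
        "status": {"errorCode": 53003,
                   "failureReason": "Blocked by Conditional Access policies."},
        "appliedConditionalAccessPolicies": [
            {"id": "ca-1", "displayName": "Block sign-ins outside corporate IPs",
             "result": "failure", "enforcedGrantControls": ["Block"]},
        ],
    },
    {   # a child-tenant user's own interactive sign-in: unrelated, must be ignored
        "createdDateTime": "2024-01-10T12:06:00Z",
        "userPrincipalName": "alice@child.example",
        "homeTenantId": CHILD_TENANT_ID,
        "resourceTenantId": CHILD_TENANT_ID,
        "signInEventTypes": ["interactiveUser"],
        "status": {"errorCode": 50126, "failureReason": "Invalid username or password."},
        "appliedConditionalAccessPolicies": [
            {"id": "ca-2", "displayName": "Require MFA for all users",
             "result": "notApplied", "enforcedGrantControls": []},
        ],
    },
    {   # the parent tenant succeeding after the exception was added: also ignored
        "createdDateTime": "2024-01-10T13:00:00Z",
        "userPrincipalName": "inspector@parent.example",
        "homeTenantId": PARENT_TENANT_ID,
        "resourceTenantId": CHILD_TENANT_ID,
        "signInEventTypes": ["nonInteractiveUser"],
        "status": {"errorCode": 0, "failureReason": "Other."},
        "appliedConditionalAccessPolicies": [
            {"id": "ca-1", "displayName": "Block sign-ins outside corporate IPs",
             "result": "notApplied", "enforcedGrantControls": []},
        ],
    },
]


def failed_parent_signins(signins, parent_tenant_id):
    """Yield failed non-interactive sign-ins whose home tenant is the parent tenant."""
    for rec in signins:
        if rec.get("homeTenantId") != parent_tenant_id:
            continue
        if "nonInteractiveUser" not in rec.get("signInEventTypes", []):
            continue
        if rec.get("status", {}).get("errorCode", 0) == 0:  # 0 means success
            continue
        yield rec


def blocking_policies(signins, parent_tenant_id):
    """Return [((policy id, display name), failure count), ...], most frequent first."""
    counts = Counter()
    for rec in failed_parent_signins(signins, parent_tenant_id):
        for pol in rec.get("appliedConditionalAccessPolicies", []):
            if pol.get("result") == "failure":
                counts[(pol.get("id"), pol.get("displayName"))] += 1
    return counts.most_common()


if __name__ == "__main__":
    for (pid, name), n in blocking_policies(SAMPLE_SIGNINS, PARENT_TENANT_ID):
        print(f"{n} blocked sign-in(s) by policy {pid} ({name}); "
              f"add an exception for the parent tenant and re-run the child inspector")
```

Only policies whose `result` is `failure` are counted; policies listed as `success` or `notApplied` on the same event are not what is blocking the token, so they are left out of the report.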
Risky Users
The 400 errors can also appear when the account used to authenticate the parent inspector appears in the "Risky users" list of the parent tenant. To resolve this, sign in to your parent Azure AD tenant and dismiss the risky-user alert for that account. Then run your inspectors again.
Missing Security Group or Roles
These errors can also surface when the AdminAgents security group and the required Azure AD roles have not been added to the admin relationships for your child tenants in Partner Center. Follow these steps in Microsoft's Partner Center:
Ensure each customer's GDAP relationship includes the Cloud Application Administrator, Directory Writers, Global Reader, Security Reader, Teams Administrator, and Reports Reader Azure AD roles.
Within the admin relationship, add the AdminAgents security group with the same six Azure AD roles.
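Both checks above (the roles on the relationship itself, and the roles granted to AdminAgents within it) can be verified against the GDAP objects rather than by eye. The following is an added example, not Liongard's or Microsoft's code. It assumes objects shaped like the Microsoft Graph `delegatedAdminRelationship` and `delegatedAdminAccessAssignment` resources, where `accessDetails.unifiedRoles` holds `roleDefinitionId` values, and it maps those IDs to names using the Azure AD built-in role template IDs as I know them; verify that mapping against your tenant's directory role templates before relying on it. The AdminAgents group ID and the sample objects are constructed.

```python
"""Check a GDAP relationship and its AdminAgents assignment for the six
roles the Microsoft Cloud inspectors need.

Added example (not Liongard's or Microsoft's code). Assumes Graph-shaped
delegatedAdminRelationship / delegatedAdminAccessAssignment objects; the
role template IDs are assumed built-in Azure AD values, verify them
against your tenant. Sample objects are constructed.
"""

# Role template IDs for the six required roles (assumed built-in values; verify)
ROLE_TEMPLATE_IDS = {
    "158c047a-c907-4556-b7ef-446551a6b5f7": "Cloud Application Administrator",
    "9360feb5-f418-4baa-8175-e2a00bac4301": "Directory Writers",
    "f2ef992c-3afb-46b9-b7cf-a126ee74c451": "Global Reader",
    "5d6b6bb7-de71-4623-b4af-96380a352509": "Security Reader",
    "69091246-20e8-4a56-aa4d-066075b2a7a8": "Teams Administrator",
    "4a5d8f65-41da-4de4-8968-e035b65339cf": "Reports Reader",
}
REQUIRED_ROLES = frozenset(ROLE_TEMPLATE_IDS.values())

# Placeholder object ID of the partner's AdminAgents security group (constructed)
ADMIN_AGENTS_GROUP_ID = "33333333-3333-3333-3333-333333333333"


def role_names(access_details):
    """Translate accessDetails.unifiedRoles into role names (unknown IDs kept as-is)."""
    ids = (r.get("roleDefinitionId", "") for r in access_details.get("unifiedRoles", []))
    return {ROLE_TEMPLATE_IDS.get(i.lower(), i) for i in ids}


def missing_roles(relationship, assignments, admin_agents_group_id):
    """Return {'relationship': [...], 'adminAgents': [...]} listing required roles
    absent from the relationship and from the AdminAgents access assignment."""
    rel_roles = role_names(relationship.get("accessDetails", {}))
    group_roles = set()
    for assignment in assignments:
        container = assignment.get("accessContainer", {})
        if container.get("accessContainerId", "").lower() == admin_agents_group_id.lower():
            group_roles |= role_names(assignment.get("accessDetails", {}))
    return {
        "relationship": sorted(REQUIRED_ROLES - rel_roles),
        "adminAgents": sorted(REQUIRED_ROLES - group_roles),
    }


# Constructed sample: the relationship carries all six roles, but the
# AdminAgents assignment was created without Teams Administrator and Reports Reader.
SAMPLE_RELATIONSHIP = {
    "id": "rel-1", "displayName": "Child Tenant GDAP", "status": "active",
    "accessDetails": {"unifiedRoles": [{"roleDefinitionId": rid} for rid in ROLE_TEMPLATE_IDS]},
}
SAMPLE_ASSIGNMENTS = [
    {
        "id": "assign-1",
        "accessContainer": {"accessContainerId": ADMIN_AGENTS_GROUP_ID,
                            "accessContainerType": "securityGroup"},
        "accessDetails": {"unifiedRoles": [
            {"roleDefinitionId": "158c047a-c907-4556-b7ef-446551a6b5f7"},
            {"roleDefinitionId": "9360feb5-f418-4baa-8175-e2a00bac4301"},
            {"roleDefinitionId": "f2ef992c-3afb-46b9-b7cf-a126ee74c451"},
            {"roleDefinitionId": "5d6b6bb7-de71-4623-b4af-96380a352509"},
        ]},
    },
]


if __name__ == "__main__":
    report = missing_roles(SAMPLE_RELATIONSHIP, SAMPLE_ASSIGNMENTS, ADMIN_AGENTS_GROUP_ID)
    for where, missing in report.items():
        print(f"{where}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

A role that is present on the relationship but absent from the AdminAgents assignment still produces the 400 error, which is why the two lists are reported separately.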
For more information regarding Microsoft Cloud inspectors and GDAP, check the following: