Microsoft 365 | Error 401

Prerequisites:

For a successful GDAP setup, you'll need a Microsoft Standard security posture, established GDAP relationships, and a valid Microsoft Token code upon login:

  1. Security Posture: To manage your customers in Microsoft Partner Center, Microsoft MFA enforcement is a must. If you're using third-party MFAs such as Okta, Duo, or OneLogin, Microsoft MFA enforcement is required for the account registering the Liongard app. Ensure MFA enforcement by navigating to Conditional Access Policy under Security in Azure AD. If absent, check if Security defaults are enabled under Azure AD properties. If neither is present, consult your security officer on how to proceed. It's impossible to use Partner Center to manage your customers, either through the Partner Center or via API, without adhering to Microsoft's Security requirements.

  2. GDAP Relationships: After setting up security per Microsoft guidelines, establish GDAP relationships with your partners. Follow our guide or ask for assistance.

  3. Token Authentication: To avoid issues with cached credentials, log into Liongard using an incognito window or a clean browser. When logging into Microsoft from the parent inspector config, admin -> Inspectors -> Microsoft Suites inspector -> Edit -> Open Microsoft Sign-In, ensure you receive an MFA token prompt from Microsoft. If your policy allows bypassing it within certain IPs, connect via a hotspot or similar to compel Microsoft's authentication. This step is crucial to incorporate MFA in the token we require for communicating with Microsoft's Partner Center. Once complete, initiate the Parent Inspector, followed by the Child Inspector(s).

Addressing 401 Errors from Inspectors:

401 errors from Inspectors usually indicate that the account linked with the Inspector lacks Microsoft's Multi-Factor Authentication (MFA) activation. In cases where third-party MFA solutions like Duo are in use, it's essential to also enable Microsoft's MFA for successful authentication with the Microsoft Graph API. Should these errors persist even with Microsoft's MFA enabled, you might be facing a token retrieval issue, which is discussed under the 400 errors section. For further information on the Microsoft MFA requirement, refer to Mandating multi-factor authentication (MFA) for your partner tenant.

For additional troubleshooting, follow these steps:

  1. Open up Microsoft Graph API Explorer in a new browser window.

  2. At the top, click “Sign In” and sign in as the Global Administrator for the Parent Tenant.

  3. Once back at the Graph API Explorer page, paste the following URL in the query box, to the right of GET and v1.0:

  4. Click “Run Query”

  5. If your output matches the below, you will need to verify that a Conditional Access Policy that enforces MFA is applied to the account used to authenticate your parent inspector or verify Security Defaults are enabled:

    "error": {
        "code": "unauthorized",
        "message": "You are not authorized to access the resource.",
        "innerError": {
            "code": "unauthorizedMissingMfaTokenClaim",
            "message": "The MFA claim was missing in the token.",
            "target": null,
            "details": null,
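
A small diagnostic for the check above, added here as an example and not Liongard or Microsoft code: it recognizes the `unauthorizedMissingMfaTokenClaim` inner error in a response body and inspects a token's `amr` claim for `mfa`. It assumes a JWT-format access token that carries `amr`; the function names and sample values are constructed, and the token signature is not verified.

```python
import base64
import json

MISSING_MFA = "unauthorizedMissingMfaTokenClaim"  # inner error code quoted on this page


def is_missing_mfa_error(body: str) -> bool:
    """True if an error response body carries the missing-MFA-claim inner code."""
    try:
        inner = json.loads(body)["error"]["innerError"]
        return inner["code"] == MISSING_MFA
    except (ValueError, KeyError, TypeError):
        return False


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload. The signature is NOT verified: diagnostics only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def has_mfa_claim(token: str) -> bool:
    """Assumption: MFA shows up as "mfa" in the token's `amr` claim."""
    amr = jwt_claims(token).get("amr", [])
    if isinstance(amr, str):
        amr = [amr]
    return "mfa" in amr


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo below."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"


# Constructed samples: a complete version of the error body, and two tokens.
SAMPLE_ERROR = json.dumps({"error": {"code": "unauthorized", "innerError": {
    "code": MISSING_MFA, "message": "The MFA claim was missing in the token."}}})
TOKEN_PWD_ONLY = make_sample_token({"upn": "admin@example.invalid", "amr": ["pwd"]})
TOKEN_WITH_MFA = make_sample_token({"upn": "admin@example.invalid", "amr": ["pwd", "mfa"]})

if __name__ == "__main__":
    print("missing-MFA error:", is_missing_mfa_error(SAMPLE_ERROR))
    print("password-only token has MFA claim:", has_mfa_claim(TOKEN_PWD_ONLY))
    print("MFA token has MFA claim:", has_mfa_claim(TOKEN_WITH_MFA))
```

A token whose `amr` lists only `pwd` was issued without a Microsoft MFA prompt, which is the situation the incognito sign-in under Token Authentication is meant to avoid.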

For more information regarding Microsoft Cloud inspectors and GDAP, check the following:
