Overview 💥
If your Microsoft 365 Inspector fails with the following message:
Request failed with status code 403.
This is a problem with your permissions within the target system, not the Liongard Inspector.
It usually indicates the user/service account that authenticated your Parent Inspector doesn’t have sufficient permissions to access required Microsoft Graph or Partner Center endpoints.
This error is commonly tied to missing or incorrectly applied Entra ID roles, or a misconfigured GDAP (Granular Delegated Admin Privileges) relationship between your Partner Center tenant and your customer tenants.
This article provides an in-depth explanation of why Error 403 occurs, how to verify each configuration area, and how to fully resolve it.
Why Does This Happen? 🤔
The HTTP 403 Forbidden response means Microsoft has denied access to one or more APIs called by the Liongard Microsoft 365 Inspector.
This is not a Liongard system failure — it’s a permissions configuration issue within Microsoft Entra ID or Partner Center.
Liongard communicates with:
Microsoft Graph API — to read Entra ID users, roles, sign-ins, MFA data, etc.
Partner Center API — to enumerate customer tenants and access GDAP relationships.
To perform these actions, Liongard requires a Parent Inspector authenticated under a Microsoft account that has:
Sufficient Entra ID roles within the partner tenant.
Proper AdminAgents group membership.
Valid GDAP relationships between parent and child tenants with correct role delegation.
If any of these layers are misaligned, Microsoft will return a 403 error when Liongard attempts to query.
Common Causes of 403 Errors 🧑‍🏫
| Root Cause | Explanation | Result in Liongard |
|---|---|---|
| Missing Entra Roles on Parent Account | The user authenticating the Parent Inspector lacks one or more of the seven required Entra roles. | Inspector cannot read Microsoft Graph or Partner Center data. |
| Not a Member of AdminAgents | The account is not part of the built-in Partner Center AdminAgents group. | Partner Center API calls (e.g., listing customers) fail. |
| GDAP Relationship Misconfigured | GDAP does not include the required roles, or the roles were assigned to a group other than the one the Parent Inspector account belongs to. | Child tenant inspection fails; the Parent Inspector reports 403. |
| Expired or Revoked GDAP | The relationship expired or was terminated in Partner Center. | Liongard can no longer obtain tokens for the child tenants. |
| Conditional Access Restrictions | A Conditional Access policy (for example a named-location/IP restriction, a device-compliance requirement, or an MFA requirement that a third-party MFA provider does not satisfy) blocks the sign-in or token issuance. | Microsoft rejects the request; the block is recorded in the Entra ID sign-in logs. |
| Cached Browser Tokens | The sign-in reused a cached browser session, either for a different account or one issued before the roles were changed. | The token does not reflect the current role assignments, so Graph calls fail at runtime. |
Preconditions / Security Checklist 👨‍💻
Before you begin, ensure the following are configured properly in the Parent Tenant:
| Requirement | Details / Validation Steps |
|---|---|
| Microsoft MFA Enforced | Ensure the Parent Inspector account is required to complete Microsoft MFA. If a third-party MFA provider is used (Okta, Duo, OneLogin, etc.), confirm that Security Defaults or a Conditional Access policy still enforces MFA for this account, as Microsoft's partner security requirements demand. |
| Browser Session | Sign in from an incognito/private window so a cached session for another account, or one issued before the role changes, is not reused. |
| Active Partner Center Access | Log into Partner Center and verify that you can view customer tenants. |
| GDAP Active | In Partner Center → Customer → Admin Relationships, confirm GDAP status = Active. |
Required Role Assignments & Group Membership 🦁
1. Parent Tenant (Account Used for Parent Inspector)
The Parent Inspector account authenticates Liongard’s integration with Microsoft Graph and Partner Center.
This account must have the following seven Entra ID roles assigned:
| Role Name | Purpose in Liongard |
|---|---|
| Teams Administrator | Allows API access to Teams configuration and license data. |
| Cloud Application Administrator | Grants permission to view applications within Entra ID. |
| Directory Writers | Enables Liongard to read directory-level attributes as needed for tenant inspection. Note that this role also permits writing directory objects; it is not a read-only role. |
| Global Reader | Provides read-only access to tenant-wide Microsoft 365 settings. |
| Security Reader | Grants read access to security-related policies and reports. |
| Reports Reader | Allows access to usage and sign-in reports. |
| Privileged Role Administrator | Required for visibility into role assignments across users and groups. This is a highly privileged role (it can grant any other role), so the account holding it must be protected with MFA and used only for this integration. |
In addition, this user must be a member of the AdminAgents security group — a built-in group automatically provisioned for Partner Center administrative delegation.
Verification Steps:
Open the Microsoft Entra admin center → Roles & admins.
Confirm all 7 roles above are assigned to the account as active assignments. A PIM-eligible assignment that has not been activated does not appear in the token Microsoft issues, so it does not count.
In Partner Center, navigate to Users → Groups → AdminAgents and ensure your Parent Inspector account is listed.
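The three verification steps above can be run as a single script. The following is an added example written for this article, not Liongard's own tooling; it assumes the Microsoft Graph PowerShell SDK (the `Microsoft.Graph` module) is installed, that you sign in as an administrator of the partner tenant, and that the Parent Inspector account's UPN is supplied as a parameter (the address in the comment is a placeholder).

```powershell
<#
  Added example (not Liongard code): report the Parent Inspector account's
  active Entra ID roles and its AdminAgents membership via Microsoft Graph.
  Assumes: Microsoft.Graph PowerShell SDK installed; you sign in to the
  partner tenant; -ParentInspectorUpn names the account to check.
#>
param(
    [Parameter(Mandatory)]
    [string] $ParentInspectorUpn   # e.g. svc-liongard@partner.example (placeholder)
)

# The seven roles this article requires on the Parent Inspector account.
$RequiredRoles = @(
    'Teams Administrator',
    'Cloud Application Administrator',
    'Directory Writers',
    'Global Reader',
    'Security Reader',
    'Reports Reader',
    'Privileged Role Administrator'
)

# Read-only scopes are sufficient for this check; nothing is modified.
Connect-MgGraph -Scopes 'User.Read.All', 'Directory.Read.All' -NoWelcome

$user = Get-MgUser -UserId $ParentInspectorUpn -ErrorAction Stop

# transitiveMemberOf returns security groups and *active* directory roles in
# one call, including roles granted through role-assignable groups.
# PIM-eligible roles that have not been activated are not returned, and they
# are also absent from the token Liongard receives, so this matches what
# Microsoft Graph actually enforces.
$memberships = Get-MgUserTransitiveMemberOf -UserId $user.Id -All

$activeRoles = $memberships |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
    ForEach-Object { $_.AdditionalProperties['displayName'] }

$groups = $memberships |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
    ForEach-Object { $_.AdditionalProperties['displayName'] }

$missingRoles  = @($RequiredRoles | Where-Object { $_ -notin $activeRoles })
$inAdminAgents = 'AdminAgents' -in $groups

# Any MISSING line below is a sufficient explanation for a 403 from
# Microsoft Graph (roles) or Partner Center (AdminAgents).
foreach ($role in $RequiredRoles) {
    $state = if ($role -in $activeRoles) { 'OK     ' } else { 'MISSING' }
    Write-Host ('{0} {1}' -f $state, $role)
}
$agentState = if ($inAdminAgents) { 'OK     ' } else { 'MISSING' }
Write-Host ('{0} AdminAgents group membership' -f $agentState)

Disconnect-MgGraph | Out-Null

# Non-zero exit code so the script can run as a scheduled health check.
if ($missingRoles.Count -gt 0 -or -not $inAdminAgents) { exit 1 }
```

Run it as `.\Check-ParentInspector.ps1 -ParentInspectorUpn <account>` after any role change. Because the script reads transitive membership, a role granted through a role-assignable group is reported as present, which is also how Microsoft evaluates the account's token.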
‼️Note: For a detailed explanation of why Liongard requires these specific roles, please refer to our documentation.
2. Child Tenant(s) (via GDAP Relationship)
Each customer (child) tenant you inspect must have a valid GDAP relationship with your Partner tenant.
| Requirement | Description |
|---|---|
| GDAP Relationship Active | Verify under Partner Center → Customer → Admin Relationships. |
| Assigned Roles (minimum 3) | • Privileged Role Administrator |
| Applied to Correct Group | Roles must be assigned to the same AdminAgents group that your Parent Inspector account belongs to; a relationship whose roles are assigned to a different group grants the account nothing. |
| Relationship Duration | Ensure the GDAP has not expired. Durations are set when the relationship is created (up to a maximum of 730 days), so check the end date rather than assuming a default. |
| Permissions Propagation | It may take up to 30 minutes for GDAP role assignments to propagate through Microsoft Graph. |
‼️Note: Partner Center cannot be used to manage your customers, either through the portal or via the API, unless your partner tenant meets Microsoft's partner security requirements (including MFA for all users).
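The GDAP checks in the table above can be automated from the partner tenant with the Microsoft Graph `delegatedAdminRelationships` API. The script below is an added example for this article, not Liongard code; it assumes the Microsoft Graph PowerShell SDK, a sign-in to the partner (not customer) tenant, and that the AdminAgents group is the group your Parent Inspector account belongs to. It goes slightly beyond the table by checking both the relationship's role set and the access assignment, because a relationship can contain a role that has never been assigned to any group.

```powershell
<#
  Added example (not Liongard code): list GDAP relationships from the partner
  tenant and flag the ones that would make child-tenant inspection fail:
  not active, ending soon, missing Privileged Role Administrator, or not
  assigned to the AdminAgents group.
  Assumes: Microsoft.Graph PowerShell SDK; signed in to the *partner* tenant.
#>
param(
    [int] $WarnDays = 30   # warn when a relationship ends within this many days
)

# Well-known Entra ID role template ID for Privileged Role Administrator.
$PrivilegedRoleAdminId = 'e8611ab8-c189-46e8-94e1-60213ab1f814'

Connect-MgGraph -Scopes 'DelegatedAdminRelationship.Read.All', 'Group.Read.All' -NoWelcome

# AdminAgents is a security group in the partner tenant; GDAP roles must be
# assigned to it for the Parent Inspector account to inherit them.
$adminAgents = Get-MgGroup -Filter "displayName eq 'AdminAgents'" -ErrorAction Stop |
    Select-Object -First 1
if (-not $adminAgents) { throw 'AdminAgents group not found in this tenant.' }

$relationships = Get-MgTenantRelationshipDelegatedAdminRelationship -All

foreach ($rel in $relationships) {
    $problems = @()

    if ($rel.Status -ne 'active') {
        $problems += "status is '$($rel.Status)', not active"
    }
    if ($rel.EndDateTime -and $rel.EndDateTime -lt (Get-Date).AddDays($WarnDays)) {
        $problems += "ends $($rel.EndDateTime.ToString('u'))"
    }
    if ($PrivilegedRoleAdminId -notin $rel.AccessDetails.UnifiedRoles.RoleDefinitionId) {
        $problems += 'Privileged Role Administrator is not part of the relationship'
    }

    # Roles in the relationship are only usable by groups that hold an access
    # assignment; confirm AdminAgents has one, and that it carries the role.
    $assignments = Get-MgTenantRelationshipDelegatedAdminRelationshipAccessAssignment `
        -DelegatedAdminRelationshipId $rel.Id -All
    $agentAssignment = $assignments | Where-Object {
        $_.AccessContainer.AccessContainerId -eq $adminAgents.Id -and $_.Status -eq 'active'
    }
    if (-not $agentAssignment) {
        $problems += 'no active access assignment for the AdminAgents group'
    } elseif ($PrivilegedRoleAdminId -notin $agentAssignment.AccessDetails.UnifiedRoles.RoleDefinitionId) {
        $problems += 'AdminAgents assignment does not include Privileged Role Administrator'
    }

    $label = '{0} ({1})' -f $rel.Customer.DisplayName, $rel.Customer.TenantId
    if ($problems.Count -eq 0) {
        Write-Host "OK       $label"
    } else {
        Write-Host "PROBLEM  $label : $($problems -join '; ')"
    }
}

Disconnect-MgGraph | Out-Null
```

A customer listed as PROBLEM here is one whose child inspector will return 403 regardless of how the parent account is configured. Remember the propagation window: a relationship or assignment fixed in Partner Center may take up to 30 minutes to appear correctly in this output.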
Steps to Resolve Error 403 🤩
| Step | Action | Why It Matters |
|---|---|---|
| 1. Verify Parent Account Roles | In the Entra admin center, confirm all seven required roles are assigned as active assignments. | Ensures full access to Graph API and directory data. |
| 2. Check AdminAgents Membership | Confirm the account is part of the built-in AdminAgents group. | Required for Partner Center API calls. |
| 3. Validate GDAP Relationships | Partner Center → Admin Relationships → confirm the relationship is Active, the AdminAgents group is assigned, and the required roles are applied to it. | Ensures delegated access to child tenants. |
| 4. Refresh Authentication | In Liongard → Parent Inspector → click Open Microsoft Sign-In (from a private browser window) and complete MFA. | Generates a new access token that carries the updated roles. |
| 5. Rerun Parent Inspector | Run it manually and confirm that all child tenants are detected. | Validates the fix. |
| 6. Review Logs (if still failing) | Check the Entra ID sign-in logs for the Parent Inspector account. On a failed sign-in, the failure reason and the Conditional Access tab show which policy blocked it or which MFA requirement was not satisfied. | Identifies policy-level causes. |
| 7. Confirm API Access | Use Graph Explorer (https://developer.microsoft.com/graph/graph-explorer), signed in as the Parent Inspector account, to issue the same Graph requests. A 403 there reproduces the problem outside Liongard. | Verifies permissions directly with Microsoft Graph. |
Impact & Considerations 😉
| Impact Area | Description / Risk |
|---|---|
| Inspection Failure | Missing roles or GDAP misalignment cause Liongard to fail retrieving data. |
| Partial Data Visibility | Certain Liongard metrics (e.g., MFA methods, license usage) may not populate if specific roles are absent. |
| Security Implications | Over-assignment of roles increases administrative exposure — apply least privilege. The required set already includes Privileged Role Administrator, so treat the Parent Inspector account as a privileged identity: dedicate it to this integration, enforce MFA, and monitor its sign-ins. |
| GDAP Expiration | GDAP relationships expire at the end date set when they were created. Renew them proactively. |
| Token Refresh Needed | Any change in roles or group membership requires reauthenticating the Parent Inspector; the existing token still carries the old claims. |
Additional Resources
For more information regarding Microsoft Cloud inspectors and GDAP, check the following: Updating Microsoft Cloud Service Inspectors for Granular Delegated Admin Privileges
✅ Pro Tip: After applying any new roles or GDAP configurations, wait at least 30 minutes before re-running the Parent Inspector to allow Microsoft Graph to synchronize role memberships.
