Microsoft Partner Center / GDAP

Intune, Email, MFA, Defender for M365, and Defender for Endpoint

Cork leverages the Cloud Application Administrator functionality (or more broadly Global Administrator, if issues arise) via Microsoft GDAP to retrieve information about your clients' tenants and installed security controls to underwrite and monitor warranty performance. It follows the approach used by several MSP technology vendors to efficiently connect and monitor multiple services across client environments.

This guide will help you verify that your MSP tenant has the appropriate permissions needed to gain this visibility within Cork.

Due to how GDAP works, we recommend the following setup:

  1. Create a service account in your internal tenant, such as corkintegration@your_principal.onmicrosoft.com
    1. Set up a Microsoft-based MFA method (authenticator, OTP, etc.)
  2. This service account temporarily needs Global Administrator to make the connection. Its roles can be updated to one of the following after the connection has been made:
    1. Application Administrator
    2. Cloud Application Administrator
    3. Privileged Role Administrator (no longer recommended, but still viable)
  3. Create a new security group in your internal tenant. This group will be needed for each GDAP relationship. We recommend naming it in a way that denotes it is used for GDAP purposes, such as GDAP_SG_1
  4. Add the service account to this new security group
    1. This is needed to propagate permissions to each GDAP relationship
  5. Add the service account to the existing AdminAgents security group
    1. This is needed to communicate with the Partner Center API
  6. Navigate to Partner Center. For each tenant you want to ingest into Cork, follow the sub-steps below
    1. If the GDAP relationship already has one of the roles mentioned above, skip to sub-step 3
    2. Request a new GDAP relationship for that tenant with one of the three roles mentioned above
    3. Add the new security group to the GDAP relationship and select the same permission you created the GDAP relationship with
  7. Propagating these security group changes may take some time, so some tenants may not sync immediately
  8. Navigate to Cork > Integrations and find the "Microsoft Multi Tenant" connection under the "Multi" category
  9. Click "Connect & continue". This should open a Microsoft OAuth window. Log in with the service account and verify with your MFA token.
  10. Cork will first look at your GDAP relationships and, if permissions have been configured correctly, will enable access in each of your configured tenants.
    1. As you update or onboard new tenants with the permissions, the integration will update. The initial customer list may be cached for up to 30 minutes, so please allow time between resyncs of the integration.

Note: If you use Microsoft to manage your internal tenant, you must use the single tenant connection to integrate your internal tenant with Cork.
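
The check below is an added example, not code from Cork or Microsoft. It takes relationship and access-assignment records shaped like the Microsoft Graph `delegatedAdminRelationships` and `accessAssignments` resources and reports why a tenant from step 6 would not sync. The sample records, the relationship IDs, the group object ID and the function names are constructed for illustration.

```python
# Entra built-in role template IDs for the three roles the guide accepts.
APP = "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"    # Application Administrator
CLOUD = "158c047a-c907-4556-b7ef-446551a6b5f7"  # Cloud Application Administrator
PRA = "e8611ab8-c189-46e8-94e1-60213ab1f814"    # Privileged Role Administrator
ACCEPTED_ROLES = {APP, CLOUD, PRA}

def role_ids(obj):
    """Role definition IDs listed in a relationship's or assignment's accessDetails."""
    return {r["roleDefinitionId"] for r in obj.get("accessDetails", {}).get("unifiedRoles", [])}

def check_relationship(rel, assignments, group_id):
    """Return the problems found for one GDAP relationship; an empty list means ready."""
    problems = []
    if rel.get("status") != "active":
        problems.append(f"relationship status is {rel.get('status')!r}, not 'active'")
    granted = role_ids(rel) & ACCEPTED_ROLES
    if not granted:
        problems.append("relationship grants none of the three accepted roles")
    mine = [a for a in assignments
            if a.get("accessContainer", {}).get("accessContainerId") == group_id]
    if not mine:
        problems.append("security group is not assigned to the relationship")
    for a in mine:
        if a.get("status") != "active":
            problems.append(f"group assignment is {a.get('status')!r}, may still be propagating")
        elif granted and not role_ids(a) & granted:
            problems.append("group assignment carries none of the relationship's accepted roles")
    return problems

def audit(relationships, assignments_by_rel, group_id):
    """Map relationship id -> list of problems for every relationship supplied."""
    return {rel["id"]: check_relationship(rel, assignments_by_rel.get(rel["id"], []), group_id)
            for rel in relationships}

# Constructed sample data (placeholders, not real tenants or object IDs).
GROUP = "00000000-0000-0000-0000-0000000000a1"  # stands in for the GDAP_SG_1 object ID
OTHER = "11111111-1111-1111-1111-111111111111"  # stands in for any non-accepted role
def _roles(*ids): return {"unifiedRoles": [{"roleDefinitionId": i} for i in ids]}
def _assign(status, *ids):
    return {"status": status, "accessDetails": _roles(*ids),
            "accessContainer": {"accessContainerId": GROUP, "accessContainerType": "securityGroup"}}
SAMPLE_RELATIONSHIPS = [
    {"id": "rel-contoso", "status": "active", "accessDetails": _roles(CLOUD)},
    {"id": "rel-fabrikam", "status": "active", "accessDetails": _roles(CLOUD)},
    {"id": "rel-tailwind", "status": "active", "accessDetails": _roles(OTHER)},
]
SAMPLE_ASSIGNMENTS = {"rel-contoso": [_assign("active", CLOUD)],
                      "rel-fabrikam": [_assign("pending", CLOUD)]}

if __name__ == "__main__":
    for rel_id, issues in audit(SAMPLE_RELATIONSHIPS, SAMPLE_ASSIGNMENTS, GROUP).items():
        print(rel_id, "OK" if not issues else issues)
```

A relationship that reports a pending assignment matches step 7: re-run the check after the group change has propagated, before resyncing the integration.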