Email, MFA, Defender for M365, and Defender for Endpoint
Cork leverages the Cloud Apps Administrator functionality (or more broadly Global Administrator, if issues arise) via Microsoft GDAP to retrieve information about your clients' tenants and installed security controls to underwrite and monitor warranty performance. It follows the approach used by several MSP technology vendors to efficiently connect and monitor multiple services across client environments.
This guide will help you verify that your MSP tenant has the appropriate permissions needed needed to gain this visibility within Cork.
There are some initial steps to follow:
-
When connecting, you must use an account that has Microsoft MFA enabled
-
Your Partner Center GDAP relationships need to have one of three privileged roles:
-
Applications Administrator, Cloud Applications Administrator, or Global Administrator
-
-
Within those GDAP relationships, you need to ensure that a security group containing the same account making the connection has the same assigned role that the GDAP relationship does.
-
On initial connection, the account doing the connecting needs to be Global Admin, this role can be changed after the connection is established, either using PIM or simply adjusting the roles.
-
Once the connection is established, it may take some time for tenants to start syncing, this is simply a delay with Microsoft service principal propagation.
-
Once you've verified the roles are configured properly, you can click the 3-dot menu to the right of the integration labeled "Multi" and click "Modify", then you can press "Repair Connection"
I generally recommend creating a service account for this purpose, that way it is easy for you to audit and manage permissions without fiddling around with existing accounts.