Updating Microsoft Cloud Service Inspectors for Granular Delegated Admin Privileges

Overview

Liongard has released an update to our Microsoft Cloud Inspectors to make sure they’re ready for Microsoft’s upcoming transition from Delegated Admin Privileges (DAP) to Granular Delegated Admin Privileges (GDAP).

Partners will need to update their Parent Microsoft Cloud Inspectors using the configuration steps listed below for them to continue working properly.

Prerequisites

If you have a current Microsoft Parent inspector that is tied to a Microsoft account you use to manage customer relationships via the Microsoft Partner Center, then you will use the Multi-Tenant setup steps.

Before you can update your Multi-Tenant Microsoft Cloud Parent Inspectors in Liongard, ensure that you have successfully transitioned your customers' tenants to GDAP. In order to proceed, please note that you will need to log in to your Microsoft Partner Center with a user that is assigned the Admin Agents role.

For more information, please watch this video for a detailed walkthrough of this process or visit Microsoft's documentation.

In order to validate that your Child Inspectors are ready for Liongard's update, ensure that your customers' GDAP relationship has the Global Administrator Azure AD role applied in addition to the AdminAgents security group assigned with the Global Administrator Azure AD role for that admin relationship, as shown below.
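One way to check that prerequisite before touching the Inspectors, as an added example that is not Liongard's code: a PowerShell function that inspects a GDAP relationship and its access assignments in the shape Microsoft Graph returns them. The function name, the sample objects and the AdminAgents group ID placeholder are assumptions; the Global Administrator role template ID is Microsoft's fixed value.

```powershell
# Added example, not Liongard's code: checks one GDAP relationship for the prerequisites
# above (the relationship grants Global Administrator, and an active access assignment gives
# the AdminAgents security group that same role). Objects follow the Microsoft Graph shape of
# delegatedAdminRelationships and their accessAssignments; the sample data is constructed.
# Global Administrator role template ID (the same in every Azure AD tenant)
$GlobalAdminRoleId = '62e90394-69f5-4237-9190-012177145e10'

function Test-GdapRelationshipReady {
    param(
        [Parameter(Mandatory)] $Relationship,       # one delegatedAdminRelationship
        [Parameter(Mandatory)] $AccessAssignments,  # its accessAssignments collection
        [Parameter(Mandatory)] [string] $AdminAgentsGroupId
    )
    $problems = @()
    if ($Relationship.status -ne 'active') {
        $problems += "relationship status is '$($Relationship.status)', expected 'active'"
    }
    $relationshipRoles = @($Relationship.accessDetails.unifiedRoles | ForEach-Object { $_.roleDefinitionId })
    if ($relationshipRoles -notcontains $GlobalAdminRoleId) {
        $problems += 'relationship does not include the Global Administrator role'
    }
    $agentAssignment = @($AccessAssignments | Where-Object {
        $_.status -eq 'active' -and
        $_.accessContainer.accessContainerId -eq $AdminAgentsGroupId -and
        @($_.accessDetails.unifiedRoles | ForEach-Object { $_.roleDefinitionId }) -contains $GlobalAdminRoleId
    })
    if ($agentAssignment.Count -eq 0) {
        $problems += 'no active assignment gives the AdminAgents group the Global Administrator role'
    }
    [pscustomobject]@{ Customer = $Relationship.customer.displayName; Ready = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed sample input; the group ID is a placeholder for your AdminAgents group's object ID.
$adminAgentsGroupId = '00000000-0000-0000-0000-0000000000aa'
$relationship = @{
    displayName   = 'Contoso GDAP (constructed)'; status = 'active'
    customer      = @{ displayName = 'Contoso' }
    accessDetails = @{ unifiedRoles = @(@{ roleDefinitionId = $GlobalAdminRoleId }) }
}
$assignments = @(
    @{ status          = 'active'
       accessContainer = @{ accessContainerId = $adminAgentsGroupId; accessContainerType = 'securityGroup' }
       accessDetails   = @{ unifiedRoles = @(@{ roleDefinitionId = $GlobalAdminRoleId }) } }
)
Test-GdapRelationshipReady -Relationship $relationship -AccessAssignments $assignments -AdminAgentsGroupId $adminAgentsGroupId

# Live data instead of the sample (Microsoft.Graph SDK, scope DelegatedAdminRelationship.Read.All):
# $rels = (Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/tenantRelationships/delegatedAdminRelationships').value
# $aa   = (Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/tenantRelationships/delegatedAdminRelationships/$($rels[0].id)/accessAssignments").value
```

Run it once per relationship returned by Graph; any relationship reported with Ready = False still needs the role or group assignment fixed in Partner Center before its Child Inspectors will work after the update.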

Frequently Asked Questions

When will I be able to update my Microsoft Cloud Parent Inspectors' authentications for the GDAP updates?

Date          Liongard Instances
4/27/2023     US7
05/15/2023    All Instances

What permissions does the user within Microsoft need to have to update the Parent Inspectors' authentications?

The user will need to be a Global Administrator for the tenant associated with the Parent Inspector in addition to being assigned the Admin Agents role within the Partner Center.

Why is the Global Admin Azure AD Role required for the GDAP relationship?

As a part of transitioning your Microsoft 365 inspectors over to use GDAP, you must authorize our application by logging in with an account that has Global Admin rights. The level of permission required for that authorization step is fixed by Microsoft. The Global Admin rights are only used to authorize an application that is given a more specific set of permissions displayed for approval during the authentication step.

We do not store or even "see" Global Admin credentials during this process. As a result of that process, we get back an API token with only that defined set of permissions.

Is it possible to set up the GDAP relationships required for the Multi-Tenant setup in bulk?

Yes! Microsoft provides a bulk-migration tool which you can find here. We would also recommend CyberDrain's CIPP tool as a more user-friendly alternative. Please note that if you use the bulk method you will still need to follow our guidance on how to set up the GDAP relationships per the prerequisite section above.

Here is a helpful video that goes over the setup steps and the differences between the two bulk-migration tools.

How does this transition impact data returned by Liongard's Microsoft Cloud Parent Inspectors?

As it currently stands, some of the Microsoft Graph API endpoints have not been updated to support GDAP. Because of this, some of the data previously returned by Liongard's SharePoint, OneDrive, and Teams Child Inspectors will be impacted until Microsoft updates the Microsoft Graph API. Scroll down or click here for a detailed list.

Configuration Steps

Parent Inspectors

The following steps are only necessary for any existing Microsoft Cloud Service Parent Inspectors. All Child Inspectors will inherit the permissions.

Step 1: Reconfigure Parent Inspectors

Depending on the relationship to the tenant(s) that you manage, your configuration steps will be different. Microsoft Cloud Service Inspectors in Liongard will fall under one of two categories: Multi-Tenant or Single-Tenant configurations.

Setup           Description
Multi-Tenant    I have a Microsoft account I use to manage my customer relationships via the Microsoft Partner Center.
Single-Tenant   I have a Microsoft account that I access directly to manage my customer on their behalf. I do not manage this customer in the Microsoft Partner Center.

If this is a Multi-Tenant setup, ensure that you have completed the prerequisite steps as outlined above.

Identify the legacy Microsoft Cloud Parent Inspectors and edit the Inspector(s).

In Liongard, navigate to Admin > Inspectors > Inspector Types > Navigate to the Appropriate Microsoft Inspector > Select the Inspector > Navigate to the Appropriate Parent Inspector > Select the Actions button > Select Edit.

Scroll down to the System Setting section:

  • Find the Enable Multi-Tenant Application toggle. Leave the toggle on if you are setting up a Multi-Tenant Parent Inspector. Turn the toggle off if you are setting up a Single-Tenant Parent Inspector.
  • Select the "Open Microsoft Sign-In" button.
  • Authenticate with either of the following credentials, depending on your tenant relationship:
    • Multi-Tenant: Sign in to the organization for the associated Tenant ID with an account that is assigned the Global Administrator role for Azure AD as well as the Admin Agents role within the Partner Center.
    • Single-Tenant: Sign in to the organization for the associated Tenant ID with an account that is assigned the Global Administrator role for Azure AD.
  • Follow the prompts to accept the requested permissions by selecting the checkbox to consent and selecting Accept.
  • A green check will appear to confirm that you successfully completed the step.
  • Note: For the Multi-Tenant method, signing in with a user that has legacy MFA methods will result in Child Inspectors not being discovered. Please see this KB for more details.
  • Select Save. The Inspector will now be triggered to run within the minute.

Microsoft Sign-In

You will need to sign in with the same account for each additional Microsoft Cloud Parent Inspector you set up. However, you will not be prompted for the permissions consent again.

Step 2: Repeat the Process for all Microsoft Cloud Parent Inspectors

For any other Parent Inspectors for the same tenant, repeat the Microsoft Sign-In process in the Inspector configuration page.

Bulk Schedule to Space Out Child Inspectors

Liongard recommends spacing out the Child Inspectors for the Microsoft Cloud Inspectors in order to prevent potential API throttling. To do this, follow these steps:

  1. Select All Child Launchpoints
     Click the check box to select all child launchpoints in the bottom Inspector section.
     Click "Actions" > "Set Inspector Schedule".
  2. Set Times to Space Out Launchpoints
     In the screen on the right, select the checkbox for "Space These Launchpoints".
     Set the interval to "5" and the units to "minute(s)".
  3. Select Save.

Step 3 (Optional): Remove Previous Application

The previous Microsoft 365 Inspector configuration required you to create an application within your Azure Active Directory Tenant. You may remove this application from the "Enterprise Applications" section in the associated Azure Directory Tenant.

Removing Previous Application

The new configuration steps automatically create a new application named "Liongard" with the current date in the Created On column. Be sure to refer to the Created On column to ensure you delete the previous application and not the new one.

Inspector Data Points Impacted

Microsoft is continuing to update their Microsoft Graph API endpoints to support GDAP. As it currently stands, some of the Microsoft Graph API endpoints have not been updated. Because of this, some data previously returned by Liongard's SharePoint, OneDrive, and Teams Child Inspectors will be impacted until Microsoft updates the Microsoft Graph API.

Data Points No Longer Returned to Liongard After You've Updated Your Cloud Inspectors

365 Inspector

Our team is currently working towards a solution to return the Microsoft 365 MailRules data and we will provide an update as soon as possible.

  • Data Print Fields: MailRules, Users[].userPurpose
  • Metrics: Office 365: Internal Forwarding Rule Summary, Office 365: External Forwarding Rule Summary, Office 365: Mailbox Rules Count, Office 365: Mailbox Rules with Errors List, Office 365: Mailbox Rules with Errors Count
  • Actionable Alerts: Microsoft 365 | External Forwarding Rule Added/Removed/Modified, Microsoft 365 | InternalForwarding Rule Added/Removed/Modified
  • Integration Mappings: N/A

SharePoint Inspector:

  • Data Print Fields: Sites, Drivers, Lists, Pages
  • Metrics: All metrics are still in the platform but will only be available for parent SharePoint Inspectors.
  • Actionable Alerts: N/A
  • Integration Mappings: N/A

OneDrive Inspector:

  • Data Print Fields: SystemInfo.UserDriveCount, SystemInfo.GroupDriveCount, Drives
  • Metrics: Total Drives Count, Largest Drive Size and Owner, Average Drive Contents Size, Total Size of All Drives
  • Actionable Alerts: N/A
  • Integration Mappings: Total Shared Drives, Shared Drives

Teams Inspector:

  • Data Print Fields: Teams
  • Metrics: Microsoft Teams: List of Archived Teams, Microsoft Teams: Count of Archived Teams, Microsoft Teams: List of Private Teams, Microsoft Teams: Count of Private Teams, Microsoft Teams: User Team Summary, Microsoft Teams: Channel Summary, Microsoft Teams: Teams Summary
  • Actionable Alerts: Microsoft Teams: User Team Summary, Microsoft Teams: Channel Summary, Microsoft Teams: Teams Summary
  • Integration Mappings: Active Teams, Archived Teams, Count of Private Channels, List of Private Channels, Teams