M365 CSP/GDAP Permission Checker Crate
What does the M365 CSP/GDAP Permission Checker Crate do?
This Crate gives you a simple way to validate that your GDAP roles and permissions are correct and assigned to the appropriate account. The Rewst service account that is used to manage your Microsoft tenants requires specific GDAP roles in order to perform its various actions. The Administrative Relationships set up for each customer in Microsoft CSP must also match the roles tied to that user. The workflow in this Crate is designed to identify whether these roles are correct and assigned to the appropriate account for a specified org.
For more information on the recommended GDAP roles, see the Best Practices for Microsoft Integration page in our documentation.
Crate prerequisites
The Microsoft Graph integration must be set up before unpacking this Crate.
Unpack the M365 CSP/GDAP Permission Checker Crate
Navigate to Crates > Crate Marketplace in the left side menu of the Rewst platform.
Search for M365 CSP/GDAP Permission Checker.
Click on the Crate tile to begin unpacking.
Click Unpack Crate.
Click Continue.
On the Crate's configuration page, enter your time estimate into the Time Saved (seconds) field.
Expand the Always Pass accordion menu. Ensure that Activate for all current and future managed organizations is toggled on to allow you to run the Crate ad-hoc for any of your client accounts.
Click Unpack.
How to use the Crate
Navigate to Automations > Workflows.
Search for [ROC] M365: CSP/CPV Permission Checker.
Click on the workflow to open it in the workflow builder.
Within the [ROC] M365: CSP/CPV Permission Checker main workflow, click Test.
Select the tenant you want to check permissions for from the Trigger Context Organization dropdown menu. This list is derived from the organizations enabled in your trigger configuration.
Enter the domain associated with the managing organization's tenant in the Primary Domain of the MSP field.
Click Test.
Click View Results.
Click Load Context.
Click to expand all
s in the context code. The error messages contained within this record will indicate if roles are present or missing. For example:
    "missing_roles": [
      {
        "ID": "No ID associated with no user",
        "Name": "Security Administrator",
        "Note": "No users assigned to this role.",
        "Found": false,
        "Principal Organization IDs": []
      },
      {
        "ID": "No ID associated with no user",
        "Name": "Authentication Policy Administrator",
        "Note": "No users assigned to this role.",
        "Found": false,
        "Principal Organization IDs": []
      }
    ]
Technical execution of the Crate
Workflow steps