# M365 CSP/GDAP Permission Checker Crate

{% hint style="info" %}
If you’re new to Crates, read through our introductory Crate documentation [here](https://docs.rewst.help/prebuilt-automations/crates). Find the Crate in our Crate Marketplace.
{% endhint %}

## What does the M365 CSP/GDAP Permission Checker Crate do?

This Crate gives you a simple way to validate that your GDAP roles and permissions are correct and assigned to the appropriate account. The Rewst service account used to manage your Microsoft tenants requires [specific GDAP roles in order to perform its various actions](https://docs.rewst.help/documentation/integrations/individual-integration-documentation/cloud/microsoft-cloud-integration-bundle/authorization-best-practices#recommended-roles-for-gdap). The Administrative Relationships set up for each customer in Microsoft CSP must also grant those same roles to that account. The workflow in this Crate identifies, for a specified org, whether each required role is present and assigned to a principal from your (the MSP's) tenant, and reports any roles that are missing.

For more information on the recommended GDAP roles, see the [Best Practices for Microsoft Integration](https://docs.rewst.help/documentation/integrations/cloud/authorization-best-practices) page in our documentation.

### **Workflow breakdown** <a href="#workflow-steps" id="workflow-steps"></a>

<details>

<summary>Gather tenant info</summary>

* The **\[ROC] M365: Get Tenant Info by Domain** sub-workflow is passed the collected domain (`{{ CTX.primary_domain }}` in the main workflow), which the request below references as `{{ CTX.provided_domain }}`.
* A `GET` request is made to `https://login.microsoftonline.com/{{ CTX.provided_domain }}/.well-known/openid-configuration`, the tenant's OpenID Connect discovery document. This endpoint is public and requires no authentication.

</details>

<details>

<summary>Determine tenant ID</summary>

A data alias `msp_tenant_id` is created by extracting the tenant ID from the returned tenant info with the following Jinja statement:

```
{{ CTX.tenant_info.authorization_endpoint.split('/')[3] }}
```

The `authorization_endpoint` has the form `https://login.microsoftonline.com/<tenant-id>/oauth2/authorize`, so splitting on `/` places the tenant ID at index 3 (indices 0 to 2 are `https:`, the empty string between the two slashes, and the host name).

</details>

<details>

<summary>Assess roles</summary>

* The **\[ROC] M365: Get Role Assignments** sub-workflow is initiated.
* Each of the [necessary GDAP roles](https://docs.rewst.help/documentation/integrations/individual-integration-documentation/cloud/microsoft-cloud-integration-bundle/authorization-best-practices#recommended-roles-for-gdap) is checked with a `GET` request to the following Graph endpoint, run once per role ID:
  * Base URL: `https://graph.microsoft.com/beta`
  * Endpoint: `/roleManagement/directory/roleAssignments?$filter=roleDefinitionId eq '{{ CTX.role_id }}'&$expand=principal`
* The output distinguishes present roles from absent ones, and the returned assignments (including each expanded principal) are kept for the comparison in the next step.

</details>

<details>

<summary>Compile and analyze results</summary>

* The `msp_tenant_id` is compared against the principal organization IDs of the returned role assignments, so a role only counts as satisfied when it is assigned to a principal whose home tenant is the MSP's tenant, not merely to any principal in the customer tenant.
* A summary of the roles is generated, and a `missing_roles` data alias is defined.

Example output:

```
"missing_roles": [
  {
    "ID": "No ID associated with no user",
    "Name": "Security Administrator",
    "Note": "No users assigned to this role.",
    "Found": false,
    "Principal Organization IDs": []
  },
  {
    "ID": "No ID associated with no user",
    "Name": "Authentication Policy Administrator",
    "Note": "No users assigned to this role.",
    "Found": false,
    "Principal Organization IDs": []
  }
]
```

</details>
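The four steps above, as an added Python model that is not part of the Crate or of Rewst's code: it runs offline on constructed sample data (a fabricated OpenID configuration document and fabricated Graph `roleAssignments` responses, with made-up tenant and principal IDs), reproduces the `split('/')[3]` extraction, builds the per-role Graph URL, and judges a role as present only when an assignment's `principalOrganizationId` (the assigned principal's home tenant, the field behind the `Principal Organization IDs` output) matches the MSP tenant ID. The role set, the `Note` wording for the found and wrong-tenant cases, and the use of `principalId` as the `ID` of a found role are assumptions of the example; the role template IDs are Microsoft's built-in ones for those roles.

```python
"""Offline model of the CSP/GDAP permission check: extract the MSP tenant ID
from an OpenID configuration document, query role assignments per required
role, and build the missing_roles summary. Example code, not Rewst's."""
import json
import re
from urllib.parse import quote, urlencode

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Constructed sample data: tenant IDs below are made up for the example.
MSP_TENANT_ID = "a1b2c3d4-0000-4000-8000-000000000001"
OTHER_TENANT_ID = "e5f6a7b8-0000-4000-8000-000000000099"

# The one field of the OpenID discovery document that the workflow reads.
SAMPLE_OPENID_CONFIG = {
    "authorization_endpoint": (
        f"https://login.microsoftonline.com/{MSP_TENANT_ID}/oauth2/authorize"
    ),
}

# Roles to check, name -> roleDefinitionId. The IDs are Microsoft's built-in
# directory role template IDs; the set is a hypothetical subset of the
# recommended GDAP roles, not the Crate's full list.
REQUIRED_ROLES = {
    "Security Administrator": "194ae4cb-b126-40b2-bd5b-6091b380977d",
    "Authentication Policy Administrator": "0526716b-113d-4c15-b2c8-68e3c22b9f80",
    "Global Reader": "f2ef992c-3afb-46b9-b7cf-a126ee74c451",
}

# Constructed sample of the beta roleAssignments responses, keyed by the
# roleDefinitionId used in the $filter. principalOrganizationId is the home
# tenant of the assigned principal; that is the value the check compares.
SAMPLE_GRAPH_RESPONSES = {
    REQUIRED_ROLES["Security Administrator"]: {"value": [
        {"id": "ra-1", "principalId": "c0ffee00-0000-4000-8000-000000000010",
         "principalOrganizationId": MSP_TENANT_ID,
         "principal": {"displayName": "Rewst Service Account"}},
    ]},
    REQUIRED_ROLES["Authentication Policy Administrator"]: {"value": []},
    REQUIRED_ROLES["Global Reader"]: {"value": [
        {"id": "ra-2", "principalId": "c0ffee00-0000-4000-8000-000000000020",
         "principalOrganizationId": OTHER_TENANT_ID,
         "principal": {"displayName": "Another partner's admin group"}},
    ]},
}


def tenant_id_from_openid_config(config: dict) -> str:
    """Same extraction as the workflow's Jinja, authorization_endpoint.split('/')[3],
    plus a sanity check that the segment really is a tenant GUID."""
    endpoint = config["authorization_endpoint"]
    tenant_id = endpoint.split("/")[3]
    if not GUID_RE.match(tenant_id):
        raise ValueError(f"unexpected authorization_endpoint: {endpoint}")
    return tenant_id


def role_assignments_url(role_id: str) -> str:
    """The URL the Assess roles step calls, one request per role ID."""
    query = urlencode({"$filter": f"roleDefinitionId eq '{role_id}'",
                       "$expand": "principal"}, quote_via=quote)
    return ("https://graph.microsoft.com/beta/roleManagement/directory/"
            f"roleAssignments?{query}")


def sample_fetch(role_id: str) -> dict:
    """Stand-in for an authenticated GET of role_assignments_url(role_id)."""
    return SAMPLE_GRAPH_RESPONSES.get(role_id, {"value": []})


def assess_role(name: str, role_id: str, msp_tenant_id: str, fetch) -> dict:
    """A role is Found only if some assignment's principal lives in the MSP tenant."""
    assignments = fetch(role_id).get("value", [])
    org_ids = sorted({a["principalOrganizationId"] for a in assignments
                      if a.get("principalOrganizationId")})
    from_msp = [a for a in assignments
                if a.get("principalOrganizationId") == msp_tenant_id]
    if from_msp:
        return {"ID": from_msp[0]["principalId"], "Name": name,
                "Note": "Assigned to a principal from the MSP tenant.",
                "Found": True, "Principal Organization IDs": org_ids}
    note = ("No users assigned to this role." if not assignments
            else "Assigned only to principals outside the MSP tenant.")
    return {"ID": "No ID associated with no user", "Name": name, "Note": note,
            "Found": False, "Principal Organization IDs": org_ids}


def check_permissions(required_roles: dict, msp_tenant_id: str, fetch) -> dict:
    roles = [assess_role(n, rid, msp_tenant_id, fetch)
             for n, rid in required_roles.items()]
    return {"roles": roles, "missing_roles": [r for r in roles if not r["Found"]]}


if __name__ == "__main__":
    msp_tenant_id = tenant_id_from_openid_config(SAMPLE_OPENID_CONFIG)
    result = check_permissions(REQUIRED_ROLES, msp_tenant_id, sample_fetch)
    print(json.dumps({"missing_roles": result["missing_roles"]}, indent=2))
```

To run it live, replace `sample_fetch` with a function that performs an authenticated `GET` of `role_assignments_url(role_id)` against the customer tenant and returns the parsed JSON. The third sample case shows why the tenant comparison matters: Global Reader is assigned, but only to a principal from another tenant, so it is still reported as missing.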

## Crate prerequisites

The [Microsoft Cloud Integration Bundle](/documentation/integrations/integration-guides/microsoft-cloud-integration-bundle.md) must be set up before unpacking this Crate.

## Unpack the M365 CSP/GDAP Permission Checker Crate

1. Navigate to **Crates > Crate Marketplace** in the left side menu of the Rewst platform.
2. Search for `M365 CSP/GDAP Permission Checker`.\
   \
   ![](/files/1UTfT3LEma1dTxPImHNQ)
3. Click on the Crate tile to begin unpacking.
4. Click **Unpack Crate**.
5. Click **Continue**.<br>

   <figure><img src="/files/gBxk9gcAy6kiiwSnG2O7" alt=""><figcaption><p>The Crate's configuration page</p></figcaption></figure>
6. Enter your time estimate into the **Time Saved (seconds)** field.
7. Expand the **Always Pass** accordion menu. Ensure that **Activate for all current and future managed organizations** is toggled on to allow you to run the Crate ad-hoc for any of your client accounts.
8. Click **Unpack**.

### Use the Crate

1. Navigate to **Automations > Workflows**.
2. Search for `[ROC] M365: CSP/CPV Permission Checker`. Click on the workflow to open it in the Workflow Builder.
3. Within the **\[ROC] M365: CSP/CPV Permission Checker** main workflow, click `Test`.
4. Select the tenant you want to check permissions for from the **Trigger Context Organization** dropdown menu. This list is derived from the organizations enabled in your trigger configuration.
5. Enter the domain associated with the managing organization's tenant in the **Primary Domain of the MSP** field.<br>

   <figure><img src="/files/kzMEO7XRRDm6ctAPI0aG" alt=""><figcaption></figcaption></figure>
6. Click **Test**.
7. Click **View Results**.
8. Click **Load Context**.\
   \
   ![](/files/3dyRGL01Cx9cxl5EgJDu)
9. Click to expand all the ![](/files/Wt1fXfFyQzpZcPQKfunv) markers in the context code. The error messages contained in this record indicate whether each role is present or missing. For example:

```
"missing_roles": [
  {
    "ID": "No ID associated with no user",
    "Name": "Security Administrator",
    "Note": "No users assigned to this role.",
    "Found": false,
    "Principal Organization IDs": []
  },
  {
    "ID": "No ID associated with no user",
    "Name": "Authentication Policy Administrator",
    "Note": "No users assigned to this role.",
    "Found": false,
    "Principal Organization IDs": []
  }
]
```

{% hint style="info" %}
Got an idea for a new Crate? Rewst is constantly adding new Crates to our Crate Marketplace. Submit your idea or upvote existing ideas here in our [Canny feedback collector](https://rewst.canny.io/crates).
{% endhint %}
