Microsoft Cloud Integration Bundle

Assign the security group to the service account user you created previously

1. Navigate to Manage > Groups. Click +New Group.

   1. Choose security group as the group type.

   2. Name the group Rewst GDAP-[ROLE NAME].

   3. Enter for SCP GDAP role assignment as the description.

   4. Choose Yes for Microsoft Entra roles can be assigned to the group.

   5. Add the Rewst user you created in the previous steps as a member of the group.

   6. Click Create.

   7. Click Yes in the dialog that appears.

2. You will need to complete step 1 a total of 12 times, to create 12 security groups, each named differently to indicate the role it is associated with. For example, Rewst GDAP-[NEXT ROLE NAME], etc.

3. Wait for the status to change to Active. Note that this can take anywhere from a few minutes to 24 hours depending on Microsoft's response time.

Assign recommended roles for GDAP

1. Navigate to partner.microsoft.com and sign in.

2. Click Partner Center > Customers > Customer List.

3. Click on the name of the customer you would like to create the admin relationship for once the customer list loads.

4. Click Admin Relationships > Request a New Relationship.

5. Name the relationship, keeping in mind that this name must be unique for each customer or relationship. We suggest the customer's initials, followed by GDAP. For example, ABC-GDAP.

6. Enter the maximum duration of 730 days in the Duration in Days field.

7. Click Select Microsoft Entra roles.

8. Add the 12 roles explained in this list by checking off the boxes. Note that the total list of roles is not alphabetized. Use control + F or command + F to search for your relevant roles.

   1. Application Administrator - Can create and manage all applications, service principals, app registration, enterprise apps, consent requests. Cannot manage directory roles, security groups.

   2. Authentication Policy Administrator - Configures authentication methods policy, MFA settings, manages Password Protection settings, creates/manages verifiable credentials, Azure support tickets. Restrictions on updating sensitive properties, deleting/restoring users, legacy MFA settings.

   3. Cloud App Security Administrator - Manages all aspects of the Defender for Cloud App Security in Azure AD, including policies, alerts, and related configurations.

   4. Cloud Device Administrator - Enables, disables, deletes devices in Azure AD, reads Windows 10 BitLocker keys. Does not grant permissions to manage other properties on the device.

   5. Exchange Administrator - Manages all aspects of Exchange Online, including mailboxes, permissions, connectivity, and related settings. Limited access to related Exchange settings in Azure AD.

   6. Intune Administrator - Manages all aspects of Intune, including all related resources, policies, configurations, and tasks.

   7. User Administrator - Manages all aspects of users, groups, registration, and resets passwords for limited admins. Cannot manage security-related policies or other configuration objects.

   8. Privileged Authentication Administrator - Sets and resets authentication methods for all users (admin or non-admin), deletes/restores any users. Manages support tickets in Azure and Microsoft 365. Restrictions on managing per-user MFA in legacy MFA portal.

   9. Privileged Role Administrator - Manages role assignments in Azure AD, Azure AD Privileged Identity Management, creates/manages groups, manages all aspects of Privileged Identity Management, administrative units. Allows managing assignments for all Azure AD roles including Global Administrator.

   10. Security Administrator - Can read security information and reports, and manages security-related features, including identity protection, security policies, device management, and threat management in Azure AD and Office 365.

   11. SharePoint Administrator - Manages all aspects of SharePoint Online, Microsoft 365 groups, support tickets, service health. Scoped permissions for Microsoft Intune, SharePoint, and OneDrive resources.

   12. Teams Administrator - Manages all aspects of Microsoft Teams, including telephony, messaging, meetings, teams, Microsoft 365 groups, support tickets, and service health.

9. Click Save.

10. Review your selection and click Finalize Request.

11. You'll be redirected to a page that shows the request. Copy the link in that page.

12. Email the link to your customer. They will need to accept the request to continue your bundle set up steps. Once approved, the relationship will show as Active in the Admin Relationships list. You may also approve on the customer's behalf since you have Global Administrative privileges. To do this, choose to send the email to yourself. Note that if you choose this option, it will still send an email to your customer. You may want to notify them that they can disregard the email.

• Symptom: Failure to proceed past the authentication step, not even reaching the Microsoft Auth login screen.

• Common Cause: This may occur due to a delay on Microsoft's end where the system is still processing the app registration.

• Solution: Wait a minute or two before attempting to re-authenticate. This allows time for the backend processes to complete.

• Symptom: Successful authentication only after switching between the new Rewst Cloud Connector and the legacy Rewst Prod App Registration.

• Potential Cause: Existing Rewst Prod installations in the Microsoft tenant might interfere with the new setup.

• Solution:

  • Restart the integration wizard from the beginning.

  • Make sure all configuration steps are correctly completed. Pay extra attention to step 2 and confirm that a notification appears, indicating that the configurations have been updated.

• Error Context: Pertains to errors when consenting on a client (e.g., green shield button on CSP/Graph/EXO integration table).

• Common Issue: Transition to Microsoft's Granular Delegated Admin Privileges (GDAP) introduces complexities in tenant access control.

• About GDAP:

  • Purpose: GDAP enables fine-grained control over tenant access, allowing the creation of groups in your MSP tenant, assignment of permissions, and user allocation.

  • Example: Create specific groups like "Standard M365 Clients - Exchange Administrator" or "Strict M365 Clients - Exchange Administrator" to manage access levels across different clients.

• Rewst's Role: Since Rewst can interact with various endpoints, the correct permissions in both your tenant and client tenant are essential.

• Potential Resolution: Understand and Implement GDAP Utilize GDAP to create groups and assign permissions, ensuring compliance with your security policies.

• Root Cause: Most commonly related to a misunderstanding of Application vs. Delegated permissions within Microsoft Graph Integration.

  • Application Permissions: Granted to applications, not tied to users. Allows access to data without user consent.

  • Delegated Permissions: Tied to specific users, requiring their consent for data access.

• Microsoft's Direction: Microsoft is shifting from Application permissions to Delegated permissions for security reasons. Application permissions lack an audit trail, hiding who accessed data and when. They also allow Microsoft Partners to have a tenant in their organization without the client's awareness.

• Relevance to Tasks:

  • User Permissions: For user-related endpoints, such as reading calendar items, or sending mail as a user, the authenticating account must have the necessary permissions.

  • Example: To send as [email protected] via Rewst, ensure Rewst-Service Account has Send As permission on the SendfromMe account.

• Error Message & Context: Request_BadRequest, Unsupported token. Unable to initialize the authorization context. This manifests as a "Bad Request" error when making calls to Graph, despite seemingly correct integration and tenant delegation credentials.

• Suspected Cause: The error may stem from a cached token or from the integration being authorized prior to setting the checkbox for CSP delegation in CSP, Graph, or Exchange Online.

• Potential Resolution:

  1. Uninstall and Reinstall CSP Integration: Go to CSP integration, click "Uninstall," wait, then click "Install."

  2. Reauthorize CSP with Admin Access: Use the recommended service account with admin access for reauthorization.

  3. Repeat for Other Integrations: Follow steps 1-2 for Exchange Online and Graph, checking Use CSP Delegated Consent before authorizing.

  4. Re-Consent on Behalf of Managed Tenants: Return to CSP integration and click the green shield to re-consent.

As per Microsoft documentation the following needs to be true for resetting a user's password/modifying their password profile.

See Microsoft Documentation

In a delegated scenario the Rewst enterprise applications need to have the 'Directory.AccessAsUser.All' permission (and corresponding GDAP roles)

In a application call scenario(MSP Level/Integration installed at the customer level standalone from CSP) the application must be assigned a priviledged role such as Authentication Administrator or Priviledged Authentication Administrator.

If the refresh token couldn't be retrieved or stored, reauthorization must occur.

A Conditional Access Policy may have set the maximum session time, causing this error. Consider changing the policy or following guidance under Conditional Access.

The absence of MFA setup or Conditional Access policies blocking Rewst's access may lead to this error. Check MFA settings and Conditional Access policies.

Password changes, session revocations, or account disabling may lead to this error. Reauthorization will be needed.

This might occur when a trusted device used for the first authorization has been deleted from the Intune portal. Reauthorization is required.

If the user lacks sufficient access rights or is missing the necessary Exchange role, check the user's rights and Exchange role information. When using GDAP, the user must be in the "Exchange Administrators" group.

This is likely a failure to call Intune APIs. Check if the tenant has the necessary license available.

The request might be malformed if the body doesn't contain JSON or if variables haven't expanded. Look for syntax errors or incorrect bracket usage.

Multiple causes could lead to this error, such as the user not authorizing the Rewst CSP integration or not being in the AdminAgents group. If you're using GDAP, ensure that the user is added to the correct group(s) for Rewst to function.

This could indicate that the relationship between the tenant and the partner has been dissolved from the client side, or that a GDAP relationship has expired. Check the partner relationship information and ensure it is still active.

This means that Exchange connections are no longer possible. Please verify Exchange subscription availability.

If GDAP has been deployed and you're seeing this error, it may be because the user is not in any GDAP groups. Verify the user's GDAP group membership.

If you're unable to connect to Teams Admin cente, this might mean the tenant is missing a Teams license. Check to ensure the necessary licenses are available.

This error is mainly seen around security tasks and is likely due to a missing license such as M365 BP or Azure AD P1. Check the tenant's license information to ensure that the necessary licenses are available for the requested operation.

• Cause: Often related to Multi-Factor Authentication (MFA). Absence of MFA, incorrect MFA configuration, or unsupported third-party MFA provider.

• Requirements: Microsoft mandates the use of the StrongAuthClaim method in MFA requests, confirming additional security checks beyond username and password.

• Potential Resolutions:

  1. Enable MFA with StrongAuthClaim: Make sure the user account for Microsoft CSP integration has MFA enabled using the StrongAuthClaim method (usually with Microsoft MFA).

  2. Confirm MFA at Sign-In: If using Microsoft MFA and encountering errors, ensure MFA confirmation at sign-in. Try incognito browsing or sign out and back in if needed.

  3. Create a Dedicated User Account: Recommended for Microsoft CSP integration with specific requirements (e.g., Global Administrator permissions, MFA with StrongAuthClaim, AdminAgents role added in Partner Center to enable API access).

Duo / Third Party MFA Notice: Duo MFA was removed from Microsoft's supported list in 2022. Users must switch to Microsoft MFA to comply with requirements. See Microsoft Partner Account - MFA Requirements

This feature requires a P1 license or higher. Check the client's tenant license information to ensure that the necessary licenses are in place.

Client error 400 Bad Request means there's an issue with the request. It's most likely that an incorrect value is being sent. Please verify the correctness of the values in the request.

When in the context of authorizing the Microsoft Cloud Bundle this error can sometimes be related to Conditional Access policies, either on the MSP tenant (if failing to authorize) or on the customer tenant (when performing CPV consent aka clicking the blue shield).

If the issue is during the initial authorization, then it is important to check your conditional access policies and modify them to either exclude the user used to authorize the integration (typically the Rewst@ user) or to address the conflict (as an example, limiting access by location).

If the issue is during CPV consent of a customer then you will need to check the customer's conditional access policies and modify them to exclude the service provider tenant or address the conflict (example from above could apply).

We've identified a recurring issue within the Entra UI concerning the inconsistent permissions display on the Enterprise App Permissions page. Users may encounter situations where the permissions are either fully paginated and visible or not all permissions are displayed as expected.

Incomplete display of permissions

If what you see resembles the screenshot below, it indicates that not all permissions are being displayed. In such cases, the seemingly absent permissions are assigned but not visible due to a limitation within the UI. This known issue stems from a bug on Microsoft's end, which unfortunately is beyond our ability to directly resolve. For visibility into the complete set of permissions under these circumstances, using the API is the recommended approach.

Complete display of permissions

If your Entra UI matches the below screenshot, this suggests that all permissions are being properly shown. So if any are missing, they are actually missing. Should there be any unexpected permissions missing in this scenario, it likely points to an bug or failure in the permissions assignment process on the Rewst side.

If you get this error while running EXO commands, check if the dedicated account linked to the Microsoft Cloud Integration Bundle for authorization has the Exchange Administrator Role.