Rewst User Setup and GDAP Relationship Guidance

Step by Step

The Importance of Setting Up GDAP

Setting up GDAP takes some effort up front, but once it is in place you can automate from the MSP level instead of configuring and managing a separate Microsoft integration for every single customer.

This guide walks through setting up the GDAP relationship step by step. But manual processes are for the birds: check out the Configure New GDAP Relationship Crate!

Introduction

This guide specifically goes over the following:

  • Creating the Rewst service account user.

  • Creating the Rewst group that GDAP permissions will be assigned to.

  • Adding the Rewst user to the AdminAgents group.

  • Creating a new admin relationship with the roles specifically required by Rewst. (Depending on your existing GDAP relationship(s), this may not be necessary, as long as the relationship already contains the right roles and groups with the necessary permissions are available for the user.)

Other applications or your technicians might need additional roles in the relationship. Roles cannot be added to a relationship after it has been created; adding them requires recreating the relationship, so decide on the full role set before you create it.

  • Adding the Rewst group to the admin relationship.

  • Adding the roles for the Rewst group in the admin relationship.

IMPORTANT: As of January 2024, there is a known issue on Microsoft's side that can cause RBAC problems for certain APIs.

Because of this, it is recommended to break each individual role out into a separate group within the GDAP relationship. Failure to do so can result in intermittent failures of GET, PATCH, and POST API calls.

The video and the text guide below still instruct you to create one group; both will be updated at a later date to reflect this.

When setting up the group(s) in Entra you should do the following:

Create a corresponding group for each role that will be assigned per Recommended Roles for GDAP, one group per role, for example:

  • GDAP - Application Administrator

  • GDAP - Exchange Administrator

In the admin relationship within Partner Center, add each group to the relationship and assign each group only its corresponding role.

Example: GDAP - Application Administrator -> Application Administrator

The user used to authorize the integration(s) will need to be a member of each of these groups.

Below are the manual steps for completing this task

Microsoft Entra ID (formerly Azure Active Directory), in the partner tenant

  1. Navigate to Users.

  2. Click New user, then Create new user.

  3. Provide the user principal name.

    • example: rewst

  4. Provide a display name.

    • example: Rewst Integration

  5. Provide a password.

    • Use a long, randomly generated password and store it in your password manager; you will need it when authorizing the integration.

  6. Click Next: Properties.

  7. Click Next: Assignments.

  8. Click Add role on the Assignments tab.

  9. Search for Global Administrator in the role selection.

  10. Select the Global Administrator role.

Note: This role is required for installing the Enterprise Applications used when Rewst first authorizes. Because the account holds Global Administrator in the partner tenant, protect it like any other privileged account: enforce MFA and keep the password in a vault rather than in plain-text documentation.

  11. Click Select.

  12. Verify the role is now listed in the main pane.

  13. Click Next: Review + Create once the role is listed.

    • Verify the information is correct on the Review + Create page.

  14. Click Create.

  15. Navigate back to Microsoft Entra ID.

  16. Click Groups.

  17. Click New group on the Groups page. (If you follow the one-group-per-role recommendation above, repeat steps 17 to 25 for each GDAP - <role> group.)

  18. Select Security for Group type.

  19. Enter Rewst - GDAP for the group name.

  20. Enter Rewst GDAP Permissions Group for the group description.

  21. Set "Microsoft Entra roles can be assigned to the group" to Yes.

  22. Click No members selected.

  23. In the pane that opens, type Rewst and select the Rewst account created in the previous steps.

  24. Click Select.

  25. Select Yes when prompted with the following:

    • "Creating a group to which Microsoft Entra roles can be assigned is a setting that cannot be changed later. Are you sure you want to add this capability?"

After the steps above, it is also necessary to add the user to the AdminAgents group from the Groups page; without that membership the account cannot act through the partner relationship.
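The same partner-tenant setup, as an added example in Microsoft Graph PowerShell instead of the portal. This is not Rewst's code or the Crate and is not part of the original guide. It goes one step beyond the single-group steps above and creates one role-assignable group per role, as the IMPORTANT note recommends, then checks the memberships the guide requires. Assumptions (not from the page): the Microsoft.Graph module is installed, you connect to the partner tenant as an admin who can create users, role-assignable groups and directory role assignments, the domain contoso.onmicrosoft.com stands in for your partner tenant, and the two-role list stands in for the full Recommended Roles for GDAP list.

```powershell
# Added example: Graph PowerShell equivalent of the portal steps above (not Rewst's code).
# Assumptions: Microsoft.Graph module installed; run against the PARTNER tenant;
# $domain and $roles are placeholders for your tenant domain and the recommended role list.
Connect-MgGraph -Scopes 'User.ReadWrite.All','Group.ReadWrite.All',
                         'GroupMember.ReadWrite.All','RoleManagement.ReadWrite.Directory'

$domain = 'contoso.onmicrosoft.com'                               # assumption
$upn    = "rewst@$domain"
$roles  = @('Application Administrator', 'Exchange Administrator') # assumption: use the full list

# 1. Service account. Generate the password instead of typing one, and put it in a vault;
#    it is never written to the console or to disk here.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$password = [Convert]::ToBase64String($bytes)
$user = New-MgUser -DisplayName 'Rewst Integration' -UserPrincipalName $upn `
          -MailNickname 'rewst' -AccountEnabled `
          -PasswordProfile @{ Password = $password; ForceChangePasswordNextSignIn = $false }
Write-Host "Created $upn. Store the generated password in your password manager now."

# 2. Global Administrator, needed for the Enterprise Application consent at first authorization.
$gaRole = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $user.Id `
    -RoleDefinitionId $gaRole.Id -DirectoryScopeId '/' | Out-Null

# 3. One role-assignable security group per GDAP role, with the service account as a member.
#    IsAssignableToRole is the portal's "Microsoft Entra roles can be assigned to the group"
#    switch and cannot be changed after creation.
$gdapGroups = foreach ($role in $roles) {
    $name = "GDAP - $role"
    $g = New-MgGroup -DisplayName $name -Description "Rewst GDAP group for $role" `
            -MailEnabled:$false -MailNickname ($name -replace '[^A-Za-z0-9]', '') `
            -SecurityEnabled -IsAssignableToRole
    New-MgGroupMember -GroupId $g.Id -DirectoryObjectId $user.Id
    $g
}
$gdapGroups = @($gdapGroups)

# 4. AdminAgents membership (the group Partner Center provisions in the partner tenant).
$adminAgents = Get-MgGroup -Filter "displayName eq 'AdminAgents'"
if (-not $adminAgents) { throw 'AdminAgents group not found; is this the partner tenant?' }
New-MgGroupMember -GroupId $adminAgents.Id -DirectoryObjectId $user.Id

# 5. Check: the authorizing user must be in every GDAP group and in AdminAgents.
$memberOf = @(Get-MgUserMemberOf -UserId $user.Id -All).Id
$missing  = @($gdapGroups + $adminAgents | Where-Object { $_.Id -notin $memberOf })
if ($missing) { throw "Missing memberships: $($missing.DisplayName -join ', ')" }
"OK: $upn is a member of $($gdapGroups.Count) GDAP group(s) and AdminAgents"
```

The group names follow the GDAP - <role> pattern from the IMPORTANT note so that the Partner Center step of mapping each group to its single role is unambiguous; the final membership check is the thing to rerun if the integration later fails to authorize.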

Partner Center

If you do not already have a CSP relationship established, you can reference the Microsoft Request A Relationship With A Customer documentation.

  1. Navigate to the Microsoft Partner Center.

  2. Click Customers on the Partner Center home page.

  3. Once the customer list loads, click the name of the customer you want to create the admin relationship for.

  4. On the customer page, click Admin relationships in the left nav pane.

  5. On the relationships page, click Request for new admin relationship.

  6. Provide a name for the admin relationship.

Note: This value must be unique per relationship/customer.

  7. Provide a duration.

    • max is 730 days; the relationship cannot be extended, so note the expiry date and plan to recreate it before then.

  8. Click Select Microsoft Entra roles.

  9. Select the roles listed in Recommended Roles for GDAP.

Note: The list is not in alphabetical order; use CTRL + F to search the page to make finding the roles easier. Roles cannot be added after the relationship is created, so include every role you will need now.

  10. Click Save once all roles are selected.

  11. Click Finalize request once you've verified that all the roles you selected are listed.

You will be redirected to a page that shows the request.

At this point, your customer will need to accept the request, or you will need to sign in as a Global Administrator of the customer tenant and accept the request using the link in the Click to review and accept section.

  12. Click Done.

Once the request has been approved, the admin relationship will be established.

  13. Verify that the relationship is established by returning to the Admin relationships page and confirming the status is Active.

  14. Click the relationship name if the status is Active.

This will bring you to the page that shows all the available roles in the relationship and the list of assigned security groups.

  15. Click Add security groups.

  16. Select Rewst - GDAP (or, if you created one group per role, each GDAP - <role> group).

  17. Click Next.

  18. Select the roles required for Rewst in the relationship as per Recommended Roles for GDAP. With per-role groups, assign each group only its own role.

  19. Click Save.

  20. Wait for the status to change to Active (a manual page refresh is needed).

These steps (creating the admin relationship, assigning the group(s) to the relationship, and assigning the roles to each group in the relationship) must be repeated for each customer.
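The Partner Center procedure above, as an added example driven through the Microsoft Graph delegatedAdminRelationships API with Graph PowerShell. This is not Rewst's Configure New GDAP Relationship Crate and not code from this page; the portal steps remain the reference. Assumptions (not from the page): the Microsoft.Graph module is installed and you connect as a partner admin with DelegatedAdminRelationship.ReadWrite.All, the customer tenant ID and relationship name are placeholders, the two-role list stands in for the full Recommended Roles for GDAP list, and the GDAP - <role> groups already exist in the partner tenant.

```powershell
# Added example: create a GDAP relationship, lock it for customer approval, then map one
# group to one role once it is active. Not Rewst's code; IDs and names are placeholders.
Connect-MgGraph -Scopes 'DelegatedAdminRelationship.ReadWrite.All','Group.Read.All',
                         'RoleManagement.Read.Directory'

$customerTenantId = '00000000-0000-0000-0000-000000000000'        # assumption: customer tenant ID
$roles = @('Application Administrator', 'Exchange Administrator') # assumption: use the full list

# Resolve role display names to the role definition IDs the relationship API expects,
# and fail early if a name is misspelled: roles cannot be added after creation.
$roleDefs = @(foreach ($r in $roles) {
    Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$r'"
})
if ($roleDefs.Count -ne $roles.Count) { throw 'One or more role names did not resolve' }

# 1. Create the relationship: unique name per customer, maximum duration P730D (730 days).
$rel = New-MgTenantRelationshipDelegatedAdminRelationship -BodyParameter @{
    displayName   = "Rewst-GDAP-$(Get-Date -Format yyyyMMdd)"   # assumption: your naming scheme
    duration      = 'P730D'
    customer      = @{ tenantId = $customerTenantId }
    accessDetails = @{ unifiedRoles = @($roleDefs | ForEach-Object { @{ roleDefinitionId = $_.Id } }) }
}

# 2. Lock for approval. This is the point of no return for the role set, so re-check it first.
$granted = @($rel.AccessDetails.UnifiedRoles.RoleDefinitionId | Sort-Object)
$wanted  = @($roleDefs.Id | Sort-Object)
if (($granted -join ',') -ne ($wanted -join ',')) { throw 'Role set on the relationship does not match' }
New-MgTenantRelationshipDelegatedAdminRelationshipRequest -DelegatedAdminRelationshipId $rel.Id `
    -BodyParameter @{ action = 'lockForApproval' } | Out-Null
Write-Host "Relationship $($rel.Id) is awaiting customer approval (use the Partner Center approval link)."

# 3. Wait (bounded) for the customer to accept; status becomes 'active'.
$tries = 0
do {
    Start-Sleep -Seconds 60
    $rel = Get-MgTenantRelationshipDelegatedAdminRelationship -DelegatedAdminRelationshipId $rel.Id
    $tries++
} while ($rel.Status -ne 'active' -and $tries -lt 60)
if ($rel.Status -ne 'active') { throw "Relationship is still '$($rel.Status)'; rerun step 4 after approval" }

# 4. Assign each "GDAP - <role>" group exactly one role, per the IMPORTANT note above.
foreach ($rd in $roleDefs) {
    $group = Get-MgGroup -Filter "displayName eq 'GDAP - $($rd.DisplayName)'"
    if (-not $group) { throw "Missing partner-tenant group: GDAP - $($rd.DisplayName)" }
    New-MgTenantRelationshipDelegatedAdminRelationshipAccessAssignment -DelegatedAdminRelationshipId $rel.Id `
        -BodyParameter @{
            accessContainer = @{ accessContainerId = $group.Id; accessContainerType = 'securityGroup' }
            accessDetails   = @{ unifiedRoles = @(@{ roleDefinitionId = $rd.Id }) }
        } | Out-Null
}
"Assigned $($roleDefs.Count) role(s) to $($roleDefs.Count) group(s) on relationship $($rel.Id)"
```

Run this once per customer; the relationship creation and lock happen before the customer accepts, and the access assignments only after the status reads Active, matching the order of the portal steps. If the customer has not accepted within the wait window, rerun only the access-assignment part with the existing relationship ID.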
