Rewst User Setup and GDAP Relationship Guidance
Step by Step
Last updated
Step by Step
Last updated
Feedback
⬆️ CannyCopyright © 2024 Rewst
While effort is required to get GDAP set up up front, but this setup will allow you to automate from the MSP level and prevent the need to configure and manage a separate microsoft Integration for every single customer.
This guide walks through the process of setting up the GDAP relationship step-by-step. But manual processes are for the birds. Check out the Configure New GDAP Relationship Crate!
This guide specifically goes over the following:
Creating the Rewst service account user.
Creating the Rewst group that GDAP permissions will be assigned to.
Adding the Rewst user to the AdminAgents group.
Creating a new admin relationship with the roles specifically required by Rewst. (Depending on your current GDAP relationship setup(s) this may not be necessary as long as your relationship contains the right roles and groups are available with the necessary permissions for the user)
Other applications/your technicians might need additional roles added to the relationship. Adding new roles after the relationship has been created requires recreating the relationship.
Adding the Rewst group to the admin relationship.
Adding the roles for the Rewst group in the admin relationship.
IMPORTANT: As of January 2024 it was discovered that there is an issue on Microsoft's end that can cause issues with RBAC settings for certain APIs.
Because of this it is recommended to break each individual role out into seperate groups within the GDAP relationship, failure to do so can result in intermittent GET, PATCH, and POST failures on API calls.
In the video and text guide for this document the instructions state to create one group, however the document and video will be updated at a later date to reflect this.
When setting up the group(s) in Entra you should do the following:
In the admin relationship within the Partner Center you will need to add each group to the relationship and assign the corresponding role to the corresponding group in the relationship.
Example: GDAP - Application Administrator -> Application Administrator
The user used to authorize the integration(s) will need to be a member of each of these groups.
Below are the manual steps for completing this task
Login to Microsoft Entra ID.
Navigate to Users.
Click New User → Create User.
Provide the user principal name.
example: rewst
Provide a display name.
example: Rewst Integration
Provide a password.
document this for later usage
Click Next: Properties.
Click Next: Assignments.
Click Add Role while under the assignments tab.
Search for Global Administrator in the role selection.
Select the Global Administrator role.
Note: This role is required for installing the Enterprise Applications used when Rewst first authorizes.
Click Select.
Verify the role is now listed in the main pane.
Click Next: Review + Create If the role is there.
Verify the information is correct on the Review + Create page.
Click Create.
Navigate back to Microsoft Entra ID.
Click Groups.
Click on New Group on the Groups page.
Select Security for Group type.
Enter Rewst – GDAP for the group name.
Enter Rewst GDAP Permissions Group for the group description.
Set Microsoft Entra roles can be assigned to the group to Yes.
Click on No members selected.
Select the Rewst account created in the previous steps in the new pane type in Rewst.
Click Select.
Select Yes when prompted with the following:
"Creating a group to which Microsoft Entra roles can be assigned is a setting that cannot be changed later. Are you sure you want to add this capability?"
It is also necessary to add the user to the ‘AdminAgents’ group on the group's page as well after the previous steps are done.
If you do not already have a CSP relationship established, you can reference the Microsoft Request A Relationship With A Customer documentation.
Navigate to the Microsoft Partner Center.
Click on Customers once on the Partner Center home page.
Click on the name of the customer you would like to create the admin relationship for once the customer list loads.
Click on Admin Relationships in the left nav pane once in the customer page.
Press Request for new admin relationship once on the relationship page.
Provide a name for the admin relationship.
Note: This value must be unique per relationship/customer.
Provide a duration.
max is 730 days
Click Select Microsoft Entra Roles.
Note: The list is not in alphabetical order and it is recommended that you use CTRL + F to search the page to make finding the roles easier.
Click the Save button once all roles are selected.
Click Finalize Request once you've verified all the roles you selected are listed.
You will be redirected to a page that shows the request.
At this point, your customer will need to accept the request or you will need to log in as a global administrator on the tenant to accept the request using the link in the Click to review and accept section.
Click Done.
Once the request has been approved the admin relationship will be established.
Verify that the relationship is established by returning to the Admin Relationships page and confirming the status is active.
Click on the relationship name if the status is Active.
This will bring you to the page that shows all the available roles in the relationship and the list of available security groups.
Click Add security groups.
Select Rewst - GDAP
Click Next.
Click Save.
Wait for the status to change to Active (manual page refresh is needed).
These steps will need to be performed for each customer (creating the admin relationship/assigning the group to the relationship/assigning the roles to the group in the relationship)
Create a corresponding group for each role that will be assigned per , an example of this would be: GDAP - Application Administrator GDAP - Exchange Administrator etc.
Select the roles listed in .
Select the roles required for Rewst in the relationship as per .\