MS GDAP REQUIRED CHANGES FOR JUNE 30, 2024 - FOR DELEGATED ADMIN CONFIGURATIONS

As you are aware, Microsoft transitioned from DAP relationships to GDAP roles in July 2023.  With this change, Microsoft also updated the API/Graph Explorer endpoints used to obtain user registration data such as MFA status and authentication methods.

In order for Lifecycle Insights to continue to retrieve user registration data and other data, we require that you add new permissions to your existing App Registration(s).  
This includes both Direct Application Registrations as well as Delegated Admin Registrations. 

There are two general actions you must take.

ACTION 1.  In your MSP Azure tenant, add a new permission to the existing App Registered for LCI.

To do that, follow these steps:

1. Log into your MSP Azure tenant that has the GDAP relationships defined for all of your Microsoft Customers -- https://portal.azure.com/

2. Under the Azure Services menu, select Microsoft Entra ID.

3. In the left Nav pane, click on App Registrations.

4.  Find and open the App Registration that was configured previously for Lifecycle Insights.

In the left Nav pane, click API Permissions.

Click the Add a Permission tile.

Select Microsoft Graph from the Microsoft APIs menu.

Select Application permission Only.  DO NOT SELECT DELEGATED PERMISSIONS.

Use the search bar and enter "Audit" to quickly find the permission.
Find AuditLog, expand it, and select AuditLog.Read.All.

Click Add Permission at the bottom of the window.

When the permission is added, admin consent is not granted automatically.  Click the Grant Admin Consent button to grant consent for the new permission.

All permissions should now show as granted. 
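The two things this action must produce are (a) AuditLog.Read.All requested as an application permission (manifest type "Role"), not a delegated one (type "Scope"), and (b) an admin-consent grant, which for application permissions shows up as an appRoleAssignment on the app's service principal. The following is an added example, not Lifecycle Insights' or Microsoft's code, that checks both offline against JSON in the shape the Microsoft Graph API returns. All object IDs and role GUIDs in the sample data are constructed placeholders; in a real run you would load the Graph service principal from `GET /servicePrincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000'`, the manifest from the portal's Manifest blade, and the assignments from `GET /servicePrincipals/{id}/appRoleAssignments`.

```python
"""Verify an Entra app registration requests AuditLog.Read.All as an
application permission and that admin consent produced the matching grant."""

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph, well-known appId
REQUIRED_PERMISSION = "AuditLog.Read.All"

# Constructed excerpt of the Microsoft Graph service principal in this tenant.
# The GUIDs are placeholders for the example, not the published permission IDs.
GRAPH_SP = {
    "id": "11111111-1111-1111-1111-111111111111",
    "appId": GRAPH_APP_ID,
    "appRoles": [  # application permissions
        {"id": "aaaaaaaa-0000-0000-0000-000000000001", "value": "AuditLog.Read.All"},
        {"id": "aaaaaaaa-0000-0000-0000-000000000002", "value": "User.Read.All"},
    ],
    "oauth2PermissionScopes": [  # delegated permissions
        {"id": "bbbbbbbb-0000-0000-0000-000000000001", "value": "AuditLog.Read.All"},
    ],
}

# Constructed manifest excerpts: the correct configuration and the mistake the
# instructions warn about (selecting the delegated permission instead).
GOOD_MANIFEST = {"requiredResourceAccess": [{
    "resourceAppId": GRAPH_APP_ID,
    "resourceAccess": [{"id": "aaaaaaaa-0000-0000-0000-000000000001", "type": "Role"}],
}]}
DELEGATED_MANIFEST = {"requiredResourceAccess": [{
    "resourceAppId": GRAPH_APP_ID,
    "resourceAccess": [{"id": "bbbbbbbb-0000-0000-0000-000000000001", "type": "Scope"}],
}]}

# Constructed appRoleAssignments as returned for the LCI app's service principal
# after "Grant admin consent" succeeded.
ASSIGNMENTS_AFTER_CONSENT = [{
    "appRoleId": "aaaaaaaa-0000-0000-0000-000000000001",
    "principalId": "22222222-2222-2222-2222-222222222222",  # LCI service principal
    "resourceId": GRAPH_SP["id"],
}]


def resolve_graph_permissions(manifest, graph_sp):
    """Map the manifest's Graph permission GUIDs to (value, kind) pairs,
    where kind is 'Role' (application) or 'Scope' (delegated)."""
    roles = {r["id"]: r["value"] for r in graph_sp["appRoles"]}
    scopes = {s["id"]: s["value"] for s in graph_sp["oauth2PermissionScopes"]}
    found = set()
    for resource in manifest.get("requiredResourceAccess", []):
        if resource["resourceAppId"] != GRAPH_APP_ID:
            continue
        for access in resource["resourceAccess"]:
            table = roles if access["type"] == "Role" else scopes
            value = table.get(access["id"], "<unknown:%s>" % access["id"])
            found.add((value, access["type"]))
    return found


def audit_permission_status(manifest, graph_sp, app_role_assignments):
    """Report whether AuditLog.Read.All is requested as an application
    permission, whether it was mistakenly requested as delegated, and whether
    tenant-wide admin consent has actually been recorded for the app role."""
    requested = resolve_graph_permissions(manifest, graph_sp)
    as_role = (REQUIRED_PERMISSION, "Role") in requested
    as_scope = (REQUIRED_PERMISSION, "Scope") in requested
    role_id = next(r["id"] for r in graph_sp["appRoles"] if r["value"] == REQUIRED_PERMISSION)
    consented = any(
        a["resourceId"] == graph_sp["id"] and a["appRoleId"] == role_id
        for a in app_role_assignments
    )
    return {
        "application_permission_requested": as_role,
        "delegated_permission_requested": as_scope,
        "admin_consent_granted": as_role and consented,
    }


if __name__ == "__main__":
    print("correct app registration:", audit_permission_status(GOOD_MANIFEST, GRAPH_SP, ASSIGNMENTS_AFTER_CONSENT))
    print("consent not yet granted:", audit_permission_status(GOOD_MANIFEST, GRAPH_SP, []))
    print("delegated selected by mistake:", audit_permission_status(DELEGATED_MANIFEST, GRAPH_SP, []))
```

The same check, run against the LCI app's service principal in each customer tenant, confirms that Action 2 below completed even when the consent page ended in a sign-in error.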

ACTION 2.  For each of your Microsoft tenants (Customers), you must explicitly grant access to the LCI Azure App registered in your MSP Azure tenant.

Even if you have granted consent previously you will need to follow these steps to grant consent for the newly added permission. 

Here are the instructions to do that:

  • In Lifecycle Insights, click on Administration > Integrations > Microsoft 365
  • Click on the DELEGATED COMPANY MATCH tab

For each MS Tenant you have mapped to an LCI Company, you will now see a GRANT CONSENT button.   You must click on that button for each customer once and follow the prompts.

Here are the steps you must follow for each customer:

1. Click on the GRANT CONSENT button.

2.  Next, you will be prompted to sign into Azure to grant consent.  This will redirect you to your customer's Azure portal.  You must log in with Admin credentials.  Alternatively, you can copy the consent link and send it to someone who has Admin credentials.

Click the AZURE SIGN-IN FOR CONSENT button.

3.  Log into your customer's Azure portal with Admin Credentials

4.  You will be presented with a consent page.  Click Accept.

5.  You will be presented with confirmation that the consent was granted.  You can close the window.

NOTE:  If you receive a Sign In error that indicates 'No reply address is registered for the Application' after clicking Accept, this simply means that you have not registered a Redirect URI for the LCI Azure App Registration in your MSP tenant (see above).  If you get this specific error, the consent WAS STILL GRANTED.
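The consent link that LCI lets you copy in step 2 is a tenant-wide admin consent URL, and the "No reply address is registered" error in the note above is what the sign-in page returns when the redirect_uri in that link is not registered on the app. The following is an added example, not Lifecycle Insights' code, showing the shape of such a link for Microsoft Entra's admin consent endpoint and how the receiving side should validate the callback before marking a customer as consented: the state value must match the one issued (so a forged or replayed callback is rejected) and the tenant that consented must be the customer you expected. Tenant IDs, the client ID and the redirect URI in the sample are constructed placeholders.

```python
"""Build a tenant-wide admin consent link and validate its callback."""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

CONSENT_ENDPOINT = "https://login.microsoftonline.com/{tenant}/adminconsent"

# Constructed placeholders for the example.
LCI_CLIENT_ID = "33333333-3333-3333-3333-333333333333"      # app (client) ID in the MSP tenant
REDIRECT_URI = "https://lci.example.invalid/consent/callback"  # must be registered on the app
CUSTOMER_TENANT_ID = "44444444-4444-4444-4444-444444444444"


def new_state():
    """Unguessable per-request value tying a callback to the request that issued it."""
    return secrets.token_urlsafe(16)


def build_admin_consent_url(customer_tenant, client_id, redirect_uri, state):
    """Admin consent link a customer Global Admin opens to consent for the whole tenant."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "state": state}
    return CONSENT_ENDPOINT.format(tenant=customer_tenant) + "?" + urlencode(params)


def parse_admin_consent_callback(callback_url, expected_state, expected_tenant_id=None):
    """Decide whether a callback proves consent was granted.

    On success the endpoint redirects with admin_consent=True&tenant=<id>&state=<state>;
    on failure it carries error and error_description instead."""
    query = parse_qs(urlsplit(callback_url).query)
    first = lambda key: query.get(key, [None])[0]

    if first("state") != expected_state:
        return {"granted": False, "reason": "state mismatch; callback not tied to a request we issued"}
    if first("error"):
        return {"granted": False, "reason": first("error_description") or first("error")}
    if first("admin_consent") != "True":
        return {"granted": False, "reason": "admin_consent flag missing"}
    tenant = first("tenant")
    if expected_tenant_id and tenant != expected_tenant_id:
        return {"granted": False, "reason": "consent came from tenant %s, expected %s" % (tenant, expected_tenant_id)}
    return {"granted": True, "tenant": tenant}


if __name__ == "__main__":
    state = new_state()
    link = build_admin_consent_url(CUSTOMER_TENANT_ID, LCI_CLIENT_ID, REDIRECT_URI, state)
    print("send to customer admin:", link)
    # Constructed success callback, as the endpoint would redirect the admin's browser.
    callback = REDIRECT_URI + "?" + urlencode({"admin_consent": "True", "tenant": CUSTOMER_TENANT_ID, "state": state})
    print(parse_admin_consent_callback(callback, state, CUSTOMER_TENANT_ID))
```

When the redirect_uri is not registered, the browser never reaches the callback at all, which is why the note above says the error can appear even though the consent itself was recorded in the customer tenant; the appRoleAssignment check from Action 1 is the authoritative way to confirm it.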

6.  For your current working session, we will indicate if you have attempted to grant consent with an icon to the far right of the GRANT CONSENT button.

7.  Repeat for all of your MS Customers mapped to an LCI Company.