Check GDAP Relationship & Permissions

Checking your GDAP relationship

This provides instructions on how to check your GDAP relationship and permission settings with one of your customer tenants.


Tip: If you need to create or rebuild a GDAP relationship, you can use the free Sync 365 GDAP Builder: https://www.sync365license.com/gdap-builder/

The tool helps generate the GDAP relationship with the required roles for Sync 365 access. It is useful when the existing relationship is missing, expired, has the wrong roles, or was created against the wrong security group.

Check the existing GDAP relationship

  • Log into the Microsoft partner center and go to the customer list - https://partner.microsoft.com/en-us/dashboard/commerce2/customers/list
  • Open the customer and click the "admin relationships" tab on the left side. 
    • Make sure you have an active relationship that has not expired
    • Open the relationship and make sure it has the Microsoft Entra Roles for "Global Reader" and "Application Administrator" as a minimum
    • Look at the security groups below. Ensure the security group that has your Sync 365 user in it is listed. Click on the security group 
    • Make sure that the security group has Global Reader and Application Administrator selected in the roles
  • If the delegated admin account that is used in Sync 365 is not in one of the groups with the permissions assigned:
    • In your own Azure AD / Entra tenant, add the account to the security group that is assigned to the GDAP relationship.

When to use the free GDAP Builder

Use the free Sync 365 GDAP Builder if:

  • The customer does not have a GDAP relationship.
  • The existing GDAP relationship has expired.
  • The relationship has the wrong roles assigned.
  • The wrong security group was selected.
  • You want a cleaner way to create a new GDAP relationship for Sync 365 access.

Open the tool here: Free Sync 365 GDAP Builder


After this is resolved in Sync 365 you can click Refresh Data > Refresh Office 365 data to force a refresh.

    • Related Articles

    • System Exception – CoreException Thrown by Provider

      Error: Exception of type 'Providers.Common.V1.CoreException' was thrown. This is a generic exception triggered when Sync 365 is unable to access data from the customer tenant due to missing permissions. Cause: The delegated admin account lacks the ...
    • Access Denied – Caller Lacks Valid Entra Role

      Error: Access Denied – Caller should have a valid Entra role This error means the account making the request is not assigned any valid role in Microsoft Entra ID (formerly Azure AD) within the customer tenant — often due to GDAP misconfiguration. ...
    • Management Role Error – User Not Assigned Roles

      Error: The user isn't assigned to any management roles This error means the delegated admin account does not have the required directory roles assigned within the customer tenant — typically via the GDAP security group. Cause: The delegated admin ...
    • User Not Found – Account Does Not Exist or Is Inactive or AADSTS90072

      Error: User was not found Or: AADSTS90072: User account '{EUII Hidden}' from identity provider 'https://sts.windows.net/658bfa###' does not exist in tenant 'Tenant' and cannot access the application '3efeacdc-560a-41a1-b337-e302923082ea'(Sync 365 ...
    • AADSTS50177 – User Not Found in Target Tenant

      Error: AADSTS50177 – User does not exist in tenant and cannot access the application This error means the user referenced in the delegated access attempt is not recognised in the customer tenant. It commonly occurs when the GDAP relationship is ...