Conditional Access Policies - Partner & Customer Guidance

Conditional Access Policies

Conditional access policies can block partner accounts and apps from accessing the customer tenant. If you have a restrictive conditional access policy on a customer tenant, you need to ensure you have excluded the service providers or the service principal.


You can read about Microsofts recommendations for CA policies and GDAP here:  GDAP frequently asked questions - Partner Center | Microsoft Learn 



Recommendations


Your Partner Tenant

  • Have a conditional access policy that applies to the service account you are using for Sync 365.
  • Enforce multi factor authentication
  • DO NOT have any trusted locations (The Microsoft Partner Center will block connections where MFA has not been used)


Customer Tenants

Exclude service provider users from ALL conditional access policies

  • Log into conditional access policies in the customer tenant
  • For each policy add an exclusion to "Users and Groups"
    • Select: Guest or external users> Service provider users> Enter your partner tenant ID.


    • Related Articles

    • GDAP relationship missing, expired or not working

      GDAP relationship missing, expired or not working This article explains what to check when Sync 365 cannot access a customer tenant because the Microsoft GDAP relationship is missing, expired, incomplete, or does not include the required roles. When ...
    • Granular Delegated Admin Permissions - GDAP Overview

      This article explains how Granular Delegated Admin Permissions (GDAP) impact access to customer tenants and the requirements for full functionality in Sync 365. Microsoft Resources for GDAP Granular Delegated Admin Privileges (GDAP) Introduction - ...
    • Direct CSP and Indirect CSP feature differences

      Direct CSP and Indirect CSP feature differences This article explains the main differences between Direct CSP and Indirect CSP workflows in Sync 365. Sync 365 supports both Direct CSP and Indirect CSP partners, but some Microsoft data and billing ...
    • Adding an AzureAD Application

      NOTE: Preferred method is using Grant Partner Center Consent To access your customer tenants and automate your license billing, we need to create an AzureAD Application in your Partner tenant. This is compatible with Delegated Admin Permissions and ...
    • Using the Sync 365 Free GDAP Builder

      The Sync 365 GDAP Builder helps Microsoft partners create GDAP approval links and assign approved GDAP roles to partner security groups. Link: GDAP Builder Use this tool when you need to create a GDAP relationship request, generate a customer ...