GDAP relationship missing, expired or not working

GDAP relationship missing, expired or not working

GDAP relationship missing, expired or not working

This article explains what to check when Sync 365 cannot access a customer tenant because the Microsoft GDAP relationship is missing, expired, incomplete, or does not include the required roles.

When this article applies

Use this article when:

  • A customer tenant does not appear in Sync 365.
  • Licence or subscription data is not refreshing.
  • You see Microsoft access errors related to delegated admin permissions.
  • Partner Center shows the customer but Sync 365 cannot read the tenant.
  • GDAP was recently changed, renewed, or removed.

Use the exact access-error guide first

If Sync 365 shows a specific Microsoft access or role error, open the matching guide below first.

What GDAP does

GDAP stands for Granular Delegated Admin Privileges. It controls which Microsoft customer tenants your partner account can access and which admin roles are available for each tenant.

Sync 365 relies on your Microsoft partner access to read tenant, licence, subscription, and user information. If GDAP is missing or does not include the required roles, Sync 365 may not be able to refresh that customer.

Common symptoms

  • The tenant is missing from the tenant list.
  • Licence counts stop updating.
  • Subscription details do not refresh.
  • Contact Sync stops updating users or contacts.
  • Microsoft error messages mention access denied, forbidden, invalid role, or missing delegated permissions.

Step 1: Check the customer in Partner Center

  1. Log in to Microsoft Partner Center with the partner admin account used by Sync 365.
  2. Open the customer record.
  3. Check whether a GDAP relationship exists.
  4. Check whether the relationship is active, pending, expired, or terminated.
  5. Confirm the relationship includes the admin roles required for your Sync 365 workflows.

Step 2: Check the partner admin account

Confirm that the Microsoft account connected to Sync 365 is still valid and has access to the required Partner Center customers.

Common issues include:

  • The partner admin account was disabled.
  • The account’s MFA or Conditional Access policy changed.
  • The account no longer has the required Partner Center access.
  • The refresh token expired or was revoked.
  • The account is not assigned to the relevant GDAP relationship.

Step 3: Check whether the customer accepted GDAP

If a GDAP relationship was recently created or renewed, the customer may still need to accept it.

Until the customer accepts the relationship, Sync 365 may not be able to access the tenant.

Step 4: Re-authenticate Microsoft access in Sync 365

If GDAP is correct but Sync 365 still cannot access Microsoft data, re-authenticate the Microsoft partner admin account in Sync 365.

This is especially useful after:

  • MFA changes
  • Password changes
  • Conditional Access changes
  • Admin role changes
  • Token expiry or revocation errors

Step 5: Refresh the tenant data

After fixing GDAP or re-authenticating Microsoft access, allow Sync 365 to refresh the tenant data.

Depending on the process, some updates may not appear immediately. If the tenant still does not refresh after the next scheduled sync, contact support.

Common causes

  • GDAP relationship expired.
  • GDAP relationship was created but not accepted by the customer.
  • Required Microsoft roles were not included.
  • The partner admin account is not assigned to the GDAP relationship.
  • Conditional Access or MFA is blocking the partner admin account.
  • The Microsoft refresh token expired or was revoked.

Best practice

  • Review GDAP expiry dates regularly.
  • Use a dedicated partner admin account for Sync 365 where appropriate.
  • Keep MFA and Conditional Access policies compatible with the Sync 365 authentication flow.
  • Re-authenticate Sync 365 after major Microsoft security or admin role changes.
  • Check GDAP before raising a support ticket about missing tenants or stale licence counts.

When to contact support

Contact support if:

  • GDAP is active but Sync 365 still cannot access the tenant.
  • The tenant appears in Partner Center but not in Sync 365.
  • You are unsure which Microsoft role is missing.
  • Re-authentication succeeds but licence data still does not refresh.
  • The Microsoft error message is unclear.

When contacting support, include the customer tenant name, tenant ID if available, screenshot of the GDAP relationship status, and the exact error message shown in Sync 365.

Related articles

    • Related Articles

    • Using the Sync 365 Free GDAP Builder

      The Sync 365 GDAP Builder helps Microsoft partners create GDAP approval links and assign approved GDAP roles to partner security groups. Use this tool when you need to create a GDAP relationship request, generate a customer approval URL, assign GDAP ...

    • Granular Delegated Admin Permissions - GDAP Overview

      This article explains how Granular Delegated Admin Permissions (GDAP) impact access to customer tenants and the requirements for full functionality in Sync 365. Microsoft Resources for GDAP Granular Delegated Admin Privileges (GDAP) Introduction - ...

    • Direct CSP and Indirect CSP feature differences

      Direct CSP and Indirect CSP feature differences This article explains the main differences between Direct CSP and Indirect CSP workflows in Sync 365. Sync 365 supports both Direct CSP and Indirect CSP partners, but some Microsoft data and billing ...

    • Conditional Access Policies

      Conditional access policies can block partner accounts and apps from accessing the customer tenant. If you have a restrictive conditional access policy on a customer tenant, you need to ensure you have excluded the service providers or the service ...

    • Adding an AzureAD Application

      NOTE: Preferred method is using Grant Partner Center Consent To access your customer tenants and automate your license billing, we need to create an AzureAD Application in your Partner tenant. This is compatible with Delegated Admin Permissions and ...