Error: Access Denied – Caller should have a valid Entra role
This error means the account making the request is not assigned any valid role in Microsoft Entra ID (formerly Azure AD) within the customer tenant — often due to GDAP misconfiguration.
Cause: The Sync 365 delegated admin account is not assigned via a GDAP relationship with sufficient permissions.
Resolution
Fix the GDAP relationship as follows:
- Log in to Microsoft Partner Center
- Navigate to the affected customer’s GDAP configuration
- Verify:
- The correct security group is assigned to the GDAP roles
- Your Sync 365 admin account is a member of this group
- The group includes at least the following roles:
- Application Administrator
- Global Reader
Full step-by-step guide: Checking your GDAP relationship
Changes usually take effect within ~30 minutes after group updates.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article