This document serves as a guide for starting the wizard while connecting Zomentum with Microsoft.
Microsoft is moving from DAP to GDAP. To use Zomentum Connect in combination with GDAP, MSPs need to perform the following steps to get consent from every user or tenant they manage.
The following steps need to be completed in order to use Microsoft New Authentication:
Configuring Zomentum Connect
TABLE OF CONTENTS
- Configuring Zomentum Connect
- Create a Dedicated Security Group
- Create an App Registration
- Complete The Wizard
- Set up the GDAP relationships and permissions.
- Grant Consent for Your Customers
- FAQ
- Error: Customer tenant is not consented
- Error code: Authorization_RequestDenied
- Error code: Request_BadRequest
- Error code: Authentication_Unauthorized
- Error code: HTTP request returned status code 403
- Internal server error when adding a customer
- Internal server error when granting consent after selecting multiple tenants
Prerequisite:
Enable Microsoft Lighthouse in your Microsoft partner account.
The license for this is free of charge.
You don't need to disconnect the Microsoft (Legacy) account until all tenants have been migrated!
1. Log in to Microsoft with an account that has Partner rights on the Microsoft partner platform.
2. Create a dedicated service account. The first step is creating a dedicated service account in your Microsoft Partner account for the Zomentum Connect integration.
Log in to the Azure Portal using an account that has the necessary permissions to create service accounts.
Navigate to Microsoft Entra ID. Click on the Add button, and choose User > Create New User.
3. Create a new username and password for the service account.
4. In the Assignments tab, click Add Role to add the Application Administrator and Global Reader roles.
5. In the Assignments tab, click Add Group. Assign this new user to the Admin Agents group.
6. Complete the creation wizard to create the user.
7. Make sure that this new user requires MFA. Most likely, your account will already enforce MFA through your existing Conditional Access policies. If that is not the case, please make sure to enable per-user MFA.
8. Once MFA is enabled, log in as the user for the first time and set up its MFA configuration.
Microsoft Authenticator is required; a third-party MFA solution will not work. Check that you can log in to https://admin.microsoft.com in an InPrivate browser window.
9. Store the username and password in a safe place. You will need them in the next steps.
Create a Dedicated Security Group
We need to create a dedicated security group to use for setting up GDAP relationships. Perform the following steps:
1. Log in to the Azure Portal using a Global Admin account that has the necessary permissions to create security groups.
2. Navigate to Microsoft Entra ID.
3. Click on the Add button, and choose Group.
4. Choose Security as its type.
5. Leave Membership Type set to Assigned.
6. Under the Members section, click on No members selected and add the service account we created in the previous step as a member.
7. Complete the creation wizard to create the security group.
Create an App Registration
In this step, we will set up an Application Registration which allows us to request programmatic access to your customer tenants. Perform the following steps:
1. Log in to the Azure Portal using a Global Admin account that has the necessary permissions to create App Registrations.
2. Navigate to App Registrations.
3. Click on the New Registration button.
4. Give the App a name, for example, ZomentumConnect.
5. In the Supported Account Types section, choose Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant).
6. In the Redirect URI section, choose Web in the drop-down, and enter the following URL: https://app.goolash.io/configuration/microsoft-graph/secure-app/partner-center/callback
7. Register the application
8. You'll be redirected to the Overview page of this new App Registration. Look for the identifier next to the Application (client) ID and add it to the following form:
9. Now we can add the necessary permissions for this App. Go to the API Permissions section and click on Add a permission. In the pane that pops up, click Microsoft Graph. Next you will be asked for the type of permission: Delegated or Application. This is different for each permission we add.
Please ensure the following three permissions are added:
- Application: Organization.Read.All
- Delegated: User.Read
This should have been added by default.
10. We also require the Partner Center API to be enabled. Click on Add a permission again, and this time click on the APIs my organization uses at the top of the pane.
Search for Microsoft Partner Center and add the user_impersonation permission.
11. You should now have these permissions listed:
12. On the same page, click on the Grant Admin Consent for "your organisation" button.
13. Finally, we must set up a Client Secret. Click on the Certificates & secrets menu item on the left and open the Client secrets tab.
14. Click on New client secret and give it a description. Choose the expiry time. Once the secret expires, you'll have to update these settings in Zomentum Connect again.
15. Press Add to generate a new client secret. Make sure you copy the value (not the Secret ID) and store it somewhere safe.
16. Add the values to the new Microsoft authentication wizard in Zomentum Connect and proceed.
Complete The Wizard
Select your partner account and log in with the newly created service account:
Set up the GDAP relationships and permissions.
The most important step in this configuration is making sure that there are GDAP relationships added to all your customers. In almost all cases, you will probably already have this relationship set up. Perform the following steps:
1. Log in to your Partner Center and go to the list of Customers.
2. For each customer that you want to connect to Zomentum, follow these steps.
3. Click on the Customer name and then on the Admin Relationships section.
4. Click on the Request for New Relationship button.
5. Give the new relationship a name and duration.
6. Select at least the following Entra ID roles:
- Global Reader
- Application Administrator
7. Click on Finalize request
8. Once the GDAP relationship is created, also add the security group we created earlier. On the page of the relationship, click on the Add Security Group button
9. Select the security group you created in the previous steps, and assign all permissions to it.
10. Repeat these steps for all customers you want to connect to Zomentum.
Grant Consent for Your Customers
Go to Configure and click on Configure:
Click on Add Customer.
Select the tenants where you want to have Consent from.
Successfully connected tenants will be marked green and will now be synced with the new authentication method.
If a tenant is not successfully connected, Zomentum Connect falls back to the old authentication model for it.
Application Administrator rights are only needed to obtain consent. Once consent has been granted, the Application Administrator role can be removed from the GDAP partner administrator profile.
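To verify from the MSP side which customer tenants have actually consented to the app registration, the following added script (not part of Zomentum Connect or this guide) requests an app-only token per customer tenant with the client ID and client secret created above and checks that the Organization.Read.All application permission appears in the token's roles claim. The token endpoint, scope and error codes are the standard Microsoft identity platform ones; the classification labels are my own.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
# Application permission the app registration needs (see the API Permissions step).
REQUIRED_APP_ROLES = {"Organization.Read.All"}

def granted_app_roles(access_token):
    """Return the app roles Entra ID placed in the token's 'roles' claim.
    Only the payload is decoded; the signature is not verified because we are
    inspecting a token we just received from Entra ID, not accepting one from a client."""
    seg = access_token.split(".")[1]
    seg += "=" * (-len(seg) % 4)                # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(seg))
    return set(claims.get("roles", []))

def classify_token_response(status, payload):
    """Map a token-endpoint answer to a consent state for one customer tenant."""
    if status == 200 and "access_token" in payload:
        missing = REQUIRED_APP_ROLES - granted_app_roles(payload["access_token"])
        return "consented" if not missing else "missing_roles:" + ",".join(sorted(missing))
    err = payload.get("error", "")
    if err == "invalid_client":
        return "bad_or_expired_secret"          # create a new secret and update the wizard
    if err == "unauthorized_client":
        return "not_consented"                  # no service principal for the app in that tenant
    return "error:" + (err or str(status))

def check_customer_tenant(tenant_id, client_id, client_secret):
    """Client-credentials request for the multi-tenant app, scoped to one customer tenant."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    req = urllib.request.Request(TOKEN_URL.format(tenant=tenant_id), data=body, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return classify_token_response(resp.status, json.load(resp))
    except urllib.error.HTTPError as e:            # Entra ID returns errors as JSON with 4xx
        return classify_token_response(e.code, json.load(e))

if __name__ == "__main__":
    import sys
    # usage: python check_consent.py <client_id> <client_secret> <tenant_id> [<tenant_id> ...]
    client_id, client_secret, *tenants = sys.argv[1:]
    for tenant in tenants:
        print(tenant, check_customer_tenant(tenant, client_id, client_secret))
```

A "missing_roles" result means the tenant knows the app but admin consent for the application permission was never granted, which is the state behind the "Customer tenant is Not Consented" error; "bad_or_expired_secret" points at the client secret expiry mentioned in step 14.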
Troubleshooting Page
You can check if the high-level Microsoft settings are set correctly with the troubleshooting link.
The admin relationship link will provide the MSP direct access to the admin relationship profile in the Microsoft partner portal. This helps when the MSP needs to check settings for an end-customer tenant.