
Microsoft Permissions Troubleshooting (GDAP & Consent Setup)

If you’re setting up the Microsoft Integration and run into issues with consent or permissions, don’t worry — most problems are quick to fix.

Step 1: Confirm You’re Using the Correct Admin Account

To connect your Microsoft environment, the account you use to approve access must have either:

  • Application Administrator, or

  • Privileged Role Administrator

How to check:

  1. Sign in to entra.microsoft.com.

  2. Go to Users › Your account › Assigned roles.

  3. Look for Application Administrator or Privileged Role Administrator.

If you see either role → ✅ you’re good to proceed.

If you don’t see these roles → move to Step 2.

 


Step 2: Try Another Admin Account (Least Friction Option)

If your current account doesn’t have the required roles:

  1. Ask your organization’s Global Admin to identify an account that does have Application Administrator or Privileged Role Administrator.

  2. Use that account to complete the Microsoft consent process in our app.

💡 Tip: Many Pax8 partners already have a shared “general admin” account for Microsoft tenant management. Using that is perfectly fine.

If your new admin account works, great, you can proceed from there!

If no suitable account exists or it also fails → go to Step 3.

 


Step 3: Check Your GDAP Relationship (for Pax8 Partners)

If you purchase Microsoft licenses through Pax8, you likely already have a Granular Delegated Admin Privileges (GDAP) relationship between Pax8 and your child tenants.

 

You can verify this in the Microsoft Partner Center:

  1. Log in to partner.microsoft.com.

  2. Go to Customers › [Customer name] › Admin relationships.

  3. Locate the active GDAP relationship.

  4. Select View roles and assignments.

Look for these roles in the list:

  • Application Administrator

  • Privileged Role Administrator

If one (or both) appear → ✅ great, you can re-try consent using your admin account.

If neither appears → continue to Step 4.

 


Step 4: Adjust the Existing GDAP (If Possible)

If your GDAP already exists but just needs additional roles, check if you can add the roles to an existing security group:

  1. Go to Microsoft Entra › Groups.

  2. Find the group linked to the GDAP relationship.

  3. Under Privileged access (PIM) or Roles assigned, add:

    • Application Administrator, and/or

    • Privileged Role Administrator.

Then retry the consent process.

⚠️ Important: You can only add roles that were part of the original GDAP request. If these roles weren’t included originally, you’ll need a new GDAP relationship (see Step 5).

 

 

If you are able to update the existing GDAP relationships → ✅ great, you can re-try consent using your admin account.

If not → continue to Step 5.

 


Step 5: Create a New GDAP Relationship 

If your current GDAP doesn’t include the necessary roles, it can’t be updated to add them.

You’ll need to create a new GDAP relationship with those roles included.

 

Here’s how:

  1. In Partner Center, go to Customers › [Customer name] › Request admin relationship.

  2. Choose the Granular (GDAP) option.

  3. Select the required roles:

    • Application Administrator

    • Privileged Role Administrator

     

  4. Send the request to the customer.

  5. The customer must approve the new relationship (or you can approve with an administrative account you have for that customer under your control).

Once approved, retry consent in our app — it should now succeed.
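The checks in Steps 3 to 5 can also be run for every customer at once. The script below is an added example, not code from this vendor or from Pax8: it assumes the Microsoft Graph PowerShell SDK (module Microsoft.Graph.Identity.Partner) and a partner-tenant sign-in with the read-only DelegatedAdminRelationship.Read.All scope, and the "NextStep" wording is this example's reading of the steps above.

```powershell
# Added example (not vendor code). Read-only audit of GDAP roles per customer.
# Requires the Microsoft Graph PowerShell SDK module Microsoft.Graph.Identity.Partner.

# Built-in Entra role template IDs for the two roles this article asks for.
$required = @{
    '9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3' = 'Application Administrator'
    'e8611ab8-c189-46e8-94e1-60213ab1f814' = 'Privileged Role Administrator'
}

# Sign in with a partner-tenant account; the scope below only permits reads.
Connect-MgGraph -Scopes 'DelegatedAdminRelationship.Read.All'

$report = foreach ($rel in Get-MgTenantRelationshipDelegatedAdminRelationship -All) {
    if ($rel.Status -ne 'active') { continue }

    # Roles approved when the relationship was requested (what Step 3 inspects).
    $inRelationship = @($rel.AccessDetails.UnifiedRoles.RoleDefinitionId)

    # Roles actually assigned to a security group (what Step 4 changes).
    $assigned = @(
        Get-MgTenantRelationshipDelegatedAdminRelationshipAccessAssignment `
            -DelegatedAdminRelationshipId $rel.Id -All |
            Where-Object { $_.Status -eq 'active' } |
            ForEach-Object { $_.AccessDetails.UnifiedRoles.RoleDefinitionId }
    )

    foreach ($id in $required.Keys) {
        $next = if ($assigned -contains $id) {
            'Retry consent'
        } elseif ($inRelationship -contains $id) {
            'Step 4: assign the role to a security group'
        } else {
            'Step 5: request a new GDAP relationship'
        }
        [pscustomobject]@{
            Customer     = $rel.Customer.DisplayName
            Relationship = $rel.DisplayName
            Expires      = $rel.EndDateTime
            Role         = $required[$id]
            NextStep     = $next
        }
    }
}

$report | Sort-Object Customer, Role | Format-Table -AutoSize
```

A role that is assigned to a group only helps if the account used for consent is a member of that group, which this report does not check.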

 


Step 6: Still Stuck?

If you’ve:

  • Confirmed your account has admin roles,

  • Verified or re-created your GDAP relationship,

and you still can’t complete consent — contact our support team with:

  • A screenshot of your Entra roles

  • A screenshot of the GDAP roles shown in Partner Center

 

We’ll help verify configuration or guide you through final steps.