Skip to main content

Overview

If you manage client tenants through Microsoft Partner Center, you can connect Petra directly to your CSP account. This lets you see all of your GDAP-managed tenants in one place, onboard them to Petra without needing each client’s Global Admin to approve individually, and manage permissions across tenants from a single table. Partner Center integration is available at app.petrasecurity.com/portal and is also offered during onboarding.

Prerequisites

Before connecting, confirm the following:
  1. You have a Microsoft Partner Center account with active GDAP relationships for the tenants you want to manage.
  2. The user connecting Partner Center is in the AdminAgents security group in your MSP tenant.
  3. The Azure AD application Petra M365 Security Analyzer is registered with delegated permissions. If you have not done this before, Petra will walk you through it during setup.

Connecting Partner Center

  1. Go to app.petrasecurity.com/portal, or click Add Tenant from the navbar and choose Continue with Partner Center.
  2. Click Connect Microsoft Partner Center.
  3. Sign in with your MSP tenant credentials on the Microsoft login page and consent to the requested permissions.
  4. After approval, you are redirected back to Petra. Your managed tenants will appear automatically.
You can also connect Partner Center during onboarding. The flow is the same; you will be redirected back to the onboarding wizard when finished.

Managing Tenants

Once connected, the managed tenants table shows every client tenant that has an active GDAP relationship with your MSP.

What the table shows

ColumnDescription
TenantDisplay name and Microsoft tenant ID
GDAP PermissionsWhether the GDAP relationship includes the roles Petra needs. Shows Ready or Missing.
UsersNumber of users in the tenant (refreshed on sync)
Petra StatusCurrent onboarding state: Monitoring, Paused, Previously Deleted, or Not Protected
Email PermsWhether Petra has the Exchange permissions it needs. Shows a Fix button if permissions need to be resynced.
ActionsOnboard, view, or request permissions depending on the tenant’s status

Syncing tenants

Click Sync Tenants (in the overflow menu at the top of the table) to refresh the list from Microsoft. This queries your GDAP relationships and updates tenant names, user counts, and permission status.

GDAP permission requirements

To onboard a tenant through Partner Center, your GDAP relationship must include one of these roles:
  • Global Administrator
  • Application Administrator
  • Cloud Application Administrator
If a tenant shows Missing under GDAP Permissions, click Request to create a new GDAP relationship request. You will receive a link that the client’s admin needs to approve.

Onboarding a Tenant

  1. Find the tenant in the managed tenants table.
  2. Confirm that GDAP Permissions shows Ready.
  3. Select the product you want from the dropdown:
    • Petra Active for continuous monitoring
    • Petra Autopsy for a full 6-month forensic investigation
    • Petra Scan for a quick security check (available on request)
    See Active vs. Autopsy for a comparison.
  4. Click Onboard (or Add).
Petra installs the application into the client tenant and grants the required permissions automatically using your GDAP relationship. No action is required from the client’s admin.

Batch scanning

If Petra Scan is enabled for your organization, you can scan multiple tenants at once. Use the checkboxes in the Exclude column to skip specific tenants, then click Scan or Onboard & Scan to run a scan across all eligible tenants in one step.

Reauthenticating

If your OAuth session expires or you need to switch the connected account, open the overflow menu at the top of the table and click Reauthenticate Partner Center. This runs the same Microsoft sign-in flow as initial setup and replaces the stored credentials.

How Petra Connects to Your Partner Center

Step 1: Initial authentication

When you connect Partner Center, Petra redirects you to Microsoft’s login page (login.microsoftonline.com) where you sign in with your MSP tenant credentials. You are asked to consent to the following permissions:
  • Microsoft Graph: DelegatedAdminRelationship.Read.All, DelegatedAdminRelationship.ReadWrite.All, User.Read.All, Organization.Read.All, Directory.ReadWrite.All, Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, DelegatedPermissionGrant.ReadWrite.All
  • Partner Center API: user_impersonation
These are all delegated permissions, meaning they act on behalf of the signed-in user and are scoped to what that user is authorized to do.

Step 2: Discovering client tenants via GDAP

When you sync tenants, Petra uses the stored refresh token to get a Microsoft Graph access token, then queries the tenantRelationships/delegatedAdminRelationships endpoint filtered to status eq 'active'. This returns only GDAP relationships that have been explicitly approved by the client tenant. Petra reads the roles and customer tenant IDs from these relationships and stores them locally for display.

Step 3: Onboarding a client tenant

When you click Onboard, two things happen:
  1. Delegated permission consent via Partner Center API. Petra calls the Partner Center /v1/customers/{tenantId}/applicationconsents endpoint. This is Microsoft’s CPV (Control Panel Vendor) API, which installs the Petra application into the client tenant and grants delegated permissions (Graph, Exchange, Office 365 Management APIs). This operation is governed by the GDAP relationship and only succeeds if an active relationship with the required admin roles exists.
  2. Application permission grants via Graph API. After the service principal is installed, Petra obtains a customer-tenant-scoped Graph token (using the GDAP relationship) and creates appRoleAssignment entries on the Petra service principal. These are the application-level permissions needed for background operations like reading audit logs and managing mailbox settings without user context.

Security

  • All access is mediated through GDAP. Petra cannot access any client tenant that has not approved a GDAP relationship with your MSP. If the relationship is terminated or expires, access is revoked.
  • Delegated context. The Partner Center consent and Graph API calls operate in the context of the authenticated MSP admin user, bounded by their GDAP role assignments.
  • No direct credentials. Petra does not store or use any client tenant passwords, certificates, or secrets. Access is entirely through OAuth tokens derived from the GDAP relationship.
  • Revocable at any time. You can disconnect Partner Center from Petra at any time. Client tenants can terminate the GDAP relationship to immediately revoke access.

Troubleshooting

If you encounter errors while onboarding tenants or syncing permissions, Petra now provides specific, actionable error messages to help you resolve the issue.

GDAP Access Errors

“The Partner Portal user does not have GDAP access to customer tenant” This error (AADSTS50177) means the user you authenticated with does not have access to the customer tenant through the GDAP security group. To resolve:
  1. Add the authenticated user to the GDAP security group that grants admin access to this customer tenant in Microsoft Partner Center.
  2. Alternatively, reconnect the Partner Portal with a different user who already has GDAP access to this tenant.
The error message will include the authenticated user’s email and the customer tenant name to help identify which relationship needs to be fixed. “Operation not allowed: tenant already has an active GDAP relationship” This error (403 disallowedOperation) occurs when you try to create a new GDAP relationship request for a tenant that already has an active relationship. To resolve:
  1. Check the managed tenants table to see if the tenant already appears with an active GDAP relationship.
  2. If the relationship exists but shows Missing permissions, the relationship may need to be updated with the required roles rather than creating a new one.
  3. If you need to create a new relationship, first terminate the existing one in Microsoft Partner Center.
“GDAP relationship request failed: duplicate display name” This error (400) occurs when you try to create a GDAP relationship with a display name that already exists for another relationship. To resolve:
  1. Use a unique display name for the new GDAP relationship request.
  2. Display names must also meet Microsoft’s length requirements (Petra validates this automatically).

Permission Errors

“The Partner Portal user does not have sufficient permissions to manage customer tenant” This error (often “Unsupported token”) indicates one of the following:
  1. The authenticated account does not have the Admin Agent role in Microsoft Partner Center.
  2. The Azure AD application is not properly consented in your MSP tenant.
  3. The user is not a member of the GDAP security groups for your customer tenants.
To resolve:
  1. Verify the user has the Admin Agent role in Partner Center.
  2. Ensure the user is a member of the GDAP security groups for your customer tenants.
  3. If needed, reconnect the Partner Portal to refresh the consent and permissions.

Session Expiration Errors

“The Partner Portal authorization has expired or been revoked” (AADSTS65001) “The Partner Portal session has expired” (AADSTS700082) These errors indicate your OAuth session has expired or been revoked. To resolve:
  1. Click Reauthenticate Partner Center from the overflow menu at the top of the managed tenants table.
  2. Sign in again with your MSP tenant credentials and consent to the requested permissions.

Application Permission Grant Failures

“Failed to grant application permissions” or “Failed to grant Graph API permissions” When onboarding or syncing permissions, Petra grants both delegated permissions (via Partner Center) and application permissions (via Graph API). If application permissions fail to grant, you may see:
  • A message indicating which specific permissions failed.
  • An error if all permissions failed individually.
These errors typically indicate a GDAP relationship issue or insufficient permissions. Check that:
  1. The GDAP relationship is active and includes the required admin roles.
  2. The authenticated user has the Admin Agent role in Partner Center.
  3. The user is a member of the GDAP security group for this customer tenant.
If delegated permissions synced successfully but application permissions failed, Petra will surface the specific error instead of silently claiming success.

FAQs

Does connecting Partner Center affect my clients?

No. Connecting only reads your existing GDAP relationships. Nothing is installed in any client tenant until you explicitly click Onboard.

Can I use a service account instead of my personal account?

Yes. The current implementation authenticates using a specific MSP admin user’s OAuth session. If you prefer, you can use a dedicated service account within your MSP tenant. The key requirement is that the account has the Admin Agent role in Partner Center and is a member of the security group assigned to your GDAP relationships.

What happens if a GDAP relationship expires?

Petra’s access to that tenant is revoked along with the relationship. The tenant will still appear in Petra, but new data will stop flowing until a new GDAP relationship is established and the tenant is reconsented.

Can I onboard tenants without Partner Center?

Yes. You can add tenants individually by clicking Add Tenant and choosing Add tenants individually. This uses a direct Microsoft OAuth flow where the client’s Global Admin consents to the Petra app. See Add Individually for the step-by-step guide.

Who in my organization can use Partner Center?

Any member with the Admin or Full Member role who has tenant management permissions can access the Partner Center page. External Guests and Billing members cannot.

Can I disconnect Partner Center?

Yes. Reauthenticate with a different account or contact support@petrasecurity.com to remove the connection entirely. Disconnecting does not remove tenants that have already been onboarded.

Do I need to turn on audit logs before onboarding?

Audit logs should be enabled on the client tenants you plan to onboard. They are free to turn on regardless of Microsoft licensing. If you manage the tenant, they are likely already enabled. Petra needs audit log data to detect and investigate threats.