Misconfigurations in the authenticating user or account will result in a CSP status of Error. The integration authenticating user must be: 

• A permanent Global Administrator of the CSP tenant 
• Prompted for Entra ID MFA during the integration process
• A member of the AdminAgents Group
• A member of any or all groups that have the below assigned roles

Note: It is strongly recommended that you use a dedicated service account to integrate with Syncro as changes to authentication mechanisms such as MFA or passwords can invalidate the integration's access tokens requiring reauthorization.

GDAP misconfigurations will result in a CSP Auth error in the Microsoft Tenant Integrations table. 

• The CSP tenant must have a GDAP Relationship with the child tenant. 
• The relationship must have either a Global Administrator role or ALL of the 12 required roles.
• A Security Group must be assigned to the GDAP Relationship.
• The above roles must be assigned to the Security Group.
• The integration authenticating user must be a member of the Security Group assigned to the relationship with the assigned roles.

Note: For simplicity, we recommend assigning these roles to the AdminAgents Security Group. However, the integration will work if multiple Security Groups are used as long as the integration authenticating user is a member of the Security Groups that have any combination of all of the roles detailed above. 

This error occurs when the authorizing user or account is not a member of the AdminAgents group in the CSP tenant:

The authenticating account is not a member of the AdminAgents group. Add the account to the AdminAgents group, then select Reauthorize CSP.

To fix this issue, log into the CSP tenant and add the authenticating user or account as a member to the AdminAgents group, then Reauthorize CSP in Syncro: 

1. Log in to the Entra ID Admin Center.
2. From the left navigation, click Groups.
3. From the left sub-navigation, click All Groups.
4. Click the AdminAgents security group.
5. From the left sub-navigation, click Members.
6. At the top of the screen, click “+Add members.”
7. Search for the authenticating user or account and check its box.
8. Click Select.
9. Navigate back to Syncro’s Microsoft Tenant Integrations page.
10. In the CSP tenant row, click the ellipsis menu and select Reauthorize CSP.

This error occurs when the authenticating user or account is not prompted for MFA during authentication:

The authenticating account was not prompted for Entra ID MFA. Update the account to prompt for MFA on every sign in, then select Reauthorize CSP.

To fix this issue, log into the CSP tenant and ensure that the authenticating account has MFA enforced for every login:

1. Configure MFA according to Important Information for CSP Microsoft Integrations.
2. Navigate back to Syncro’s Microsoft Tenant Integrations page.
3. In the CSP tenant row, click the ellipsis menu and select Reauthorize CSP.

Note: Changing the MFA mechanism after successful authentication will invalidate Syncro’s M365 access token requiring reauthorization. It is recommended to use a permanent MFA solution to resolve this issue. 

This error occurs when the CSP tenant does not have any customer admin relationships:

The CSP tenant has no customer relationships. Add customer relationships, then select Reauthorize CSP.

To fix this issue, follow these steps to log into the Microsoft Partner Center and add a customer admin relationship with the correct roles:

1. Log into the Microsoft Partner Center.
2. Click the Customers card.
3. Click “New relationship.”
4. Ask a Global Administrator at the customer tenant to: 
   1. Login to the customer tenant.
   2. Paste the URL from the Partner Center Page into a browser window.
   3. Wait 15-30 seconds for the Next button to be clickable.
   4. Click Accept.
5. Follow the steps in Configure GDAP in Microsoft Partner Center to configure the relationship correctly. 
6. Navigate back to Syncro’s Microsoft Tenant Integrations page.
7. In the CSP tenant row, click the ellipsis menu and select Reauthorize CSP.

This error occurs when a Microsoft 365 policy configuration is preventing the Syncro Application from properly authenticating.

To fix the issue, exclude the Syncro Enterprise Application from all existing policies:

1. Log into the Entra ID Admin Center.
2. From the left navigation, select Conditional Access.
3. From the inner side panel, select Policies.
4. Click the Policy Name for a Conditional Access policy shown at the bottom:
   
5. Click the hyperlinked text in the Target resources section.
6. Select the Exclude subtab.
7. Check the "Select resources" radio button, then click the hyperlinked text in the Select specific resources section:
   
8. Search for and select the Syncro Enterprise apps (Syncro-CSP and/or Syncro-Single-Tenant):
   
9. Click Select.
10. Click Save.
11. Repeat steps 2 through 9 for each Conditional Access policy.

This error occurs when there is a customer relationship between a CSP and customer tenant but there is no GDAP admin relationship between the CSP and customer tenant.  

To fix the issue, use Configure GDAP in Microsoft Partner Center to properly configure a GDAP admin relationship with the customer tenant.

This error occurs when there is a customer relationship and a customer GDAP admin relationship, but the relationship doesn’t have an assigned Security Group or the authenticating user/account isn’t a member of the assigned Security Group(s).

To fix this issue, ensure the authenticating user is a member of the AdminAgents security group. Use the Microsoft Partner Center to add the AdminAgents security group to the GDAP admin relationship. If there is a security group or groups assigned, ensure that the authenticating user or account is a member of the group(s).

1. Log into Microsoft Partner Center.
2. Click the Customers card.
3. Click on the customer name.
4. From the left navigation, select “Admin relationships.”
5. Click on an enabled admin relationship name. 
6. At the bottom of the page, If there are no Security groups, click “+ Add security group.” (If there are assigned security groups skip to step 11.)
7. Search for and check the box for AdminAgents.
8. Click Next.
9. Check the box next to each of the 12 required roles or Global Administrator.
10. Click Save.
11. Ensure that the authenticating user is a member of the AdminAgents security group.
    1. From the left navigation, select Groups.
    2. From the left sub-navigation, select “All groups.”
    3. Click the AdminAgents security group.
    4. From the left sub-navigation, select Members.
    5. Search for the authenticating user or account.
    6. If it’s not a member, at the top of the screen, click “+Add members.” 
    7. Search for the authenticating user or account and check its box.
    8. Click Select.

Notes: 

• The authenticating user must be given either the Global Administrator or all 12 required roles through security group membership in order for the integration to work. 
• Any number of security groups can be used to achieve all 12 required roles, but the authenticating user or account must be a member of security groups that have the combination of all 12 required roles. 
• If the admin relationship doesn’t have the 12 required roles, you may need to check another one (Step 5+ above), or you can make a new one with the correct roles by following the instructions in Configure GDAP in Microsoft Partner Center.

This error occurs when either the customer GDAP admin relationship doesn’t have the required 12 roles or the security groups assigned to the relationship aren’t assigned all 12 required roles.

To fix this issue, follow these steps:

1. Log into the Microsoft Partner Center.
2. Click the Customers card.
3. Click on the customer name.
4. From the left navigation, select “Admin relationships.”
5. Click an enabled admin relationship name. 
6. Under Microsoft Entra Roles, ensure that all 12 required roles or Global Administrator is there. 
7. If not, check the other admin relationships for the 12 required roles or Global Administrator role.

If you do find an admin relationship with the correct roles:

1. Click an assigned security group that contains the authenticating user or account as a member. 
2. Check the boxes of the 12 required roles or the Global Administrator role.

If you don’t find an admin relationship with the correct roles follow the steps in Configure GDAP in Microsoft Partner Center.