On Demand Global Settings Current - User Guide

Adding tenants

When you add a tenant, you must have Global Administrator credentials in Microsoft Azure since part of the process of adding a tenant is done in the Microsoft Azure portal.

The Azure Global Administrator role is the top level administrator role and has access to all features. By default, the person who signs up for an Azure subscription is assigned the Global Administrator role for the tenant. Additional users can be assigned to the Global administrator role.

If you are in the U.S. region, once you select Tenants and click Add Tenant, you must select the type of tenant you are adding, whether commercial, GCC, or GCC High. When you click Add Commercial or GCC Tenant (or Add GCC High Tenant) you are redirected to the Microsoft tenant administration login page where you must log in with the Global Administrator credentials for the tenant.

If you are in any other region, you select Add Tenant and are immediately redirected to the Microsoft tenant administration login page where you must log in with the Global Administrator credentials for the tenant. After successful authentication, the Consent Grant dialog is displayed. You must confirm the consent grant.

GCC or a GCC High tenants are available only for deployments in the U.S. region.

Microsoft 365 GCC tenants are typically used by US public sector organizations and the contractor organizations that service them.GCC High tenants provide Microsoft 365 services that adhere to additional US Department of Defense security requirements. Customer eligibility to GCC High tenants is restricted.

Admin consent is required to add a tenant to On Demand. Since only an Azure Global Administrator can grant admin consent, you must be able to provide Azure Global administrator credentials for the tenant you are adding.

NOTE: See About GCC and GCC High tenants for details.

At a later date, if you change the display name of the tenant or the default domain name in Microsoft Azure Active Directory, you can refresh the tenant in On Demand to immediately update the name. When you refresh the tenant, On Demand rereads the tenant information from your Azure Active Directory tenant to synchronize with the On Demand stored data.

To refresh the tenant, display the Tenants page and click the refresh icon that displays beside the tenant name on the tenant tile.

Managing admin consent permissions

Once you add a tenant, you are redirected to a page that lists the permissions that will be granted. You must click Accept and provide admin consent for the On Demand application. Once the Global Administrator adds a tenant to On Demand, an application record is created in the tenant indicating that admin consent has been provided.

NOTE: Global Admin credentials are only required to grant admin consent for the minimal list of permissions required by On Demand. Global Admin credentials are not stored, shared, or used for any other purpose.

For security, when you first add a tenant, only the minimum permission settings are granted. Some modules require additional permissions for specific activities. Once a tenant has been added to On Demand, you can grant additional permissions on the Tenant Consents page.

On May 19, 2022, On Demand introduced a new consent experience using Microsoft Authentication Library (MSAL) which required that consent be regranted for modules that use delegated permissions. For details about MSAL, see About the Microsoft Authentication Library (MSAL) .

To open the Tenant Consents page, click Tenants in the navigation page and click Edit Consents on the tenant tile.

You can view the specific permissions for each On Demand application by clicking View Details. You can also see the last time that consent was granted and which On Demand user granted the consent.

About admin consent status

On the Tenant Consents page, you can view the module admin consent status for each tenant that you have added. The process of approving the use of an application for the Microsoft Azure AD organization by the Microsoft Global administrator is referred to as admin consent. A Microsoft Global administrator must provide admin consent when granting consents to any application listed on the page.

When a tenant is first added, On Demand requests base admin consent permissions. Some modules can function using the base permission set while other require a higher level of admin consent permissions.

When you grant consent in On Demand, a service principal is created in your tenant. Some On Demand modules require that a role be assigned to the service principal. The role is needed to support specific module functionality. For example, after granting consent for the Exchange Online PowerShell consent type, you must assign the Exchange Admin Role. This role is needed to perform Exchange tasks such as linking mailboxes to users and deleting mail-enabled groups.

Granting and regranting admin consent

You must grant specific admin consents for each On Demand tenant. For example, if you grant access for MyCompany tenant in organization A, and add the MyCompany tenant to organization B, you must grant consent for organization B. In some situations, you might have to regrant consent for an application used by your tenant.

For some consent types, you might also have to assign a role after you grant consent.

NOTE: Granting admin consent to modules and features with delegated permissions, must be done using work and school accounts. Microsoft personal accounts are not supported.

NOTE: If you assign a role and immediately refresh the page, the Assignment state might be displayed as "Not Assigned" for a short time until you refresh the page again.

NOTE: If additional admin consent permissions are required to perform specific tasks within a module, these consent types are listed below the core or basic consent type for the module.

For the following scenarios, you would click Grant Consent or Regrant Consent in the Status and Actions column.

The Microsoft Authentication Library (MSAL) is the recommended library that replaces the deprecated Azure Active Directory Authentication Library (ADAL). MSAL provides improved security, is resilient, and allows tokens to be generated with a very granular scope. Since MSAL supports generated tokens with a granular scope, On Demand can use tokens with a narrowed scope when accessing your tenant.

This feature provides a more secure and granular approach for accessing your data. For more information, see Permissions and consent in the Microsoft identity platform.

For the License Management module, to use Self Server License Reporting, you must grant additional permissions over the Base permissions.

Sometimes, when you grant consent for Self Service License Reporting, you might see an error that indicates that the app requires access to a service that your organization has not subscribed to or enabled. This error occurs if the Microsoft M365 License Manager API, required to gather self-service policy data, is not enabled in the tenant by default. You can resolve the error by enabling the M365 License Manager API in the tenant.

After you complete these steps, you can complete the Grant Consent for Self Service License Reporting without errors.