With GDAP, you consent to the Neo app on behalf of your customers — no admin action needed in each tenant. Once connected, the tenant works exactly the same as Direct Consent.
How it works
- Your MSP has an existing GDAP relationship with a customer tenant, including roles like Cloud Application Administrator (required to consent apps)
- In the Neo Dashboard, you configure which permission categories Neo should request (e.g., User Management, Security, Email) — see M365 Permissions
- You use your GDAP access to consent the Neo app in the customer tenant — no customer admin involvement needed
- Neo grants only the permissions matching your selected categories — nothing more
Prerequisites
Before connecting customer tenants via GDAP, ensure:
- You have active GDAP relationships with your customer tenants in Partner Center. If you don’t have GDAP set up yet, follow Microsoft’s GDAP guide first.
- Your GDAP relationships include the right roles — you need at least Cloud Application Administrator to consent apps on behalf of customers, plus the operational roles for Neo’s actions.
- You have admin access to your MSP’s partner tenant (the Entra ID tenant enrolled in CSP).
Recommended roles
Your GDAP relationships should include these roles depending on what you want Neo to automate:

| Role | Required for |
|---|---|
| Cloud Application Administrator | Consenting the Neo app in customer tenants (required for GDAP onboarding) |
| User Administrator | Create, update, delete users; reset passwords; manage group membership |
| Exchange Administrator | Shared mailboxes, email forwarding, mailbox delegation, distribution lists |
| License Administrator | Assign and remove Microsoft 365 licenses |
| Groups Administrator | Manage security groups and Microsoft 365 groups |
| Intune Administrator | Manage devices, deploy apps, retrieve BitLocker keys |
| Privileged Role Administrator | Add new permission categories to already-connected tenants without re-consent |
| Privileged Authentication Administrator | Reset MFA, revoke sessions for admin accounts |
| Conditional Access Administrator | Manage conditional access policies |
Connecting customer tenants via GDAP
Go to End Companies in the Neo Dashboard
Navigate to https://dashboard.neoagent.io/end-companies and select a company, or create a new one.
Connect via GDAP
Click the GDAP connect option. Neo will consent only the permissions matching your M365 permission profile — no action needed from the customer’s admin.
GDAP vs Direct Consent
| | GDAP | Direct Consent |
|---|---|---|
| Who consents | MSP admin, using GDAP access — no customer involvement | A tenant admin in each customer tenant |
| CSP enrollment required | Yes | No |
| Adding permissions later | Automatic — no customer action needed | Customer admin must re-approve |
| Best for | MSPs managing many tenants — onboard customers without waiting for their admin | Individual tenants, or non-CSP scenarios |
Troubleshooting
Consent fails for a customer tenant
- Verify the GDAP relationship is Active in Partner Center
- Ensure your GDAP relationship includes the Cloud Application Administrator role — this is required to consent apps on behalf of the customer
- Check that the GDAP relationship hasn’t expired (maximum duration is 730 days)
Neo can't perform actions after GDAP consent
- Verify the GDAP relationship includes the required operational roles (e.g., Exchange Administrator for mailbox operations)
- Check the company permissions in the Neo Dashboard — missing roles will show as unavailable operations
GDAP relationship expired
GDAP relationships have a maximum duration of 730 days. When a relationship expires, create a new one in Partner Center with the same roles, then re-consent via the Neo Dashboard.
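The troubleshooting checks above (Active status, Cloud Application Administrator role, expiry) can be run across all customer tenants at once. The following is an added example, not Neo's or Microsoft's code. It assumes records shaped like the Microsoft Graph `delegatedAdminRelationships` response; the customer names, dates, 30-day warning window and helper names are constructed for illustration.

```python
from datetime import datetime, timezone

# Entra ID built-in role template IDs (the same in every tenant).
CLOUD_APP_ADMIN = "158c047a-c907-4556-b7ef-446551a6b5f7"
USER_ADMIN = "fe930be7-5e62-47db-91af-98c3a49a38b1"

def _rel(name, status, roles, end):
    """Build a constructed record holding only the fields this audit reads."""
    return {"customer": {"displayName": name}, "status": status,
            "endDateTime": end,
            "accessDetails": {"unifiedRoles": [{"roleDefinitionId": r} for r in roles]}}

# Constructed sample, shaped like the "value" array returned by Microsoft Graph
# GET /tenantRelationships/delegatedAdminRelationships.
SAMPLE = [
    _rel("Contoso", "active", [CLOUD_APP_ADMIN, USER_ADMIN], "2026-06-01T00:00:00Z"),
    _rel("Fabrikam", "active", [USER_ADMIN], "2025-01-15T00:00:00Z"),
    _rel("Tailspin", "expired", [CLOUD_APP_ADMIN], "2024-12-01T00:00:00Z"),
]

def parse_utc(ts):
    """Parse a Graph UTC timestamp, dropping any fractional seconds."""
    return datetime.fromisoformat(ts.split(".")[0].rstrip("Z")).replace(tzinfo=timezone.utc)

def audit(relationships, now, warn_days=30):
    """Map each customer to the problems that block consent or will soon break it."""
    findings = {}
    for rel in relationships:
        problems = []
        if rel.get("status") != "active":
            problems.append(f"status is '{rel.get('status')}', not 'active'")
        roles = {r["roleDefinitionId"].lower()
                 for r in rel.get("accessDetails", {}).get("unifiedRoles", [])}
        if CLOUD_APP_ADMIN not in roles:
            problems.append("missing Cloud Application Administrator")
        days_left = (parse_utc(rel["endDateTime"]) - now).days
        if days_left < 0:
            problems.append(f"ended {-days_left} days ago")
        elif days_left <= warn_days:
            problems.append(f"expires in {days_left} days")
        findings[rel["customer"]["displayName"]] = problems
    return findings

if __name__ == "__main__":
    fixed_now = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed so output is repeatable
    for customer, problems in audit(SAMPLE, fixed_now).items():
        print(customer, "OK" if not problems else "; ".join(problems))
```

To run it against live data, replace `SAMPLE` with the `value` array from a Graph query made with a partner-tenant account that can read delegated admin relationships, and pass the current UTC time as `now`.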
