You can still use Cloud User Hub to manage your customer even where they have denied you access to their tenant through your partner service account. For example, they have removed the admin relationship, introduced additional security settings, or you already have GDAP permissions.
In this scenario, you would require customer consent to manage the customer through Cloud User Hub.
To achieve this, ask the customer to log into their tenants and create a dedicated service account to use in Cloud User Hub for configuring their services. This provides the least privileged access to the specific customer tenant. After creating the service account, work with the customer to verify the account settings.
The customer signs into the Azure Active Directory Admin Center
Click New user > Create new user
Populate the required User name and Name fields.
We recommend using a username that easily identifies this user as the Cloud User Hub service account
Click on the User link beside "Roles"
Select any of the roles that you would like to manage in Cloud User Hub
For example, to manage "Teams" in Cloud User Hub, find and assign the "Teams" roles
Set a Usage location
Click Create to add the service account
Verify the Cloud User Hub service account settings
Sign into the Azure Active Directory Admin Center with the newly created Cloud User Hub service account
Update your password when prompted
Ensure MFA is configured
Once MFA is configured, you are directed to the Microsoft Partner Center portal
Choose your Cloud User Hub service account
Click Assigned roles
Ensure the user is assigned the relevant roles. From the above example, these would be the roles related to "Teams"
Now that you have configured the customer-specific service account, you can work with the customer to add their tenant in Cloud User Hub. Once onboard, you can manage the customer in exactly the same way as you would in a partner-managed scenario.