A customer may limit your access as a partner to their tenant. Common causes include additional security policies, Conditional Access, or granular delegated admin privileges (GDAP).
Partner Relationships: delegated access removal
One of the most common scenarios is that the customer has removed your delegated admin permissions for the tenant, so you can no longer use your partner service account to manage the customer.
In this case, you can still use Cloud User Hub, but you will require permission from the customer to manage on their behalf.
External Identities: External collaboration settings
Another issue may occur when the customer sets their external collaboration settings to the most restrictive option for external guest accounts. For example:
If the "No one in the organization can invite guest users including admins (most restrictive)" option is enabled, Cloud User Hub's automatic configuration will fail because your service account will be prevented from accessing the customer's tenant.
Similarly, if "Allow invitations only to specific domains (most restrictive)" is enabled, access will be blocked unless your partner account's domain is on the allow list.
If you encounter these scenarios, you can ask the customer to add your specific domain to their allow list, ask them to allow guest access to their tenant, or use the settings to configure Cloud User Hub on the customer's behalf. These options are covered in the "Create a specific customer service account (customer consent)" section.