Recent Searches

No recent searches

    Popular Articles

      Articles
      View all
        Topics
        View all
          Tickets
          View all
            no results

            Sorry! nothing found for

            Partner Center Connector: Why There Are Two Consent Steps

            Modified on Thu, Mar 5 at 9:35 AM

            Applies To: Work 365 v4.5+, Dynamics 365 / Dataverse, Microsoft Entra ID, Microsoft Partner Center (Direct-bill CSP)


            Overview

            Work 365’s Partner Center connector uses two permission models because Partner Center access typically involves both:

            • a tenant-level approval for the application, and

            • a signed-in user context for certain Partner Center operations and token acquisition.

            If either step is completed in the wrong tenant or in the wrong browser session/account, the connector can be created successfully but still fail during synchronization or API calls.

            Key Concepts

            • Tenant-wide Admin Consent (Entra ID): Grants app permissions for the whole organization; a privileged admin operation.

            • Partner Center “App + User” authentication: Some Partner Center scenarios rely on a signed-in user and interactive consent.

            • MFA requirement (Partner Center APIs): Microsoft has communicated mandatory MFA enforcement for Partner Center API access starting April 1, 2026.

            • Integration account (Work 365): A dedicated user used for Partner Center consent and ongoing token generation; Work 365 indicates it should not be a normal employee account and should be separate from global admin accounts.

            Before You Begin (Requirements Checklist)

            You’ll need:

            • Work 365 v4.5+ and you’re configuring the Microsoft Partner Center integration.

            • A licensed Work 365 user with the Work 365 Admin security role.

            • Access to the Entra tenant that hosts Partner Center (Direct-bill CSP only).

            • An authorized Entra administrator to complete the Admin Consent step (Work 365 calls out Global Administrator).

            • A dedicated Partner Center integration user with the required Partner Center role (Work 365 calls out Admin agent).

            • MFA configured for the integration user as Work 365 describes:

              • MFA must be enabled

              • MFA can’t be conditional

              • MFA must trigger on every login

            Note (GCC tenants): Work 365 has a separate Partner Center (GCC) integration article—use that if your Partner Center tenant is GCC.

            How It Works (The Two Consent Actions in Work 365)

            In the connector settings, Work 365 provides two consent actions:

            1. Generate Admin Consent Redirect Link (Admin Consent)

            2. Generate User Consent Redirect Link (Integration User Consent)

            Solution Steps (Work 365 Recommended Flow)

            Step 1 — Create the Partner Center Integration Account

            In Partner Center, create a dedicated integration user (not tied to a person and separate from global admin accounts). Work 365 specifies selecting Admin agent under “Assists your customers as.”

            Licensing tip: Work 365 indicates the integration account doesn’t need CRM licensing because it should never be used to sign in to Work 365 or Dataverse.

            Step 2 — Enforce MFA for the Integration Account

            Work 365 requires MFA to be enabled for the integration user, and configured so it triggers on every login (not conditional).

            Work 365’s documented approach uses Per-user MFA in the Entra admin center and expects the status to show Enforced.

            Step 3 — Create the Connector in Work 365

            Navigate to:
            Administration area → Admin Hub → Integrations → Add New → Microsoft Partner Center → Create

            Step 4 — Complete Admin Consent (Generate Admin Consent Redirect Link)

            1. Open the connector settings and select Generate Admin Consent Redirect Link.

            2. Copy the Admin Consent link.

            3. In a browser session already signed in to the Partner Center tenant as a Global Administrator, paste the link and complete the consent prompt.

            4. Return to Work 365 and do not click Save yet.

            Step 5 — Complete Integration User Consent (Generate User Consent Redirect Link)

            1. Select Generate User Consent Redirect Link and copy the User Consent link.

            2. Open a Private/Incognito browser window to avoid mixing your admin session with the integration user session.

            3. Sign in as the integration user and complete the consent prompt.

            Step 6 — Finalize and Save the Connector

            After both consents are completed, finish any remaining connector configuration and click Save.

            Quick Validation (The “Big Questions”)

            1. Were both consent steps completed in the same Entra tenant as Partner Center?
              Work 365 requires both Admin and User consent in the tenant that hosts Partner Center.

            2. Is the integration user configured correctly (role + MFA)?
              Work 365 requires MFA enabled for the integration user and configured to trigger every login.

            Troubleshooting Guide

            Issue: “Generate User Consent Redirect Link” is disabled

            • Work 365 notes you may need to return to the connector list, reopen the connector settings, and click Edit again (without saving mid-way) for the User Consent option to enable.

            Issue: Consent prompt says “Need admin approval”

            • You’re likely trying to complete tenant-wide Admin Consent with an account that can’t grant tenant-wide consent. Use an authorized Entra admin account (Work 365 calls out Global Administrator).

            Issue: Consent completed, but Work 365 still can’t connect

            Most common causes:

            • Consent completed in the wrong tenant/directory (must be the Partner Center tenant).

            • Session confusion between admin identity and integration identity (use Private/Incognito for user consent).

            • MFA not configured as Work 365 requires for the integration user.

            Issue: Integration user can sign in, but API calls fail later

            Confirm that:

            • The integration user completed interactive consent successfully.

            • MFA requirements are met (and keep an eye on Microsoft’s API enforcement communications).

            FAQs / Common Questions

            Does the integration user need a Work 365 or Dataverse license?
            Typically no—Work 365 states this account isn’t meant to sign in to Work 365/Dataverse and doesn’t need CRM licensing in that scenario.

            Can the Global Admin complete both consents?
            Work 365 separates the steps: Admin Consent is performed as Global Administrator, and User Consent is performed as the integration user (and Work 365 strongly recommends separate browser sessions).

            Why does Work 365 emphasize Private/Incognito for the User Consent step?
            To avoid mixing the Entra admin session with the integration user session, which can cause the connector to be “consented” with the wrong identity context. 

            Was this article helpful?

            That’s Great!

            Thank you for your feedback

            Sorry! We couldn't be helpful

            Thank you for your feedback

            Let us know how can we improve this article!

            Select at least one of the reasons
            CAPTCHA verification is required.

            Feedback sent

            We appreciate your effort and will try to fix the article

            Preview
            0 of 0