Azure NCE FAQs

MCA Partner Attestation FAQs

What will be the impact of GDAP implementation in the case of subscriptions for new customers?

When a new customer creates a subscription, a GDAP (Granular Delegated Admin Privileges) request is sent for approval. This request includes roles required for value-added services such as Azure Lighthouse and other features provided by the Azure NCE connector.

However, because the GDAP request is sent after the purchase is approved, some necessary roles may be missing at the time of subscription provisioning. As a result, certain features will not be enabled automatically and must be configured manually.

Impacted Features

  • Subscription Renaming

    • The Azure NCE connector cannot rename the subscription when it is created.

  • Owner Role Assignment

  • Azure Lighthouse

    • The connector cannot assign Lighthouse capabilities automatically.

    • Customers must request their service provider to enable this manually.

  • Current Cost Estimates

    • The Current Estimate Spending button will not function until the GDAP request is accepted.

  • Subscription Cancellation

    • The connector cannot cancel the subscription unless the GDAP relationship is approved.

  • Domain Validation

    • Automatic domain validation will fail without GDAP approval.

I can't see the subscription in the Partner Center. What can I do?

If you cannot see a subscription in Partner Center, it may be due to missing permissions during customer creation. Here is why and how to resolve it:

Why this happens

When a new customer is created, they are not automatically assigned the Owner role. This is because the customer has not yet accepted the GDAP (Granular Delegated Admin Privileges) request. Without this acceptance, the subscription will not appear in Partner Center.

What to do

Once the purchase request is approved, the customer will receive a GDAP request via email. After they approve it, follow these steps to gain visibility and assign the necessary roles:

  1. Enable Access Management for Azure Resources

    1. Sign in as a Global Administrator.

    1. Go to Azure Active Directory > Properties.

    2. Set Access management for Azure resources to Yes.

    3. This grants you the User Access Administrator role at the root scope, allowing you to assign roles across all subscriptions.

    4. Sign out and sign back in to apply the changes. You will now see the subscriptions that you did not have access to previously, but you still do not have the owner role.

  2. Assign the Owner Role

    1. Go to the relevant Azure subscription > Access Control (IAM).

    2. Click Add > Role Assignment.

    3. Select the Owner role.

    4. Enter the user’s name or email address and click Save.

    5. The subscription will now be visible in Partner Center for that user.

  3. Revert Elevated Access (Optional but Recommended)

    1. Return to Azure Active Directory > Properties.

    2. Set Access management for Azure resources back to No.

    3. This removes the elevated User Access Administrator role from your account.

Why do I get an error when clicking on the GDAP request link?

The GDAP request link is intended for customers only. If a provider attempts to access the link in the GDAP request, an error will be displayed and this is the expected behavior.

How long are Microsoft refresh tokens valid for?

Refresh Tokens will be valid for 90 days.

Does CloudBlue support NCE Azure for United States Government Community Cloud (GCC)?

No, NCE Azure for US GCC is not generally available from CloudBlue. It is a candidate for implementation.

Do Microsoft direct billed provider partners need billing and invoicing relationships to transact new Azure business?

Yes, and the CloudBlue platform will validate that a Microsoft-issued Partner Invitation Link (PIL) has been requested and accepted.

Do Microsoft direct-billed provider partners need billing and invoicing relationships to onboard their existing Azure business to CloudBlue (i.e. platform-to-platform partner transfer)?

Yes, for all standard business scenarios, a billing and invoicing relationship is required.

No, in the exceptional case of compliant Microsoft partner self-consumption of NCE Azure services. However, even in this edge case, maintaining an active billing and invoicing relationship is considered best practice to uphold the integrity of the CSP partner-led field channel.

What is changing with MCA Partner Attestation?

Microsoft will retire the legacy Partner Attestation methods (Partner Center UI and old API) on January 5, 2026. After this date, only the Enhanced MCA Partner Attestation API and direct customer acceptance will be supported.

Do partners need to integrate with the new API?

No. CloudBlue will manage the integration through its Microsoft connectors. Partners will automatically see the updated purchase flows without needing to take action.

What changes in the CloudBlue purchase flow?

If a customer has not accepted the MCA, the purchase flow will display an attestation link. The customer must review and accept Microsoft's terms before the order can proceed.

Alternatively, existing Microsoft customers may provide direct acceptance through the Microsoft Admin Portal.

What happens if a customer has already accepted the MCA?

If the MCA was accepted after April 1, 2023, no further action is needed.

Why is this change happening?

Microsoft audits revealed compliance gaps where partners could not prove true customer acceptance. The new API ensures stronger compliance and traceability.

© 2026 CloudBlue, LLC. All Rights Reserved. Privacy Policy and Terms of Use