{"id":9392,"date":"2025-12-03T03:53:39","date_gmt":"2025-12-03T03:53:39","guid":{"rendered":"https:\/\/pariswells.com\/blog\/?p=9392"},"modified":"2025-12-03T03:53:42","modified_gmt":"2025-12-03T03:53:42","slug":"cross-tenant-access-settings-organization-deleted","status":"publish","type":"post","link":"https:\/\/pariswells.com\/blog\/research\/cross-tenant-access-settings-organization-deleted","title":{"rendered":"Cross-tenant Access Settings Organization Deleted"},"content":{"rendered":"\n<ul class=\"wp-block-list\">\n<li><strong>ExtTenantDeleted<\/strong> (Deleted External Tenant ID): b4c546a4-7dac-46a6-a7dd-ed822a11efd3<\/li>\n\n\n\n<li><strong>InitiatingAppName<\/strong>: EntraGDAP<\/li>\n\n\n\n<li><strong>InitiatingAppServicePrincipalId<\/strong>: bc2f2da0-9048-42a2-877f-1996a4f6ae5c<\/li>\n\n\n\n<li><strong>InitiatingUserPrincipalName<\/strong>: (empty \u2013 app-initiated action)<\/li>\n\n\n\n<li><strong>InitiatingAadUserId<\/strong>: (empty)<\/li>\n\n\n\n<li><strong>InitiatingIpAddress<\/strong>: (empty)<\/li>\n\n\n\n<li><strong>InitiatingAccountName<\/strong>: (empty)<\/li>\n\n\n\n<li><strong>InitiatingAccountUPNSuffix<\/strong>: (empty)<\/li>\n<\/ul>\n\n\n\n<p>This event would trigger an alert under the rule, as it exceeds the threshold of 0 occurrences within the query period.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Interpretation of the Log<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What Happened<\/strong>: A partner-specific cross-tenant access policy was deleted for the external tenant b4c546a4-7dac-46a6-a7dd-ed822a11efd3. The home tenant (where the log was generated) is 80002dae-06b4-411a-b24b-1630a9a5365b.<\/li>\n\n\n\n<li><strong>Initiator<\/strong>: The action was performed by the &#8220;EntraGDAP&#8221; application. GDAP (Granular Delegated Admin Privileges) is a Microsoft security feature for partners, enabling least-privileged, time-bound access to customer tenants following Zero Trust principles. &#8220;EntraGDAP&#8221; appears to be an internal app name used for managing these privileges in Microsoft Entra ID.<\/li>\n\n\n\n<li><strong>Deleted Tenant Context<\/strong>: The tenant ID b4c546a4-7dac-46a6-a7dd-ed822a11efd3 is associated with Microsoft&#8217;s support infrastructure, specifically the &#8220;Office365ConciergeSupport.onmicrosoft.com&#8221; domain (a concierge\/support tenant used for customer assistance). This suggests the deletion revoked access for Microsoft support engineers, likely as part of closing a support case.<\/li>\n\n\n\n<li><strong>Why This Occurs<\/strong>: When a Microsoft 365 support case is created, temporary cross-tenant access is granted to Microsoft engineers for diagnostics. Upon case closure (or after 30 days), access is automatically revoked, logging this exact activity type initiated by EntraGDAP. This is a standard, non-suspicious operation unless unexpected in your environment (e.g., no recent support cases).<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>This event would trigger an alert under the rule, as it exceeds the threshold of 0 occurrences within the query period. Interpretation of the Log<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-9392","post","type-post","status-publish","format-standard","hentry","category-research"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/9392","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/comments?post=9392"}],"version-history":[{"count":1,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/9392\/revisions"}],"predecessor-version":[{"id":9393,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/9392\/revisions\/9393"}],"wp:attachment":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/media?parent=9392"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/categories?post=9392"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/tags?post=9392"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}