Your licenses are provided by Microsoft through the distributor Ingram Micro SL and resold to you by PARALELEMERGENTE UNIPESSOAL LDA (clouderama.net) as your local reseller. To deliver them into your tenant — and optionally manage them — you authorize PARALELEMERGENTE UNIPESSOAL LDA as your reseller and grant delegated access. After your first purchase, all further license orders are handled through our internal portal.
- Authorize us as your CSP reseller
- Grant delegated access (GDAP)
- Microsoft 365 Lighthouse (management)
- Azure Lighthouse (Azure management)
1. Authorize us as your CSP reseller
Accepting the invitation establishes the reseller relationship that lets PARALELEMERGENTE UNIPESSOAL LDA provision licenses into your tenant.
- You need a user with the Global Administrator role in your Microsoft 365 tenant.
- Complete your billing account address first — otherwise the acceptance link will not work: Billing accounts.
Then open the invitation link below to accept the offer and authorize us as your reseller:
2. Grant delegated access (GDAP)
To deliver and manage licenses we use Granular Delegated Admin Privileges (GDAP) — Microsoft's current least-privilege delegated-access model, which replaced the legacy DAP. When you accept our GDAP request, you approve a specific set of Microsoft Entra roles, for a limited duration. A Global Administrator approves the request in the Microsoft 365 admin center.
We request only the least-privilege roles needed for licensing and support, for a fixed duration:
Relationship name: clouderama.net – Managed Services
Duration: <e.g. 365 days, auto-extend>
Entra roles:
- License Administrator
- User Administrator (optional, for support)
- Helpdesk Administrator (optional, for support)
- Global Reader (read-only oversight)3. Microsoft 365 Lighthouse (management)
For ongoing management of your Microsoft 365 environment we use Microsoft 365 Lighthouse. An active GDAP relationship (step 2) is a prerequisite.
Your tenant must meet these requirements:
- An active GDAP relationship with us.
- At least one Microsoft 365, Office 365, Exchange Online, Windows 365 Business, or Microsoft Defender for Business subscription (Business, Enterprise, Frontline, or Education).
- No more than 2,500 licensed users.
- The same geographic region (European Union) as our organization.
Once GDAP is in place we onboard your tenant in Lighthouse. It can take up to 48 hours for your tenant data to appear.
Tenant: <your-tenant>.onmicrosoft.com
Delegated access: GDAP (from step 2)
Onboard in: Microsoft 365 Lighthouse → Tenants
Baselines: <to be defined: MFA, security defaults, …>
Data load: up to 48 hours4. Azure Lighthouse (Azure management)
To manage your Azure subscriptions we use Azure Lighthouse (Azure delegated resource management). You deploy a small ARM template that delegates a specific scope — a subscription or a resource group — to our managing tenant with defined least-privilege roles. Our staff then manage your resources from our tenant without needing accounts in yours.
-
A user with the Owner role (permission
Microsoft.Authorization/roleAssignments/write) on the Azure subscription or resource group you want to delegate.
Onboarding ARM template — parameters (placeholder, to be finalized):
{
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/subscriptionDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"mspOfferName": { "value": "clouderama.net – Managed Services" },
"mspOfferDescription": { "value": "Managed by PARALELEMERGENTE UNIPESSOAL LDA" },
"managedByTenantId": { "value": "<CLOUDERAMA_MANAGING_TENANT_ID>" },
"authorizations": {
"value": [
{
"principalId": "<CLOUDERAMA_GROUP_OBJECT_ID>",
"principalIdDisplayName": "clouderama.net Operations",
"roleDefinitionId": "<BUILT_IN_ROLE_ID>"
}
]
}
}
}
Deploy at subscription or resource-group scope. Common built-in role IDs: Reader
acdd72a7-3385-48ef-bd42-f606fba81ae7, Contributor
b24988ac-6180-42a0-ab88-20f7382dd24c. The managing tenant ID and principal (group) object ID
will be provided by us before onboarding.