Best Practices for Microsoft Integrations

Overview

Understanding Microsoft integrations can be complex due to the multitude of products and services involved. This section provides a comprehensive guide to the recommended setup for Rewst, detailing aspects such as account usage, multi-factor authentication (MFA), DAP/GDAP groups, and Conditional Access Policies. Proper implementation as described herein ensures smooth integration with the Microsoft CSP, Microsoft Graph, or Microsoft Exchange Online integrations. Failure to adhere to these instructions may result in integration issues.

Setup & Authorization

  1. Create a Dedicated Account: Establish a dedicated account with Global Administrator permissions during the setup process.

    • Name: Rewst Integration

    • Username: rewst@domain.tld

    • Role: Assign Global Administrator permissions during setup (can be revoked after)

  2. Roles and Permissions:

    • DAP: If still using DAP, add the Rewst user to the AdminAgents group.

    • GDAP: If you are using GDAP, the Rewst user must be added to the groups you've assigned for GDAP as well as the AdminAgents group (AdminAgents does not give any roles in a GDAP environment, but it gives access to the partner center and related APIs).

  3. MFA Requirements:

    • Enforcement: Implement Microsoft multi-factor authentication (MFA) for each login, either via Conditional Access when available or via Per User MFA.

    • Exclusion and Length Policies: No excluded locations may be applied nor authentication length policies. Refer to the chapter on conditional access for proper configuration.

    • Authentication Provider: Only Microsoft authentication is permissible. providers like Duo are incompatible. For more information, see Microsoft's page on Supported MFA options.

Conditional Access

Ensuring secure access to your tenants with Rewst requires careful configuration of Conditional Access policies. Follow the guidelines below for both your organization and your clients:

Setup Your Policies

  1. Browse to Azure: Navigate to the Conditional Access Policies blade in Azure..

  2. Exclude Rewst Service Account: Remove the Rewst service account from existing policies.

  3. Create a New Policy:

    • Include Rewst User: Add the Rewst user to the policy.

    • Enforce MFA: Mandate Azure Multi-factor Authentication for each login and application.

    • Policy Name: Save this policy under the name "Rewst Conditional Access Policy".

Setup Clients' Policies

DAP and GDAP are influenced by your clients' conditional access policies. To ensure seamless access to your clients using your Rewst integration user, follow these steps:

  1. Browse to Client's Azure: Navigate to your client's Conditional Access Policies blade in Azure.

  2. Modify Policies: For each policy listed, add an exclusion to Users and Groups with these settings:

    • Guest or external users

    • Service Provider Users

    • Tenant ID: Enter your tenant ID. If unknown, find it at What Is My Tenant ID.

Note: Excluding the MSP from the Conditional Access Policy is recommended as per Microsoft's GDAP Documentation.

Post-Modification Behavior

  • Propagation Time: Changes may take up to an hour to become active in the Rewst environment.

  • Quick Refresh: Click the blue shield icon next to the client's name on the Graph/CSP/Exchange Integration page in Rewst to expedite propagation.

Consent to client permissions involves recognizing different group structures like GDAP (Granular Delegated Admin Privileges) and DAP. GDAP allows more controlled tenant access by creating groups and assigning permissions, aligning with Rewst's requirements.

The table below outlines the recommended roles in your Azure environment for Rewst, describing what each role enables. Click on the Role Name to navigate to Microsoft's Azure AD built-in roles page for detailed information about each specific role.

Role NameWhat it allows for

Can create and manage all applications, service principals, app registration, enterprise apps, consent requests. Cannot manage directory roles, security groups.

Manages all aspects of users, groups, registration, and resets passwords for limited admins. Cannot manage security-related policies or other configuration objects.

Manages all aspects of Intune, including all related resources, policies, configurations, and tasks.

Manages all aspects of Exchange Online, including mailboxes, permissions, connectivity, and related settings. Limited access to related Exchange settings in Azure AD.

Can read security information and reports, and manages security-related features, including identity protection, security policies, device management, and threat management in Azure AD and Office 365.

Manages all aspects of the Defender for Cloud App Security in Azure AD, including policies, alerts, and related configurations.

Enables, disables, deletes devices in Azure AD, reads Windows 10 BitLocker keys. Does not grant permissions to manage other properties on the device.

Manages all aspects of Microsoft Teams, including telephony, messaging, meetings, teams, Microsoft 365 groups, support tickets, and service health.

Manages all aspects of SharePoint Online, Microsoft 365 groups, support tickets, service health. Scoped permissions for Microsoft Intune, SharePoint, and OneDrive resources.

Sets/resets authentication methods for all users (admin or non-admin), deletes/restores any users. Manages support tickets in Azure and Microsoft 365. Restrictions on managing per-user MFA in legacy MFA portal.

Configures authentication methods policy, MFA settings, manages Password Protection settings, creates/manages verifiable credentials, Azure support tickets. Restrictions on updating sensitive properties, deleting/restoring users, legacy MFA settings.

Manages role assignments in Azure AD, Azure AD Privileged Identity Management, creates/manages groups, manages all aspects of Privileged Identity Management, administrative units. Allows managing assignments for all Azure AD roles including Global Administrator.

Last updated