Best Practices for Microsoft Integrations

Overview

Understanding Microsoft integrations can be complex due to the multitude of products and services involved. This section provides a comprehensive guide to the recommended setup for Rewst, detailing aspects such as account usage, multi-factor authentication (MFA), GDAP groups, and Conditional Access Policies. Proper implementation as described herein ensures smooth integration with the Microsoft CSP, Microsoft Graph, or Microsoft Exchange Online integrations. Failure to adhere to these instructions may result in integration issues.

Setup & Authorization

  1. Create a Dedicated Account: Establish a dedicated account with Global Administrator permissions during the setup process.

    • Name: Rewst Integration

    • Username: rewst@domain.tld

    • Role: Assign Global Administrator permissions during setup (can be revoked after)

  2. Roles and Permissions:

    • The Rewst user must be added to the groups you've assigned for GDAP as well as the AdminAgents group (AdminAgents does not give any roles in a GDAP environment, but it gives access to the partner center and related APIs).

  3. MFA Requirements:

    • Enforcement: Implement Microsoft multi-factor authentication (MFA) for each login, either via Conditional Access when available or via Per User MFA.

    • Exclusion and Length Policies: Do not apply excluded locations or authentication length policies to the Rewst account. Refer to the Conditional Access section below for the proper configuration.

    • Authentication Provider: Only Microsoft authentication is permissible; third-party providers such as Duo are incompatible. For more information, see Microsoft's page on Supported MFA options.

Conditional Access

Ensuring secure access to your tenants with Rewst requires careful configuration of Conditional Access policies. Follow the guidelines below for both your organization and your clients:

Set Up Your Policies

  1. Browse to Azure: Navigate to the Conditional Access Policies blade in Azure.

  2. Exclude Rewst Service Account: Remove the Rewst service account from existing policies.

  3. Create a New Policy:

    • Include Rewst User: Add the Rewst user to the policy.

    • Enforce MFA: Mandate Azure Multi-factor Authentication for each login and application.

    • Policy Name: Save this policy under the name "Rewst Conditional Access Policy".
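The policy created in the steps above can be audited against the MFA requirements on this page (Rewst user included, enforced for every login and application, MFA mandatory, no excluded locations, no authentication length controls). The following is an added example, not Rewst or Microsoft code; the two policy objects are constructed samples shaped like the Graph API conditionalAccessPolicy schema, and the user id is a placeholder.

```python
"""Audit a Microsoft Graph conditionalAccessPolicy object against the Rewst
service-account guidance above: the Rewst user is included, the policy is
enabled for all cloud apps, MFA is mandatory, no excluded locations and no
sign-in frequency (authentication length). Added example, not Rewst code;
the policy objects are constructed samples with a placeholder user id."""

REWST_USER_ID = "00000000-0000-0000-0000-000000000001"  # placeholder object id

# Constructed sample policies shaped like the Graph API schema.
GOOD_POLICY = {
    "displayName": "Rewst Conditional Access Policy", "state": "enabled",
    "conditions": {"users": {"includeUsers": [REWST_USER_ID], "excludeUsers": []},
                   "applications": {"includeApplications": ["All"]}, "locations": None},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    "sessionControls": None,
}
BAD_POLICY = {
    "displayName": "Rewst Conditional Access Policy", "state": "enabledForReportingButNotEnforced",
    "conditions": {"users": {"includeUsers": [REWST_USER_ID], "excludeUsers": []},
                   "applications": {"includeApplications": ["Office365"]},
                   "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}},
    # OR with a second control lets a compliant device satisfy the policy without MFA
    "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]},
    "sessionControls": {"signInFrequency": {"isEnabled": True, "value": 8, "type": "hours"}},
}

def audit_policy(policy: dict, rewst_user_id: str) -> list[str]:
    """Return findings; an empty list means the policy matches the guidance."""
    findings = []
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    if rewst_user_id not in (users.get("includeUsers") or []):
        findings.append("Rewst user is not included")
    if rewst_user_id in (users.get("excludeUsers") or []):
        findings.append("Rewst user is excluded")
    if policy.get("state") != "enabled":
        findings.append("policy is not enforced (report-only or off)")
    if "All" not in ((cond.get("applications") or {}).get("includeApplications") or []):
        findings.append("policy does not cover all cloud apps")
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    # MFA is only mandatory if it is the sole control or all controls are ANDed
    if "mfa" not in controls or (len(controls) > 1 and grant.get("operator") != "AND"):
        findings.append("MFA is not mandatory for every sign-in")
    if (cond.get("locations") or {}).get("excludeLocations"):
        findings.append("excluded locations are configured")
    if ((policy.get("sessionControls") or {}).get("signInFrequency") or {}).get("isEnabled"):
        findings.append("sign-in frequency (authentication length) is configured")
    return findings
```

Run `audit_policy(policy, user_id)` over a policy fetched from the Graph API to get the list of deviations; the constructed GOOD_POLICY returns no findings and BAD_POLICY returns five.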

Set Up Clients' Policies

Granular access is influenced by your clients' conditional access policies. To ensure seamless access to your clients using your Rewst integration user, follow these steps:

  1. Browse to Client's Azure: Navigate to your client's Conditional Access Policies blade in Azure.

  2. Modify Policies: For each policy listed, add an exclusion to Users and Groups with these settings:

    • Guest or external users

    • Service Provider Users

    • Tenant ID: Enter your tenant ID. If unknown, find it at What Is My Tenant ID.

Note: Excluding the MSP from the Conditional Access Policy is recommended as per Microsoft's GDAP Documentation.

Post-Modification Behavior

  • Propagation Time: Changes may take up to an hour to become active in the Rewst environment.

  • Quick Refresh: Click the blue shield icon next to the client's name on the Graph/CSP/Exchange Integration page in Rewst to expedite propagation.

Consenting to client permissions requires understanding group structures such as GDAP (Granular Delegated Admin Privileges), which gives more controlled tenant access by creating groups and assigning permissions to them; Rewst's requirements are aligned with this model.

The table below outlines the recommended roles in your Azure environment for Rewst, describing what each role enables. Click on the Role Name to navigate to Microsoft's Azure AD built-in roles page for detailed information about each specific role.
