Securing Microsoft 365 Service Provider Access

The Microsoft 365 Settings screen configures the Service Provider's access to the customer's Microsoft 365 platform. The Service Provider requires this access for initial onboarding and for Day Two management. Access is secured using token-based authentication; the token is generated when the customer consents to access to their Microsoft 365 platform. In Day One Onboarding, customers are onboarded either by providing their username and password to the Service Provider, or by Token-only authentication, which is triggered by an email link sent to the Customer administrator (see Request Consent from End Customer).

The following authentication methods can be used:

- Username and Password: With this option, the connection is secured using both the provided username and password and a Microsoft Graph access token that is claimed based on the configured username and password. To implement this option, select the Grant Consent option in the Microsoft 365 Settings screen (see Grant Consent). This option is relevant for the following scenarios:
  - Customers onboarded prior to version 8.0.450 with M365 user and password authentication must upgrade to use Token-based authentication as a result of enhanced Microsoft Security policies.
  - Customers who decide to switch from Token-based authentication to Password-based authentication (see Switching to User Password) must Grant Consent again to generate a new token based on the username and password.
- Token-only: With this option, the connection is secured using only Token-based authentication (see Switching to Token Authentication). This is the recommended method.

Server-side Get-CsOnlineUser filters can be configured in the UMP-365 database to enhance database performance. For example, a global corporation has 50,000 worldwide users and a filter is configured to retrieve only the users in the Italy office (for example, 5000 users). See Get-CsOnlineUser (Microsoft Teams PowerShell).

To configure Microsoft 365 settings:
1. In the Service portal Navigation pane, select Configuration > M365 Configuration.
If you added the customer using Admin Username and password, the following screen appears:

If you added the customer using Token only, the following screen appears:

2. Configure the Microsoft 365 credentials as described in the table below.

Microsoft 365 Settings

| Parameter | Description |
|---|---|
| Username | M365 Global Admin or Service account username used to establish the Token connection. |
| Password | M365 Global Admin or Service account password used to establish the Token connection. |
| Validate Authentication | Validates the Global Admin or Service account credentials used to establish the M365 Token connection. |
| Send Invitation | Sends an invitation, including a link to the Token Invitation wizard, to the email account of the Global Admin or Service account. |
| Refresh Token Now | Opens the Token Invitation wizard for generating a new token (see Secure Token Connection). |
| Save Microsoft 365 settings | Saves the settings updated in this screen. |
| Switch to auth token | Enables customer authentication by sending a link to the Global Admin or Service account for authentication (see Switching to Token Authentication). |
| Grant Consent | Enables the customer to automatically grant consent to the Service Provider administrator. |

To use this feature, ensure that the Client Id of the Token Authentication Registration is configured in the Authentication Status screen (see Authentication Status).
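
After consent has been granted, a customer administrator can review exactly which permissions the Service Provider's registration holds in the tenant. The script below is an added example, not part of the product or its documentation. It assumes the Microsoft Graph PowerShell SDK is installed and that the Token Authentication Registration appears in the customer tenant as a service principal; $ClientId is a placeholder for the Client Id shown in the Authentication Status screen.

```powershell
# Added example: customer-side review of the consent granted to the Service Provider.
# Assumption: the registration's Client Id resolves to a service principal in this tenant.
param(
    [Parameter(Mandatory)]
    [string] $ClientId   # placeholder: Client Id from the Authentication Status screen
)

# Read-only scopes are enough to list service principals and their grants.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All'

$sp = Get-MgServicePrincipal -Filter "appId eq '$ClientId'"
if (-not $sp) {
    throw "No service principal found for Client Id $ClientId. Consent may not have been granted."
}

# Delegated permissions: what the app may do on behalf of a signed-in user.
$delegated = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All |
    ForEach-Object {
        $resource = Get-MgServicePrincipal -ServicePrincipalId $_.ResourceId
        [pscustomobject]@{
            Type        = 'Delegated'
            Resource    = $resource.DisplayName
            Permission  = "$($_.Scope)".Trim()
            ConsentType = $_.ConsentType   # AllPrincipals = tenant-wide admin consent
        }
    }

# Application permissions: what the app may do with no user present.
$appOnly = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
    ForEach-Object {
        $assignment = $_
        $resource   = Get-MgServicePrincipal -ServicePrincipalId $assignment.ResourceId
        $role       = $resource.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId }
        [pscustomobject]@{
            Type        = 'Application'
            Resource    = $resource.DisplayName
            Permission  = $role.Value
            ConsentType = 'Admin'
        }
    }

# @() keeps the concatenation valid when either list is empty or holds one item.
@($delegated) + @($appOnly) | Sort-Object Type, Resource | Format-Table -AutoSize
```

Run it again after switching authentication methods or refreshing the token, and compare the output with the previous run to confirm that the granted permissions have not widened.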