Background
This article provides a walkthrough on connecting a Microsoft 365 / Entra ID tenant to CyberQP. It covers two options: assigning the CyberQP Enterprise App directly to a built-in Entra ID role (Option 1), or assigning it through a security group (Option 2). Option 1 includes steps for tenants with and without Privileged Identity Management enabled.
Pre-requisites
- Customers have been created in CyberQP, either manually or by importing from IT Glue or Hudu.
- A Global Admin account for the M365 / Entra ID tenant to be connected.
- Alternatively, use Microsoft CSP / Partner access to roll this out to customers:
https://support.getquickpass.com/hc/en-us/articles/31168923391255-How-to-setup-M365-CSP-Integration-GDAP
Table of Contents
- Option 1 - Add CyberQP Enterprise App directly to a built-in Entra ID role
- Option 2 - Add CyberQP Enterprise App to a built-in or custom Entra ID role using a security group
- Next Steps
Option 1 - Add CyberQP Enterprise App directly to a built-in Entra ID role
NOTE: No Entra ID license required.
1. Locate the CyberQP customer to connect to your Entra ID / M365 tenant. Click the Connect M365 option from the three-dot menu on the right side of the customer row.
[Screenshot: connect m365 option in customer three-dot menu]
2. On the Microsoft sign-in page, select or enter the email address for the M365 Global Admin account for the customer tenant. Enter the password and click Sign In.
[Screenshot: microsoft 365 global admin sign-in page]
3. Click Accept to approve the permissions requested by CyberQP.
[Screenshot: cyberqp permissions consent screen]
CyberQP redirects you to the customer screen.
4. Click the Go to Azure Portal button in the CyberQP dashboard, or open the Entra ID Roles and administrators menu directly.
[Screenshot: go to azure portal button in cyberqp dashboard]
NOTE: Microsoft has recently altered the Entra ID Roles and Administrators experience for tenants that have Privileged Identity Management enabled. If PIM is enabled on this tenant, follow the With Privileged Identity Management steps below. Otherwise, continue with the Without Privileged Identity Management steps.
Without Privileged Identity Management
5. In the Roles and administrators menu, type Privileged in the search field to locate the Privileged Authentication Administrator role. Double-click the role name to open it.
[Screenshot: search results for privileged in roles and administrators]
NOTE: Due to updated guidance from Microsoft on the Privileged Authentication Administrator role, the KB has been updated to reflect least privilege concepts. Alternate role options are available with the following limitations:
- Privileged Authentication Administrator role - Reset the password for any account in the tenant, including Global Admin accounts. Block / Unblock sign-in for any account in the tenant, including Global Admin accounts.
- Password Administrator / Helpdesk Administrator role - Reset the password for accounts not assigned to any privileged role, and not in the Password Administrator or Helpdesk Administrator group. Block / Unblock sign-in for non-privileged accounts not in those groups.
6. In the Privileged Authentication Administrator | Assignments window, click + Add assignments.
[Screenshot: add assignments button in privileged authentication administrator]
7. Type CyberQP in the search field, select CyberQP from the results, and click Add.
[Screenshot: cyberqp selected in add assignments search]
NOTE: The Entra ID Enterprise app may be named Quickpass if it was pushed into the tenant before CyberQP's name change, or if a previous MSP had integrated with the solution.
8. Confirm the CyberQP Enterprise Application is now listed as a member of the Privileged Authentication Administrator role.
[Screenshot: cyberqp enterprise application listed in privileged authentication administrator role]
NOTE: If you intend to use the Entra ID Just in Time feature, repeat steps 5-7 for the Privileged Role Administrator role.
[Screenshot: privileged role administrator in roles and administrators search]
[Screenshot: add assignments button for privileged role administrator]
[Screenshot: cyberqp added to privileged role administrator role]
With Privileged Identity Management
5. In the Roles and administrators menu, type Privileged in the search field to locate the Privileged Authentication Administrator role. Double-click the role to open it.
[Screenshot: privileged authentication administrator in roles and administrators with pim]
NOTE: Alternate role options are available with the following limitations:
- Privileged Authentication Administrator role - Reset the password for any account in the tenant, including Global Admin accounts. Block / Unblock sign-in for any account in the tenant, including Global Admin accounts.
- Password Administrator / Helpdesk Administrator role - Reset the password for accounts not assigned to any privileged role, and not in the Password Administrator or Helpdesk Administrator group. Block / Unblock sign-in for non-privileged accounts not in those groups.
6. In the Privileged Authentication Administrator | Add Assignments window, click the link under Select Members.
[Screenshot: select members link in add assignments wizard]
7. On the Select a Member screen, type CyberQP in the search box. Click the CyberQP Enterprise App in the results and click Select.
[Screenshot: cyberqp enterprise app in select a member search]
[Screenshot: cyberqp enterprise app selected]
8. Confirm the CyberQP Enterprise Application appears in the wizard. Click Next.
[Screenshot: cyberqp shown in add assignments wizard]
9. On the Assignment settings screen, set the assignment type to Active, enable Permanently assigned, and fill in the Justification field. Click Assign.
[Screenshot: assignment settings with active and permanently assigned selected]
10. Wait a few minutes or refresh the screen until the CyberQP Enterprise Application appears in the role.
[Screenshot: cyberqp enterprise application listed in role]
NOTE: If you intend to use the Entra ID Just in Time feature, repeat steps 6-9 for the Privileged Role Administrator role.
[Screenshot: privileged role administrator selected for repeat jit assignment]
Continue Entra ID / M365 Setup
Return to the CyberQP admin dashboard and click the Go to User List button in step 5 of the Microsoft 365 setup.
[Screenshot: go to user list button in cyberqp m365 setup]
[Screenshot: end user accounts list after m365 connection]
You can now onboard M365 / Entra ID users in CyberQP.
NOTE: Password reset functionality requires permission propagation in M365 / Entra ID. This may take up to 15 minutes.
Option 2 - Add CyberQP Enterprise App to a built-in or custom Entra ID role using a security group
NOTE: Entra ID Premium P1 license required.
1. Assign at least one Entra ID P1 license to an account on the M365 / Entra ID tenant being connected to CyberQP. This license does not need to be applied to every M365 account.
[Screenshot: entra id p1 license assigned to an account]
2. Locate the CyberQP customer to connect to your Entra ID / M365 tenant. Click the Connect M365 option from the right-hand menu of the customer row.
[Screenshot: connect m365 option in customer three-dot menu]
3. On the Microsoft sign-in page, select or enter the email address for the M365 Global Admin account for the customer tenant. Enter the password and click Sign In.
[Screenshot: microsoft 365 global admin sign-in page]
4. Click Accept to approve the permissions requested by CyberQP.
[Screenshot: cyberqp permissions consent screen]
CyberQP redirects you to the customer screen.
5. Open the Entra ID Groups screen in the Azure portal. This step is required to grant CyberQP permission to reset passwords in the M365 / Entra ID tenant.
[Screenshot: groups screen in entra id portal]
6. Click the New group button near the top of the screen.
[Screenshot: new group button in groups screen]
7. In the New Group window, set Group type to Security, enter CyberQP Enterprise App as the Group Name, and set Azure AD roles can be assigned to the group to Yes.
[Screenshot: new group settings with security type and role assignment enabled]
NOTE: If the Azure AD roles can be assigned to the group option is not visible, at least one Entra ID P1 license has not yet been applied to the tenant, or the change has not taken effect.
8. Click the No members selected link in the New Group window.
[Screenshot: no members selected link in new group window]
9. In the Add members window, type CyberQP in the search field. Select the CyberQP Enterprise App from the results and click Select.
[Screenshot: cyberqp enterprise app in add members search]
NOTE: The Enterprise app will not appear unless you search for it by name.
10. Click the no roles selected link in the Roles section of the New Group window.
[Screenshot: no roles selected link in new group window]
11. Type global administrator in the search box. Check the box next to Global Administrator and click Select.
[Screenshot: global administrator selected in role search]
NOTE: Alternate role options are available with the following limitations:
- Global Admin role - Reset the password for any account in the tenant. Block / Unblock sign-in for any account in the tenant.
- Privileged Authentication Administrator role - Reset the password for any account in the tenant, including Global Admin accounts. Block / Unblock sign-in for any account in the tenant, including Global Admin accounts.
- Password Administrator / Helpdesk Administrator group - Reset the password for accounts not assigned to any privileged role, and not in the Password Administrator or Helpdesk Administrator group. Block / Unblock sign-in for non-privileged accounts not in those groups.
12. Click Create at the bottom of the New Group window.
[Screenshot: create button to complete new group setup]
13. Click Yes to confirm.
[Screenshot: yes button confirmation for role-assignable group]
14. Return to the CyberQP admin dashboard and click the Go to User List button for the new M365 customer.
[Screenshot: go to user list button in cyberqp m365 setup]
[Screenshot: end user accounts list after m365 connection]
You can now onboard M365 / Entra ID users in CyberQP.
NOTE: Password reset functionality requires permission propagation in M365 / Entra ID. This may take up to 15 minutes.
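As an added verification step (this script is not part of the CyberQP article or product), the following Microsoft Graph PowerShell snippet lists the Entra ID directory roles the CyberQP enterprise app ends up holding after Option 1 or Option 2, and labels each one against the role notes above. It assumes the Microsoft.Graph PowerShell SDK is installed and that a role granted through the Option 2 security group is surfaced by transitiveMemberOf as a directoryRole for the app; the function name Get-CyberQpRoleReport is an illustrative name, not a product cmdlet.

```powershell
# Added verification script, not from the CyberQP article. Lists the Entra ID directory
# roles held by the CyberQP / Quickpass enterprise app (directly via Option 1, or through
# the role-assignable security group of Option 2) and labels each against the article's
# least-privilege notes. Requires the Microsoft.Graph PowerShell SDK (v1.0 cmdlet names).
Connect-MgGraph -Scopes 'Application.Read.All', 'RoleManagement.Read.Directory' -NoWelcome

# The enterprise app may carry either name (see the rename note in Option 1).
$apps = Get-MgServicePrincipal -Filter "displayName eq 'CyberQP' or displayName eq 'Quickpass'"
if (-not $apps) { throw 'No CyberQP / Quickpass enterprise app found in this tenant.' }

# Roles the article discusses, grouped by how much they can reset.
$broadRoles  = @('Global Administrator', 'Privileged Authentication Administrator')
$jitRole     = 'Privileged Role Administrator'
$narrowRoles = @('Password Administrator', 'Helpdesk Administrator')

function Get-CyberQpRoleReport {
    param([Parameter(Mandatory)] $ServicePrincipal)

    # transitiveMemberOf returns groups and directory roles. Assumption: a role assigned to
    # the Option 2 group is reported here as a directoryRole object for the app as well.
    $memberOf = Get-MgServicePrincipalTransitiveMemberOf -ServicePrincipalId $ServicePrincipal.Id -All
    $roleNames = $memberOf |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
        ForEach-Object { $_.AdditionalProperties['displayName'] }

    if (-not $roleNames) {
        # No role at all: password resets will fail until one of the roles above is assigned.
        return [pscustomobject]@{ App = $ServicePrincipal.DisplayName; Role = '(none)'; Scope = 'password reset not possible' }
    }
    foreach ($role in $roleNames) {
        if ($role -in $broadRoles) {
            $scope = 'any account in the tenant (see role notes above)'
        } elseif ($role -eq $jitRole) {
            $scope = 'needed only for the Entra ID Just in Time feature'
        } elseif ($role -in $narrowRoles) {
            $scope = 'non-privileged accounts only'
        } else {
            $scope = 'not required by this integration; review this assignment'
        }
        [pscustomobject]@{ App = $ServicePrincipal.DisplayName; Role = $role; Scope = $scope }
    }
}

$apps | ForEach-Object { Get-CyberQpRoleReport -ServicePrincipal $_ } | Format-Table -AutoSize
```

Roles assigned through PIM as Active and Permanently assigned (Option 1 with PIM) appear in this report once the assignment has propagated; eligible-only assignments do not.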
NOTE:
- Disable the built-in M365 password expiry notification to reduce end-user confusion from receiving notifications from both CyberQP and M365.
[Screenshot: disable built-in password expiry notification setting]
- For cloud-only M365 accounts, the only modifiable password policy setting is the number of days until passwords expire. All other M365 password policies cannot be changed for cloud-only accounts.
[Screenshot: m365 cloud-only account password policy options]
Next Steps
- Manually enabling CyberQP Active Directory to Entra ID / M365 sync:
https://support.getquickpass.com/hc/en-us/articles/4403754565527-Enabling-Office-365-Synchronization-for-End-User-Accounts-to-Existing-Quickpass-Customer
- Additional security for Entra ID emergency access accounts:
https://support.getquickpass.com/hc/en-us/articles/17810557790743-Additional-Security-for-Entra-Break-Glass-Emergency-Access-Accounts
Comments
Updated 10.27.2023
How can we check or verify the PIM status in MS365?