Prerequisites
- You have created customers in Quickpass either manually or by importing from IT Glue or Hudu via integration.
  - ITGlue
  - Hudu
  - Manually
- A Global Admin account for the M365/Azure Tenant to be connected to.
Option 1 - Add CyberQP Enterprise App directly to a built in Azure AD role
**Note**: No Azure AD License required
1. Locate the Quickpass customer you will use to connect to your Azure / Microsoft 365 tenant account. Then click the Connect M365 option from the three dot menu on the right side of the Quickpass customer line.
2. In the Microsoft Login Page select or enter the email address associated with the Microsoft 365 Global Admin account you use for your customer's tenant account. Then type the password and select Sign In.
3. Click Accept button to approve the permissions requested by Quickpass.
You will now be re-directed back to the Quickpass Customer screen.
4. Click the Go to Azure Portal button in the Quickpass dashboard, or click this link to open the Azure AD Roles and administrators menu.
NOTE: Microsoft has recently altered the Azure Roles and Administrators for Tenants that have enabled Privileged Identity Management. Please click HERE to see the process if the Azure/M365 Tenant has PIM enabled.
Azure Active Directory Roles and Administrators without Privileged Identity Management Enabled
5. In the Roles and administrators menu in the Azure Active Directory portal type Privileged in the search field to locate the Privileged authentication administrator role.
Double click the Privileged authentication administrator role name to open it.
Note: Due to updated guidance from Microsoft on the function of the Privileged authentication administrator role, and in accordance with least privilege concepts, we have updated this KB to reflect those changes. There are alternate options if you do not wish to add the app to the Privileged authentication administrator role, with the exceptions listed below.
Privileged Authentication Administrator Role
- Rotate / Reset the password for any account within the tenant including Global admin accounts.
- Block / Unblock sign in for any account within the tenant including Global admin accounts.
Password Administrator / Helpdesk Administrator Role
- Rotate / Reset the password for any account not added to any privileged roles, or for accounts in the Password Administrator or Helpdesk Administrator group
- Block / Unblock sign in for any non-privileged account, or for accounts in the Password Administrator or Helpdesk Administrator group
6. In the Privileged Authentication Administrator | Assignments window click the + Add assignments button
7. Type CyberQP in the search field, select CyberQP from the search results and click the Add button at the bottom when done.
8. You will now see the CyberQP Enterprise Application as a member of the Privileged Authentication Administrator built in role.
9. NOTE: If you intend to use the Azure/Entra/M365 Just in Time feature, the Enterprise App must also be assigned to one additional role. Repeat steps 5-7 for the Privileged Role Administrator role.
Click HERE to continue the process.
Azure Active Directory Roles and Administrators with Privileged Identity Management Enabled
Note: Due to some updated guidance from Microsoft on the function of the Privileged authentication administrator role, and in accordance with least privilege concepts, we have updated the KB to reflect those changes.
- In the Roles and administrators menu in the Azure Active Directory portal type Privileged in the search field to locate the Privileged authentication administrator role. Then double click the Privileged authentication administrator role to open it.
Note: There are alternate options if you do not wish to add the app to the Privileged authentication administrator role, with the exceptions listed below.
Privileged Authentication Administrator Role
- Rotate / Reset the password for any account within the tenant including Global admin accounts.
- Block / Unblock sign in for any account within the tenant including Global admin accounts.
Password Administrator / Helpdesk Administrator Role
- Rotate / Reset the password for any account not added to any privileged roles, or for accounts in the Password Administrator or Helpdesk Administrator group
- Block / Unblock sign in for any non-privileged account, or for accounts in the Password Administrator or Helpdesk Administrator group
- In the Privileged authentication administrator | Add Assignments window click the link at the bottom under Select Members
- On the Select a Member screen click in the Search Box and type CyberQP. Click on the CyberQP Enterprise App, and click Select
- Once the CyberQP Enterprise Application has been selected, the Application will be shown in the Wizard. Click Next.
- You will then be prompted to specify the Assignment settings. Ensure that Active, Permanently Assigned, and the Justification box are populated. Click Assign
- Wait a few minutes or refresh the screen until the CyberQP Enterprise Application is listed in the Role that you selected.
NOTE: If you intend to use the Azure/Entra/M365 Just in Time feature, the Enterprise App must also be assigned to one additional role. Repeat steps 6-9 for the Privileged Role Administrator role.
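Once the assignments above are in place (directly, or permanently/actively through PIM), it is worth confirming from the tenant side which roles the CyberQP enterprise app actually holds, and whether anything broader than the roles this KB discusses (Global Administrator in particular) has crept in. The script below is an added example, not part of this KB or CyberQP's own tooling. It uses the Microsoft Graph PowerShell SDK and assumes the app's display name is 'CyberQP' (the name searched for in the steps above); roles are matched by display name rather than template GUID. It also follows group memberships, so it covers the Option 2 setup further down as well.

```powershell
# Added example (not CyberQP's code): report the Entra directory roles held by the CyberQP
# enterprise app, directly or through a role-assignable group, including PIM-eligible ones.
# Requires Microsoft.Graph PowerShell SDK modules (Applications, Identity.Governance).

Connect-MgGraph -Scopes 'Application.Read.All','RoleManagement.Read.Directory','Directory.Read.All' -NoWelcome

function Get-CyberQPRoleReport {
    param([string]$AppName = 'CyberQP')   # assumed display name of the enterprise app

    $sp = Get-MgServicePrincipal -Filter "displayName eq '$AppName'" -Top 1
    if (-not $sp) { throw "Enterprise app '$AppName' not found; complete the Connect M365 consent step first." }

    # Principals to inspect: the app itself plus every group it is (transitively) a member of,
    # because Option 2 places the role on a group rather than on the app.
    $groups = Get-MgServicePrincipalTransitiveMemberOf -ServicePrincipalId $sp.Id -All
    $principals = @(@{ Id = $sp.Id; Via = 'direct' })
    foreach ($g in $groups) {
        $principals += @{ Id = $g.Id; Via = "group '$($g.AdditionalProperties['displayName'])'" }
    }

    # Roles this KB talks about; anything else (above all Global Administrator) deserves a second look.
    $kbRoles = 'Privileged Authentication Administrator', 'Privileged Role Administrator',
               'Password Administrator', 'Helpdesk Administrator'

    foreach ($p in $principals) {
        $entries = @()
        # Active assignments: direct ones and PIM "Active, Permanently assigned" ones both land here.
        Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($p.Id)'" -All |
            ForEach-Object { $entries += @{ A = $_; State = 'Active' } }
        # PIM-eligible assignments are separate objects and grant nothing until activated.
        Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -Filter "principalId eq '$($p.Id)'" -All |
            ForEach-Object { $entries += @{ A = $_; State = 'Eligible' } }

        foreach ($e in $entries) {
            $def = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $e.A.RoleDefinitionId
            if ($def.DisplayName -eq 'Global Administrator') { $verdict = 'Broader than the KB requires' }
            elseif ($kbRoles -contains $def.DisplayName)     { $verdict = 'Matches KB' }
            else                                              { $verdict = 'Review' }

            [pscustomobject]@{
                Role    = $def.DisplayName
                State   = $e.State
                Scope   = $e.A.DirectoryScopeId   # '/' means tenant-wide
                Via     = $p.Via
                Verdict = $verdict
            }
        }
    }
}

Get-CyberQPRoleReport | Format-Table -AutoSize
```

Run it with the same Global Admin session used for the connection, or any account that can read role management data. An empty report right after assignment usually just means the change has not propagated yet; the KB's 15 minute guidance applies here too.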
Continue Azure AD/M365 Setup
9. Return to the Quickpass web admin console and click the Go to User List button in step 5 of the Microsoft 365 setup in Quickpass.
You can now start to on-board M365 / Azure users in Quickpass. Password reset functionality will not work until these permissions have propagated in M365 / Azure. This may take up to 15 mins to complete.
Option 2 - Add CyberQP Enterprise App to a built in or custom Azure AD role using a security group
**Note**: Azure AD Premium P1 License required
- Assign at least one Azure AD P1 license to an account on the M365 / Azure AD tenant that you are connecting with Quickpass. There is no need to purchase this license for all M365 accounts.
1. Locate the Quickpass customer you will use to connect to your Azure / M365 tenant account. Then click the Connect M365 option from the right hand menu of the Quickpass customer.
2. In the Microsoft Login Page select or enter the email address associated with the M365 Global Admin account you use for your customer's tenant account. Then type the password and select Sign In.
3. Click Accept button to approve the permissions requested by Quickpass.
You will now be re-directed back to the Quickpass Customer screen.
4. Go to the Azure Groups screen within the Azure AD tenant. This step is required to add the ability for Quickpass to reset passwords in the M365 / Azure AD tenant.
5. In the Azure portal groups screen click New group button near the top of the window
6. In the New Group window select Security for Group Type, type in the name CyberQP Enterprise App for the Group Name and most importantly select Yes for Azure AD roles can be assigned to the group.
Note: If you don't see the Azure AD roles can be assigned to the group option, that means you haven't added at least one Azure AD P1 license to an account in the tenant yet, or the change has not taken effect.
7. Click the No members selected link in the New Group window
8. In the Add members window type CyberQP in the search field, select the CyberQP Enterprise App as shown in the screen shot then click Select button at the bottom when done.
Note: If you don't type quickpass in the search window, the enterprise app will not show.
9. Click the no roles selected link in the Roles section of the New Group window.
10. Type in global administrator in the search box, click the check box next to Global Administrator and lastly click the Select button at the bottom.
Note: There are some alternate options if you do not wish to add the group to the global admin group with some exceptions.
Global Admin Role
- Rotate / Reset the password for any account within the tenant.
- Block / Unblock sign in for any account within the tenant
Privileged Authentication Administrator Role
- Rotate / Reset the password for any account within the tenant.
- Block / Unblock sign in for any account within the tenant including global admin accounts
Password Administrator / Helpdesk Administrator Group
- Rotate / Reset the password for any account not added to any privileged roles, or for accounts in the Password Administrator or Helpdesk Administrator group
- Block / Unblock sign in for any non-privileged account, or for accounts in the Password Administrator or Helpdesk Administrator group
11. Click the Create button at the bottom of the New Group window to complete the process.
12. Click the Yes button
13. Return to the Quickpass web admin console and click the Go to User List button in the new M365 Customer in Quickpass.
You can now start to on-board M365 / Azure users in Quickpass. Password reset functionality will not work until these permissions have propagated in M365 / Azure. This may take up to 15 mins to complete.
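Steps 4 through 11 of Option 2 (a role-assignable security group containing the enterprise app, with a directory role on the group) can also be done from PowerShell, which is handy when onboarding many tenants and makes the role choice explicit and reviewable. The script below is an added example and is not CyberQP's own code. It uses the Microsoft Graph PowerShell SDK, assumes the app's display name is 'CyberQP' and the group name from step 6, and defaults to Privileged Authentication Administrator, one of the alternate roles listed under step 10; set `$RoleName` to 'Global Administrator' if you need the scope step 10 describes. Like the portal, it requires an Entra ID P1 license in the tenant for the role-assignable flag.

```powershell
# Added example (not CyberQP's code): Option 2 group setup via Microsoft Graph PowerShell SDK.
# Run as a Global Administrator or Privileged Role Administrator of the customer tenant.

Connect-MgGraph -Scopes 'Group.ReadWrite.All','Application.Read.All','RoleManagement.ReadWrite.Directory' -NoWelcome

$AppName   = 'CyberQP'                                  # assumed display name of the enterprise app
$GroupName = 'CyberQP Enterprise App'                   # group name used in step 6 of the KB
$RoleName  = 'Privileged Authentication Administrator'  # KB step 10 uses 'Global Administrator'

$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppName'" -Top 1
if (-not $sp) { throw "Enterprise app '$AppName' not found; complete the Connect M365 consent step first." }

# Reuse an existing group rather than creating a duplicate. IsAssignableToRole is the
# "Azure AD roles can be assigned to the group = Yes" switch and cannot be changed after creation.
$group = Get-MgGroup -Filter "displayName eq '$GroupName'" -Top 1
if (-not $group) {
    $group = New-MgGroup -DisplayName $GroupName -MailNickname 'CyberQPEnterpriseApp' `
                         -MailEnabled:$false -SecurityEnabled -IsAssignableToRole
} elseif (-not $group.IsAssignableToRole) {
    throw "Group '$GroupName' exists but is not role-assignable; create a new group with a different name."
}

# Step 7-8: add the enterprise app (its service principal object) as a member, once.
$memberIds = (Get-MgGroupMember -GroupId $group.Id -All).Id
if ($memberIds -notcontains $sp.Id) {
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $sp.Id
}

# Step 9-10: put the directory role on the group, tenant-wide (DirectoryScopeId '/').
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleName'"
if (-not $role) { throw "Directory role '$RoleName' not found." }
$existing = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "principalId eq '$($group.Id)' and roleDefinitionId eq '$($role.Id)'"
if (-not $existing) {
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $group.Id -RoleDefinitionId $role.Id -DirectoryScopeId '/'
}

"Group '$GroupName' ($($group.Id)) holds '$RoleName' and contains '$AppName' ($($sp.Id))."
```

The portal's Yes confirmation (step 12) has no equivalent here; the assignment is created directly. The same 15 minute propagation window applies before password resets from Quickpass start working.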
Note:
- We recommend you disable the built-in Azure / M365 password expiry notification options to reduce confusion for end-users by getting notifications from Quickpass and M365.
- The only property that can be changed from the Azure / M365 cloud only account password policy is days until passwords expire. The remaining M365 password policies cannot be changed for cloud only accounts.
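The expiry period and the built-in notification window mentioned in the two notes above are properties of each verified domain in the tenant. The following added example (not from this KB) reads them for every verified domain with the Microsoft Graph PowerShell SDK and, only when `$Apply` is set, changes the default domain; the values 90 and 14 are illustrative, and 2147483647 days is the value Microsoft uses for "passwords never expire".

```powershell
# Added example (not CyberQP's code): inspect and optionally set the cloud-only password
# expiry period per domain. Requires Microsoft.Graph PowerShell SDK (Identity.DirectoryManagement).

Connect-MgGraph -Scopes 'Domain.ReadWrite.All' -NoWelcome

$Apply = $false   # flip to $true to write the new values to the default domain
$NewValidityDays     = 90   # illustrative; 2147483647 = never expire
$NewNotificationDays = 14   # illustrative; days before expiry that M365 starts reminding the user

$domains = Get-MgDomain -All | Where-Object { $_.IsVerified }

# Current policy per domain; these are the only expiry-related knobs for cloud-only accounts.
$domains | Select-Object Id, IsDefault, PasswordValidityPeriodInDays, PasswordNotificationWindowInDays |
    Format-Table -AutoSize

$default = $domains | Where-Object { $_.IsDefault } | Select-Object -First 1
if ($Apply -and $default) {
    Update-MgDomain -DomainId $default.Id `
        -PasswordValidityPeriodInDays $NewValidityDays `
        -PasswordNotificationWindowInDays $NewNotificationDays
    "Updated $($default.Id): validity $NewValidityDays days, notification window $NewNotificationDays days."
}
```

Run it read-only first; the table it prints is the quickest way to see whether the tenant's expiry settings match what you have configured in Quickpass before end-users start receiving reminders from both sides.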
Next Steps
- Manually enabling CyberQP Active Directory to Azure/M365 sync
  https://support.getquickpass.com/hc/en-us/articles/4403754565527-Enabling-Office-365-Synchronization-for-End-User-Accounts-to-Existing-Quickpass-Customer
- Additional Security for Azure/Entra Emergency Access Accounts:
  https://support.getquickpass.com/hc/en-us/articles/17810557790743-Additional-Security-for-Entra-Break-Glass-Emergency-Access-Accounts
Updated 10.27.2023