This guide is intended to provide steps for creating and configuring an Enterprise App for GCC High Tenants that will allow you to match with a CyberQP Customer. If you are looking to configure this for a standard Entra/M365 tentant, please use this guide instead.
Prerequisites
Global Admin account in the O365 tenant
Customer exists in the CyberQP dashboard
Primary, Super, Manager, or Engineer Level Permissions to the CyberQP Dashboard
Initiate Connection on CyberQP Dashboard
On the Customers table, press the actions button and select "Connect GCC High"
-
You will be presented with the following modal, which will include a
-
Redirect URL to copy into Entra/M365
Redirect URL:
https://admin.getquickpass.com/customers/office-connect
a field for your Application ID from your GCC High Enterprise App
a field for you Application Secret from your GCC High Enterprise App
-
Configuring the App Registration in your M365 GCC High Tenant
Login to your Microsoft Azure portal (https://portal.azure.us)
Navigate to App Registrations
-
Add a new App Registration, and configure it as follows
Name: CyberQP GCC High
Supported Account Types: Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)
Redirect URL: Copy from dashboard connect modal
-
In the "Select a Platform" dropdown, Select "Web"
Click Register when you're ready.
Copy the Application ID of the app you just registered and store it securely you will need it later; this can be found on the Overview page of the App Registration
Adding Permissions to the App Registration
We are going to be adding 7 permissions to the App Registration - after finishing, the permissions API permissions page should look like this:
Adding the Application-level Permissions
We are going to do the following steps 5 times, once for each of the following permissions:
Application.ReadWrite.All
Directory.ReadWrite.All
Domain.ReadWrite.All
User.ReadWrite.All
UserAuthenticationMethod.ReadWrite.All
Policy.ReadWrite.AuthenticationMethod
Click the Add a permission button
Select Microsoft Graph
Click Microsoft Graph > Application Permissions
Search for Application.ReadWrite.All, and put a checkmark on it
Click the Add Permissions button
Adding the Delegated-level Permissions
Click the Add a permission button
-
Click Microsoft Graph > Delegated Permissions
Search for User.read, and put a checkmark beside it
-
Click the Add Permissions button
Granting Admin Consent
-
Click the Grant Admin Consent button
Assign Privileged Roles to Enterprise App
- In the Roles and Administrators menu in the Azure Active Directory portal type Privileged in the search field to locate the Privileged authentication administrator role.
-
Double click the Privileged authentication administrator role name to open it.
Note: There are some alternate options if you do not wish to add the group to the Privileged authentication administrator group with some exceptions.
Privileged Authentication Administrator Role
- Rotate / Reset the password for any account within the tenant including Global admin accounts.
- Block / Unblock sign in for any account within the tenant including Global admin accounts.
Password Administrator / Helpdesk Administrator Role
- Rotate / Reset the password for any account not added to any privileged roles or accounts in the Password Administrator or Helpdesk Administrator group
- Block / Unblock sign in for any non privileged account or accounts in the Password Administrator or Helpdesk Administrator group
- In the Privileged Authentication Administrator | Assignments window click the + Add assignments button
- Type "CyberQP GCC High" in the search field, select CyberQP GCC High from the search results and click Add button at the bottom when done.
8. You will now see the CyberQP GCC High Application as a member of the Privileged Authentication Administrator built in role.
9. NOTE: In the event that you intend to leverage the Azure/Entra/M365 Just in Time Feature, it is imperative to ensure the activation of the Enterprise App within this additional role. Repeat steps 5-7 for the Privileged Role Administrator role.
Creating a Client Secret
-
Within the App Registration, navigate to Manage -> Certificates & Secrets, and add a new Client Secret
NOTE: The Certificates & Secrets menu is only available from the App Registration resource directly.
-
Copy the Value and store it securely, you will need it later
NOTE: You are to copy the 'Value', not the 'Secret ID'. The 'Value' field is visible only at creation time, failure to copy the 'Value' at creation time will require a new client secret creation.
Entering the data in CyberQP Dashboard
-
Copy and paste values for Application ID and Application secret (the 'Value' copied in the step above) into the dashboard connection screen
After entering your Application ID and Application Secret (the 'Value' copied in the step above), press continue and your customer will now be matched to their GCC High Tenant.
Related content
Comments
0 comments
Please sign in to leave a comment.