Setting up a Microsoft 365 tenant with a technical account that operates without admin rights offers enhanced security and streamlined operations. This approach minimizes the risk associated with granting extensive permissions and ensures that tasks are performed with the least privilege necessary.
By following this method, organizations can maintain tighter control over their environment while still enabling necessary functionalities.
Table of Contents
- Prerequisites
- Configuring User Consent Settings
- Requesting and Granting Admin Consent
- Assigning Full Access Permissions to Room Mailboxes
- Troubleshooting and Considerations
1. Prerequisites
- A Microsoft 365 tenant with appropriate licenses.
- Access to the Microsoft Entra admin center.
- PowerShell installed on your machine.
- A Microsoft Technical Account for Comeen (ℹ️ This account does not require any Microsoft 365 license)
- Credentials for an account with the necessary administrative privileges to approve consent requests.
2. Configuring User Consent Settings
For Administrators:
To allow users to request admin consent for applications, enable the admin consent workflow:
- Sign in to the Microsoft Entra admin center.
- Navigate to Identity > Applications > Enterprise applications > Consent and permissions > Admin consent settings.
- Set Users can request admin consent to apps they are unable to consent to to Yes.
- Designate reviewers (users, groups, or roles) who will evaluate consent requests.
- Save the configuration.
This setup allows users to request admin approval for applications when they lack the necessary permissions.
3. Requesting and Granting Admin Consent
For End Users (Technical Account):
- Log in to your Comeen space as an administrator and navigate to Settings > Integrations.
- Under "Microsoft 365", click on "Sign In with Microsoft" for the scope you wish to request admin consent for.
- Log in with your Microsoft Technical Account.
- When prompted for permissions, justify the access request and submit a request for admin approval.
- After the admin grants consent, return to Comeen and reauthorize the scope.
For Administrators:
- Sign in to the Microsoft Entra admin center.
- Navigate to Identity > Applications > Enterprise applications > Admin consent requests.
- Review pending requests and approve the Comeen request.
- The user will receive a notification regarding the decision.
4. Assigning Full Access Permissions to Room Mailboxes
For Administrators:
To grant the technical account full access to a room mailbox, use PowerShell:
- Open PowerShell and connect to Exchange Online:
Connect-ExchangeOnline -UserPrincipalName <admin_account>@<domain>.com
- Execute the following command to grant full access:
Add-MailboxPermission -Identity "room-mailbox@domain.com" -User "technical-account@domain.com" -AccessRights FullAccess -InheritanceType All
- Replace "room-mailbox@domain.com" with the email address of the room mailbox.
- Replace "technical-account@domain.com" with the email address of the technical account.
This command assigns the specified technical account full access to the room mailbox, allowing it to perform necessary operations without requiring admin rights.
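The following script is an added example, not Comeen's own tooling: it performs the grant above for one room mailbox and then reads the mailbox's explicit permissions back to confirm that the technical account holds FullAccess and nothing more. It assumes the ExchangeOnlineManagement module is installed, that the three addresses are placeholders you replace with your tenant's values, and that Get-MailboxPermission reports the grantee's user principal name in its User column (in some tenants it shows a display name instead, in which case adjust the comparison).

```powershell
# Added example: grant FullAccess on one room mailbox and verify the result.
# All addresses are placeholders for this example.
$AdminUpn         = "admin@example.com"              # placeholder: account used to connect
$RoomMailbox      = "room-mailbox@example.com"       # placeholder: the room mailbox
$TechnicalAccount = "technical-account@example.com"  # placeholder: the Comeen technical account

# Requires the ExchangeOnlineManagement module (Install-Module ExchangeOnlineManagement).
Connect-ExchangeOnline -UserPrincipalName $AdminUpn

# Grant FullAccess only. -AutoMapping:$false stops Outlook from auto-adding the room
# to the technical account's profile, keeping the grant limited to programmatic use.
Add-MailboxPermission -Identity $RoomMailbox -User $TechnicalAccount `
    -AccessRights FullAccess -InheritanceType All -AutoMapping:$false

# Verify: list explicit (non-inherited) grants, excluding the built-in SELF entry.
$grants = Get-MailboxPermission -Identity $RoomMailbox |
    Where-Object { -not $_.IsInherited -and $_.User -notlike "NT AUTHORITY\*" }

$grants | Format-Table User, AccessRights, Deny -AutoSize

$techGrant = $grants | Where-Object { $_.User.ToString() -eq $TechnicalAccount }
if ($null -eq $techGrant) {
    Write-Warning "No explicit grant found for $TechnicalAccount on $RoomMailbox (changes can take time to propagate)."
} elseif (($techGrant.AccessRights -contains "FullAccess") -and -not $techGrant.Deny) {
    Write-Host "OK: $TechnicalAccount has FullAccess on $RoomMailbox"
} else {
    Write-Warning "Grant for $TechnicalAccount exists but is not a plain FullAccess allow entry; review it."
}

Disconnect-ExchangeOnline -Confirm:$false
```

Running the verification step immediately after the grant is useful because a missing entry here usually means propagation delay rather than a failed command, which matches the 24-hour note in the troubleshooting section.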
5. Troubleshooting and Considerations
- Delayed Approvals: If there's a delay in approval, follow up with the designated reviewers or administrators.
- Permission Errors: Ensure that the technical account has been granted the appropriate permissions and that there are no conflicting policies. Permission changes may take up to 24 hours to propagate.
- Security Best Practices: Regularly review permissions and access logs to maintain security and compliance.
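As an added example for the "regularly review permissions" point (not a Comeen-provided script), the following PowerShell enumerates every room mailbox in the tenant, collects the explicit FullAccess grants on each, and flags any grantee other than the expected technical account. It assumes the ExchangeOnlineManagement module, placeholder addresses that you replace with real ones, and that the User column of Get-MailboxPermission carries the grantee's user principal name.

```powershell
# Added example: audit explicit FullAccess grants across all room mailboxes.
# Addresses are placeholders for this example.
$AdminUpn         = "admin@example.com"              # placeholder: account used to connect
$TechnicalAccount = "technical-account@example.com"  # placeholder: the only expected grantee

Connect-ExchangeOnline -UserPrincipalName $AdminUpn

$findings = foreach ($room in Get-Mailbox -RecipientTypeDetails RoomMailbox -ResultSize Unlimited) {
    Get-MailboxPermission -Identity $room.PrimarySmtpAddress |
        Where-Object {
            -not $_.IsInherited -and
            ($_.AccessRights -contains "FullAccess") -and
            $_.User -notlike "NT AUTHORITY\*"
        } |
        ForEach-Object {
            [pscustomobject]@{
                Room     = $room.PrimarySmtpAddress.ToString()
                Grantee  = $_.User.ToString()
                Deny     = $_.Deny
                Expected = ($_.User.ToString() -eq $TechnicalAccount)
            }
        }
}

# Grants the technical account is supposed to hold
$findings | Where-Object Expected | Format-Table Room, Grantee -AutoSize

# Anything else deserves a second look: stale admin grants, former staff,
# or orphaned entries that show up as raw SIDs (S-1-5-...) in the Grantee column.
$unexpected = $findings | Where-Object { -not $_.Expected }
if ($unexpected) {
    Write-Warning "Unexpected FullAccess grants found on room mailboxes:"
    $unexpected | Format-Table Room, Grantee, Deny -AutoSize
} else {
    Write-Host "No unexpected FullAccess grants on room mailboxes."
}

Disconnect-ExchangeOnline -Confirm:$false
```

Scheduling this review (for example monthly) gives a simple, repeatable check that the least-privilege setup described in this guide has not drifted, and the output can be exported with Export-Csv for an audit trail.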
By following this guide, you can effectively set up your Microsoft 365 tenant with a technical account that operates without admin rights, ensuring both security and functionality.