Knowledge Base
Roles and Permissions in MSP Process
Roles:
There are two Roles in MSP Process - Admin, and Technician. By default, users who are invited to the platform are given the Admin role. Here are the differences between the two Roles:
The Admin Role... | The Technician Role.... |
The goal behind preventing the Technician role from accessing the Portal Settings menu is to prevent them from accessing Billing-related items, such as the credit card that is to be used, and the details of the subscription plan that you have with MSP Process.
Permissions:
There are two permissions that can be applied to any User in MSP Process, regardless of what Role (Admin or Technician) they have been assigned:
- The Use MFA option forces that user to set up MFA
- The Allow Access to UI option offers you two choices:
  - If Disabled, the user can only log in to the ConnectWise/Halo/Autotask pod, and cannot log in to the main https://app.mspprocess.com website
  - If Enabled, the user can log in to both the ConnectWise/Halo/Autotask pod and the main https://app.mspprocess.com website
Editing The Roles/Permissions of a User:
To edit a user's Role, or the Permissions assigned to that user, navigate to the Teams -> Users page, and then click the pencil icon for that user:
You'll then be presented with a screen that will allow you to edit that user's Roles and Permissions:
Syncing Contacts with Microsoft 365
Introduction
The MSP Process platform can sync contacts from a variety of sources, including many common PSA platforms in the MSP market. Some MSPs don't use a supported PSA though - for example, they use an uncommon PSA, or they've built their own, homegrown solution. In other cases, Microsoft 365 is the "source of truth" for Contacts, and the PSA is downstream, syncing contacts from Microsoft 365, so it makes sense to update those contacts directly in Microsoft 365 instead of in the PSA.
In those scenarios, MSPs can configure the MSP Process platform to directly sync Contacts with the end-user's Microsoft 365 contacts - allowing the MSP to leverage the End-user Verification, Secure Data Send, and Broadcast messaging features that are built into the platform.
Linking MSP Process with Microsoft 365
- Log in to the MSP Process UI
- Navigate to the Integrations -> PSA Integrations menu
- Click the Add button
- Click on the Microsoft 365 option
- Specify a name for the integration, and click the Submit button
- Click on the Microsoft 365 card that is now listed on the PSA Integrations page
- Click the Connect to Microsoft 365 button to link MSP Process to a Microsoft 365 tenant
- Follow the Microsoft UI flow to deploy the MSP Process app
- You're done! Repeat with any other Microsoft 365 tenants that you want to link to the MSP Process platform.
Interacting with Microsoft 365 Contacts in the MSP Process UI
Once you've integrated MSP Process with one or more Microsoft 365 tenants, you can view those Contacts from the Contacts menu:
From the Contacts page, you can view the Mobile Number and E-mail address of each contact. From the Actions column, you can open the MSP Process Pod, which will allow you to perform End-user Verification, securely send your customers data, and respond to Technician Verification requests.
Sending E-mails through an M365 Shared Mailbox
Introduction:
By default, any e-mail sent by the MSP Process platform comes from noprely@mspprocess.com. For e-mails that are sent internally to an MSP, such as invites for technicians to join the MSP Process platform, this is perfectly acceptable, but it's not ideal when dealing with e-mails that are sent to end-users, such as Opt-in forms and End-user Verification e-mails.
The MSP Process platform can be configured to send all of its end-user facing e-mails through a Microsoft 365 shared mailbox - making it easy for any Partner to send our e-mails from a trusted Sender address of their choosing.
Configuring MSP Process to use a Microsoft 365 Shared Mailbox
- Log in to the MSP Process UI with an Admin account
- Navigate to the Portal Settings -> Outgoing Mail page
- Click the Start Setup button
- Log in to the Microsoft 365 tenant that owns the Shared Mailbox you wish to use
- Approve the deployment of the MSP Process "Outbound Mail Module" application
- You're now able to choose which mailbox you wish to use:
- Click the Submit button to finish the setup process
Testing the Shared Mailbox Configuration
- From the Portal Settings -> Outbound Mail page, click the Test button
- You'll be brought to the Portal Settings -> Test E-mail page
- Choose the "Opt-In Letter" as the e-mail to be sent, and specify the recipient's e-mail address
- Click the Test button to send out the test e-mail
- Confirm that the recipient received the e-mail, and that the Sender address is the Shared Mailbox
Deleting a Shared Mailbox Configuration
- Navigate to the Portal Settings -> Outbound Mail page
- Click the Delete button
E-mails that are sent through an M365 Shared Mailbox:
- Opt-in forms
- End-user verification - both codes and secure links
- Secure Data Send e-mails
- Invitations to the Client Portal
E-mails that are not sent through an M365 Shared Mailbox:
- Invites to join the MSP Process platform (sent via the Teams -> Invite Users page)
- Password reset e-mails
- E-mails from the "Notifications" feature
Creating a Microsoft Teams Connection
Introduction:
Several features in the MSP Process platform can send messages to Microsoft Teams channels:
- When a new text message is sent to an SMS number
- When a new Live Chat is created
- When a new Client Portal chat is created
The goal of this KB article is to walk through how to set up a Workflow in Microsoft Teams that can accept the messages from the MSP Process platform, and to configure MSP Process so it knows about the Microsoft Teams channel.
Creating a Workflow in Microsoft Teams:
In the Microsoft Teams app, launch the Workflows feature by clicking on the ... menu item, and searching for "Workflows":
- In the Workflows app, click the button
- Click the button
- Create a workflow that looks like this:
Here's what the Parse JSON action should look like:
And here's the text that goes in the Schema field:
{
  "type": "object",
  "properties": {
    "text": {
      "type": "string"
    }
  }
}
Finally, here's how the "Post message in a chat or channel" action is configured:
Configuring a Microsoft Teams Connection in MSP Process:
- Log in to the MSP Process UI (https://app.mspprocess.com)
- Navigate to the Portal Settings -> Teams Connections page
- Click the Add button, and fill in the required fields:
- Give the connection a name
- In the URL field, paste the URL from the Microsoft Teams workflow
- Click the Test button to ensure that the connection to your Microsoft Teams workflow is correctly set up
- Click the Submit button to save the connection
Click the Test button; you should see the message "Hello, World" in the Microsoft Teams channel you specified in the Workflow.
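The Parse JSON schema above declares "text" as a string but lists no required properties, so under JSON Schema rules an empty object also validates. The following added example (not MSP Process code) checks a message body against that schema and builds the POST a sender would make; it assumes the workflow trigger accepts an HTTP POST with a JSON body, and the URL shown is a constructed placeholder.

```python
import json
import urllib.request

# Schema copied from the article's Parse JSON step.
SCHEMA = {"type": "object", "properties": {"text": {"type": "string"}}}
JSON_TYPES = {"object": dict, "string": str}


def schema_errors(value, schema, path="$"):
    """Check value against the JSON Schema subset the article uses (type, properties)."""
    if not isinstance(value, JSON_TYPES[schema["type"]]):
        return [f"{path}: expected {schema['type']}"]
    errors = []
    for name, sub in schema.get("properties", {}).items():
        if name in value:  # absent properties pass: the schema has no "required" list
            errors += schema_errors(value[name], sub, f"{path}.{name}")
    return errors


def build_request(workflow_url, text):
    """Build (but do not send) the POST for a Teams workflow URL."""
    if not workflow_url.startswith("https://"):
        raise ValueError("workflow URL must be https")
    body = {"text": text}
    problems = schema_errors(body, SCHEMA)
    if problems:
        raise ValueError("; ".join(problems))
    return urllib.request.Request(
        workflow_url,
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )


if __name__ == "__main__":
    # Constructed placeholder URL; paste the real workflow URL only at run time.
    req = build_request("https://example.invalid/workflow", "Hello, World")
    print(req.get_method(), req.data)
    # urllib.request.urlopen(req) would deliver the message to the workflow.
```

Treat the workflow URL like a credential in scripts and logs, since it is the only thing a sender needs to post into the channel.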
Configuring and Securing Single Sign-on (SSO) with Microsoft 365
Introduction
Microsoft Entra is a popular external Identity Provider (external IDP) that can be used to authenticate your technicians when they log in to the MSP Process platform. The goal of this KB article is to walk through how to set up Single Sign-on (SSO) between the MSP Process platform and Microsoft Entra, to review what's created in your Azure tenant when you configure Microsoft Entra as an external IDP, and to outline some additional settings that you can configure to further secure this capability.
Linking the MSP Process Platform to Microsoft Entra
When you first log in to the MSP Process platform, a wizard will prompt you to set up the integration with Microsoft:
The first person to take this step will be asked to install the MSP Process Enterprise Application - this Application is what facilitates an SSO login. You'll want to make sure that the Microsoft identity you use during this first step has sufficient rights to install Enterprise Apps in your M365 tenant.
Once that process has been completed, you'll have an "MSP Process" Enterprise Application in your Microsoft Azure environment:
When your colleagues then log in to MSP Process, and they also link their MSP Process account to Microsoft using our Setup Wizard, they will (regardless of their permissions in Microsoft 365) have their account successfully linked to their identity in Microsoft 365.
Further Securing the MSP Process Enterprise Application by Requiring User Assignment
By default, a newly-created Enterprise Application in Microsoft Azure does not have the Assignment Required option enabled. This means that any user in Entra can - if they have the correct credentials - log in to the MSP Process application using their Microsoft Entra credentials. By enabling the Assignment Required option, you can limit access to the MSP Process platform to only the users in your organization who require access to it.
- Sign in to the Microsoft Azure portal.
- Using the search field at the top of the page, look for Enterprise Applications.
- Click on the MSP Process application.
- Navigate to the Manage -> Properties tab
- Enable the Assignment Required option
- Click Save to save the change to the Application
- Navigate to the Manage -> Users and Groups tab
- Click the Add User/Group button to assign the appropriate users to the MSP Process application
That's it! You've now limited who can log in to the MSP Process platform to only those in your organization who should have access to it.
Further Securing the Enterprise Application by Applying a Conditional Access Policy
Limiting who can log in to the MSP Process platform by requiring them to be explicitly assigned to the Enterprise Application in Azure is an excellent step. There's a further step that can be taken, which is to apply the Require phishing-resistant multifactor authentication for administrators Conditional Access Policy. Applying this policy ensures that only users who have already authenticated to Microsoft Entra using both a password and a phishing-resistant method of MFA - such as Windows Hello for Business, a FIDO2 security key, or Microsoft Entra certificate-based authentication - are able to log in to the MSP Process platform. More details on phishing-resistant MFA can be found in this Microsoft KB article.
Instructions from Microsoft on what the Conditional Access Policy does and how it can be configured are available here. The steps specific to the MSP Process platform are:
- Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
- Browse to Protection > Conditional Access.
- Select Create new policy.
- Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
- Under Target resources > Cloud apps > Include, select the MSP Process Enterprise Application.
- Under Access controls > Grant, select Grant access, Require authentication strength, select Phishing-resistant MFA, then select Select.
- Confirm your settings and set Enable policy to Report-only.
- Select Create to create your policy.
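To confirm that both hardening steps took effect (Assignment Required, and a Conditional Access policy requiring phishing-resistant MFA), the following added example audits Microsoft Graph JSON for the enterprise application offline. It is not MSP Process or Microsoft code; field names follow Graph's servicePrincipal and conditionalAccessPolicy resources, and every object and ID in it is constructed sample data. A policy left in Report-only logs what it would have done without enforcing it, which the audit reports as "policy-not-enforced".

```python
# Built-in "Phishing-resistant MFA" authentication strength ID in Microsoft Entra.
PHISHING_RESISTANT = "00000000-0000-0000-0000-000000000004"


def covers_app(policy, app_id):
    """True if the policy targets app_id and grants on phishing-resistant MFA."""
    apps = (policy.get("conditions") or {}).get("applications") or {}
    included = apps.get("includeApplications") or []
    excluded = apps.get("excludeApplications") or []
    strength = (policy.get("grantControls") or {}).get("authenticationStrength") or {}
    targeted = (app_id in included or "All" in included) and app_id not in excluded
    return targeted and strength.get("id") == PHISHING_RESISTANT


def audit(sp, assignments, policies):
    """Return findings for one service principal. User scoping is not evaluated."""
    findings = []
    if not sp.get("appRoleAssignmentRequired"):
        findings.append("assignment-not-required")
    elif not assignments:
        findings.append("no-users-assigned")
    covering = [p for p in policies if covers_app(p, sp["appId"])]
    if not covering:
        findings.append("no-phishing-resistant-policy")
    elif not any(p.get("state") == "enabled" for p in covering):
        findings.append("policy-not-enforced")
    return findings


# Constructed sample data (placeholder app ID, hypothetical user and policy name).
APP_ID = "11111111-2222-3333-4444-555555555555"
SP_DEFAULT = {"displayName": "MSP Process", "appId": APP_ID,
              "appRoleAssignmentRequired": False}
SP_HARDENED = dict(SP_DEFAULT, appRoleAssignmentRequired=True)
ASSIGNED = [{"principalDisplayName": "Tech One", "principalType": "User"}]


def make_policy(state):
    """Build a sample policy targeting APP_ID with the given state."""
    return {
        "displayName": "Require phishing-resistant MFA - MSP Process",
        "state": state,
        "conditions": {"applications": {"includeApplications": [APP_ID]}},
        "grantControls": {"operator": "OR",
                          "authenticationStrength": {"id": PHISHING_RESISTANT}},
    }


if __name__ == "__main__":
    print(audit(SP_DEFAULT, [], []))
    print(audit(SP_HARDENED, ASSIGNED, [make_policy("enabledForReportingButNotEnforced")]))
    print(audit(SP_HARDENED, ASSIGNED, [make_policy("enabled")]))
```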
Secure Data Send Settings
To configure the default settings for the Secure Data Send feature, log in to the main MSP Process UI (https://app.mspprocess.com), and navigate to the Portal Settings -> Secure Data Settings page.
The Secure Data Settings page allows you to configure how sending both text and files will behave. You can also choose to lock down these settings, so they can't be modified by your Technicians.
Disable technician ability to change link, logs and file settings on secure data page - This locks the settings that a technician sees when sending a customer data or text.
Enable File Sending - This enables the ability to securely send files to your customers. By default, it's enabled.
Single Use Link - This makes it so that the end-user can only access the text/data once.
Time to live for secure text send links - When sending text, this controls how long the link will be active.
Save Logs to Ticket/Contact - This will save the actions of the tech and the user regarding the link. This includes when the tech sent it, and when the user opened it.
Save logs to internal note - This will save logs of all actions to the internal note on your PSA instead of the public discussion note section.
Save data to internal note - Whatever password or text is sent to the user would be logged as an internal note. By default this option is disabled.
File save expiration period - Controls how long a file will be available. Default is 1 day.
File save location - Controls which region the file will be stored. By default this will be in the same country that was specified for your tenant with MSP Process. There is storage available in the following regions:
- One in Canada Central (located in Toronto)
- Another in Central US (located in Iowa)
- Another in Australia East (based in Sydney)
- And one in UK South (based in London)
Page Header Text - This is the header displayed to the user above the link when they receive the message and click the link.
Message on Reveal Secure Data - This message is revealed once the user shows the data from the link.
SMS Template - Messaging that is sent with the SMS link to the user. You can put text before and/or after the link. Do not remove the ${link} as this will break the functionality.
Email Template - Same as above, you can add text before and/or after the link.
Update your Company Logo
Click on Portal Settings -> Settings. Then Select upload new Image.