
Introduction

Microsoft's Authenticator app is a great tool to use when verifying someone's identity through the MSP Process platform - it's more secure than just sending an SMS message, it can leverage additional biometric security mechanisms like Apple's FaceID, and it's convenient - your end-users likely already have the Microsoft Authenticator app on their phone.

In order for the MSP Process platform to send a push notification to your end-users, there are configuration steps that must be taken within that end-user's M365 tenant. This KB article will guide you through using GDAP Relationships in your CSP-model M365 tenant to complete those steps.


Prerequisites

  • Each end-user M365 tenant must have an Entra P1 license (or higher) assigned to it
  • You must have the credentials for a user account in your CSP-model M365 tenant that has Cloud Application Administrator permissions, and is a member of the AdminAgents group
  • You must have access to your Microsoft Partner Center account


1. Adding Groups to Microsoft Entra

You need to create two new Groups in Microsoft Entra - we suggest calling one GDAP - Application Administrator and the other GDAP - User Administrator - and then associate that user account mentioned in the Prerequisites section to those two Groups.

  1. Login to the Microsoft Entra Admin Center (https://entra.microsoft.com/)
  2. Navigate to Groups -> All Groups
  3. Click the New Group Button
  4. Fill in the Group details as outlined below:
    1. Group Name: GDAP - Application Administrator
    2. Microsoft Entra roles can be assigned to the group: Yes
    3. Click the No Members Selected link, and select the user account mentioned in the Prerequisites section
    4. Click Create
  5. Repeat steps 3 and 4 for the GDAP - User Administrator group.
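The two groups above can also be created with Microsoft Graph PowerShell. The script below is an added example, not part of the MSP Process KB or Microsoft's documentation; it assumes the Microsoft.Graph module is installed, that the signed-in account can create role-assignable groups (Group.ReadWrite.All plus RoleManagement.ReadWrite.Directory), and the UPN in $AdminUpn is a placeholder for the account from the Prerequisites section. The point worth noticing is that "Microsoft Entra roles can be assigned to the group" (isAssignableToRole) can only be set when the group is created, so the script refuses to silently reuse a group that was created without it.

```powershell
# Added example (not from the MSP Process KB): creates the two role-assignable groups
# from Section 1 and adds the GDAP admin account to both.
$AdminUpn = 'gdap-admin@contoso.example'   # placeholder for the account from Prerequisites

Connect-MgGraph -Scopes 'Group.ReadWrite.All','RoleManagement.ReadWrite.Directory','User.Read.All'

$admin = Get-MgUser -UserId $AdminUpn -Property Id,UserPrincipalName

foreach ($name in 'GDAP - Application Administrator','GDAP - User Administrator') {
    $group = Get-MgGroup -Filter "displayName eq '$name'"

    if ($group -and -not $group.IsAssignableToRole) {
        # isAssignableToRole cannot be switched on after creation; a non-role-assignable
        # group cannot be used for the Entra role mappings in Section 3.
        throw "Group '$name' exists but is not role-assignable; recreate it."
    }

    if (-not $group) {
        # Role-assignable groups must be security-enabled and not mail-enabled.
        $group = New-MgGroup -DisplayName $name `
            -MailEnabled:$false `
            -MailNickname ($name -replace '[^A-Za-z0-9]', '') `
            -SecurityEnabled `
            -IsAssignableToRole `
            -Description 'GDAP role-assignment group for the MSP Process Authenticator integration'
    }

    # Add the admin account only if it is not already a member.
    $members = Get-MgGroupMember -GroupId $group.Id -All
    if ($members.Id -notcontains $admin.Id) {
        New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $admin.Id
    }

    [pscustomobject]@{
        Group              = $name
        GroupId            = $group.Id
        IsAssignableToRole = $group.IsAssignableToRole
        Member             = $admin.UserPrincipalName
    }
}
```

Keep membership of these groups to the single account the integration needs; every member inherits the Application Administrator or User Administrator role in every customer tenant covered by the relationship.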


2. Requesting an Admin Relationship

For each M365 child tenant that you want to deploy the Microsoft Authenticator module into, you are required to create an Admin relationship from the Admin Relationships page in Partner Center.

  • The GDAP - Application Administrator group will be assigned the Application Administrator Entra role
  • The GDAP - User Administrator group will be assigned the User Administrator Entra role
  1. Login to the Microsoft Partner Center (https://partner.microsoft.com/)
  2. Click on the Customers card
  3. In the menu structure on the left, click on the Administer menu item
  4. Click the Request Admin Relationship button
  5. Request a relationship that includes the Application Administrator and User Administrator Entra Roles
  6. Click Finalize Request to complete the Admin Relationship request


3. Associating Entra Roles with the Correct Group

Now that an Admin Relationship has been created between your CSP M365 tenant and your client's M365 tenant, you must create an association between the Groups created earlier in Entra and the Entra Roles specified in the Admin Relationship.

  1. Login to the Microsoft Partner Center (https://partner.microsoft.com/)
  2. Click on the Customers card
  3. In the menu structure on the left, click on the Administer menu item
  4. Click into the client's M365 tenant
  5. Click into the Admin Relationship created in the last section
  6. Click the +Add Security Groups button
  7. Choose the GDAP - Application Administrator group
  8. Choose the Application Administrator Entra role
  9. Click Save
  10. Repeat steps 6 through 8 for the GDAP - User Administrator group and User Administrator Entra role
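Once Sections 2 and 3 are done, it is worth confirming from the CSP tenant that each active relationship grants only the two roles this integration needs and that the right groups are mapped to them. The script below is an added example, not from the MSP Process KB or Microsoft's documentation; it assumes the Microsoft.Graph.Identity.Partner and Microsoft.Graph.Groups modules are installed and the caller holds DelegatedAdminRelationship.Read.All and Group.Read.All. The two GUIDs are Microsoft's built-in Entra role template IDs, which are the same in every tenant.

```powershell
# Added example (not from the MSP Process KB): audits GDAP relationships in the CSP tenant.
# Reports roles that are missing or go beyond the two required ones, and which security
# group is mapped to which role in each relationship.
Connect-MgGraph -Scopes 'DelegatedAdminRelationship.Read.All','Group.Read.All'

# Built-in Entra role template IDs (identical across tenants).
$RoleNames = @{
    '9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3' = 'Application Administrator'
    'fe930be7-5e62-47db-91af-98c3a49a38b1' = 'User Administrator'
}
$ExpectedRoles = [string[]]$RoleNames.Keys

$relationships = Get-MgTenantRelationshipDelegatedAdminRelationship -All |
    Where-Object { $_.Status -eq 'active' }

foreach ($rel in $relationships) {
    $granted = @($rel.AccessDetails.UnifiedRoles.RoleDefinitionId)

    # Any role beyond the two needed here widens what a compromised partner account can do.
    $extra   = $granted       | Where-Object { $_ -notin $ExpectedRoles }
    $missing = $ExpectedRoles | Where-Object { $_ -notin $granted }

    $assignments = Get-MgTenantRelationshipDelegatedAdminRelationshipAccessAssignment `
        -DelegatedAdminRelationshipId $rel.Id -All

    $mapping = foreach ($a in $assignments) {
        $grp = Get-MgGroup -GroupId $a.AccessContainer.AccessContainerId -ErrorAction SilentlyContinue
        $grpName = if ($grp) { $grp.DisplayName } else { $a.AccessContainer.AccessContainerId }
        foreach ($r in $a.AccessDetails.UnifiedRoles.RoleDefinitionId) {
            $roleName = if ($RoleNames.ContainsKey($r)) { $RoleNames[$r] } else { $r }
            '{0} -> {1}' -f $grpName, $roleName
        }
    }

    [pscustomobject]@{
        Relationship  = $rel.DisplayName
        Customer      = $rel.Customer.DisplayName
        ExpiresOn     = $rel.EndDateTime
        MissingRoles  = ($missing | ForEach-Object { $RoleNames[$_] }) -join ', '
        ExtraRoles    = $extra -join ', '
        GroupMappings = $mapping -join '; '
    }
}
```

A relationship with a non-empty ExtraRoles column was requested with more than the Application Administrator and User Administrator roles; a relationship with an empty GroupMappings column has no security group assigned yet, so nobody in the CSP tenant can actually use it until Section 3 is completed.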

4. Obtaining the Redirect URI for the App Registration

You'll be creating an App Registration in your CSP-model M365 tenant; as part of configuring that App Registration, you'll need a Redirect URI - let's grab that from MSP Process:

  1. Login to the MSP Process UI (https://app.mspprocess.com)
  2. Navigate to Integrations -> Security Integrations
  3. Click the Add New Integration button
  4. Click on Microsoft Authenticator
  5. Click the CSP-model M365 Tenant button
  6. In the pop-up window that appears, click on the copy icon for the Link for Redirect URI parameter
  7. Leave the MSP Process window open; we'll be coming back to it in just a few minutes.

5. Configuring the App Registration in your CSP-model M365 Tenant

    1. Login to your Microsoft Azure portal (https://portal.azure.com)
    2. Navigate to App Registrations
    3. Add a new App Registration, and configure it as follows (note that the URL will change, depending on the ID of your M365 integration):
      • Name: MSP Process: MS Authenticator Deployment App
      • Supported Account Types: Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)
      • Redirect URI: Web; URI: This is the URI you copied from the previous step, in MSP Process
    4. Within the App Registration, go to Manage -> API Permissions
    5. Remove the 'User.Read' permission
    6. Click the Add a permission button
    7. Click Microsoft Graph > Application Permissions
    8. Search for DelegatedAdminRelationship.Read.All
    9. Click the Add Permissions button
    10. Now let's add the second permission that is needed: click the Add a permission button
    11. Go to the APIs my organization uses tab
    12. Search for fa3d9a0c-3fb0-42cc-9193-47c7ecd2edbd (this is the ApplicationID of the required permission)
    13. Click on the resulting Microsoft Partner Center entry
    14. Put a checkmark beside the user_impersonation permission
    15. Click the Add Permissions button
    16. Within the App Registration, navigate to Manage -> Certificates & Secrets, and add a new Client Secret. Copy that Client Secret, as you'll need it in just a moment
    17. Back in MSP Process, fill in the rest of the fields in that Connect to Microsoft 365 (GDAP) pop-up window:
      • The Domain Name of your M365 CSP tenant (this is the Primary Domain that you'd see on the Home page, in Microsoft Entra)
      • The Application ID of the app you just registered; this can be found on the Overview page of the App Registration
      • The Client Secret you copied when creating it a moment ago
    18. Click Submit
    19. In the Microsoft window that appears, sign in to your CSP-model M365 tenant
    20. Follow the prompts to provide MSP Process with the required permissions
    21. You'll be brought back to the MSP Process UI
    22. If you then click into the Microsoft Authenticator card, you'll see the child tenants that have been set up successfully
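The app registration configured in Section 5 can be checked against the intended settings with Microsoft Graph PowerShell: multitenant sign-in audience, a web redirect URI, User.Read removed, the Graph application permission DelegatedAdminRelationship.Read.All, the Partner Center user_impersonation delegated permission (application ID fa3d9a0c-3fb0-42cc-9193-47c7ecd2edbd, as in step 12), nothing else, and how long the client secret has left. This is an added example, not from the MSP Process KB or Microsoft's documentation; it assumes the Microsoft.Graph module and the Application.Read.All scope, and that the app was named as in step 3.

```powershell
# Added example (not from the MSP Process KB): verifies the Section 5 app registration.
$AppDisplayName     = 'MSP Process: MS Authenticator Deployment App'   # name from Section 5, step 3
$GraphAppId         = '00000003-0000-0000-c000-000000000000'           # Microsoft Graph
$PartnerCenterAppId = 'fa3d9a0c-3fb0-42cc-9193-47c7ecd2edbd'           # Microsoft Partner Center (step 12)

Connect-MgGraph -Scopes 'Application.Read.All'

$app = Get-MgApplication -Filter "displayName eq '$AppDisplayName'" | Select-Object -First 1
if (-not $app) { throw "App registration '$AppDisplayName' not found." }

# The manifest stores permission GUIDs; resolve them to names through the resource's
# service principal ('Role' = application permission, 'Scope' = delegated permission).
function Resolve-Permission {
    param([string]$ResourceAppId, [string]$PermissionId, [string]$Type)
    $sp = Get-MgServicePrincipal -Filter "appId eq '$ResourceAppId'"
    if ($Type -eq 'Role') { ($sp.AppRoles | Where-Object Id -eq $PermissionId).Value }
    else                  { ($sp.Oauth2PermissionScopes | Where-Object Id -eq $PermissionId).Value }
}

$perms = foreach ($res in $app.RequiredResourceAccess) {
    foreach ($ra in $res.ResourceAccess) {
        [pscustomobject]@{
            ResourceAppId = $res.ResourceAppId
            Type          = $ra.Type
            Name          = Resolve-Permission $res.ResourceAppId $ra.Id $ra.Type
        }
    }
}

$checks = [ordered]@{
    MultitenantAudience  = $app.SignInAudience -eq 'AzureADMultipleOrgs'
    HasWebRedirectUri    = $app.Web.RedirectUris.Count -gt 0
    UserReadRemoved      = -not ($perms | Where-Object { $_.ResourceAppId -eq $GraphAppId -and $_.Name -eq 'User.Read' })
    GraphGdapReadPresent = [bool]($perms | Where-Object { $_.ResourceAppId -eq $GraphAppId -and $_.Type -eq 'Role' -and $_.Name -eq 'DelegatedAdminRelationship.Read.All' })
    PartnerCenterPresent = [bool]($perms | Where-Object { $_.ResourceAppId -eq $PartnerCenterAppId -and $_.Type -eq 'Scope' -and $_.Name -eq 'user_impersonation' })
    OnlyExpectedPerms    = ($perms | Measure-Object).Count -eq 2
}
[pscustomobject]$checks

# Client secrets expire; list them so a renewal can be planned before the integration
# stops authenticating.
$app.PasswordCredentials | ForEach-Object {
    [pscustomobject]@{
        SecretName  = $_.DisplayName
        EndDateTime = $_.EndDateTime
        DaysLeft    = [int]($_.EndDateTime - (Get-Date)).TotalDays
    }
} | Sort-Object EndDateTime
```

Every value in the first table should read True. A False in OnlyExpectedPerms means a permission outside the two listed in Section 5 is still on the registration, which is the usual sign that User.Read was not removed in step 5 or that an extra permission was added by mistake.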

At this point, you've set up MSP Process to use Microsoft Authenticator to verify the end-users in that M365 tenant with their Microsoft Authenticator app. You'll now see Microsoft Authenticator available as an option within your PSA:

ConnectWise/Halo PSA:

Autotask:

Introduction

When you send a verification request to someone's Microsoft Authenticator app, you may see an error message in MSP Process saying that the user has a different "Preferred Auth Method" specified. In this situation, the user will not receive your verification request.

The goal of this KB article is to show you where in M365 you can go to modify a user's preferred authentication method.

Example of the Error:


Steps to resolving the Error:

  1. Login to the Microsoft Entra admin center (https://entra.microsoft.com/?l=en.en-us) as a user who has the rights needed to modify someone's identity in Entra
  2. Navigate to Protection -> Authentication methods
  3. Under the Monitoring section, click on User Registration Details
  4. Click on the user whose preferred authentication method you want to modify
  5. In the MFA Status card, click on Manage MFA Authentication methods
  6. Click on the pencil icon that allows you to edit the Default sign-in method
  7. Choose Microsoft Authenticator from the drop-down menu
  8. Click the Save button, and you're done!
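The setting edited in steps 6 to 8 is also exposed through Microsoft Graph, which makes it possible to check a user's default method before sending a verification request rather than discovering the mismatch from the error. The script below is an added example, not from the MSP Process KB or Microsoft's documentation; it assumes the Microsoft.Graph module, the UserAuthenticationMethod.ReadWrite.All scope, an account allowed to manage other users' authentication methods, and a placeholder UPN. It uses the beta signInPreferences endpoint, which Microsoft may change.

```powershell
# Added example (not from the MSP Process KB): reads, and optionally sets, a user's
# default secondary authentication method via the Graph beta signInPreferences endpoint.
$UserPrincipalName      = 'someone@customer.example'   # placeholder
$SetToAuthenticatorPush = $false                       # set to $true to change the method

Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All'

$uri   = "https://graph.microsoft.com/beta/users/$UserPrincipalName/authentication/signInPreferences"
$prefs = Invoke-MgGraphRequest -Method GET -Uri $uri

# 'push' is the Authenticator app notification this integration relies on. Other values
# (for example 'sms', 'oath', 'voiceMobile') are what produce the "Preferred Auth Method"
# error described above.
[pscustomobject]@{
    User              = $UserPrincipalName
    PreferredMethod   = $prefs.userPreferredMethodForSecondaryAuthentication
    SystemPreferredOn = $prefs.isSystemPreferredAuthenticationMethodEnabled
    SystemPreferred   = $prefs.systemPreferredAuthenticationMethod
}

if ($SetToAuthenticatorPush -and $prefs.userPreferredMethodForSecondaryAuthentication -ne 'push') {
    # The user must already have the Authenticator app registered, otherwise the update is rejected.
    $body = @{ userPreferredMethodForSecondaryAuthentication = 'push' }
    Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body -ContentType 'application/json'
    Write-Host "Default sign-in method for $UserPrincipalName set to Microsoft Authenticator (push)."
}
```

If SystemPreferredOn is True, the tenant's system-preferred MFA policy decides which registered method is used and the user's own preference is not what governs the prompt; in that case the user needs the Authenticator app registered, not just selected.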


Introduction

Microsoft's Authenticator app is a great tool to use when verifying someone's identity through the MSP Process platform - it's more secure than just sending an SMS message, it can leverage additional biometric security mechanisms like Apple's FaceID, and it's convenient - your end-users likely already have the Microsoft Authenticator app on their phone.

In order for the MSP Process platform to send a push notification to your end-users, there are configuration steps that must be taken within that end-user's M365 tenant. This KB article will guide you through those steps.


Prerequisites

  • Your end-user's M365 tenant must have an Entra P1 license (or higher) assigned to it
  • You must have a set of credentials for your customer's M365 tenant that have Cloud Application Administrator permissions.

Configuring an M365 Tenant

The following steps must be done for each M365 tenant.

  1. Login to the MSP Process UI (https://app.mspprocess.com)
  2. Navigate to Integrations -> Security Integrations
  3. Click the Add New Integration button
  4. Click on Microsoft Authenticator
  5. In the Microsoft window that appears, sign in to your customer's M365 tenant
  6. Follow the prompts to provide MSP Process with the required permissions
  7. When that's completed, you'll be brought to the onboarding page
  8. Click the Tap to finish onboarding button
  9. You'll be brought back to the MSP Process UI

At this point, you've set up MSP Process to use Microsoft Authenticator to verify the end-users in that M365 tenant with their Microsoft Authenticator app. You'll now see Microsoft Authenticator available as an option within your PSA:

ConnectWise/Halo PSA:

Autotask: