Knowledge Base

Overview:

Onboarding and offboarding employees is something MSPs always look to make as efficient as possible. By taking advantage of Microsoft's support for the SCIM protocol, it's easy to provide your technicians with access to MSP Process simply by adding and removing them from Security Groups in Microsoft 365. This KB article will walk you through the steps you'll need to follow.

Creating the Enterprise Application in Microsoft Azure

  1. Launch the Azure management portal (https://portal.azure.com)
  2. Browse to Microsoft Entra ID.
  3. On the left side select Enterprise applications.
  4. At the top of the page select + New application.
  5. Select the + Create your own application.
  6. Add the name of the application, for instance MSP Process SCIM.
  7. Select the radio button Integrate any other application you don't find in the gallery (Non-gallery) and click Create.
  8. On the left side under Manage select Provisioning.
  9. Again on the left side under Manage select Provisioning.
  10. Change the Provisioning Mode to Automatic.
  11. Expand Admin Credentials

Grabbing the Tenant URL and Secret Token from MSP Process

  1. In a separate browser tab, login to the MSP Process platform (https://app.mspprocess.com) as an Admin-level user
  2. Navigate to the Settings -> User Management -> SSO page and find the Tenant URL and Secret Token fields.
  3. Come back to Azure portal

Finishing the Configuration of the Enterprise Application in Microsoft Azure

  1. In the Admin Credentials section of the Enterprise application, make sure that Authentication Method is Bearer Authentication.
  2. Paste the Tenant URL and Secret Token you found into the fields under Authentication Method.
  3. Click Test Connection.
  4. If it’s successful, then Save the configuration.
  5. Expand the Mappings section.
  6. Click on Provision Microsoft Entra ID Groups, disable it, and Save the change.
  7. Click on Provision Microsoft Entra ID Users.
  8. Make sure that the following attribute mappings are set:

     customappsso Attribute     Microsoft Entra ID Attribute
     userName                   userPrincipalName
     displayName                displayName
     externalId                 objectId

           

  1. Click the Add New Mapping button at the bottom of the page
  2. Configure it as shown below:
    • Mapping Type = Expression
    • Expression = SingleAppRoleAssignment([appRoleAssignments])
    • Target Attribute = roles[primary eq "True"].value 

  3. Save the user mappings changes.
  4. In a new browser tab login to Azure, go to App registrations and find the App Registration that's been created.
  5. On the left side under Manage select App roles.
  6. Remove the User role:
    1. Edit the User role, and uncheck the Do you want to enable this app role? option 

    2. Save the change
    3. Edit the User role again, and click the Delete button 
  7. Add Admin and Technician roles - both the Display name and the Value here need to exactly match "Admin" or "Technician", as this is what assigns the user a specific role in MSP Process.
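
The following is an added example, not MSP Process or Microsoft code: a Python check over a SCIM 2.0 User body of the shape the mappings above produce, flagging a primary role whose value is not exactly "Admin" or "Technician". The sample payload and the function name check_scim_user are constructed for illustration; how MSP Process handles the payload server-side is not shown in this article.

```python
import json

ALLOWED_ROLES = ("Admin", "Technician")  # values the article says must match exactly
REQUIRED = ("userName", "displayName", "externalId")  # targets from the mapping table

# Constructed sample body, shaped like a SCIM 2.0 core User (RFC 7643).
SAMPLE_USER = json.dumps({
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "tech1@example.com",
    "displayName": "Tech One",
    "externalId": "00000000-0000-0000-0000-000000000001",
    "roles": [{"primary": "True", "value": "Technician"}],
})


def check_scim_user(body: str) -> list:
    """Return a list of problems; an empty list means the payload looks right."""
    user = json.loads(body)
    problems = [f"missing attribute: {k}" for k in REQUIRED if not user.get(k)]

    # roles[primary eq "True"].value targets the value of the primary role entry.
    # The flag may arrive as the string "True" or as a JSON boolean; accept both.
    roles = [r for r in (user.get("roles") or []) if isinstance(r, dict)]
    primary = [r.get("value") for r in roles
               if str(r.get("primary")).lower() == "true"]
    if len(primary) != 1:
        problems.append(f"expected exactly one primary role, found {len(primary)}")

    for value in primary:
        if value in ALLOWED_ROLES:
            continue
        # Point out near misses such as wrong case or stray whitespace.
        folded = value.strip().lower() if isinstance(value, str) else None
        hint = next((a for a in ALLOWED_ROLES if a.lower() == folded), None)
        note = f" (did you mean {hint!r}?)" if hint else ""
        problems.append(f"role value {value!r} is not an exact match{note}")
    return problems


if __name__ == "__main__":
    print(check_scim_user(SAMPLE_USER) or "payload OK")
```
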

Pushing Users from Microsoft Into MSP Process

  1. In the other browser tab, where you were editing the Enterprise Application, click on the Manage -> Users and Groups tab. 
  2. Click on + Add user/group.
  3. Select the security group(s) to be provisioned.
  4. Select the Role for the group and click Assign.
  5. On the left side under Manage select Provisioning.
  6. Click on the Start provisioning button.

Results!

It'll take anywhere from 10-40 minutes for Microsoft to provision users into MSP Process; it depends on how many users you've got in the Security Groups.

If you're interested in how Microsoft describes why provisioning through SCIM can take a bit of time, and what you should expect in your specific circumstance, check out this KB article:

Check the status of user provisioning

You can see how things are going from the Settings -> User Management -> Users page in MSP Process.

Logging in as a Provisioned User

Your technicians just need to click the Microsoft button on the MSP Process login page:


 

Introduction

DUO (https://duo.com) is a popular identity verification platform. You can use it in MSP Process to achieve two goals:

  • To secure the login process of anyone looking to access your MSP Process account at https://app.mspprocess.com. This capability requires the DUO Web SDK to be configured. 
  • During the end-user verification process; DUO can be used instead of sending the user a verification code via e-mail or SMS. This capability requires the DUO Auth API and Admin API to be configured. Click here for the KB article that outlines how to set this up.

This KB article will take you through all of the steps required to do the first scenario - to use DUO to secure how your technicians login to the MSP Process platform. 

Step 1: Configuring the Web SDK Entity in DUO

What is the DUO Web SDK? The Duo Web SDK adds the two-factor authentication screens and workflow to the MSP Process login flow.

How is the Web SDK Used? This module only needs to be set up if you want to use DUO to secure how you and your techs log in to the MSP Process platform. It is not required if you only plan on using DUO for End-User Verification.

  1. Login to the DUO Admin portal (https://admin.duosecurity.com/)
  2. From the left-hand menu, navigate to Application -> Protect an Application
  3. Search for "Web SDK" in the Search field
  4. Click on the Protect button beside Web SDK
  5. In the Details section, copy the Client ID, Client Secret and API Hostname; you'll need them later
  6. In the Settings section, change Name field to say "MSP Process"
  7. Under the Universal Prompt section, choose the Show traditional prompt option
  8. Click Save
  9. When prompted, choose No, thanks - you don't want to use the Universal prompt.

Step 2: Integrating MSP Process with DUO

  1. Login to the MSP Process portal (https://app.mspprocess.com)
  2. Navigate to Settings -> Integrations -> Security Integrations
  3. Click the Add new integration button

  4. Click the DUO Web SDK button; specify a name, and then enter the Integration Key, Secret Key and API Hostname from Step #2.
  5. Click Submit when you're done.

     

Step 3: Configuring Your MSP Process User Account To Use DUO During The Login Process

  1. From the MSP Process UI, click on the Profile button in the top right-hand corner of the UI
  2. Enable the Link DUO feature
  3. Follow the on-screen prompts from DUO that will link your MSP Process account to DUO
  4. Once you've gone through the DUO screens, and have been returned to the MSP Process UI, click Submit

Congratulations! You're Done!

You've now set up the required entities in DUO and configured MSP Process with the information it needs to start using DUO to secure the login process to your MSP Process UI.

 

Roles and Permissions in MSP Process

Roles:

There are two Roles in MSP Process - Admin, and Technician. By default, users who are invited to the platform are given the Technician role. Here are the differences between the two Roles:

The Admin Role...
  • has full access to all menus in MSP Process, and can create/edit/delete anything within the platform
  • can invite other users into the platform
  • can be assigned new Live Chats and new Client Portal chats

The Technician Role...
  • can use the features and capabilities set up by the Admin, but cannot Add, Edit or Delete anything
  • does not have access to the following menus:
    • Integrations or Account Settings
    • Messaging -> Opt-in Settings
    • Messaging -> Configurations
    • Ticketing -> Company Mapping
    • Ticketing -> Ticket Templates
    • Verification -> Verification Settings
  • cannot invite other users into the platform
  • cannot be assigned new Live Chats or new Client Portal chats

 

 

Permissions:

There are two permissions that can be applied to any User in MSP Process, regardless of what Role (Admin or Technician) they have been assigned:

  • The Use MFA option forces that user to set up MFA
  • The Allow Access to UI option offers you two choices:

 

 

Editing The Roles/Permissions of a User:

To edit a user's Role, or the Permissions assigned to that user, navigate to the Teams -> Users page, and in the Actions column click the pencil icon for that user:

You'll then be presented with a screen that will allow you to edit that user's Roles and Permissions:

Using DUO's "Traditional" Login Prompt

Context:

Recent changes made by DUO have made it so that their Universal Prompt cannot be rendered in an iframe. The main UI of the MSP Process platform is not affected by this change, but our PSA-embedded Pod (ConnectWise and Halo PSA) and Insight (Autotask) are affected, as they are iframes within the UI of those PSA platforms.

This KB article guides you through how to change your DUO configuration for MSP Process to use DUO's "traditional" prompt, which will allow you to continue to securely login to the MSP Process Pod/Insight when you've chosen to use DUO as your MFA provider.

 

Instructions:

  1. Login to your DUO admin panel (the URL will be something like https://admin-.duosecurity.com/ )
  2. Click on the Applications menu
  3. Find the Web SDK entry for MSP Process, and edit it
  4. Under the Universal Prompt section, choose the Show traditional prompt option
  5. At the bottom of the page, click the Save button

 

Conclusion:

You've now successfully configured your DUO tenant to use their traditional prompt for the MSP Process platform. You'll find that your login experience does look different, as DUO's traditional prompt has a different look and feel:

IP Address info for MSP Process

FQDNs:

If you need to whitelist our IP addresses or domains, they are shown below:

https://pod.mspprocess.com

https://app.mspprocess.com

https://api.mspprocess.com

 

IP address for https://app.mspprocess.com and https://pod.mspprocess.com:

20.118.48.12

 

API / App Bots / Live Chat / Client Portal Outbound IP Address:

64.236.54.139

Uptime Monitor IP Addresses:

  • Central US: 20.98.161.12
  • West Europe: 20.56.100.179
 

MSP Process Engineering / Tech Support IP Address:

 
52.180.156.12