Knowledge Base

Clear

Introduction

DUO (https://duo.com) is a popular identity verification platform. You can use it in MSP Process to acheive two goals:

  • To secure the login process of anyone looking to access your MSP Process account at https://app.mspprocess.com. This capability requires the DUO Web SDK to be configured. 
  • During the end-user verification process; DUO can be used instead of sending the user a verification code via e-mail or SMS. This capability requires the DUO Auth API and Admin API to be configured. Click here for the KB article that outlines how to set this up.

This KB article will take you through all of the steps required to do the first scenario - to use DUO to secure how your technicians login to the MSP Process platform. 

Step 1: Configuring the Web SDK Entity in DUO

What is the DUO Web SDK? The Duo Web SDK adds the two-factor authentication screens and workflow to the MSP Process login flow.

How is the Web SDK Used? This module only needs to be setup if you want to use DUO to secure how you and your techs login to the MSP Process platform. It is not required if you only plan on using DUO for End-User Verification.

  1. Login to the DUO Admin portal (https://admin.duosecurity.com/)
  2. From the left-hand menu, navigate to Application -> Protect an Application
  3. Search for "Web SDK" in the Search field
  4. Click on the Protect button beside Web SDK
  5. In the Details section, copy the Client ID, Client Secret and API Hostname; you'll need them later
  6. In the Settings section, change Name field to say "MSP Process"
  7. Under the Universal Prompt section, choose the Show traditional prompt option
  8. Click Save
  9. When prompted, choose No, thanks - you don't want to use the Universal prompt.

Step 2: Integrating MSP Process with DUO

  1. Login to the MSP Process portal (https://app.mspprocess.com)
  2. Navigate to Integrations -> Security Integrations
  3. Click the Add new integration button

     4. Click the DUO Web SDK button; specify a name, and then enter the Integration KeySecret Key and API Hostname from Step #2.

     5. Click Submit when you're done.

     

Step 3: Configuring Your MSP Process User Account To Use DUO During The Login Process

  1. From the MSP Process UI, click on the Profile button in the top right-hand corner of the UI
  2. Enable the Link DUO feature
  3. Follow the on-screen prompts from DUO that will link your MSP Process account to DUO
  4. Once you've gone through the DUO screens, and have been returned to the MSP Process UI, click Submit

Congratulations! You're Done!

You've now setup the required entities in DUO and configured MSP Process with the information it needs to start using DUO to secure the login process to your MSP Process UI.

 

Roles and Permissions in MSP Process Account Management and Security

Roles:

There are two Roles in MSP Process - Admin, and Technician. By default, users who are invited to the platform are given the Technician role. Here are the differences between the two Roles:

The Admin Role... The Technician Role....
  • has full access to all menus in MSP Process, and can create/edit/delete anything within the platform
  • can invite other users into the platform
  • can be assigned new Live Chats and new Client Portal chats
  • can use the features and capabilities setup by the Admin, but cannot Add, Edit or Delete anything
  • Does not have access to the following menus:
    • Integrations or Account Settings
    • Messaging -> Opt-in Settings
    • Messaging -> Configurations
    • Ticketing -> Company Mapping
    • Ticketing -> Ticket Templates
    • Verification -> Verification Settings
  • cannot invite other users into the platform
  • cannot be assigned new Live Chats or new Client Portal chats

 

 

Permissions:

There are two permissions that can be applied to any User in MSP Process, regardless of what Role (Admin or Technician) they have been assigned:

  • The Use MFA option forces that user to setup MFA
  • The Allow Access to UI option offers you two choices:

 

 

Editing The Roles/Permissions of a User:

To edit a user's Role, or the Permissions assigned to that user, navigate to the Teams -> Users page, and then click the pencil icon for that user:

You'll then be presented with a screen that will allow you to edit that user's Roles and Permissions:

Using DUO's "Traditional" Login Prompt Account Management and Security

Context:

Recent changes made by DUO have made it so that their Universal Prompt cannot be rendered in an iframe. The main UI of the MSP Process platform is not affected by this change, but our PSA-embedded Pod (ConnectWise and Halo PSA) and Insight (Autotask) are affected, as they are iframes within the UI of those PSA platforms.

This KB article guides you through how to change your DUO configuration for MSP Process to use DUO's "traditional" prompt, which will allow you to continue to securely login to the MSP Process Pod/Insight when you've chosen to use DUO as your MFA provider.

 

Instructions:

  1. Login to your DUO admin panel (the URL will be something like https://admin-.duosecurity.com/ )
  2. Click on the Applications menu
  3. Find the Web SDK entry for MSP Process, and edit it
  4. Under the Universal Prompt section, choose the Show traditional prompt option
  5. At the bottom of the page, click the Save button

 

Conclusion:

You've now successfully configured your DUO tenant to use their traditional promp for the MSP Process platform. You'll find that your login experience does look different, as DUO's traditional prompt has a different look and feel:

Introduction

Microsoft Entra is a popular external Identity Provider (external IDP) that can be used to authenticate your technicians when they login to the MSP Process platform. The goal of this KB article is to walk through how to setup Single Sign-on (SSO) between the MSP Process platform and Microsoft Entra, to review what's created in your Azure tenant when you configure Microsoft Entra as an external IDP, and to outline some additional settings that you can configure to further secure this capability.

 

Linking the MSP Process Platform to Microsoft Entra

When you first login to the MSP Process platform, a wizard will prompt you to setup the integration with Microsoft:

The first person to take this step will be asked to install the MSP Process Enterprise Application - this Application is what facilitates an SSO login. You'll want to make sure that the Microsoft identity you use during this first step has sufficient rights to install Enterprise Apps in your M365 tenant.

Once that process has been completed, you'll have an "MSP Process" Enterprise Application in your Microsoft Azure environment:

When your colleagues then login to MSP Process, and they also link their MSP Process account to Microsoft using our Setup Wizard, they will (regardless of their permissions in Microsoft 365) have their account successfully linked to their identity in Microsoft 365. 

Further Securing the MSP Process Enterprise Application by Requiring User Assignment

By default a newly-created Enterprise Application in Microsoft Azure does not have the Assignment Required option enabled. This means that any user in Entra can - if they have the correct credentials - login to the MSP Process application using their Microsoft Entra credentials. By enabling the Assignment Required option, you can limit access to the MSP Process platform to only the users in your organization who require access to it.

  1. Sign in to the Microsoft Azure portal.
  2. Using the search field at the top of the page, look for Enterprise Applications.
  3. Click on the MSP Process application.
  4. Navigate to the Manage -> Properties tab
  5. Enable the Assignment Required option
  6. Click Save to save the change to the Application
  7. Navigate to the Manage -> Users and Groups tab
  8. Click the Add User/Group button to assign the appropriate users to the MSP Process application

That's it! You've now limited who can login to the MSP Process platform to only those in your organization who should have access to it.

 

Further Securing the Enterprise Application by Applying a Conditional Access Role

Limiting who can login to the MSP Process platform by requiring them to be explicitly assigned to the Enterprise Application in Azure is an excellent step. There's a further step that can be taken, which is to apply the Require phishing-resistant multifactor authentication for administrators Conditional Access Policy. Applying this policy ensures that only users who have already authenticated to Microsoft Entra using both a password and a phishing-resistant method of MFA - such as Windows Hello for Business, a FIDO2 security key, or Microsoft Entra certificate-based authentication - are able to login to the MSP Process platform. More details on phishing-resistant MFA can be found in this Microsoft KB article.

Instructions from Microsoft on what the Conditional Access Policy does and how it can be configured are available here. The steps specific to the MSP Process platform are:

  1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
  2. Browse to Protection > Conditional Access.
  3. Select Create new policy.
  4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
  5. Under Target resources > Cloud apps > Include, select the MSP Process Enterprise Application.
  6. Under Access controls > Grant, select Grant accessRequire authentication strength, select Phishing-resistant MFA, then select Select.
  7. Confirm your settings and set Enable policy to Report-only.
  8. Select Create to create to enable your policy.

IP Address info for MSP Process Account Management and Security

FQDNs:

If you need to whitelist our IP or domains they are shown below: 

https://pod.mspprocess.com

https://app.mspprocess.com

https://api.mspprocess.com

 

IP address for https://app.mspprocess.com and https://pod.mspprocess.com:

20.118.48.12

 

API / App Bots / Live Chat/ Client Portal Outbound IP Address:

64.236.54.139

 

MSP Process Engineering / Tech Support IP Address:

 
52.180.156.12