Configuring and Securing Single Sign-on (SSO) with Microsoft 365
Introduction
Microsoft Entra is a popular external Identity Provider (external IDP) that can be used to authenticate your technicians when they login to the MSP Process platform. The goal of this KB article is to walk through how to setup Single Sign-on (SSO) between the MSP Process platform and Microsoft Entra, to review what's created in your Azure tenant when you configure Microsoft Entra as an external IDP, and to outline some additional settings that you can configure to further secure this capability.
Linking the MSP Process Platform to Microsoft Entra
When you first login to the MSP Process platform, a wizard will prompt you to setup the integration with Microsoft:
The first person to take this step will be asked to install the MSP Process Enterprise Application - this Application is what facilitates an SSO login. You'll want to make sure that the Microsoft identity you use during this first step has sufficient rights to install Enterprise Apps in your M365 tenant.
Once that process has been completed, you'll have an "MSP Process" Enterprise Application in your Microsoft Azure environment:
When your colleagues then login to MSP Process, and they also link their MSP Process account to Microsoft using our Setup Wizard, they will (regardless of their permissions in Microsoft 365) have their account successfully linked to their identity in Microsoft 365.
Further Securing the MSP Process Enterprise Application by Requiring User Assignment
By default a newly-created Enterprise Application in Microsoft Azure does not have the Assignment Required option enabled. This means that any user in Entra can - if they have the correct credentials - login to the MSP Process application using their Microsoft Entra credentials. By enabling the Assignment Required option, you can limit access to the MSP Process platform to only the users in your organization who require access to it.
- Sign in to the Microsoft Azure portal.
- Using the search field at the top of the page, look for Enterprise Applications.
- Click on the MSP Process application.
- Navigate to the Manage -> Properties tab
- Enable the Assignment Required option
- Click Save to save the change to the Application
- Navigate to the Manage -> Users and Groups tab
- Click the Add User/Group button to assign the appropriate users to the MSP Process application
That's it! You've now limited who can login to the MSP Process platform to only those in your organization who should have access to it.
Further Securing the Enterprise Application by Applying a Conditional Access Role
Limiting who can login to the MSP Process platform by requiring them to be explicitly assigned to the Enterprise Application in Azure is an excellent step. There's a further step that can be taken, which is to apply the Require phishing-resistant multifactor authentication for administrators Conditional Access Policy. Applying this policy ensures that only users who have already authenticated to Microsoft Entra using both a password and a phishing-resistant method of MFA - such as Windows Hello for Business, a FIDO2 security key, or Microsoft Entra certificate-based authentication - are able to login to the MSP Process platform. More details on phishing-resistant MFA can be found in this Microsoft KB article.
Instructions from Microsoft on what the Conditional Access Policy does and how it can be configured are available here. The steps specific to the MSP Process platform are:
- Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
- Browse to Protection > Conditional Access.
- Select Create new policy.
- Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
- Under Target resources > Cloud apps > Include, select the MSP Process Enterprise Application.
- Under Access controls > Grant, select Grant access, Require authentication strength, select Phishing-resistant MFA, then select Select.
- Confirm your settings and set Enable policy to Report-only.
- Select Create to create to enable your policy.