Summary: This article contains step-by-step instructions on how to validate and configure the Microsoft 365 connection account manually.
Applies to: Cayosoft Administrator 6.3.1 or higher
ID: KB20200207-1
Overview
In January 2020, Microsoft announced the availability of Security defaults for Azure AD tenants. When enabled, this setting enforces multi-factor authentication (MFA) for all administrative role members, including sign-in attempts from scripts and applications running in the background. To automate various administrative actions, Cayosoft Administrator requires the Microsoft 365 connection account to be a member of the Global Administrator role. The additional configuration steps provided below are required for Cayosoft Administrator to perform these actions.
Exclude Microsoft 365 connection account from conditional access policies
Requirement
- Microsoft 365 connection account should be excluded from conditional access policies, including Baseline policies and custom policies.
Resolution
For step-by-step instructions, please see the article Excluding Microsoft 365 connection account from Azure AD Conditional Access Policies.
Exclude Microsoft 365 connection account from Security Defaults
Requirement
- Microsoft 365 connection account should be excluded from Security Defaults.
Resolution
- Check if Security Defaults is enabled:
  - Sign in to the Microsoft Entra admin center as a user with a Global Administrator role assigned.
  - Browse to Identity > Overview, and click the Properties tab.
  - Select Manage security defaults.
  - Check if Enable security defaults is set to Enabled.
- If Azure AD Security Defaults is enabled, the Microsoft 365 connection account should be excluded from the MFA enforcement. To do this, perform steps 1-7 from this article: Modern Authentication and Azure AD Security Defaults impact on Cayosoft Administrator – Cayosoft Help Center.
Note: Besides Security Defaults, multi-factor authentication (MFA) can be enforced on connection accounts by Conditional Access Policies. See the Validate Microsoft365 connection account for MFA enforcement section in the Troubleshooting connection to Microsoft 365 article.
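The two checks above (Security Defaults and Conditional Access Policies) can also be run against policy data exported from Microsoft Graph. The script below is an added example, not Cayosoft code: it assumes the JSON shapes returned by `/policies/identitySecurityDefaultsEnforcementPolicy` and `/identity/conditionalAccess/policies`, uses constructed sample data and a made-up account object ID, and does not evaluate group-based targeting.

```python
import json

# Well-known role template ID of the Global Administrator directory role.
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"
# Constructed sample data in the shape Microsoft Graph returns; IDs are made up.
ACCOUNT_ID = "11111111-aaaa-4bbb-8ccc-000000000001"
SECURITY_DEFAULTS = json.loads('{"isEnabled": false}')
POLICIES = json.loads("""[
 {"displayName": "Require MFA for admins", "state": "enabled", "conditions": {"users": {
    "includeRoles": ["62e90394-69f5-4237-9190-012177145e10"],
    "excludeUsers": ["11111111-aaaa-4bbb-8ccc-000000000001"]}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "Require MFA for all users", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "MFA pilot", "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"]}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "Block legacy auth", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"]}},
  "grantControls": {"builtInControls": ["block"]}}
]""")


def policy_enforces_mfa_on(policy, account_id, account_roles):
    """True if an enabled policy requires MFA and still targets the account."""
    if policy.get("state") != "enabled":      # report-only or disabled: not enforced
        return False
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    if "mfa" not in controls:
        return False
    users = (policy.get("conditions") or {}).get("users") or {}
    if account_id in (users.get("excludeUsers") or []):
        return False                          # explicit user exclusion wins
    if set(account_roles) & set(users.get("excludeRoles") or []):
        return False
    included = users.get("includeUsers") or []
    by_user = "All" in included or account_id in included
    by_role = bool(set(account_roles) & set(users.get("includeRoles") or []))
    return by_user or by_role                 # group targeting is not evaluated


def mfa_blockers(security_defaults, policies, account_id, account_roles):
    """List everything that would still force MFA on the connection account."""
    found = ["Security defaults"] if security_defaults.get("isEnabled") else []
    return found + [p["displayName"] for p in policies
                    if policy_enforces_mfa_on(p, account_id, account_roles)]


if __name__ == "__main__":
    print(mfa_blockers(SECURITY_DEFAULTS, POLICIES, ACCOUNT_ID, [GLOBAL_ADMIN_ROLE]))
```

An empty result means neither Security Defaults nor any enabled policy in the export still requires MFA from the account; each name returned is a policy that needs the exclusion described above.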
Disable Legacy Multi-Factor Authentication (MFA) for Microsoft 365 Connection account
Requirement
- Multi-factor Authentication (MFA) should be disabled for the Microsoft 365 connection account.
How to resolve
- Navigate to https://login.microsoftonline.com
- Open the Microsoft 365 Admin Center, open the list of Active users, and select the Microsoft 365 connection account in the list.
- Click Multi-factor authentication.
- In the list of accounts, locate the connection account and make sure the Multi-factor Auth Status column states "Disabled", as shown in the screenshot below.
- Save changes.
- If you are not able to log on with the Microsoft 365 Administrator Account credentials, obtain credentials with the appropriate settings that allow you to log on to the Microsoft portal.