We now have a new feature called Web Accounts. This functionality allows an administrator or privileged user to create a Web Account to access M365 products (Azure, Teams, etc.) for a limited time. Let’s go over how this works.
Requirements
- The user must have the proper role (see Roles Needed below).
- The user must belong to the user group associated with the web account.
- The user must have access to the tenant/customer.
- The user must have the Elevated Access License.
IMPORTANT NOTE: Web Accounts currently only work with an AzureAD/EntraID Directory and a Custom Group that contains one or more users from that AzureAD/EntraID directory. Make sure that the directory you select is the appropriate directory and that the group you select is the custom group housing the user(s) you are granting permission to check out the Web Account. At this time you can only grant one User Group access to Web Accounts.
MS Entra Requirements
Evo M365 elevation provides IT administrators the capability to access Azure admin accounts securely, as Evo frequently rotates usernames and passwords.
- If Conditional Access (the MFA feature) is enabled in your environment, ensure the Evo web account is whitelisted (excluded) from your MFA policies so that MFA is not applied to it. (Note: When a new Web Account is created and whitelisted, it may take some time for any policy changes to propagate to the newly created account(s). This could take up to 30 minutes. Test login access before utilizing the account.)
- If Conditional Access is not utilized, per-user MFA is managed from the Microsoft 365 Admin Center. Follow the subsequent steps to secure your environment while keeping the Evo web account's MFA disabled:
- Disable “Security defaults” on Entra ID. This option will disable all users’ MFAs.
- Navigate to the Multi-factor authentication page and make sure MFA is disabled for the Evo web account. It is disabled by default if you don’t have any MFA policy applied. Please make sure end users’ MFAs are enabled or enforced.
- Make sure the proper Microsoft Graph Permissions are set. (For details, refer to the "Microsoft Graph permissions" section in our Sync with Azure AD (AAD) using Microsoft Entra admin center KB article)
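The following script, added here as an example rather than taken from Evo's documentation, audits the state described above: it reports whether security defaults are enabled and which enabled Conditional Access policies still require MFA for the Evo web account without excluding it. It assumes the Microsoft.Graph PowerShell SDK is installed and that `$EvoWebAccountUpn` is a placeholder you replace with your own account's UPN.

```powershell
# Added example (not Evo's own code). Assumes the Microsoft.Graph PowerShell SDK.
$EvoWebAccountUpn = 'evo-webaccount@contoso.example'   # placeholder, constructed value

Connect-MgGraph -Scopes 'Policy.Read.All', 'User.Read.All'

$evoUser = Get-MgUser -UserId $EvoWebAccountUpn -Property Id, UserPrincipalName

# Security defaults enforce MFA for every user, so they must be off for the
# Evo web account to sign in without MFA (step 1 above).
$securityDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($securityDefaults.IsEnabled) {
    Write-Warning 'Security defaults are ENABLED; MFA is enforced for all users including the Evo web account.'
}

# Walk every Conditional Access policy and check whether the Evo account is
# in scope of an enabled MFA requirement without being excluded.
# Caveat: group-based scoping (IncludeGroups/ExcludeGroups) is not resolved
# here; a policy that targets a group containing the account is reported with
# GroupScoped = True so you can review it manually.
$report = foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    $users       = $p.Conditions.Users
    $requiresMfa = $p.GrantControls.BuiltInControls -contains 'mfa'
    $inScope     = ($users.IncludeUsers -contains 'All') -or ($users.IncludeUsers -contains $evoUser.Id)
    $excluded    = $users.ExcludeUsers -contains $evoUser.Id
    [pscustomobject]@{
        Policy         = $p.DisplayName
        State          = $p.State   # enabled / disabled / enabledForReportingButNotEnforced
        RequiresMfa    = $requiresMfa
        EvoInScope     = $inScope
        EvoExcluded    = $excluded
        GroupScoped    = [bool]$users.IncludeGroups
        NeedsAttention = $requiresMfa -and ($p.State -eq 'enabled') -and $inScope -and (-not $excluded)
    }
}

$report | Format-Table -AutoSize

$blocking = @($report | Where-Object NeedsAttention)
if ($blocking.Count -gt 0) {
    Write-Warning ("Evo web account is still subject to MFA in: " + ($blocking.Policy -join ', '))
} else {
    Write-Host "No enabled user-scoped CA policy requires MFA for $($evoUser.UserPrincipalName)."
}
```

Policies that require MFA and are not flagged should still cover your end users, which is the "end users' MFAs are enabled or enforced" condition in the steps above.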
Using Web Accounts
First, let’s go over the Vault Page. If you are unfamiliar with the Vault Page, this is the new page that will house Domain Accounts (Previously named Shared Accounts), Local Accounts, and Web Accounts. It can be found by either clicking “My Company” or navigating to a customer that you wish to explore and clicking that customer.
On the Vault page, there is a new tab titled Web Accounts:
Roles Needed
If you do not see this tab, then that means you may be missing the required permissions. We have created a new Role-Based Permissions category named Web Accounts. To find Role-Based Permissions, click on the “Home” breadcrumb to return to your Evo Dashboard, then click “Access”. The first tab that is displayed should be Role-Based Permissions. Here, you can set up your required roles. Let’s go over them.
- Manage Web Accounts – This role will allow you to create and delete web accounts.
- Use Web Accounts – This role will allow you to check in/check out a web account.
You must also have the following roles to successfully create a Web Account as it requires you to select a Directory and a Group:
Create a Web Account
Now that we have the proper roles, let’s create a Web Account. Click on the Create Web Account button and we’ll get started with the Web Account creation drawer.
Make sure to provide the required fields:
- Display Name – The displayed name in the Webapp for the Web Account.
- Select Directory – This is where you will select the appropriate AzureAD Directory. NOTE: This dropdown will only appear if there are multiple AzureAD directories to choose from.
- Select User Group – This is where you will select the appropriate Custom User Group where the user(s) exist that you wish to grant access to use this Web Account.
- Select Roles – This is where you will select the role(s) within EntraID that you’d like to apply to the user group. You can select multiple.
There are also two (2) optional toggles a user can enable for their Web Account:
- Immediately check out - Upon creation of the Web Account, the account will be checked-out and the check-out modal will appear for instant access.
- Create upon checkout and delete upon expiration - In Azure, this will continue to re-create and re-delete the user after expiring/checking out, cycling the username and password each time.
After you’ve provided the required information, click the Complete button and your Web Account will be created and listed in the table.
Example:
Clicking on the trash icon, or selecting the checkbox and using the action drop-down menu, will give you the option to delete the Web Account.
"Check out" a Web Account
From the list you will see a button called Check Out. This button will allow your privileged user(s) to check out this account and provides the Username/Password for the created Web Account.
The new dialog box that opens allows you to select a duration from a 30-minute minimum to 24 hours as a maximum. Once it reaches the displayed End Time, the Web Account will become disabled.
Select your required duration and click complete.
If successful, you will now notice that your user has successfully “Checked out” the web account, and you now have the option to Copy a hidden Username and Password. These credentials will be used to access whatever M365 role or permission you’ve set for it.
Since this account has been successfully checked out (notice the greyed-out box), a user is currently accessing this account. If you are not the user that has checked out this account, you are unable to access the Username or Password, and you cannot delete the account until the account is Checked In or the duration expires.
Expire a Web Account
If you are the user that checked out the account and you wish to check it back in, you will notice an Expire button.
Clicking this button will display a dialog box asking you to confirm that you wish to expire this account and check it back in (check-in).
After confirming, you have successfully checked the account back in.
Congratulations! You’ve completed the Web Account flow.