
kyle_wolff

Microsoft 365 / Office 365 Adapter - FNMS 2019 R1 - Azure User Account Roles / Token Generation

I was stepping through the new Microsoft 365 adapter post FNMS 2019 R1 with a customer, and the customer had some concerns with how the adapter was built with regards to the token generation. The current adapter uses an Azure user-based account that requires Multi-Factor Authentication to be turned off and the Global Administrator and Cloud Application Administrator roles, and, based on token generation policy, has to re-generate the token every time the adapter runs (considering their specific policy is set to require a refresh token every 8 hours).

My customer does not like the idea of the Global Admin and Cloud App Admin roles being a requirement for the adapter to work ongoing after the initial setup, where these roles are required. No account in their enterprise has these roles. So we did some additional trial and error to see if there was a way around this requirement, which led my customer to point out that it appears this adapter was built in a non-standard way, against Microsoft's best practices. The typical way would be to create "Secrets" or "Certificates" for an application (https://docs.microsoft.com/en-us/graph/auth-v2-service#4-get-an-access-token) using Graph Application Permissions. Having the FNMS Microsoft 365 adapter written to use Graph Application Permission "Secrets" or "Certificates" would negate the need for an Azure user account to keep the Global Admin and Cloud App Admin roles assigned to it for as long as the adapter is running, as it wouldn't require a refresh token daily. Using the method documented in the link above, one could create a "Secret" or "Certificate" for apps, with admin consent, and have their validity times set to 1 year, 2 years, or indefinitely.

I noticed the document I linked above was written May 3rd 2019, and this FNMS Microsoft 365 adapter was created before then. So on behalf of my customer, considering this Microsoft Graph best practice information, could the adapter be re-written again using "Secrets" or "Certificates" to avoid the ongoing need for an Azure user account to have the Global Administrator and Cloud App Admin roles assigned to it? It goes against this customer's every security policy, so they are hoping for a solution.

Thank you in advance; I appreciate any information and input.
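The app-only flow the post refers to (Microsoft identity platform client credentials grant against the v2.0 token endpoint, with a secret and `.default` scope), as an added example that is not part of the original post or of the FNMS adapter. The tenant, client ID and secret values are placeholders, and the sample tokens are constructed and unsigned so that the claim inspection runs offline; `is_app_only` shows the check a reviewer can use to confirm a token was issued to the application rather than to a signed-in user.

```python
import base64, json, urllib.request
from urllib.parse import urlencode

# v2.0 token endpoint and the Graph ".default" scope, which asks for every
# application permission an admin has already consented to for this app.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default"

def build_client_credentials_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for the client credentials grant: the app
    authenticates with its own secret, so no user, MFA exemption, admin
    role assignment or refresh token is involved."""
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_DEFAULT_SCOPE,
        "grant_type": "client_credentials",
    }).encode()
    return TOKEN_URL.format(tenant=tenant_id), body

def request_app_only_token(tenant_id, client_id, client_secret):
    """POST the request and return the access token (needs network access)."""
    url, body = build_client_credentials_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def token_claims(jwt: str) -> dict:
    """Decode the payload only (no signature check) to inspect claims."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))

def is_app_only(claims: dict) -> bool:
    """App-only tokens carry application permissions in `roles` and no `scp`
    claim; a token issued for a signed-in user carries `scp` instead."""
    return "roles" in claims and "scp" not in claims

def unsigned_sample_jwt(payload: dict) -> str:
    """Constructed, unsigned token for offline checks only (not a real token)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}."
```

A certificate credential follows the same request shape, with `client_secret` replaced by a signed `client_assertion`, as described in the linked Microsoft document.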
