Please note that the “Tenants” section is not available in the Configuration Manager SaaS version. Onboarding is managed via CoreView or the PartnerApp.
The authentication method determines how Configuration Manager authenticates into the tenant during a Sync in order to perform a backup, deploy changes, and any additional tasks.
In Configuration Manager you have the option to:
- Enable user account authentication (authenticating via delegated authentication) and Service Principal authentication
- Authenticate with only a Service Principal
Enable user account delegated authentication
The “Enable user account authentication” checkbox allows you to decide the method the Sync will authenticate with. When this box is checked, you can choose to authenticate via delegated authentication:
In this case, in addition to a Service Principal authentication, a user account is required.
Option 1: delegated authentication and service principal
With this option, Configuration Manager authenticates into the tenant using an Entra ID user of your choice (usually a pre-existing Global Administrator in the tenant or a user with custom permissions). Read here about roles for Delegated Authentication.
- During the initial Sync, Configuration Manager will ask you to sign in as this user. Configuration Manager generates a refresh token for the user you authenticate with and then authenticates into the tenant using this refresh token.
- This method allows authentication with a user who is subject to MFA, Conditional Access, and other security policies.
- Should the refresh token become invalidated, you'll need to log into the Configuration Manager app and re-authenticate to generate a new refresh token. The token can become invalidated for various reasons, such as changes in Conditional Access policies or sign-in policies, re-enrollment in MFA, or because of a short token expiration policy. It's important to note that these are examples and not an exhaustive list.
- Certain MFA enforcement types, like location-based enforcement, may not be compatible with delegated authentication unless using a self-hosted agent where the device location is under your control.
Option 2: use service principal only
If you choose to disable the “Enable user account authentication” box, you can install your tenant with a service principal only:
When the “Enable user account authentication” option is disabled, the Sync will authenticate with only a service principal. This prevents the need to authenticate a user account but reduces the number of configurations supported by the Sync.