Configure your tenant to enable the management session

  • Last update on February 29th, 2024

To enable the “Management service account”, which lets you delegate management actions to other operators without giving them the credentials for the Admin Center, follow the steps below:

Step 1: preparing for the activity

To ensure a smooth activation of your management session after setting up the management service account, check the following:

  • Multi-Factor Authentication (MFA) and any Conditional Access policies must be turned off for the new management service account. This includes the special accounts such as 4ward365.admin or coreview.admin.
  • Be aware that your company's default security policies might automatically apply Conditional Access policies that require MFA for new accounts. This can interfere with the activation process of the management session.


Check the policy

To resolve this problem, identify which policy is currently blocking access for our management account by running the What If analysis on the 4ward365.admin/coreview.admin account.

Configure allowed IPs

Then follow a simple manual procedure to configure allowed IPs for our management user (4ward365.admin/coreview.admin); MFA will be mandatory for sign-ins from outside those IPs.

Note: when the policy is enabled, the Azure Active Directory admin center will not show MFA as enabled for the users.
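
The two checks above can also be reasoned about offline. The Python below is an added example, not CoreView or Microsoft code: it evaluates exported Conditional Access policies against a sign-in by the management account and lists the policies that would require MFA. It assumes the policies follow the Microsoft Graph conditionalAccessPolicy JSON shape, evaluates only state, user and location conditions, and uses a placeholder object id, location id and IP range.

```python
import ipaddress

# Constructed sample data shaped like Microsoft Graph conditionalAccessPolicy
# objects; the object id, location id and IP range are placeholders.
SVC = "00000000-0000-0000-0000-00000000c0de"      # management account object id
NAMED_LOCATIONS = {"loc-allowed": ["203.0.113.0/28"]}  # allowed IPs
POLICIES = [
    {"displayName": "Default: MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Mgmt account: MFA outside allowed IPs", "state": "enabled",
     "conditions": {"users": {"includeUsers": [SVC], "excludeUsers": []},
                    "locations": {"includeLocations": ["All"],
                                  "excludeLocations": ["loc-allowed"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
]

def in_locations(ip, location_ids, named):
    """True if ip falls inside any CIDR range of the listed named locations."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr)
               for loc in location_ids for cidr in named.get(loc, []))

def policy_applies(policy, user_id, ip, named):
    """Simplified match on state, user and location only (no groups, roles, apps)."""
    if policy.get("state") != "enabled":
        return False
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    included = users.get("includeUsers", [])
    if user_id in users.get("excludeUsers", []):
        return False
    if "All" not in included and user_id not in included:
        return False
    loc = cond.get("locations")
    if loc:
        inc = loc.get("includeLocations", [])
        if "All" not in inc and not in_locations(ip, inc, named):
            return False
        if in_locations(ip, loc.get("excludeLocations", []), named):
            return False
    return True

def mfa_policies(policies, user_id, ip, named):
    """Names of the policies that would require MFA for this sign-in."""
    return [p["displayName"] for p in policies
            if policy_applies(p, user_id, ip, named)
            and "mfa" in (p.get("grantControls") or {}).get("builtInControls", [])]
```

With the sample data, a sign-in from inside the allowed range is still caught by the default all-users policy until the management account is excluded from it, which is the situation the What If analysis is meant to surface.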


Step 2: Enable the management session

To enable the management session, follow the steps below:

Enable the management session

Follow these instructions if the management session has not been enabled in your tenant. For further information refer to the CoreView Management Session documentation.


The management session needs to be active when performing management actions, custom actions, and workflows.


To initialize the CoreView management session, there are two configuration methods available. It is advised to create a management service account, as this option increases security by eliminating the need to distribute Global Admin credentials to delegated operators. The other method involves using Microsoft Global Admin credentials; however, it necessitates disabling MFA, which might not be suitable for every scenario. This article will guide you through both procedures to activate the CoreView management session.

Creating a management service account is the preferred method for enabling a management session in CoreView. Follow these steps to create a management service account for the first time:

Step 1: Select the “Use management service account” option.

  • Navigate to the “Management OFF” tab at the top of the screen.
  • Choose the “Use management service account” option.
  • Click the blue “Create service account” button to begin the process. You'll see a loading screen, and the process may take a few minutes.

Step 2a: Turn on the management session

  • After the process finishes, your management service account will be shown as created.
  • Ensure that MFA for the service account is disabled or that a Conditional Access policy is in place. This step is essential for the process to succeed.
  • Once confirmed, click the green “Turn on management session” button.

Step 2b: Troubleshooting service account creation

If the message “CoreView doesn't have permission to create a service account on your tenant” appears, click the blue “Retry service account creation” button below to try again. Should the issue persist, please contact the CoreView Support team for assistance.

Step 3: Auto-enable management session

Turn on the “Auto-enable management session” toggle to allow the management session to activate automatically whenever operators perform management actions, regardless of their current management status.

You are now set to carry out management actions, custom actions, and workflows. To deactivate the management session, click the red “Turn off management session” button. 

Be aware that selecting “Disable advance management” will delete your management service account.


Option 2: Use Microsoft Global Admin credentials with MFA disabled

To activate the management session for the first time with a Microsoft Global Admin account and MFA disabled, follow these steps:

  1. Enter the credentials of a Global Admin without Multi-Factor Authentication (MFA) enabled.
  2. Select the green “Turn on management session” button. 

Enabling the management session can take some time, normally a few minutes. Once it is enabled, the header will show the “Management ON” message. Operators can click that message to view further details and turn the session off.