The authentication method determines how Configuration Manager authenticates into the tenant during a Sync in order to perform a backup, deploy changes, and any additional tasks.
In Configuration Manager you have the option to:
- Enable user account authentication (authenticating via delegated authentication or Service Account) and Service Principal authentication
- Authenticate with only a Service Principal
Enable user account authentication: choose the authentication method
The “Enable user account authentication” checkbox allows you to decide the method the Sync will authenticate with. When this box is checked, you can choose to authenticate either via delegated authentication or to use a Service Account:
In this case, in addition to a Service Principal authentication, a user account is required, either through Delegated Authentication or Service Account Authentication.
Before proceeding…
If you haven't chosen the authentication method between delegated authentication or Service Account, read this article. It will highlight the importance of choosing the right authentication method and help you select the option that best fits your organization's security strategy, detailing the pros and cons of the different solutions.
Option 1: delegated authentication
With this option, Configuration Manager authenticates into the tenant using an Entra ID user of your choice (usually a pre-existing Global Administrator in the tenant or a user with custom permissions). Read here about roles for Delegated Authentication.
- During the initial Sync, Configuration Manager will ask you to sign in as this user. Configuration Manager generates a refresh token for the user you authenticate with and then authenticates into the tenant using this refresh token.
- This method allows authentication with a user who is subject to MFA, Conditional Access, and other security policies.
- Should the refresh token become invalidated, you'll need to log into the Configuration Manager app and re-authenticate to generate a new refresh token. The token can become invalidated for various reasons, such as changes in Conditional Access policies or sign-in policies, re-enrollment in MFA, or because of a short token expiration policy. It's important to note that these are examples and not an exhaustive list.
- Certain MFA enforcement types, like location-based enforcement, may not be compatible with delegated authentication unless using a self-hosted agent where the device location is under your control.
Option 2: use Service Account
This option creates an Entra ID user named Microsoft 365 Management Service, with the UPN:
simeon@tenantdomainname in the tenant where you're installing.
Configuration Manager then authenticates into the tenant as this user. Since no refresh token is used, changes to sign-in policies within the tenant generally won't affect the service account user's access.
- The service account user is assigned the Global Administrator role upon creation.
- Configuration Manager generates a random 128-character password and securely stores it, along with the username, in an encrypted pipeline variable.
- You will need to exclude the service account from any Conditional Access policies that could limit Configuration Manager's access to the tenant, including MFA policies.
Option 3: use service principal only
If you choose to disable the “Enable user account authentication” box, you can install your tenant with a service principal only:
When the “Enable user account authentication” option is disabled, the Sync will authenticate with only a service principal. This prevents the need to authenticate a user account but reduces the number of configurations supported by the Sync.