Introduction to management sessions

  • Last update on September 11th, 2023

A CoreView management session allows operators to execute:

  • management actions
  • custom actions
  • and workflows. 

The management session needs to be enabled using Microsoft 365 Global Admin credentials.  

 

What is a management session?

CoreView's “Management” is a tool that establishes a PowerShell channel to your Microsoft 365 portal, allowing the execution of actions. Most actions require “Management” to be turned on before they can run, although some actions require the Graph API instead.

The management session can be enabled by every operator with the “Management” role.  

 

Configurations

There are two possible configurations for CoreView management sessions:

Default – Microsoft Global Admin credentials required, without MFA enabled

CoreView creates an interactive PowerShell session with Office 365. As there isn't a good way to feed the token value into this session, the Global Admin account used to activate the management session must NOT have MFA enabled.

 
 

Advanced – No credentials required. Service account needed.

This feature enables lower-level admins and help-desk operators to make delegated changes to defined user accounts, as no Microsoft credentials are used to enable this type of management session. 

 
 

What is the difference between the two configurations?

Enabling the CoreView management session is quite similar in the “Default” and “Advanced” configurations. The difference for delegated operators is the need to enter credentials when using the “Default” configuration. With the “Advanced” configuration, you can delegate management action execution to other operators without providing them with the credentials for the Microsoft 365 Admin Center.

Why enable “Advanced” management session?

As we have just said, CoreView management sessions have two different configurations: “Default” and “Advanced”. If you are a tenant administrator, you can change this setting and enable the “Advanced” management session.

The “Advanced” configuration is the preferred one because:

  1. it prevents the sprawl of administrative accounts on Microsoft, while keeping everything within CoreView;
  2. it ensures that delegated operators have the required permissions to perform management actions at all times, as the permissions themselves are set only on CoreView (rather than on Microsoft as well);
  3. it automatically turns on the session when operators execute actions if the session happens to be off.

How “Advanced” management session works

CoreView creates a service account with the following Administrative roles: 

  • Authentication Administrator
  • Exchange Administrator
  • Global Reader
  • Reports Reader
  • SharePoint Administrator
  • Teams Administrator
  • and User Administrator. 

The credentials for this account are stored within Microsoft Azure Key Vault and changed once a week.
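As an added example (not CoreView's code), the role list and weekly rotation described above can be checked against exported account data to spot privilege drift or a stalled rotation. It assumes input shaped like Microsoft Graph `memberOf` entries and the user `lastPasswordChangeDateTime` property; the account name, the one-day grace period and the sample data are constructed.

```python
from datetime import datetime, timedelta, timezone

# Roles the page lists for the service account in the "Advanced" configuration.
EXPECTED_ROLES = {
    "Authentication Administrator", "Exchange Administrator", "Global Reader",
    "Reports Reader", "SharePoint Administrator", "Teams Administrator",
    "User Administrator",
}
MAX_PASSWORD_AGE = timedelta(days=7)  # page: credentials changed once a week


def audit_service_account(user, member_of, now, grace=timedelta(days=1)):
    """Return a list of findings for one account.

    user      -- dict with 'lastPasswordChangeDateTime' (ISO 8601, UTC)
    member_of -- list of dicts shaped like Microsoft Graph memberOf entries
    grace     -- assumed tolerance for rotation-job scheduling jitter
    """
    findings = []
    # Only directory roles count; group memberships are ignored.
    held = {
        m["displayName"] for m in member_of
        if m.get("@odata.type") == "#microsoft.graph.directoryRole"
    }
    for role in sorted(held - EXPECTED_ROLES):
        findings.append(f"unexpected role: {role}")
    for role in sorted(EXPECTED_ROLES - held):
        findings.append(f"missing role: {role}")
    changed = user.get("lastPasswordChangeDateTime")
    if changed is None:
        findings.append("no password change timestamp")
    else:
        ts = datetime.fromisoformat(changed.replace("Z", "+00:00"))
        age = now - ts
        if age > MAX_PASSWORD_AGE + grace:
            findings.append(f"password not rotated for {age.days} days")
    return findings


# Constructed sample data (not from a real tenant).
SAMPLE_USER = {"userPrincipalName": "svc-example@contoso.example",
               "lastPasswordChangeDateTime": "2023-08-20T03:00:00Z"}
SAMPLE_MEMBER_OF = [
    {"@odata.type": "#microsoft.graph.directoryRole", "displayName": r}
    for r in sorted(EXPECTED_ROLES - {"Reports Reader"}) + ["Global Administrator"]
] + [{"@odata.type": "#microsoft.graph.group", "displayName": "All Staff"}]

if __name__ == "__main__":
    now = datetime(2023, 9, 11, tzinfo=timezone.utc)
    for finding in audit_service_account(SAMPLE_USER, SAMPLE_MEMBER_OF, now):
        print(finding)
```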

What is Key Vault and why is it important?

Key Vault is a hardware security module specifically designed to store highly confidential information such as passwords and credit card information. With the credentials stored in Key Vault, CoreView can elevate its privileges without ever having access to the password itself. In addition, Key Vault automatically changes the password each week. The password is 16 characters long and is composed of:

  • Upper and lower case letters  
  • Special characters  
  • Numbers

Key Vault allows CoreView to gain access to an authorization token on demand, allowing it to elevate the rights of the service account and perform the action requested by the operator. This allows you to delegate very specific actions to an operator who would otherwise need to be entrusted with Global Admin credentials. All operations are audited by Microsoft Azure directly.