Microsoft Integration: Entra ID password rotation

NAVIGATION  Admin > Integrations > Microsoft > Microsoft 365

SECURITY  Manager or Administrator

BEFORE YOU BEGIN  To review prerequisites and learn how to fully set up an integration with Microsoft in IT Glue, refer to Microsoft Integration.

Configuring Microsoft Entra ID password rotation

Configuring the password rotation to Microsoft Entra ID consists of the following two parts:

  • Assigning the necessary permissions
  • Assigning the necessary roles

NOTE  This is required for both the main tenant (the tenant within which the application was created and used for integration with IT Glue) and for other tenants.

IMPORTANT  The main tenant should always be the MSP's tenant that has the GDAP/DAP relationship with its downstream clients (side tenants).

Connecting the rotation for the main tenant

To rotate passwords in Microsoft Entra ID, you need to add the following permissions for the tenant:

  • User.ManageIdentities.All
  • User.EnableDisableAccount.All
  • User.ReadWrite.All
  • Directory.ReadWrite.All
  • Directory.AccessAsUser.All

This set of permissions, as specified by Microsoft, is required to perform a user update.

Assigning API permissions

  1. Open page https://entra.microsoft.com/#home.
  2. Expand the Applications section in the menu on the left and click App registrations.
  3. In the main window with the list of all applications, select by name the one that is used for the Microsoft integration in IT Glue.
  4. Click API permissions. A list of all permissions the application already has is displayed. To add a new permission, click + Add a permission.
  5. Select Microsoft Graph, add all the permissions listed at the beginning of this section, and click Add permissions. The API permissions window from step 4 will open again.
  6. With the new permissions added, click Grant admin consent for <Tenant name>.

Now all the necessary permissions for updating passwords have been added.

Adding roles

The application must have at least the User Administrator role to update passwords for regular users. The following are the roles that can be assigned:

  • User Administrator - to rotate only ordinary users (users who do not have a single role containing "Administrator" in the name)
  • Global Administrator - to rotate all admins including the global admin
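The following is an added PowerShell example (not IT Glue's own code) that applies the rule above to a tenant: it reports which accounts a User Administrator assignment can rotate and which hold a role containing "Administrator" and would therefore need Global Administrator, so the higher role is only granted where it is actually needed. It assumes the AzureAD module is installed and a Connect-AzureAD session to the tenant already exists.

```powershell
# Added example, not IT Glue's own code. Assumes an existing Connect-AzureAD session.
# Rule from the page: an "admin" is any user holding a directory role whose name
# contains "Administrator"; User Administrator cannot rotate those accounts.
function Get-RotationScope {
    # Map user object ID -> the admin role it holds (first one found).
    # Only roles already activated in the tenant are returned by Get-AzureADDirectoryRole.
    $adminIds = @{}
    Get-AzureADDirectoryRole |
        Where-Object { $_.DisplayName -like '*Administrator*' } |
        ForEach-Object {
            $roleName = $_.DisplayName
            # Direct user members only; members assigned through a group are not expanded here.
            Get-AzureADDirectoryRoleMember -ObjectId $_.ObjectId |
                Where-Object { $_.ObjectType -eq 'User' } |
                ForEach-Object { $adminIds[$_.ObjectId] = $roleName }
        }

    # One row per user: which role the integration would need to rotate this account.
    Get-AzureADUser -All $true | ForEach-Object {
        $isAdmin = $adminIds.ContainsKey($_.ObjectId)
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            AdminRole         = $(if ($isAdmin) { $adminIds[$_.ObjectId] } else { '' })
            RequiredRole      = $(if ($isAdmin) { 'Global Administrator' } else { 'User Administrator' })
        }
    }
}

$scope = Get-RotationScope
# How many accounts each role level covers.
$scope | Group-Object RequiredRole | Select-Object Name, Count
# Accounts outside the User Administrator scope; decide whether Global Administrator is justified.
$scope | Where-Object { $_.AdminRole } | Format-Table UserPrincipalName, AdminRole
```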

To assign such a role to the application, the client needs to open the following link:

https://entra.microsoft.com/#view/Microsoft_AAD_IAM/RolesManagementMenuBlade/~/AllRoles?Microsoft_AAD_IAM_legacyAADRedirect=true

  1. Open page https://entra.microsoft.com/#home.
  2. Click Show more in the menu on the left.
  3. Expand Roles & admins from the sections and click on the sub-section Roles & admins.
  4. Search for the User Administrator role and click on it.
  5. Click Add Assignments.
  6. Enter the name of the application that is used for the Microsoft integration in IT Glue and click Add.

NOTE  You may be prompted with an Enter justification field, where you need to state why this role is being given to the application, for example 'to allow IT Glue to rotate passwords inside Entra'.

To rotate administrator passwords, you need to add the Global Administrator role by repeating all the steps above, but in step 4 select the Global Administrator role instead of User Administrator.

After completing these steps, the Microsoft integration in IT Glue will have the permissions and a role to rotate the passwords of ordinary users in the main tenant.

Connect among multi-tenants

To connect among multi-tenants, you have the following two connection options:

  • When several tenants are connected through the Microsoft admin center
  • When several tenants are available in Entra

When several tenants are connected through the Microsoft admin center:

  1. Open page https://admin.microsoft.com/Adminportal/Home#/homepage
  2. Choose All tenants in the menu on the left.
  3. Select the tenant in which you want to enable rotation.
  4. Click Show All in the menu on the left.
  5. If there is an Admin Center section in the left menu:
    1. Click Endpoint Manager.
    2. Go through authentication in the window that appears; as a result, the Azure Intune window will open.
    3. Select the Tenant Administration section in the menu on the left.
    4. Choose Microsoft Entra Privileged Identity Management.
    5. Select Microsoft Entra roles.
    6. Select Roles in the Manage section.
    7. Repeat steps 4 to 6 from the main tenant section for each role (User Administrator, and Global Administrator if you want to rotate admin users' passwords).
    8. In the added role window, open the Assignment Licenses tab and, in the list, click on the UID of the integration.

      IMPORTANT  Do NOT click on the name; click specifically on the UID.

  6. If the Admin Center section does not appear and this tenant is not needed in the rotation, skip it. If the tenant does need to be connected, complete the following steps:
    1. Expand the Billing section and select Licenses.
    2. In the list of licenses that opens, check whether one of the following licenses is connected: Microsoft 365 E5 Developer (at least Microsoft 365 E5 Developer (without Windows and Audio Conferencing)), Microsoft Entra ID Governance, or Microsoft Entra ID P2. If at least one of them is available, go to step 6.6.

      NOTE  If you have direct access to multi-tenants, you do not need any P1 or P2 Microsoft licenses.

    3. If none of the licenses from the previous step is present, select one of them from the list of all licenses and go through all the steps to purchase it.
    4. After the purchase, select the Licenses subsection again and assign the new license to the selected user (any user from this tenant).
    5. Follow the direct link to Azure Intune, https://endpoint.microsoft.com/domain.com?ref=AdminCenter, where instead of domain.com you indicate the tenant's domain (example: ITGlue.onmicrosoft.com).
    6. Go through the authentication in the window that appears, which opens the Azure Intune window.
    7. Repeat steps 5.3-5.10 from step 5 of this section (the case where there is an Admin Center) for each role.

When several tenants are available in Entra:

Adding permissions and roles follows the same procedure as for the main tenant, with only a few different initial steps:

  1. Open page https://entra.microsoft.com/#home.
  2. Open the section Identity > Overview in the menu on the left.
  3. Select Manage Tenants from the menu at the top.
  4. Select the desired tenant. The Entra window for the selected tenant opens; in it, repeat all the steps from the main tenant section starting from step 2, first for assigning API permissions and then for adding roles.

To synchronize the rotation between Entra ID and AD, so that a password rotated in one place is synchronized to the other, the client must configure Microsoft Connect.

Link to all "Microsoft Connect" documentation: whatis-azure-ad-connect-v2

Link with an example of setting up password synchronization: tutorial-password-hash-sync

Link explaining how synchronization works: how-to-connect-password-hash-synchronization

Add permissions and roles to multi-tenants in ‘onmicrosoft’ domain

Some clients might experience issues in getting the password rotation information for multi-tenants if they have an ‘onmicrosoft’ domain. In such cases, add permissions and roles to each tenant as follows.

To add permissions to multi-tenants in ‘onmicrosoft’ domain:

  1. For each tenant, create the following link: https://login.microsoftonline.com/<tenant-id>/adminconsent?client_id=<app-id>

    where <tenant-id> is the ID of the tenant for which you wish to grant permission to rotate users' passwords and <app-id> is the application ID for the integration.

  2. Log in to your administrator account.

  3. Grant permissions to the tenant.

  4. Repeat steps 1 to 3 for each tenant for which you want to grant access for password rotation.

To add roles to multi-tenants:

  1. Log in to Entra by accessing https://entra.microsoft.com/
  2. Click the user icon or directory name in the top right corner.
  3. Click Switch Directory from the dropdown menu.
  4. Click Switch for the chosen client.

    If you cannot find the tenant for which you want to add roles, you can find it from the Microsoft admin center:
    1. Log in to https://admin.microsoft.com/
    2. Choose All tenants in the menu on the left.
    3. Select the tenant in which you want to add the role.

  5. If there is an Admin Center section in the left menu, click Endpoint Manager.

    If not, you need to create the URL https://endpoint.microsoft.com/<tenant-domain>?ref=AdminCenter, where <tenant-domain> is the full domain name of your tenant.
  6. In the Azure Intune window, click Tenant Administration.
  7. Click Microsoft Entra Privileged Identity Management.
  8. Click Microsoft Entra Roles.
  9. Click Roles.
  10. Type Global Administrator in the search field and click on the role name in the list.

    NOTE  If you do not want to add the Global Administrator role and need to rotate only non-admin users in the tenant, enter User Administrator instead.

  11. Click Add Assignments.
  12. Click No member selected.
  13. In the Search field, type your integration name and click on the integration that appears in the list.
  14. Click Add, provide your justification for adding the role for the integration (this is necessary because other administrators can view the reason and will not delete the assignment), and click Assign.

Add Global Admin roles to tenants using PowerShell

When configuring the Microsoft Integration to be able to rotate Entra ID passwords, there are some cases where you may not be able to add global admin roles to your tenants if you have not purchased P1 or P2 licenses. To address this issue, you can add global admin roles to tenants in Microsoft with the help of PowerShell.

  1. Install the Azure AD PowerShell module. Install the Azure Active Directory PowerShell module using the guide available at the following link, if you haven't already:

    https://learn.microsoft.com/en-us/powershell/azure/active-directory/install-adv2?view=azureadps-2.0
  2. Connect to Azure AD using PowerShell. Connect to each tenant individually by running the following command in PowerShell:

    Connect-AzureAD

    You will be prompted to enter your Global Admin credentials for each tenant.
  3. Find the Enterprise Application:

    Identify the Enterprise Application (service principal) that represents your integration in each tenant and run the following commands in PowerShell:

    $appId = "<ApplicationId>" # Replace with the Application (Client) ID of your Enterprise Application. It can be found in Entra:
    1. Open the enterprise application.
    2. Find your application in the list and click on it. You will see the application ID as shown on the screenshot below.

      $enterpriseApp = Get-AzureADServicePrincipal -Filter "AppId eq '$appId'"
  4. Find the Role ID:

    Run the following commands in PowerShell:

    $roleName = "Global Administrator"
    $role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $roleName }

    If you want to assign the User Administrator role instead, run the following commands in PowerShell:

    $roleName = "User Administrator"
    $role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $roleName }

  5. Assign the role:

    Once you have identified the service principal, you can assign the Global Admin role to it using PowerShell:

    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $enterpriseApp.ObjectId

    $role.ObjectId is the Object ID of the Global Admin role in the tenant, which you retrieved in step 4 (usually 62e90394-69f5-4237-9190-012177145e10 for Global Admin, but it can be different).

    $enterpriseApp.ObjectId is the Object ID of the service principal representing your integration.
  6. Repeat the steps for each tenant:
    Disconnect from the current tenant (if needed) and connect to the next tenant using Connect-AzureAD, then repeat steps 3-5 for each tenant.
    To reconnect to a new tenant, use the following command:
    Connect-AzureAD -TenantId "tenantId"
    'tenantId' is the ID of the multi-tenant to which you want to add the role. To find it, go to the following link:
    https://endpoint.microsoft.com/<tenant-domain>?ref=AdminCenter

    NOTE  <tenant-domain> is the full domain of your tenant.

    On this page, click on the settings icon in the top right corner (near the notification icon). In the list you can see the Directory ID of your tenant. This is the 'tenantId'.
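Steps 2 to 6 above as one added PowerShell function (example code, not IT Glue's own script) that processes a list of tenants and adds the checks a practitioner would want: it fails clearly when the service principal is missing (admin consent has not been granted yet), enables the role from its template when the tenant has never activated it (Get-AzureADDirectoryRole only returns activated roles), and skips tenants where the role is already assigned. It assumes the AzureAD module is installed; <ApplicationId> and the tenant IDs are placeholders to replace with your own values.

```powershell
# Added example, not IT Glue's own script. Assumes the AzureAD module is installed.
# Least privilege: keep the default of User Administrator unless admin accounts must be rotated.
function Grant-IntegrationDirectoryRole {
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $AppId,
        [ValidateSet('User Administrator', 'Global Administrator')]
        [string] $RoleName = 'User Administrator'
    )

    # Each tenant is a separate session; you are prompted for that tenant's admin credentials.
    Connect-AzureAD -TenantId $TenantId | Out-Null
    try {
        $sp = Get-AzureADServicePrincipal -Filter "AppId eq '$AppId'"
        if (-not $sp) {
            throw "No service principal for app $AppId in tenant $TenantId. Grant admin consent first."
        }

        # Get-AzureADDirectoryRole lists only roles already activated in this tenant.
        # A role that has never been used is absent and must be enabled from its template.
        $role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $RoleName }
        if (-not $role) {
            $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $RoleName }
            $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
        }

        # Idempotent: Add-AzureADDirectoryRoleMember errors if the member is already assigned.
        $members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
        if ($members.ObjectId -contains $sp.ObjectId) {
            Write-Host "$RoleName already assigned to $($sp.DisplayName) in $TenantId"
        } else {
            Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId
            Write-Host "Assigned $RoleName to $($sp.DisplayName) in $TenantId"
        }

        # Return a record of the assignment for later review of who holds the role where.
        [pscustomobject]@{ Tenant = $TenantId; Role = $RoleName; RoleObjectId = $role.ObjectId; ServicePrincipal = $sp.ObjectId }
    }
    finally {
        Disconnect-AzureAD
    }
}

# Placeholders: replace with the integration's Application (client) ID and the tenant IDs.
$appId     = '<ApplicationId>'
$tenantIds = @('<tenantId-1>', '<tenantId-2>')
$tenantIds | ForEach-Object { Grant-IntegrationDirectoryRole -TenantId $_ -AppId $appId -RoleName 'User Administrator' }
```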