This article will cover how to enable and configure CoreView management sessions.
CoreView Management Session Overview
A CoreView management session allows operators to execute management actions, custom actions, and workflows; a session must be active while an action runs. The session is enabled using Microsoft 365 administrator credentials.
There are two possible configurations for CoreView management sessions:
Default - Global Admin credentials without MFA required
CoreView opens an interactive PowerShell session to Office 365. Because there is no reliable way to supply an MFA token to that session, the Global Admin account used to activate the management session must NOT have MFA enabled.
Advanced - No operator credentials required; a service account is used.
This mode lets lower-level admins and help-desk operators make delegated changes to defined user accounts, because no Microsoft credentials belonging to the operator are used to enable the session.
How to enable CoreView management session
One of the key features enabled by CoreView is the ability for lower-level admins and help-desk staff to make delegated changes to defined user accounts. Because these entitlements are managed from within CoreView, a service account must perform the changes on behalf of the operator: lower-level admins and help-desk personnel typically do not hold credentials that allow them to modify objects within Office 365 directly.
CoreView creates a service account with Global Admin privileges. Its credentials are stored in Microsoft Azure Key Vault and rotated once a week. Key Vault is a cloud secret store backed by hardware security modules, designed for highly confidential material such as passwords and keys. Because the credentials live in Key Vault, CoreView can elevate its privileges without any operator ever handling the password. The password is 16 characters long and is composed of:
- Upper and lower case letters
- Special characters
Key Vault lets CoreView obtain an authorization token on demand, elevating the service account's rights to perform the action requested by the operator. This lets you delegate very specific actions to an operator who would otherwise have to be entrusted with Global Admin credentials. All operations are recorded in the Azure audit logs.
This is the preferred method because it avoids the failures that occur when operators activate management with their own administrative account and that account lacks the permissions for certain actions; this is why activating management on the portal with your own account greys out some management actions so they cannot be executed. In the long run the service users will be replaced by temporarily created users where needed, or by Management Users where possible.
To change the management type, activate a management session using the option 'Use different account' and enter Global Admin credentials with MFA temporarily disabled.
To do that follow these steps:
- Choose 'My Organization' under your profile
- Go to the Settings tab and choose Management
- Choose which management type should be used. For advanced management, make sure the 'auto enable management session' option is turned on, so that a management session is enabled whenever your operators launch management tasks. The Management box is visible only to operators with the Tenant Admin role on the portal.
- Click Save
Once the change-management-type task finishes, the progress bar updates: the management type has been switched and the new management user has been created. Disable the management session and enable it again, now in advanced mode.
The credentials used to activate management in advanced mode do not have MFA enabled, because they are used behind the scenes by back-end services. However, the management user may still be covered by company policies or by Conditional Access policies that require MFA for all Global Admin and privileged accounts, including the 4ward365.admin/coreview.admin account. Such a policy will also block activation of the management session.
To resolve this, identify the policy that is currently blocking the management account by running the What If analysis on the 4ward365.admin/coreview.admin account: How to use the What If tool to check Azure AD conditional access policies
Then follow the manual procedure to configure an Allowed IP named location for the management user (4ward365.admin/coreview.admin); MFA remains mandatory outside of it. The steps are in the article: How to Configure Allowed IP Addresses for CoreView Service Accounts (MFA Enabled)
Note: when MFA is enforced by a Conditional Access policy, the user will not show MFA as enabled in the Azure Active Directory admin center, because that view reflects only per-user MFA settings, not policy-enforced MFA.
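As a scripted complement to the What If check above, the following PowerShell snippet lists every enabled Conditional Access policy that targets the management service account and requires MFA, together with the named locations each policy excludes (so you can see whether an Allowed IP exclusion is already in place). This is an added example, not CoreView's own tooling; it uses the Microsoft Graph PowerShell SDK, and the service account UPN is a placeholder you must replace with your tenant's actual account.

```powershell
# Added example (not CoreView's own code): find the Conditional Access policies that
# would force MFA on the CoreView management service account.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
$ServiceAccountUpn = 'coreview.admin@contoso.onmicrosoft.com'   # placeholder, replace with your tenant's account

Connect-MgGraph -Scopes 'Policy.Read.All', 'User.Read.All', 'Directory.Read.All' -NoWelcome

$user = Get-MgUser -UserId $ServiceAccountUpn -Property Id, UserPrincipalName

# Transitive group memberships and directory roles: a policy can target the account
# through a group or through a role such as Global Administrator, not only by user.
$memberOf        = Get-MgUserTransitiveMemberOf -UserId $user.Id -All
$groupIds        = @($memberOf | Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } | ForEach-Object Id)
$roleTemplateIds = @($memberOf | Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
                     ForEach-Object { $_.AdditionalProperties['roleTemplateId'] })

# Named locations, so an excluded "Allowed IP" location can be reported by name.
$locations = @{}
Get-MgIdentityConditionalAccessNamedLocation -All | ForEach-Object { $locations[$_.Id] = $_.DisplayName }

function Test-PolicyTargetsUser {
    param($Policy)
    $u = $Policy.Conditions.Users
    $included = ($u.IncludeUsers -contains 'All') -or ($u.IncludeUsers -contains $user.Id) -or
                (@($u.IncludeGroups | Where-Object { $groupIds -contains $_ }).Count -gt 0) -or
                (@($u.IncludeRoles  | Where-Object { $roleTemplateIds -contains $_ }).Count -gt 0)
    $excluded = ($u.ExcludeUsers -contains $user.Id) -or
                (@($u.ExcludeGroups | Where-Object { $groupIds -contains $_ }).Count -gt 0) -or
                (@($u.ExcludeRoles  | Where-Object { $roleTemplateIds -contains $_ }).Count -gt 0)
    return ($included -and -not $excluded)
}

function Test-PolicyRequiresMfa {
    param($Policy)
    $g = $Policy.GrantControls
    if ($null -eq $g) { return $false }
    # Either the classic "Require multifactor authentication" control or an authentication strength.
    return ($g.BuiltInControls -contains 'mfa') -or ($null -ne $g.AuthenticationStrength.Id)
}

Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.State -eq 'enabled' -and (Test-PolicyTargetsUser $_) -and (Test-PolicyRequiresMfa $_) } |
    ForEach-Object {
        # Map excluded location IDs to display names; unknown IDs (e.g. the AllTrusted sentinel) are shown as-is.
        $excludedLocations = @($_.Conditions.Locations.ExcludeLocations | ForEach-Object {
            if ($locations.ContainsKey($_)) { $locations[$_] } else { $_ }
        })
        [pscustomobject]@{
            Policy            = $_.DisplayName
            ExcludedLocations = if ($excludedLocations.Count) { $excludedLocations -join ', ' } else { '(none: MFA applies from every IP)' }
        }
    } | Format-Table -AutoSize
```

Any policy listed with no excluded location is one that will block the advanced management session from every IP; that is the policy to adjust with the Allowed IP named-location procedure linked above. Report-only policies are deliberately skipped because they do not enforce MFA.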