Conditional Access Best Practices 🔐
To make sure Triggr can access your tenants securely, we recommend using Conditional Access. Both your own and your clients' Conditional Access policies need to be configured for optimal usage.
Setup of Your Conditional Access Policies
- Browse to the Conditional Access Policies blade in Azure.
- Exclude the Triggr service account from each existing policy, so that a single dedicated policy governs the Triggr service account.
- Create a new policy and include the Triggr service account user. Require Azure multi-factor authentication for every logon (under Session, set Sign-in frequency to Every time) and for all cloud applications. Do not add any exclusions or trusted locations.
- If you have trusted locations under the classic MFA portal you must always remove those.
- Save this policy under the name "Triggr Service Account Conditional Access Policy"
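The steps above can be verified against an export of your tenant's policies. The following is an added example, not part of Triggr's documentation or tooling: it assumes the policies are available as JSON in the Microsoft Graph conditionalAccessPolicy shape, and the function name, sample policies and account ID are hypothetical. It recognizes only the built-in "mfa" grant control.

```python
DEDICATED_NAME = "Triggr Service Account Conditional Access Policy"

def audit_policies(policies, account_id):
    """Return findings for the MSP tenant; an empty list means the setup matches."""
    findings, dedicated = [], None
    for p in policies:
        users = (p.get("conditions") or {}).get("users") or {}
        if p.get("displayName") == DEDICATED_NAME:
            dedicated = p
        elif account_id not in (users.get("excludeUsers") or []):
            findings.append(f"account not excluded from: {p.get('displayName')}")
    if dedicated is None:
        return findings + ["dedicated policy missing"]
    cond = dedicated.get("conditions") or {}
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    locs = cond.get("locations") or {}
    grant = dedicated.get("grantControls") or {}
    freq = (dedicated.get("sessionControls") or {}).get("signInFrequency") or {}
    excluded = (any(users.get(k) for k in ("excludeUsers", "excludeGroups", "excludeRoles"))
                or apps.get("excludeApplications") or locs.get("excludeLocations"))
    checks = [
        (dedicated.get("state") == "enabled", "dedicated policy is not enabled"),
        (account_id in (users.get("includeUsers") or []), "account not included in dedicated policy"),
        (apps.get("includeApplications") == ["All"], "dedicated policy does not cover all cloud apps"),
        ("mfa" in (grant.get("builtInControls") or []), "MFA is not required"),
        (freq.get("isEnabled") and freq.get("frequencyInterval") == "everyTime",
         "sign-in frequency is not 'every time'"),
        (not excluded, "dedicated policy has exclusions or trusted locations"),
    ]
    return findings + [msg for ok, msg in checks if not ok]

# Constructed sample export (not real tenant data); the object ID is a placeholder.
ACCOUNT = "00000000-0000-0000-0000-000000000001"
SAMPLE = [
    {"displayName": "Require MFA for admins", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}}},
    {"displayName": DEDICATED_NAME, "state": "enabled",
     "conditions": {"users": {"includeUsers": [ACCOUNT]},
                    "applications": {"includeApplications": ["All"]},
                    "locations": {"excludeLocations": ["AllTrusted"]}},
     "grantControls": {"builtInControls": ["mfa"]},
     "sessionControls": {"signInFrequency": {"isEnabled": True, "frequencyInterval": "timeBased"}}},
]

if __name__ == "__main__":
    for finding in audit_policies(SAMPLE, ACCOUNT):
        print("FINDING:", finding)
```

Trusted locations configured in the classic MFA portal are not part of this export and still have to be checked by hand.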
Setup of Clients' Conditional Access Policies
GDAP is affected by your clients' Conditional Access policies. To make sure you can access your clients with your Triggr service account user, we recommend excluding the MSP from the Conditional Access policy, per Microsoft's documentation.
- Browse to your client's Conditional Access Policies blade in Azure.
- For each policy listed, add an exclusion under "Users and Groups" with the following settings:
  - Guest or external users
  - Service Provider Users
  - Selected, then enter your tenant ID. If you do not know your tenant ID, you can look it up at whatismytenantid.com
Troubleshooting
Common Issues
"Triggr service account is blocked by Conditional Access"
- Ensure the service account is excluded from all existing policies
- Verify the dedicated Triggr policy is active
- Check that MFA is properly configured
"Cannot access client tenants"
- Verify your tenant ID is excluded from client Conditional Access policies
- Ensure you're using the correct tenant ID from whatismytenantid.com
- Check that client policies include the "Service Provider Users" exclusion
"MFA prompts not working"
- Remove any trusted locations from classic MFA
- Ensure MFA is enforced for every logon
- Verify the service account has Microsoft MFA enabled
Related Documentation
- GDAP Service Account Setup - Initial service account creation
- Recommended Roles - Required permissions for Triggr
Need help? Your account manager can assist with Conditional Access configuration and ensure your Triggr integration is properly secured.

