GDAP Service Account Setup 🔧

Why Setup GDAP?

Although setting up GDAP requires some initial effort, it enables automation at the MSP level and eliminates the need to configure and manage a separate Microsoft integration for each of your individual clients.

Creating The Triggr Service Account

This guide walks you through the process of setting up the Triggr Service Account.

Please follow the instructions on this page to the letter to ensure a seamless setup process down the line.

The Triggr service account will be the account used to execute any actions on your client's tenants via Triggr.

Before we get started, please note the following:

Administration Requirements

1. Must be a Global Administrator while setting up the integration. These permissions may be removed after the integration has been setup.
2. Must be added to the AdminAgents group. This group is required for connection to the Microsoft Partner API.

Multi-Factor Authentication

1. MFA Setup: This account must have Microsoft MFA enforced for each logon.
   • Use Conditional Access when available or via Per User MFA when not available.
2. Microsoft MFA is mandatory. Do not use alternative providers like Duo, and ensure it's setup before any login attempts.
   • Reference this article on Supported MFA options from Microsoft for more details.

Step-by-Step Setup

1. Navigate to Microsoft Entra Portal

To get started, head to the Microsoft Entra Portal's user overview at entra.microsoft.com

2. Create New User

1. Click on the 'New user' button
2. Create a new internal user in your organisation
3. Enter a username in the field. We recommend something recognisable such as 'TriggrServiceAccount'
4. Enter "Triggr Service Account" in the Display Name field. Set the password to something strong, and save this password in a secure location

3. Configure User Properties

1. Click on "Next: Properties"
2. Click on 'Next: Assignments'

4. Add Required Groups

1. If you are a Microsoft Partner, and want to manage all your client tenants, click on Add Group.

2. Select the AdminAgents group. This group is required for connection to the Microsoft Partner API.

3. Select your GDAP groups

   Ensure each group has the necessary roles for Triggr to work properly. For full details, see our Recommended Roles page.

5. Assign Roles

1. Click 'Add role'

2. Add the Global Administrator role

   Find the Global Admin role. This role is required for the Triggr application creation, and is recommended to be removed directly after installation.

6. Complete Setup

1. Click "Next: Review + Create"
2. Click on "Create". This creates the account.

Next Steps

Once your service account is created, you can proceed with:

• Ensuring conditional accesss doens't block the service account
• Configuring recommended roles

Security Best Practices

• Remove Global Admin after setup: The Global Administrator role should be removed after the initial setup is complete
• Use strong passwords: Ensure the service account has a strong, unique password
• Enable MFA immediately: Set up Microsoft MFA before any login attempts
• Regular access reviews: Periodically review and audit the service account permissions
• Secure credential storage: Store the service account credentials in a secure password manager

Troubleshooting

Common Issues

"Access denied when trying to create the service account"

• Ensure you have Global Administrator permissions
• Check that you're in the correct tenant

"Cannot add to AdminAgents group"

• Verify you're a Microsoft Partner
• Contact Microsoft Partner Support if the group is not available

"MFA setup fails"

• Ensure you're using Microsoft MFA, not third-party providers
• Set up MFA before any login attempts

---

Need help? Your account manager can assist with the GDAP setup process and ensure everything is configured correctly for your Triggr integration.