In order to give RBAC delegates access to a tenant and to an on-prem Active Directory (hybrid tenants), you will need to set up valid credentials for a role.
If you want to manage more than one tenant through sapio365 RBAC roles, create a set of credentials to access each environment.
The steps that follow include the creation of:
A delegated user/service account
A registered application*
Configuration of PowerShell credentials
* The registered application in your Azure AD created automatically by sapio365 includes the highest permissions for maximum access. You can restrict this application by removing permissions that you may deem unnecessary for the roles that you will use with this credential set.
Start by going to the sapio365 tab of the main window, and go to ‘RBAC – Configuration’ to set up the credentials to use for the roles you will create. You can also clone an existing set of credentials.
1 - Enter a unique name and description for the credentials you’re setting up. If you’re using sapio365 RBAC to manage several tenants, you’ll need to do this for each tenant.
2 - Create a new, RBAC-dedicated user account and a new registered application.
Although a sapio365 RBAC credential can be that of an existing user account, we strongly suggest creating a new one, dedicated to sapio365 RBAC.
Note that the new user will be added to the Global Administrator role, and does not require assignment of any Microsoft 365 license for sapio365 RBAC.
If you have application restrictions set, make sure to add this user account to the group or approved list of users who can use sapio365.
Click on the button ‘Create New Admin & Application’. Confirm by clicking on OK.
(Optional) You can use credentials of an existing global admin and application (example: on a second machine) by filling out the related fields, and entering the target tenant. If consent was already given, you will not need to do it again.
3 - Consent to the permissions of the applications. You must be a global admin to do so.
4 - (Optional, hybrid tenants) Add connection information for accessing the local on-prem Active Directory (AD) connected to the tenant the same way as you would connect to on-prem AD in a sapio365 session. Make sure to toggle ‘Use On-Premises?’ to ‘True’ before clicking OK.
Set the cache on a SQL server (optional)
If you want to centralize the cache used by sapio365 for your role, you can set up its storage in a SQL database in your network. Learn about requirements here.
Set ‘Use SQL Server’ to True.
You can test the connection by clicking on the button.
If you manage several tenants, you can use an existing set of credentials to prefill the fields of a new one.
Select a set of credentials, right-click it, and click on ‘Clone Credential’.
Then you can edit field values by “unlocking” them first.
Edit an existing set of credentials by selecting one and clicking on 'Edit'. You can edit fields by unlocking them first.
Select one or more sets of credentials to delete them from sapio365 with the ‘Delete’ button. You will be asked for confirmation to avoid mistakes.
Deleting a set of credentials from the RBAC list does not remove the corresponding user account or registered application from Azure Active Directory; remove those separately if they are no longer needed.
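Two points above call for a follow-up check from the tenant side: the registered application is created with the highest permissions and may be trimmed, and deleting a credential set in sapio365 leaves the admin user and application behind in Azure AD. The following PowerShell is an added example, not sapio365's own code, using the Microsoft Graph PowerShell SDK to list what has actually been granted to the application (application roles and delegated scopes), preview the removal of a role you judge unnecessary, and confirm whether the dedicated user and application still exist after a credential set is retired. The display name and user principal name are placeholders; sapio365 shows the real values in the credential set it created.

```powershell
# Added example (not sapio365's own code). Requires the Microsoft Graph PowerShell SDK
# (Install-Module Microsoft.Graph). Placeholder identifiers below must be replaced with the
# user and application that sapio365 created for your RBAC credential set.
$AppDisplayName    = '<sapio365-rbac-app-display-name>'
$UserPrincipalName = '<sapio365-rbac-user>@<tenant>.onmicrosoft.com'

# Read-only scopes suffice for the audit; the Remove-* call below runs with -WhatIf, so nothing is changed.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All', 'User.Read.All'

function Get-RbacAppGrants {
    param([Parameter(Mandatory)] [string] $DisplayName)

    $sp = Get-MgServicePrincipal -Filter "displayName eq '$DisplayName'" | Select-Object -First 1
    if (-not $sp) { throw "No service principal named '$DisplayName' in this tenant." }

    # Application permissions (app roles) granted through admin consent, resolved to readable names.
    $appRoles = foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id) {
        $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
        $role     = $resource.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
        [pscustomobject]@{
            Type         = 'Application'
            Resource     = $resource.DisplayName
            Permission   = $role.Value
            AssignmentId = $a.Id
        }
    }

    # Delegated permissions (OAuth2 scopes) consented for this client, one row per scope.
    $delegated = foreach ($g in Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'") {
        $resource = Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId
        foreach ($scope in ($g.Scope -split ' ' | Where-Object { $_ })) {
            [pscustomobject]@{
                Type         = "Delegated ($($g.ConsentType))"
                Resource     = $resource.DisplayName
                Permission   = $scope
                AssignmentId = $g.Id
            }
        }
    }

    @($appRoles) + @($delegated)
}

function Remove-RbacAppPermission {
    # Previews revoking one application permission that the roles using this credential set do not need.
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $Permission   # e.g. a ReadWrite.All role you consider unnecessary
    )
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$DisplayName'" | Select-Object -First 1
    Get-RbacAppGrants -DisplayName $DisplayName |
        Where-Object { $_.Type -eq 'Application' -and $_.Permission -eq $Permission } |
        ForEach-Object {
            # -WhatIf only shows what would happen; remove it (and connect with
            # AppRoleAssignment.ReadWrite.All) to actually revoke the assignment.
            Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id `
                -AppRoleAssignmentId $_.AssignmentId -WhatIf
        }
}

function Test-RbacIdentityStillExists {
    # After deleting a credential set in sapio365, confirms whether its user and application remain in Azure AD.
    param([Parameter(Mandatory)] [string] $Upn, [Parameter(Mandatory)] [string] $DisplayName)
    $user = Get-MgUser -Filter "userPrincipalName eq '$Upn'" -ErrorAction SilentlyContinue
    $app  = Get-MgApplication -Filter "displayName eq '$DisplayName'" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        UserStillInAzureAD = [bool]$user
        AppStillRegistered = [bool]$app
    }
}

Get-RbacAppGrants -DisplayName $AppDisplayName | Format-Table -AutoSize
Test-RbacIdentityStillExists -Upn $UserPrincipalName -DisplayName $AppDisplayName
```

Run the audit once right after consent, keep the output with the credential set's documentation, and run it again whenever a role's scope changes; the grant list is what a reviewer compares against the actual needs of the roles using these credentials. The orphan check belongs in the same procedure as deleting the credential set, so that an unused Global Administrator account and a fully consented application do not linger in the tenant.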