Web Accounts

We now have a new feature called Azure Web Accounts. This functionality allows an administrator or privileged user to create a Web Account that grants access to Microsoft 365 products (Azure, Teams, etc.) for a limited time. Let's go over how this works.

Note: With Microsoft's new MFA requirements, permanent web accounts are the preferred method for setting up web account access.

Requirements

  1. The user must have the proper role (see below).
  2. The user must belong to the user group associated with the web account.
  3. The user must have access to the tenant/customer.
  4. The user must have an Elevated Access License.
  5. Review the permissions from the Azure Sync article. Make sure the Enterprise Application has the right roles and grants, or Web Accounts may not function correctly.

Make sure that the directory you select is the appropriate directory and that the group you select contains the user(s) you are allowing to check out the Web Account. At this time you can only grant one User Group access to a Web Account.

MS Entra Requirements

Evo M365 elevation gives IT administrators a way to access Azure admin accounts securely, because Evo rotates the account's username and password frequently rather than leaving a standing credential in place.

  1. If Conditional Access (the MFA feature) is enabled in your environment, ensure the Evo web account is excluded from the policies that require MFA, so that MFA is not enforced for that account anywhere in the environment. Scope the exclusion to the Evo web account (or a group that contains only Evo web accounts), not to your administrators in general. (Note: When a new Web Account is created and excluded, it may take some time for policy changes to propagate to the newly created account(s). This could take up to 30 minutes. Test login access before relying on the account.)
  2. If Conditional Access is not used, per-user MFA is managed in the Microsoft 365 Admin Center instead.
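Conditional Access exclusions are easy to get wrong: a policy can target the account directly, through a group, or through the directory roles the Web Account was given, and a check-out that looks fine in Evo then fails at sign-in with an MFA prompt. The following PowerShell script is added here as an example and is not part of Evo's product or documentation. It uses the Microsoft Graph PowerShell SDK to report, for each enabled policy that requires MFA, whether the Web Account is in scope and whether it is excluded, and then lists the directory roles the account actually holds so they can be compared with what was selected in the Evo drawer. The UPN is a placeholder, and the Graph scopes requested are assumptions about what your tenant will grant.

```powershell
# Added example, not Evo's code. Requires the Microsoft.Graph PowerShell SDK
# (Install-Module Microsoft.Graph) and a reader account with the scopes below.
# Assumption: the UPN is a placeholder for the account Evo created.
$WebAccountUpn = 'evo-webaccount@contoso.onmicrosoft.com'

Connect-MgGraph -Scopes 'Policy.Read.All','Directory.Read.All','RoleManagement.Read.Directory' -NoWelcome

$user = Get-MgUser -Filter "userPrincipalName eq '$WebAccountUpn'" -Property Id,UserPrincipalName,AccountEnabled
if (-not $user) { throw "No user '$WebAccountUpn' found; it may not exist yet or may not have propagated." }
if (-not $user.AccountEnabled) { Write-Warning "$WebAccountUpn is currently disabled (checked in or expired)." }

# Transitive group membership, so group-based include/exclude rules are honoured.
$groupIds = @(Get-MgUserTransitiveMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
    Select-Object -ExpandProperty Id)

# Directory roles assigned to the account. For built-in roles, RoleDefinitionId is the
# role template id that Conditional Access stores in IncludeRoles / ExcludeRoles.
$roleAssignments = @(Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'" -All)
$roleIds = @($roleAssignments | Select-Object -ExpandProperty RoleDefinitionId)

# True when any element of $a is also in $b; both sides may be $null.
function Test-Overlap($a, $b) { @($a | Where-Object { $b -contains $_ }).Count -gt 0 }

# Enabled policies that enforce MFA, either via the built-in 'mfa' control or an authentication strength.
$policies = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.State -eq 'enabled' -and (
        $_.GrantControls.BuiltInControls -contains 'mfa' -or
        -not [string]::IsNullOrEmpty($_.GrantControls.AuthenticationStrength.Id)
    )
}

$report = foreach ($p in $policies) {
    $u = $p.Conditions.Users
    $inScope  = ($u.IncludeUsers -contains 'All') -or ($u.IncludeUsers -contains $user.Id) -or
                (Test-Overlap $u.IncludeGroups $groupIds) -or (Test-Overlap $u.IncludeRoles $roleIds)
    $excluded = ($u.ExcludeUsers -contains $user.Id) -or
                (Test-Overlap $u.ExcludeGroups $groupIds) -or (Test-Overlap $u.ExcludeRoles $roleIds)
    [pscustomobject]@{
        Policy        = $p.DisplayName
        InScope       = $inScope
        Excluded      = $excluded
        WillPromptMfa = $inScope -and -not $excluded
    }
}
$report | Format-Table -AutoSize

$blocking = @($report | Where-Object { $_.WillPromptMfa })
if ($blocking.Count -gt 0) {
    Write-Warning ("MFA is still enforced for $WebAccountUpn by: " + ($blocking.Policy -join ', '))
} else {
    Write-Host "No enabled MFA policy applies to $WebAccountUpn."
}

# The roles the Web Account holds; compare with the roles chosen in the Evo drawer.
foreach ($a in $roleAssignments) {
    $def = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $a.RoleDefinitionId
    '{0} (scope {1})' -f $def.DisplayName, $a.DirectoryScopeId
}
```

Run it after the propagation window, not immediately after creation, since a freshly created account may not yet be visible to Graph. A report row with InScope true and Excluded false is the policy that will block the check-out. Note that the script only evaluates Conditional Access; if the tenant relies on Security Defaults instead, MFA is enforced for every account and no per-account exclusion is possible.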

Using Web Accounts

First, let’s go over the Vault Page. If you are unfamiliar with the Vault Page, this is the new tab that will house Domain Accounts (Previously named Shared Accounts), Local Accounts, and Web Accounts.

On the Vault tab, there is a sub-tab titled Web Accounts.


Roles Needed

If you do not see this tab, you may be missing the required permissions. We have created a new Role-Based Permissions category named Web Accounts. To find Role-Based Permissions, click on "Evo Admin" and then "Permissions". Choose the desired role and click the pencil icon to edit it. Within the role you will find the "Web Accounts" section, where you can set the required permissions. Let's go over them.

  • Manage Web Accounts - This role will allow you to create and delete web accounts.
  • Use Web Accounts - This role will allow you to check-in/check-out a web account.

You must also have the Directory and Group permissions, because creating a Web Account requires you to select a Directory and a Group. You will also need the View People permission in the Users tab.


Create a Web Account

Now that we have the proper roles, let’s create a Web Account. Click on the Create Web Account button and we’ll get started with the Web Account creation drawer.


Make sure to provide the required fields:

  • Display Name: The name shown in the Webapp for the Web Account.
  • Select Directory: This is where you select the appropriate Entra ID (Azure AD) directory. NOTE: This dropdown only appears if there are multiple directories to choose from.
  • Select User Group: This is where you select the Custom User Group containing the user(s) you wish to allow to use this Web Account.
  • Select Roles: This is where you select the Entra ID directory role(s) the Web Account will hold; anyone who checks the account out gets exactly these privileges, so select only the roles the task requires. You can select multiple.

There are also two (2) optional toggles a user can enable for their Web Account:

  • Immediately check out: Upon creation of the Web Account, the account is checked out and the check-out modal appears for instant access.
  • Create upon checkout and delete upon expiration: The account is created in Entra ID each time it is checked out and deleted when it expires or is checked in, so the username and password are cycled on every use rather than persisting between check-outs.

After you’ve provided the required information, click the Complete button and your Web Account will be created and listed in the table.

Clicking the trash icon, or selecting the checkbox and using the action drop-down menu, gives you the option to delete the Web Account.

"Check out" a Web Account

In the list you will see a button called Check Out. This button allows your privileged user(s) to check out the account and displays the Username/Password for the created Web Account.


The dialog box that opens allows you to select a duration from a 30-minute minimum to a 24-hour maximum. Once the displayed End Time is reached, the Web Account is disabled.

Select your required duration and click complete.

If successful, you will see that your user has "Checked out" the web account, and you now have the option to copy the hidden Username and Password. These credentials give access to whatever M365 role(s) or permissions you set for the account.


Once the account has been checked out (notice the greyed-out box), a user is currently using it. If you are not the user who checked it out, you cannot view the Username or Password, and you cannot delete the account until it is checked in or the duration expires.

Check In a Web Account

If you are the user who checked out the account and you wish to check it back in, you will see a "Check In" button.


Clicking this button displays a dialog box asking you to confirm that you wish to check the account back in.


After confirming, you have successfully checked the account back in.

Congratulations! You’ve completed the Web Account flow.
