SOLVED

CSP access to MCAS

Senior Member

Hello

As a Cloud Service Provider, I can access all my customers' services with my CSP user technical account (who is Global Admin via guest integration in AD, by default).

However, the one and only service I can't join is the Cloud App Security with the following error:

It seems like you can't access Microsoft Cloud App Security right now.
If you're a new user or were recently assigned credentials, please wait 15 minutes and try again.

I have to create a Global Admin account in the customer AD to connect, and it's NOT the way it should be.

Is there a workaround for this error?

Regards

5 Replies
best response confirmed by Timil75 (Senior Member)
Solution
Don't think so! I have the same issue for my customers. But one way to get around it is to be granted "security reader" with a guest account or a dedicated user in Azure AD - not a good solution, but it should work to get insights. But for working with the alerts etc. you need a higher role. Preferred is to use PIM to elevate the users up.

@Timil75 I had a chat with Microsoft about this, as there are things you cannot reach this way. This includes things in the security and compliance consoles and MCAS. The feedback I received was that this will not change, and that it was by design. My customer had to create users in the individual tenants to get around this, and that is not a great solution as you say.

@Timil75 You can invite the external admin directly to MCAS through the "manage admins" settings.

https://docs.microsoft.com/en-us/cloud-app-security/manage-admins#invite-external-admins

That is interesting, @Dima Donhin. That can solve part of our problem, but not the part with the other unreachable portals like the security and compliance portal.

@Pål Winther 

Hello,

When you want to access Microsoft 365 portals with guest user credentials, it will ask you for the password. For example, if the mail address of your guest user is guest@contoso.com, the credential to use is guest_contoso.com#ext#@organizationname.onmicrosoft.com, where organizationname is the name of the organization that invites you. So this password must be configured by an Office 365 administrator; if you try to define this password directly from the Azure AD portal, we will get an error message.

So to configure this password, follow these steps:

Open a session as global admin in admin.microsoft.com

Go to Active Users and select the guest user.

Define a password and confirm.

Afterwards you can give your guest user the role that you want from the Azure AD portal.

For me that works very fine.

Best Regards,

Adil WAAZIZ