How to enable and configure CoreView management session
Modified on Tue, 12 Sep 2023 at 12:24 PM
- CoreView Release Notes September 2023
- CoreView Release Notes August 2023
- CoreView Release Notes July 2023
- CoreView Release Notes June 2023
- CoreView Release Notes May 2023
- CoreView Release Notes April 2023
- CoreView Release Notes March 2023
- CoreView Release Notes February 2023
- CoreView Release Notes January 2023
- CoreView December 2022 Release Notes
- CoreView November 2022 Release Notes
- CoreView October 2022 Release Notes
- September 2022 Release Notes
- August 2022 Release Notes
- Release 22.06 Key Features
- Release 22.05 Key Features
- Release 22.04 Key Features
- Release 22.03 Key Features
- Release 22.01 Key Features
- Release 21.12 Key Features
- Release 21.11 Key Features
- Release 21.10 Key Features
- Release 21.09 Key Features
- Release 21.08 Key Features
- Release 21.07 Key Features
- Release 21.05 Key Features
- Release 21.04 Key Features
- Release 21.03 Key Features
- Release 21.02 Key Features
- Release 21.01 Key Features
- Release Information
- Getting Started with Customer Care
Getting Started with CoreView
- Configuration Overview
- Creating CoreView Tenant Administrators
- CoreView Operator Uses Cases & Dependencies
- Creating a License Pool
- Understanding Virtual Tenants
- "Send As" DNS Requirements for CoreAdoption Campaigns (Optional)
- How to enforce MFA on CoreView service accounts
- Creating a License Pool
- How to ensure security for CoreView service accounts
- Disabling MFA for CoreView service accounts
- Set Conditional Access to grant access only inside the CoreView data center
- How to check and analyze the Message Trace
- How To Configure Email Forwarding
- How to convert a Shared Mailbox to a User Mailbox
- How to convert a user mailbox to a shared mailbox in Exchange Online
- How to Create Microsoft 365 Groups for Improved Collaboration
- How To Create Shared Mailbox
- How To Create User Mailbox
- How To Grant Access To Mailbox
- How to List all the Mailboxes a User has access to in Microsoft 365
- How to remove delegates from Mailbox
- How to remove user access to Mailbox
- How to review and manage Exchange online mailbox permissions
- How to verify if a user has updated the Password
- Read Permission for Mailbox
- What are security groups and How to create it
- What is a Distribution Group and How to create it
- Exchange Online
- Custom Actions Library
- Getting Started with CoreHybrid
Understanding CoreView - Quick Start Guides.
- CoreView Quick Start Guide Overview and Index - Tenant Admins
- CoreView Quick Start Guide Overview and Index - Operators
- Understanding CoreView Tenant Configuration – Management
- Understanding the CoreView Operator Profile
- Understanding CoreView Operator Roles (New UX)
- Understanding CoreView Operator Roles
- Understanding CoreView Operator Delegation
- Understanding CoreView - Report Column Filtering
- Understanding CoreView Tenant Configuration - V-Tenant User Filters
- Understanding CoreView Tenant Configuration - Portal Information
- Understanding CoreView Tenant Configuration Options
Troubleshooting Common Issues
- Unable to see OneDrive, SharePoint and Exchange Data
- Remote Office 365 PowerShell session can Conflict CoreView Management Actions
- Why I cannot save the changes on existing License pool?
- Error when attempting to perform a Management Action
- Unable to modify the Assigned Licenses in my License Pool Report
- Enabling Permission for Endpoint Manager Actions
- How to enable permission for BitLocker keys report
- How to recreate Admins Read-only
- How to add an operator to the portal?
- How to enable and configure CoreView management session
- How to provide a consent to activate Azure AD Reports Feature and activate Partial Import?
- Tips & Tricks: Leverage Pivot Reports to Prototype License Pool Criteria Filter
- Tips & Tricks - How to manage email notifications for newly added Operators.
- Disable MFA from Read Only Service Accounts
- How To: Report on "Consumed Portal Licenses"
- How to Configure Allowed IP Addresses for CoreView Service Accounts
- Tips & Tricks: How to merge License Pools
- How to Use CoreView's Global Report Filters
- How to use the What If tool to check Azure AD conditional access policies
- How to Configure Allowed IP Addresses for CoreView Service Accounts
- How to Archive a Teams Group
- How to Restore a Teams Group
- On-demand Import for a Single Device in Endpoint Manager (Intune)
- Custom Actions using the Microsoft Graph API
- How to set up your tenant for the switch to Microsoft Graph API
- GraphAPI configuration: How to get Client ID and Client Secret
- How to provide consent to import exchange information
Reporting and Analytics
- How do I Check and Manage Calendar Permissions for a User?
- How CoreView can help you with your Microsoft 365 Chargeback Goals.
- New UX: Understanding the new License Centers
- Understanding the Savings Opportunities Dashboard
- Understanding the License Optimization center
- Understanding License Pool Snapshots report
- Understanding Call quality dashboard
- Understanding Call quality report
- Understanding User call quality report
- Understanding Teams groups activity report
- Understanding Teams Adoption Growth Report
- Understanding Endpoint Manager reports
- Understanding Teams dashboard
- Understanding Risky Users report
- Understanding Storage Dashboard
- Troubleshoot Active Users (License Usage) data
- Legacy Protocol Management
- Report Columns: Is active 30/60/90
- Quarantined Messages Report - Understanding The Reports
Managing and Administration
- Teams Voice: Direct Routing Support
- How to enable management function?
- Forward SMTP Address vs Forward Address management actions
- How to add the users in bulk while executing Users management actions?
- How to Create & Manage Custom Actions
- How to schedule a report to be sent automatically, and how to modify its scheduling options?
- How to schedule an alert report for the License Count
- Tips & Tricks – How to read and modify license pool report?
- Overview of CoreView Workflow
- How to delegate Workflow management using roles
- How to configure CoreView and ServiceNow integration
- How to Enable Multi Factor Authentication for Operators and Admins who Access the CoreView Portal
- How Can I Migrate from Group-Based Licenses to Direct Licenses Managed by CoreView?
- Naming convention rules
- Custom Actions: Forbidden and Warning Values
- How to add users to Distribution Group in bulk using via CSV
- Not able to manage licenses error
- Using custom action json output as an input in the workflow
- Setting the Sensitivity Label on SharePoint as a Mandatory Field
- DistinguishedName vs OnPremisesDistinguishedName
- Understanding CoreView - Quick Start Guides.
- CoreView Product Manual
- Health Check
- Configuring predefined policies
- Edit policy settings: Set and monitor thresholds
- Edit remediation settings: Manual and automatic remediation
- Edit remediation settings: Configure attestation
- Remediation settings: Security & Identity policies
- Remediation settings: Teams Management policies
- Remediation settings: License Management policies
- Remediation settings: SharePoint & OneDrive Management policies
- Remediation settings: Exchange Management policies
- Out-of-the-Box playbooks
- Learning Platform
- Internal Customer Care Resources
- Webinars and Events
- Internal Support
This article will cover how to enable and configure CoreView management sessions.
Note: To activate Password Rotation, Admin roles are needed. More information in the "How it works: CoreView Admin Account" article.
CoreView Management Session Overview
CoreView management session allows operators to execute management actions, custom actions, and workflows. The management session needs to be active when performing actions. The management session needs to be enabled using Microsoft 365 administrator credentials.
There are 2 possible configurations for CoreView management sessions:
- Default - Microsoft Global Admin without MFA enabled credentials required
CoreView creates an interactive PowerShell session with Office 365. As there isn't a good way to feed the token value into this session the Global Admin account used to activate management session must NOT have MFA enabled.
- Advanced - No credentials required. Service account needed.
This feature enables lower-level admins and help-desk operators to make delegated changes to defined user accounts, as no Microsoft credentials are used to enable this type of management session.
How to enable CoreView management session
The management session can be enabled by every operator with the ‘Management’ role.
Enabling CoreView management session ‘Default’ and ‘Advanced’ configuration is quite similar, the difference for delegated operators is the need to enter credentials when using the ‘Default’ configuration.
When the username and password have been filled in (or the ‘Advanced’ management session is enabled), operators can start the management session clicking on the ‘Turn on management session’ button.
Enabling the management session can require some time, normally a few minutes. Once it is enabled, the header will show the ‘Management ON’ message. Clicking on that, operators can view further details and turn it off.
How to configure the CoreView management session
CoreView management sessions have two different configurations. If you are a tenant administrator, you can change this setting and enable the ‘Advanced’ management session.
This configuration is the preferred one as it prevents the sprawl of administrative accounts on Microsoft, while keeping everything within CoreView. This also ensures that delegated operators have the required permissions to perform management action at all times, as permissions themselves are set only on CoreView (other than on Microsoft as well). Finally, the ‘Advanced’ management configuration automatically turns on the session when operators execute actions if the session happens to be off.
CoreView creates a service account with the following Administrative roles: Authentication Administrator, Exchange Administrator, Global Reader, Reports Reader, SharePoint Administrator, Teams Administrator, and User Administrator. The credentials for this account are stored within Microsoft Azure Key Vault and changed once a week. Key Vault is a hardware security module specifically designed to store highly confidential information such as passwords and credit card information. With the credentials stored in Key Vault, CoreView can elevate its privileges without ever having access to the password itself. In addition, Key Vault automatically changes the password each week.
The password length is 16 characters, and its complexity is composed by:
- Upper and lower case letters
- Special characters
Key Vault allows CoreView to gain access to an authorization token on demand, allowing it to elevate the rights of the service account and perform the action requested by the operator. This allows you to delegate very specific actions to an operator who would otherwise need to be entrusted with Global Admin credentials. All operations are audited by Microsoft Azure directly.
To enable the ‘Advanced’ management session, first turn on the session using the ‘Default’ mode and Microsoft Global Admin without MFA enabled credentials.
Once the management session is active, open the management session section to reveal the configuration. Turn on the ‘Enable Advanced management’ and the ‘Auto-enable management session’ toggles to fully take advantage of this feature.
Credentials used to activate the management in the ‘Advanced’ mode will not not have MFA enabled because they are used behind the scenes by back-end services. But the management user could be covered by the company policies or conditional access enabled that requires MFA for all the Global Admin and privileged accounts, including the 4ward365.admin/coreview.admin account. This will also cause issues when trying to activate the Management Session.
To resolve this problem, you need to check what is the policy that is currently blocking the access of our management account by using the what if analysis on 4ward365.admin/coreview.admin account:
How to use the What If tool to check Azure AD conditional access policies
Then, please follow a simple manual procedure to configure Allowed IP for our management user (4ward365.admin/coreview.admin and MFA will be mandatory outside of it. You can find the steps in the article below:
Note: In case the policy is enabled, you won't see that the MFA is enabled for the users from the Azure Active Directory Admin center.