How can I configure conditional access to allow PyraCloud?

If you’ve already read our “Why can’t I create an Azure subscription?” article, you may have noticed that Microsoft have recently released a preview feature to support allowing access to service providers (like SoftwareOne) through Conditional Access policies.

More information on this can be found in Microsoft’s documentation here: https://learn.microsoft.com/en-us/azure/active-directory/external-identities/authentication-conditional-access#conditional-access-for-external-users.

Prerequisites

Your SoftwareOne reseller tenant IDs

To exclude SoftwareOne and PyraCloud from your blocking Conditional Access policies, you will need to know the Microsoft Tenant IDs of SoftwareOne’s reseller tenants that relate to you.

Even though SoftwareOne has over one hundred of these reseller tenants, only one or two will apply to you.

At this stage, the only way to find out the reseller tenant IDs you need to use is to log a support ticket with PyraCloud Support.

Configure Conditional Access

Determine which Conditional Access policies are blocking SoftwareOne and PyraCloud

Before you can exclude PyraCloud and SoftwareOne from your policies, you need to know exactly which policies are affecting access. You can do this using the “What If” capability of Conditional Access.

In the Azure portal, navigate to Azure AD Conditional Access.

Figure 1 – Azure AD Conditional Access

Click What If in the top navigation bar.

Figure 2 – What if

Click No user or service principal selected to choose a user.

Choose the following settings:

  • Select identity type: User
  • Select: Guest or external users
  • Select: Service provider users (preview)
  • Select organization (preview)
    • Click No tenant selected
    • Enter the Tenant ID you obtained from Support at the start of this article
    • Click the tenant that is found
    • Click the Select button

Figure 3 – Settings

Click What If.

Figure 4 – Policies that will apply

At the bottom of the page, you will see the list of Policies that will apply. Make a note of these policies as these are the ones you will need to modify to exclude PyraCloud and SoftwareOne.

Exclude PyraCloud and SoftwareOne from a policy

Note: When modifying Conditional Access policy exclusions, do not remove any of your existing excluded users, groups, or other principals. With Conditional Access, there is a very real possibility of locking yourself out of your tenant. Only attempt the following steps if you are a Conditional Access expert and you are confident configuring them.

SoftwareOne cannot be held liable for damages caused by the misconfiguration of this feature.

In the Azure portal, navigate to Azure AD Conditional Access.

Figure 5 – Azure AD Conditional Access

In the list of policies, click one of the policies that applied in the last step.

Figure 6 – Select Policy

Under Assignments, click the Users section.

Figure 7 – Assignments

Click Exclude.

Figure 8 – Exclude

Select the Guest or external users checkbox.

Figure 9 – Guest or external users check box

Select the Select radio button.

Figure 10 – Specify external Azure AD organization radio button – Select

Click 0 Azure AD organizations selected.

Figure 11 – 0 Azure AD organizations selected

Enter the Tenant ID you obtained from Support at the start of this article, then select the checkbox next to the SoftwareONE reseller tenant.

Figure 12 – Enter Tenant ID

Click Select.

Figure 13 – Select

Note: At this point, you may wish to temporarily change the policy to Report-only to check whether existing access is still working correctly. If you do this, please remember to enable the policy again once you are confident it is working as expected.

Click Save.

Repeat the steps in this section for each policy that you noted in the previous section.
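
One way to check each saved policy against the notes in this section, as an added example that is not SoftwareOne's or Microsoft's code: it compares a policy's JSON before and after the edit and reports removed exclusions, a reseller-tenant exclusion that is missing or not limited to listed tenants, and a policy left in Report-only. It assumes the policy was exported in the Microsoft Graph conditionalAccessPolicy JSON shape; the tenant ID, account ID and sample policies are constructed placeholders.

```python
import copy

RESELLER_TENANT = "00000000-0000-0000-0000-000000000001"  # placeholder, not a real tenant ID

def audit_exclusion_change(before, after, reseller_tenant):
    """Return a list of findings; an empty list means the edit looks as intended."""
    findings = []
    b_users, a_users = before["conditions"]["users"], after["conditions"]["users"]
    # 1. Nothing that was excluded before the edit may have disappeared.
    for key in ("excludeUsers", "excludeGroups", "excludeRoles"):
        lost = set(b_users.get(key) or []) - set(a_users.get(key) or [])
        if lost:
            findings.append(f"{key}: existing exclusions removed: {sorted(lost)}")
    # 2. The external exclusion must list the reseller tenant explicitly.
    ext = a_users.get("excludeGuestsOrExternalUsers") or {}
    tenants = ext.get("externalTenants") or {}
    if tenants.get("membershipKind") != "enumerated":
        findings.append("external exclusion is not limited to listed tenants")
    elif reseller_tenant.lower() not in [m.lower() for m in tenants.get("members", [])]:
        findings.append("reseller tenant missing from excluded organizations")
    # 3. A policy left in Report-only (or disabled) is no longer enforced.
    if after.get("state") != "enabled":
        findings.append(f"policy state is {after.get('state')!r}, not 'enabled'")
    return findings

# Constructed sample policy (not exported from a real tenant).
BEFORE = {
    "state": "enabled",
    "conditions": {"users": {
        "includeUsers": ["All"],
        "excludeUsers": ["11111111-1111-1111-1111-111111111111"],  # constructed emergency account
        "excludeGroups": [], "excludeRoles": [],
    }},
}
GOOD_AFTER = copy.deepcopy(BEFORE)
GOOD_AFTER["conditions"]["users"]["excludeGuestsOrExternalUsers"] = {
    "guestOrExternalUserTypes": "serviceProvider",
    "externalTenants": {
        "@odata.type": "#microsoft.graph.conditionalAccessEnumeratedExternalTenants",
        "membershipKind": "enumerated", "members": [RESELLER_TENANT],
    },
}
BAD_AFTER = copy.deepcopy(GOOD_AFTER)  # same edit, but an exclusion was lost
BAD_AFTER["conditions"]["users"]["excludeUsers"] = []
BAD_AFTER["state"] = "enabledForReportingButNotEnforced"  # left in Report-only

if __name__ == "__main__":
    for name, after in (("good", GOOD_AFTER), ("bad", BAD_AFTER)):
        print(name, audit_exclusion_change(BEFORE, after, RESELLER_TENANT))
```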

Updated on March 31, 2023
