Legal services: deleting MacOS platform credentials with Graph API

  • Last update on December 12th, 2025

Before implementing the steps below, please read the article “Use cases: introduction” carefully.

 

A leading American law firm with 3.000 Microsoft 365 users needed a secure way for its helpdesk to remove MacOS platform credentials without elevated Microsoft admin rights.

By leveraging CoreView Workflows and interacting with the Microsoft Graph API, the IT team developed an automated credential removal process within CoreView. This streamlined the routine task of MacOS platform credential removal, cutting resolution times down to mere minutes and minimizing escalations, all while upholding least‑privilege principles and enabling operators to work seamlessly within a single interface.

Customer profile

Industry sector: Law firm
Company size: 3.000
Region: United States

This U.S.-based law firm employs over 3.000 staff and operates in a Microsoft 365 environment with a significant Mac user base. Security and compliance are paramount given the sensitivity of client data. The service desk serves as the first line of support but has historically been limited in administrative access to safeguard the environment.

Business challenge

The firm’s Mac users occasionally require their MacOS platform credentials to be deleted — a necessary action for troubleshooting authentication and device management issues. Without elevated admin rights in Entra, helpdesk staff could not perform this task, forcing every request to be escalated to senior IT admins. This created delays and consumed valuable administrator time, while granting broad rights to helpdesk teams posed unacceptable security risks.

Pain points:

  • No direct method for helpdesk to remove MacOS platform credentials without elevated admin permissions.
  • Dependency on tenant-wide admins for routine credential removal tasks.
  • Slow ticket resolution for Mac users, impacting productivity.
  • Potential exposure if helpdesk were given unnecessary high-level access.
  • Frustration for both users and admins over repeated escalations.

CoreView products involved

  • CoreView One: comprehensive Microsoft 365 management platform providing delegated permissions, automation, and granular control. It integrates with Microsoft Graph API to perform targeted administrative actions securely through pre-built or custom workflows.

Step-by-step solution guide

This solution enables secure, delegated removal of MacOS platform credentials using a CoreView workflow and Microsoft Graph API. 

The process starts with accessing the CoreView portal and setting up a custom workflow that gathers the target user information. Next, the workflow uses Graph API to check for a MacOS platform credential for the specified user, then deletes it if one is found. Finally, the solution covers publishing, testing, and assigning secure, role-based permissions, completing a seamless, compliant process for helpdesk teams.

Step 1: access the CoreView portal

To begin the process, we first log in to the CoreView web portal. This is where all workflow design and management tasks will take place.

Log in to the CoreView web portal using your organization’s credentials. 

 

If you do not possess an account, please contact your CoreView administrator to request access.

 

Step 2: navigate to the Workflows Section

In this step, we move to the dedicated area within CoreView where custom workflows are created and managed.
From the left-hand menu, navigate to “Actions > Manage workflows > Workflows”. This section allows you to design automation sequences.

Step 3: create a new Workflow

We start building our solution by creating a new, dedicated workflow that will automate the credential deletion process.
Click the “Create new” button to start the creation of a new workflow.

Step 4: name the Workflow and add Execution Inputs

Here, we give our Workflow a clear, descriptive name and set up an input field so operators can easily select which user's credentials to target.

Click the pencil icon next to the Workflow title and rename it to something that accurately reflects its purpose, e.g. “Delete MacOS Platform Credential”.

When editing the Workflow title or description, be sure to click the green check mark to save your changes.

 

Click the “Configure execution input” button to add an execution input for specifying the user whose platform credentials should be deleted. 

On the Configure Execution Input page, click the “Target” drop-down and choose “No target (custom attribute)”, then choose “Dropdown” from the “Type” list.

The dropdown Execution Input type is useful in situations where the operator who is executing the Workflow needs to select from a list of objects that exist in your environment.

 

Type “UserPrincipalName” in the “Insert name” field. This will be the name used to identify the execution input within the Workflow.

Select “UserPrincipalNames” from the “Value” drop-down menu.

When an operator executes the Workflow, this will produce a drop-down menu with a list of all the UserPrincipalNames in the organization which the signed-in operator has permission to see. 

 

Click the checkbox “Is required” to make the execution input required.

Click the “Save” button in the bottom-right corner of the window to save your changes.

Step 5: add an HTTP API GET step

In this phase, we add an action to the Workflow that securely checks for MacOS platform credentials using the Microsoft Graph API.

Add an HTTP API GET step, which will use Graph API to fetch the MacOS platform credentials for the selected user.

Click the “Add” button, then click “Action”.

In the fly-out that appears, choose “HttpApi” from the “Action category” drop-down.

Select “HTTP API GET” from the “Select action” drop-down.

Under the “Settings” section to the right, click the “Fields” drop-down and enable the “Secret key for bearer token” and “Content-Type” fields.

Click off the “Fields” drop-down to hide it, delete “Yes” from the “Ensure success status code” field, and click the lightning bolt/action icon to set the field to “No”.

Selecting “No” on the “Ensure success status code” field prevents the step from resulting in a Failed status when the call returns a failure code. This allows you to handle the exception rather than the workflow failing altogether.

 

In the “Url” field, type in 

https://graph.microsoft.com/v1.0/users/ 

and then click the lightning bolt/action icon. Ensure there are no spaces in the URL.

Select "UserPrincipalName" from the list of inputs.

Click on the “Url” field, then type in 

/authentication/platformCredentialMethods 

after the UserPrincipalName. Ensure there are no spaces.

Click the “Secret key for bearer token” field, then select Microsoft Graph Auth from the list of options. This instructs the action to use CoreView’s Graph token for the request.

Click the “Content-Type” field, then select “application/json” from the list of options.

Click the “Save” button in the bottom-right corner to save your settings.

Step 6: add a Dynamic Mapping

This step involves extracting the necessary information (the method ID) from the previous API call, so it can be used in later steps of the Workflow.

Create a Dynamic Mapping for passing the method id returned by the HTTP API GET action downstream. The ID will be used in the subsequent call to delete the platform credential method. 

Click the drop-down next to the “Publish” button, then click “Set dynamic mapping”.

Click the “Add dynamic mapping” button to create a new dynamic mapping, then select the HTTP API GET action from the “Actions” drop-down.

In the “Name” field, type in “MethodID”, and type Response.value[0].id into the “Path name” field, then click “Save”.

Step 7: add an HTTP API DELETE step

With the required credential ID from the previous step, we now add an automated step to remove the MacOS platform credential through the Graph API.

Add an HTTP API DELETE step, which will take the platform credential method ID returned by the previous step and use it to delete the credential method.

Click the down arrow below the HTTP API GET step, then click “Action”.

Select “HttpApi” from the “Action category” drop-down, then select “HTTP API DELETE” from the “Select action” menu.

Similar to creating the HTTP API GET step, click the “Fields” drop-down and add the following fields:

  • Secret key for bearer token
  • Body
  • Content-Type

Populate the fields as follows:

  • Ensure success status code: Yes
  • Url: https://graph.microsoft.com/v1.0/users/UserPrincipalName/authentication/platformCredentialMethods/MethodID
  • Secret key for bearer token: Microsoft Graph Auth
  • Content-Type: application/json

Click the “Save” button.

If you don’t want a failed HTTP API DELETE request to block the execution of additional actions, configure “Ensure success status code” to No.

 

Step 8: apply a Filter to the HTTP API DELETE step

We ensure our Workflow only tries to delete a credential if the previous check confirms one exists and is accessible, maintaining reliability.

Apply a Filter to the HTTP API DELETE step to ensure that it only runs if the GET step returned a successful status code.

Click the ellipses on the HTTP API DELETE step, then click “Filter”.

Click the “Property” field, then select the “StatusCode” output from the HTTP API GET step.

Select “Equals” in the “Operator” field and type “200” in the “Value” field, then click the “Save” button.

Applying this filter setting will ensure that the HTTP API DELETE step only executes when the HTTP API GET step returns a successful response, which means a platform credential method was found for the specified user.
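The decision that Steps 5 to 8 configure, written out as an added Python example (not CoreView's or the customer's code). It builds the DELETE URL from the page's endpoint without sending anything, and also covers two cases assumed here: a 200 response whose value list is empty, and a response with more than one credential, where value[0] is only the first entry. The function name plan_delete and the "review" outcome are hypothetical.

```python
from urllib.parse import quote

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"  # base URL from Step 5


def plan_delete(upn: str, get_status: int, get_body: dict) -> dict:
    """Decide what the DELETE step should do, given the GET step's output."""
    # Step 8 filter: only continue when the GET returned 200.
    if get_status != 200:
        return {"action": "skip", "reason": f"GET returned {get_status}"}

    methods = get_body.get("value") or []
    # Assumed case: 200 with an empty list, so value[0].id has nothing to map.
    if not methods:
        return {"action": "skip", "reason": "no platform credential returned"}
    # value[0] is only the first entry; with several, let the operator choose.
    if len(methods) > 1:
        return {"action": "review", "ids": [m.get("id") for m in methods]}

    method_id = methods[0].get("id")
    if not isinstance(method_id, str) or not method_id:
        return {"action": "skip", "reason": "first entry has no id"}

    # Percent-encode both path segments so characters such as '#' or '/'
    # in the UPN or the method ID cannot change the request path.
    url = (f"{GRAPH_USERS}/{quote(upn, safe='@')}"
           f"/authentication/platformCredentialMethods/{quote(method_id, safe='')}")
    return {"action": "delete", "url": url}


if __name__ == "__main__":
    # Constructed sample inputs (user names and IDs are made up); nothing is sent.
    samples = [
        ("avery@contoso.example", 200, {"value": [{"id": "constructed-id-0001"}]}),
        ("blake@contoso.example", 200, {"value": []}),
        ("casey@contoso.example", 404, {"error": {"code": "constructed"}}),
        ("devon@contoso.example", 200,
         {"value": [{"id": "constructed-id-0002"}, {"id": "constructed-id-0003"}]}),
    ]
    for upn, status, body in samples:
        print(upn, "->", plan_delete(upn, status, body))
```
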

 

Step 9: publish and test the Workflow

Next, we save, publish, and run the Workflow in a safe test scenario to confirm that it works as intended.

Click the “Save” button on the upper-right, then click “Save and publish”.

Test the workflow by clicking the ellipses button on the upper-right, then click “Run”.

On the “Workflow Run” screen, click the “User principal name” field and choose the user whose MacOS platform credential method you wish to delete.

You can use the search field to search for a specific user.

 

Click the “Next” button to proceed to the review page, then click “Submit” to run the Workflow.

You can click the bell icon in the ribbon at the top of the screen, then click “See workflow execution” to view the results.

Step 10: assign the Workflow to Permission Sets

Finally, we securely assign access to the Workflow only to appropriate operator roles in the helpdesk, ensuring delegated control and compliance.

Navigate to “Settings > Permissions”.

Find the permission set that you need to grant access to the new Workflow, then click the pencil icon.

You can search for a specific permission set by name using the column filter.

 

From the “Manage Permission” screen, navigate to the Workflows section, then find the new Workflow and check the box next to it to assign it to the permission set.

You can search for the Workflow by name using the column filter.

 

Click “Submit”, then “Confirm” to save the permission set.

 

Solution results

The law firm developed a CoreView Workflow that uses Microsoft Graph API to remove platform credentials for Mac devices. This workflow appears as a simple task in the CoreView portal, accessible to only the teams that need it thanks to CoreView Permissions.

Once implemented, helpdesk teams could complete MacOS platform credential removals in less than a minute, down from 10 - 15 minutes when escalation was required.

“Removing MacOS credentials is no longer a complex process—our helpdesk can handle it fast and securely, and our IT admins can focus on higher-value work,” reported the Helpdesk Team Lead.

Achieved benefits

  • Resolution time dropped from 10 – 15 minutes to under 1 minute.
  • Secure exposure of Graph API actions without granting Entra admin rights.
  • Clear audit trail of every credential removal in CoreView.
  • Maintained tight compliance and role-based access policies.
  • Improved helpdesk responsiveness and Mac user productivity.

This implementation proved that targeted Workflows can balance operational speed and security, yielding measurable ROI in time savings.

Lessons learned and best practices

  • Limit Workflow execution to scoped roles via CoreView’s role-based access control.
  • If necessary, use CoreView’s Virtual Tenants to limit an operator’s management scope to specific users, ensuring they can execute workflows only for those they are authorized to manage.
