Here we describe how to prepare for tenant installation and describe the impacts of each option applied during tenant installation.
What is tenant installation?
To manage a tenant with Configuration Manager, it first needs to be installed on the Configuration Manager platform.
The installation process provisions essential resources in the Azure DevOps backend. This includes:
- creating a dedicated repository for storing configuration data
- establishing a Sync pipeline for tenant synchronization
In addition, the installation process may make changes to your tenant depending on the options selected at install time. These options are described below.
Authentication method
During the installation process, you will need to choose an authentication method: Service Account or Delegated Authentication. We recommend choosing this in advance, following our guide, to select the method that adheres to the security practices and guidelines of your organization.
What happens when I install a tenant?
Depending on the options chosen during installation, the following modifications may occur to the tenant being installed:
Service Principal for authentication and management
Configuration Manager uses a Service Principal to authenticate the tenant and manage certain configurations.
By default, a service principal is created within the tenant during Configuration Manager installation. However, if you prefer not to use the default service principal, you have the option to use a custom service principal of your choosing.
Service Account authentication
Choosing Service Account authentication will result in the creation of an Entra ID user account within the tenant for Configuration Manager's use. The service account user is assigned the Global Administrator role. If you need further information on what a service account is, refer to our guide.
Please note that using a service account is optional and not required.
If you would prefer not to use the service account, you can choose the Delegated Authentication method, as no changes to user accounts will occur in the tenant as part of the installation process.
This account is designated as the M365 Management Service Account, with the UPN following this format:
simeon@tenantdomain.com
If you opt for the Delegated Authentication method and specify a custom service principal, Configuration Manager will not make any changes to the tenant during installation.
What are the prerequisites for installation?
Configuration Manager is compatible with most Microsoft M365 tenants, but there are specific requirements that need to be met before you can install a tenant on Configuration Manager:
- Your tenant must be hosted on either the global Azure or the Government Community Cloud (GCC).
Please note, Configuration Manager currently does not support GCC High and DoD environments.
- Ensure that your tenant has an active Microsoft 365 license. Configuration Manager supports all license SKUs.
- To deploy the Configuration Manager baseline configurations, we recommend at least a Microsoft F3 and Entra P2 license.
You can check your tenant's licenses in the Azure Portal under “All products”.