Tenant Configurations: choose your authentication method

To allow Configuration Manager to read and manage tenant configurations, an authentication method must be configured for each tenant installed on the platform.

During onboarding, you will be prompted to:

• Create the Configuration Manager app by using a service principal identity (application authentication).
• Create an Advanced Management Service Account (delegated authentication).

Application authentication method

Creating the Configuration Manager app is required to manage configurations through Configuration Manager. When application authentication is used, only a limited set of configurations is available.

Key points about this authentication method:

• Not all configurations can be synced, because Microsoft support for this method is limited.
• Configuration Manager uses the service principal to sync configurations wherever supported.
• For configurations that cannot be synced through the service principal, Configuration Manager falls back, where available, to delegated authentication.
• Using a service principal for supported configurations improves security because no user account is involved.

If the Configuration Manager app is not created during the onboarding process, it can be created later in the app under Settings > Organization Settings > Consent management by selecting “Create app” next to the “Create Configuration Manager app” banner.

Delegated authentication method

Delegated authentication, provided through the creation of an Advanced Management Service Account, is optional and gives access to additional configurations.

During onboarding, in the “Configurations” step, select “Create Management Service Account”. This creates the following service account in the tenant: 4ward365.admin@yourdomain.com.

This step can also be skipped during onboarding and completed later. In that case, the management session can be enabled later in the app. For more information, see configure the management session.