Overview
Service accounts are a specialized user type in mindzie Studio Enterprise that enable secure cross-tenant access. Unlike regular users who belong to a single tenant, service accounts can authenticate once and access multiple tenants where they have been granted permissions.
Key Benefits
For Organizations
- Simplified Management - One account instead of multiple per consultant
- Centralized Control - Manage access from a single location
- Audit Trail - Track cross-tenant activity from one identity
- Security - Controlled, auditable cross-tenant access
For Users
- Single Sign-On - Authenticate once, access multiple tenants
- Consistent Identity - Same credentials across all client tenants
- Streamlined Workflow - No need to switch between multiple accounts
Understanding Service Accounts
What Are Service Accounts?
Comprehensive guide explaining:
- When and why to use service accounts
- How they differ from regular accounts
- Security implications and benefits
- Common use cases and scenarios
Promote User to Service Account
Step-by-step instructions for:
- Identifying eligible users
- Performing the promotion
- Assigning home tenants
- Verifying the configuration
Manage Service Accounts
Ongoing management tasks:
- Viewing all service accounts
- Changing home tenant assignments
- Monitoring cross-tenant access
- Revoking service account status
Service Account Concepts
Home Tenant
Every service account has a designated "home tenant" where it authenticates:
- Service accounts always log in at their home tenant URL
- The home tenant manages the account's identity
- Authentication happens once at the home tenant
- Access tokens are then valid across permitted tenants
Cross-Tenant Access
After authentication, service accounts can access other tenants:
- Requires explicit permission grant in each target tenant
- Permissions are managed independently in each tenant
- Access can be revoked without affecting the account itself
- Activity is logged in both home and target tenants
Eligibility Requirements
Not all users can become service accounts:
- Eligible Roles: Tenant Admin, Administrator
- Ineligible Roles: Analyst, Developer, IT Admin
- This restriction ensures only high-privilege users get cross-tenant access
Common Use Cases
Consulting Firms
External consultants working with multiple clients:
- Single identity for all client engagements
- Easy switching between client tenants
- Centralized credential management
- Clear audit trail for compliance
Managed Service Providers
MSPs supporting multiple customer organizations:
- Support staff access multiple customers
- Technical consultants work across tenants
- Centralized identity management
- Simplified onboarding/offboarding
Enterprise Organizations
Large companies with multiple divisions:
- Corporate IT supporting all divisions
- Shared service teams accessing multiple units
- Auditors reviewing multiple tenants
- Executive oversight across organization
Service Account Workflow
1. Initial Setup
Administrator/Tenant Admin
|
v
Select Eligible User (Tenant Admin or Administrator role)
|
v
Enable Service Account Status
|
v
Assign Home Tenant
|
v
Service Account Created
2. Authentication Flow
Service Account User
|
v
Navigate to Home Tenant URL
|
v
Authenticate (Azure AD or Identity)
|
v
Access Home Tenant
|
v
Switch to Target Tenant (if permitted)
3. Access Management
Target Tenant Admin
|
v
Grant Permission to Service Account
|
v
Service Account Can Access
|
v
Monitor and Audit Access
|
v
Revoke When No Longer Needed
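The rules in "Service Account Concepts" (home-tenant login, per-tenant grants, revocation that leaves the account intact, logging in both tenants, role eligibility) and the three workflow diagrams above map onto a small authorization model. The following Python is an added illustration written for this page; it is not mindzie Studio code and does not use its API. The Directory, Tenant, User and Session names, the tuple-shaped audit entries and the tenant names "firm", "client-a" and "client-b" are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Roles that may be promoted, as stated on the page.
ELIGIBLE_ROLES = {"Tenant Admin", "Administrator"}


@dataclass
class Tenant:
    name: str
    # Service-account usernames this tenant has explicitly granted access to.
    # Managed independently per tenant, so a revoke here never touches the account.
    granted: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)


@dataclass
class User:
    username: str
    role: str
    home_tenant: Optional[str] = None   # set only once promoted
    is_service_account: bool = False


@dataclass
class Session:
    """Result of authenticating once at the home tenant (stands in for an access token)."""
    username: str
    home_tenant: str


class Directory:
    """Hypothetical identity store holding every tenant (assumption for this example)."""

    def __init__(self) -> None:
        self.tenants: dict[str, Tenant] = {}

    def add_tenant(self, name: str) -> Tenant:
        self.tenants[name] = Tenant(name)
        return self.tenants[name]

    def promote(self, user: User, home_tenant: str) -> User:
        """Enable service-account status; only the eligible roles may be promoted."""
        if user.role not in ELIGIBLE_ROLES:
            raise PermissionError(f"{user.role} is not eligible for service-account status")
        if home_tenant not in self.tenants:
            raise ValueError(f"unknown home tenant {home_tenant!r}")
        user.is_service_account, user.home_tenant = True, home_tenant
        self.tenants[home_tenant].audit_log.append(("promote", user.username))
        return user

    def grant(self, tenant: str, username: str) -> None:
        self.tenants[tenant].granted.add(username)
        self.tenants[tenant].audit_log.append(("grant", username))

    def revoke(self, tenant: str, username: str) -> None:
        self.tenants[tenant].granted.discard(username)
        self.tenants[tenant].audit_log.append(("revoke", username))

    def authenticate(self, user: User, login_tenant: str) -> Session:
        """Service accounts sign in only at their home tenant URL."""
        if not user.is_service_account or login_tenant != user.home_tenant:
            raise PermissionError("service accounts authenticate only at their home tenant")
        self.tenants[login_tenant].audit_log.append(("login", user.username))
        return Session(user.username, user.home_tenant)

    def access(self, session: Session, target: str) -> bool:
        """Home tenant is always reachable; other tenants only when granted. Logged in both."""
        home, tgt = self.tenants[session.home_tenant], self.tenants[target]
        allowed = target == session.home_tenant or session.username in tgt.granted
        entry = ("access" if allowed else "denied", session.username, target)
        home.audit_log.append(entry)
        if target != session.home_tenant:
            tgt.audit_log.append(entry)
        return allowed


def demo() -> dict:
    """Walk the page's workflow: promote, authenticate, grant, access, revoke."""
    d = Directory()
    for name in ("firm", "client-a", "client-b"):   # constructed tenant names
        d.add_tenant(name)
    try:                                            # ineligible role is refused
        d.promote(User("dana", "Analyst"), "firm")
        analyst_blocked = False
    except PermissionError:
        analyst_blocked = True
    consultant = d.promote(User("sam", "Tenant Admin"), "firm")
    session = d.authenticate(consultant, "firm")   # one login at the home tenant
    before_grant = d.access(session, "client-a")   # no grant yet -> denied, logged twice
    d.grant("client-a", "sam")
    after_grant = d.access(session, "client-a")
    d.revoke("client-a", "sam")                    # account itself is unaffected
    after_revoke = d.access(session, "client-a")
    return {
        "analyst_blocked": analyst_blocked,
        "before_grant": before_grant,
        "after_grant": after_grant,
        "after_revoke": after_revoke,
        "still_service_account": consultant.is_service_account,
        "client_a_log": list(d.tenants["client-a"].audit_log),
        "home_log": list(d.tenants["firm"].audit_log),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running demo() shows the denied attempt before the grant and the one after revocation recorded in both the home tenant and client-a, which is the property the "Audit and Compliance" section relies on: a reviewer of either tenant's log sees the same service-account identity.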
Security Considerations
Authentication Security
- Service accounts should use strong authentication
- Multi-factor authentication recommended
- Regular password/credential updates
- Monitor for unusual login patterns
Access Control
- Grant minimum necessary permissions
- Regular access reviews
- Document business justification
- Time-bound access when possible
Audit and Compliance
- All actions logged with service account identity
- Regular audit of cross-tenant access
- Compliance reporting capabilities
- Activity monitoring and alerts
Best Practices
Creating Service Accounts
- Document business need
- Verify user role eligibility
- Choose appropriate home tenant
- Configure with minimum permissions
- Enable additional security (MFA)
Managing Service Accounts
- Regular access reviews (quarterly)
- Prompt revocation when not needed
- Monitor activity logs
- Update documentation
- Training for service account users
Security Guidelines
- Limit number of service accounts
- Use dedicated accounts (not personal)
- Implement strong authentication
- Regular security audits
- Incident response planning
Troubleshooting
Cannot Create Service Account
- Check Role: User must be Tenant Admin or Administrator
- Permissions: The administrator performing the promotion must have the required permissions
- Home Tenant: Verify home tenant is properly configured
Authentication Issues
- Wrong URL: Ensure using home tenant URL
- Credentials: Verify credentials are correct
- MFA: Complete multi-factor authentication if enabled
Access Problems
- Permissions: Verify that access has been granted in the target tenant
- Session: Check if session expired
- Tenant Switching: Ensure you have switched to the correct tenant context
Frequently Asked Questions
Q: Can any user become a service account?
A: No, only users with Tenant Admin or Administrator roles can become service accounts due to security requirements.
Q: Can a service account's home tenant be changed?
A: Yes, administrators can change the home tenant assignment, but this should be done carefully to avoid authentication issues.
Q: How many tenants can a service account access?
A: There's no technical limit, but access must be explicitly granted by each tenant's administrator.
Q: Are service account actions audited?
A: Yes, all service account actions are logged in both the home tenant and any accessed tenants.
Related Documentation
- User Roles Guide
- Tenant Management
- Authentication Configuration
- Security Best Practices (Coming Soon)