User Management/service Accounts/manage Service Accounts

Overview

This guide covers the ongoing management of service accounts after they have been created. Learn how to view, modify, monitor, and maintain service accounts to ensure secure and efficient cross-tenant access.

Service Account Management Tasks

Quick Reference

• View All Service Accounts - See all service accounts in your organization
• Modify Home Tenant - Change where a service account authenticates
• Grant/Revoke Access - Manage which tenants a service account can access
• Monitor Activity - Track service account usage and actions
• Demote Service Accounts - Revert to regular user accounts
• Audit Access - Review permissions and usage patterns

Viewing Service Accounts

Method 1: Filtered User List

1. Navigate to Administration → User Management
2. Click the Filter dropdown
3. Select "Service Accounts Only"
4. The list will show only service accounts

Information Displayed:

• User name and email
• Current role
• Home tenant assignment
• Last login time
• Number of accessible tenants

![Service Account List View - Filtered to show only service accounts with relevant columns]

Method 2: Dedicated Service Account Dashboard

1. Navigate to Administration → Service Accounts
2. View the comprehensive service account dashboard

Dashboard Sections:

• Active Service Accounts - Currently enabled accounts
• Recent Activity - Latest cross-tenant access
• Access Matrix - Which accounts access which tenants
• Alerts - Unusual activity or required actions

![Service Account Dashboard - Comprehensive view of all service account activity]

Modifying Service Accounts

Changing Home Tenant Assignment

The home tenant is where a service account authenticates. To change it:

1. Access User Edit

   • Navigate to User Management
   • Click Edit next to the service account

2. Modify Home Tenant

   • Scroll to Service Account Settings
   • Click the Home Tenant dropdown
   • Select the new home tenant

3. Save and Notify

   • Click Save to apply changes
   • Notify the user of the change
   • Update any documentation

![Home Tenant Change - Shows the interface for modifying home tenant assignment]

Warning: Changing the home tenant will require the user to authenticate at the new location. Ensure they are informed before making this change.

Modifying Permissions

Service account permissions are managed in two places:

In Home Tenant (Identity Management)

Controls the account itself:

• Password resets
• MFA configuration
• Account enable/disable
• Role assignment

In Target Tenants (Access Management)

Controls what the account can do:

• Feature access
• Data permissions
• Administrative rights
• Temporal access limits

Granting Access to Additional Tenants

1. Log in to Target Tenant as administrator

2. Navigate to User Management

3. Add External User

   • Click "Add External User"
   • Enter service account email
   • Select "Service Account" as type

4. Configure Permissions

   • Assign appropriate role
   • Set specific permissions
   • Configure access duration if temporary

5. Activate Access

   • Click "Grant Access"
   • Service account can now access this tenant

![Grant Tenant Access - Process for adding service account to new tenant]

Monitoring Service Account Activity

Activity Logging

All service account actions are logged for audit purposes:

1. Access Activity Logs

   • Navigate to Administration → Audit Logs
   • Filter by "Service Accounts"

2. Review Log Entries Each log entry shows:

   • Timestamp of action
   • Service account identity
   • Target tenant accessed
   • Actions performed
   • Source IP address

![Activity Log View - Service account audit trail]

Setting Up Alerts

Configure alerts for important service account events:

1. Navigate to Alert Configuration

   • Go to Administration → Security → Alerts

2. Create Service Account Alerts Configure alerts for:

   • First-time tenant access
   • Failed authentication attempts
   • Unusual access patterns
   • Permission changes
   • After-hours access

3. Set Alert Recipients

   • Add security team emails
   • Configure notification methods
   • Set alert severity levels

Regular Access Reviews

Implement a review schedule:

Weekly Reviews

• Check for failed login attempts
• Review new tenant access grants
• Monitor unusual activity patterns

Monthly Reviews

• Audit all service account permissions
• Verify business justification still valid
• Check for inactive accounts
• Review access patterns

Quarterly Reviews

• Comprehensive permission audit
• Validate home tenant assignments
• Update documentation
• Revoke unnecessary access

Revoking Service Account Access

Removing Access from Specific Tenants

1. Log in to Target Tenant as administrator
2. Navigate to User Management
3. Find the Service Account
4. Click "Revoke Access"
5. Confirm Revocation

The service account immediately loses access to that tenant but remains active in other tenants.

![Revoke Tenant Access - Removing service account from specific tenant]

Temporary Suspension

To temporarily disable a service account:

1. Navigate to User Management in home tenant
2. Click Edit on the service account
3. Toggle "Account Enabled" to OFF
4. Save Changes

This immediately prevents authentication without deleting the account.

Complete Demotion

To revert a service account to a regular user:

1. Edit the User

   • Navigate to User Management
   • Click Edit on the service account

2. Disable Service Account Status

   • Uncheck "This is a service account"
   • The home tenant field will be disabled

3. Save and Confirm

   • Click Save
   • Confirm the demotion when prompted

4. Post-Demotion Actions

   • User loses cross-tenant access immediately
   • Existing permissions in home tenant remain
   • Must be re-granted access in other tenants as regular user

![Service Account Demotion - Converting back to regular user]

Best Practices for Management

Documentation Standards

Maintain documentation for each service account:

Service Account: support-team-alpha@company.com
Created: 2024-01-15
Home Tenant: Company HQ
Business Justification: Customer support across all client tenants
Accessible Tenants:
  - Client A (Read-only)
  - Client B (Support role)
  - Client C (Admin role - temporary until 2024-03-01)
Last Review: 2024-02-15
Next Review: 2024-03-15

Access Control Guidelines

1. Principle of Least Privilege

   • Grant minimum necessary permissions
   • Use role-based access where possible
   • Avoid blanket administrative access

2. Time-Bound Access

   • Set expiration dates for temporary needs
   • Review and renew rather than permanent grants
   • Automate revocation where possible

3. Segregation of Duties

   • Separate who can create vs. who can approve
   • Different admins for home vs. target tenants
   • Audit reviews by independent team

Security Monitoring

Real-Time Monitoring

• Failed authentication attempts
• Access from new IP addresses
• Privilege escalation attempts
• Mass data exports

Periodic Analysis

• Access pattern changes
• Dormant account detection
• Permission creep identification
• Cross-tenant access trends

Common Management Scenarios

Scenario 1: Employee Role Change

Situation: A consultant is promoted to internal staff and no longer needs service account access.

Actions:

1. Review current tenant access list
2. Demote from service account to regular user
3. Maintain access to home tenant only
4. Document the change
5. Notify affected tenants

Scenario 2: Temporary Project Access

Situation: A service account needs 30-day access to a new client tenant.

Actions:

1. Document business justification
2. Grant access with expiration date
3. Set calendar reminder for review
4. Configure alerts for this access
5. Automatically revoke after expiration

Scenario 3: Security Incident Response

Situation: Suspicious activity detected from a service account.

Actions:

1. Immediately suspend the account
2. Review recent activity logs
3. Reset credentials if compromise suspected
4. Investigate across all accessible tenants
5. Re-enable only after investigation complete

Scenario 4: Offboarding

Situation: User with service account is leaving the organization.

Actions:

1. Disable account immediately in home tenant
2. This automatically prevents all cross-tenant access
3. Review and transfer any critical responsibilities
4. After transition period, delete the account
5. Document in offboarding checklist

Troubleshooting Common Issues

Service Account Cannot Access Tenant

Diagnostic Steps:

1. Verify account is still active in home tenant
2. Check if access was granted in target tenant
3. Confirm no recent permission changes
4. Review any access expiration dates
5. Check for tenant-specific authentication issues

Excessive Access Alerts

Solutions:

• Review if access patterns are legitimate
• Adjust alert thresholds if too sensitive
• Consider time-zone differences
• Verify not automated/scheduled tasks
• Implement allowlisting for known patterns

Cannot Modify Service Account

Common Causes:

• Insufficient permissions (need admin role)
• Account locked due to security policy
• Database synchronization issues
• Concurrent edit by another admin

Automation and Integration

API Management

Service accounts can be managed programmatically:

GET /api/v1/serviceaccounts
POST /api/v1/serviceaccounts/{id}/grant-access
DELETE /api/v1/serviceaccounts/{id}/revoke-access
PUT /api/v1/serviceaccounts/{id}/home-tenant

PowerShell Management

Example scripts for common tasks:

# List all service accounts
Get-MindzieServiceAccounts -TenantId $tenantId

# Grant tenant access
Grant-MindzieTenantAccess -ServiceAccountId $id -TargetTenant $tenant

# Revoke tenant access
Revoke-MindzieTenantAccess -ServiceAccountId $id -TargetTenant $tenant

Scheduled Reviews

Automate compliance reviews:

• Monthly permission reports
• Quarterly access audits
• Annual justification reviews
• Dormant account detection

Compliance and Auditing

Audit Requirements

Maintain records of:

• All service account creations
• Permission modifications
• Access grants and revocations
• Authentication events
• Administrative actions

Compliance Reports

Generate reports for:

• Access Matrix - Who can access what
• Activity Summary - Usage patterns
• Permission Changes - Audit trail
• Incident Response - Security events

Retention Policies

• Activity Logs: Minimum 1 year
• Permission Changes: Minimum 3 years
• Security Incidents: Minimum 7 years
• Access Reviews: Minimum 3 years

Summary

Effective service account management requires:

• Regular Monitoring - Stay aware of usage patterns
• Periodic Reviews - Ensure access remains justified
• Clear Documentation - Track all decisions and changes
• Security Focus - Protect these powerful accounts
• Automation - Reduce manual overhead where possible

Related Documentation

• What Are Service Accounts?
• Promote User to Service Account
• User Roles Guide
• Audit Log Configuration (Coming Soon)
• Security Best Practices (Coming Soon)

Next Steps

1. Review Existing Accounts - Audit current service accounts
2. Implement Monitoring - Set up activity alerts
3. Schedule Reviews - Calendar regular audits
4. Document Procedures - Create internal guidelines
5. Train Team - Ensure admins understand management procedures