Promote User to Service Account

Overview

This guide provides step-by-step instructions for promoting an eligible user to a service account. Service accounts enable users to authenticate once and access multiple tenants where they have been granted permissions.

Prerequisites

Before promoting a user to a service account, ensure:

Required Permissions

  • You must be logged in as:
    • Administrator - Full system access
    • Tenant Admin - With user management permissions

User Eligibility

The user being promoted must have one of these roles:

  • Tenant Admin
  • Administrator

Note: Users with Analyst, Developer, or IT Admin roles cannot become service accounts due to security restrictions.

System Requirements

  • mindzie Studio Enterprise Server
  • Multi-tenant configuration enabled
  • At least one configured tenant to serve as home tenant

Step-by-Step Instructions

Step 1: Access User Management

  1. Log in to mindzie Studio with administrator credentials
  2. Click the Administration menu in the top navigation
  3. Select User Management from the dropdown menu

Expected Result: You should see the user management page with a list of all users in your tenant.

![User Management Page - Shows list of users with columns for Name, Email, Role, Account Type, and Actions]

Step 2: Identify Eligible Users

  1. Review the user list to find users eligible for service account promotion
  2. Look for users with Tenant Admin or Administrator roles
  3. Note that users with other roles will not have the promotion option available

Visual Indicators:

  • Eligible users will have a "Promote to Service Account" button in the Actions column
  • Ineligible users will only show "Edit" and "Delete" options

![User List - Highlighting eligible vs ineligible users based on role]

Step 3: Select User for Promotion

Option A: Single User Promotion

  1. Locate the specific user you want to promote
  2. Click the "Promote to Service Account" button in their row
  3. Proceed to Step 4

Option B: Bulk Promotion

  1. Check the checkboxes next to multiple eligible users
  2. Click the "Bulk Actions" dropdown at the top of the list
  3. Select "Promote to Service Accounts"
  4. Proceed to Step 4

![User Selection - Shows both single and bulk selection options]

Step 4: Configure Service Account Settings

When the promotion dialog appears:

  1. Review Selected Users

    • Verify the correct users are listed
    • Check their current roles are shown correctly
  2. Select Home Tenant

    • Click the "Home Tenant" dropdown
    • Choose the appropriate tenant where this service account will authenticate
    • Consider selecting the user's primary organization
  3. Review Security Warning

    • Read the warning about cross-tenant access implications
    • Understand that service accounts can access multiple tenants
    • Acknowledge that this grants elevated privileges

![Service Account Promotion Dialog - Shows user confirmation, home tenant selection, and security warning]

Step 5: Confirm Promotion

  1. After selecting the home tenant, click "Promote"
  2. A confirmation dialog will appear asking:
    Are you sure you want to promote these users to service accounts?
    This will allow them to access multiple tenants after authenticating
    at their home tenant.
    
  3. Click "Yes, Promote" to confirm

![Confirmation Dialog - Final confirmation before promotion]

Step 6: Verify Successful Promotion

After promotion completes:

  1. The page will refresh automatically
  2. Look for the success notification: "User(s) successfully promoted to service account"
  3. In the user list, verify:
    • The Account Type column now shows "Service Account" with an icon
    • The user's role remains unchanged
    • Additional service account actions are now available

![Success State - Shows user list with newly promoted service account indicated]

Alternative Method: Edit User Dialog

You can also promote users through the individual user edit dialog:

Step 1: Open User Edit Dialog

  1. Click "Edit" next to any eligible user
  2. The user edit dialog will open

Step 2: Navigate to Service Account Section

  1. Scroll down to find "Service Account Settings"
  2. This section will only appear for eligible users

Step 3: Enable Service Account

  1. Check the box "This is a service account"
  2. The "Home Tenant" dropdown will become enabled
  3. Select the appropriate home tenant

Step 4: Save Changes

  1. Click "Save" at the bottom of the dialog
  2. Confirm when prompted

![User Edit Dialog - Shows service account settings section within user edit form]

Post-Promotion Configuration

Immediate Next Steps

  1. Notify the User

    • Inform them of their new service account status
    • Provide their home tenant URL for authentication
    • Explain the new authentication process
  2. Grant Target Tenant Access

    • Navigate to each tenant where the service account needs access
    • Add appropriate permissions for the service account
    • Test access to verify configuration
  3. Document the Configuration

    • Record the service account creation
    • Document business justification
    • Note which tenants have granted access

Setting Up Cross-Tenant Access

For the service account to access other tenants:

  1. Log in to Target Tenant as an administrator
  2. Navigate to User Management
  3. Add Service Account User
  4. Assign Appropriate Permissions
  5. Test Access

Authentication Process for Service Accounts

After promotion, the user's authentication flow changes:

Standard Authentication Flow (Before)

  1. User navigates to specific tenant URL
  2. Enters credentials directly
  3. Accesses only that tenant

Service Account Flow (After)

  1. User navigates to any tenant URL
  2. System prompts for email address
  3. System identifies the user as a service account
  4. Redirects to home tenant for authentication
  5. After authentication, returns to target tenant
  6. Can switch between permitted tenants without re-authenticating
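
The flow above separates two decisions: where a user authenticates (the home tenant) and whether the target tenant has granted access. The following is an added example, not mindzie Studio code or its API: a small in-memory model of that separation. The class names, tenant names, e-mail address and return strings are assumptions; the eligibility rule and the two error messages are taken from this guide.

```python
from dataclasses import dataclass, field
from typing import Optional

ELIGIBLE_ROLES = {"Tenant Admin", "Administrator"}  # eligibility rule from this guide


@dataclass
class User:
    email: str
    role: str
    is_service_account: bool = False
    home_tenant: Optional[str] = None


@dataclass
class Directory:
    """Hypothetical in-memory model; not mindzie Studio code or its API."""
    users: dict = field(default_factory=dict)   # email -> User
    grants: dict = field(default_factory=dict)  # tenant -> emails granted there

    def promote(self, email: str, home_tenant: Optional[str]) -> None:
        user = self.users[email]
        if user.role not in ELIGIBLE_ROLES:
            raise ValueError("User role not eligible")
        if not home_tenant:
            raise ValueError("Home tenant required")
        user.is_service_account, user.home_tenant = True, home_tenant

    def auth_tenant(self, email: str, target: str) -> str:
        """Tenant that must perform authentication for a login at `target`."""
        user = self.users[email]
        return user.home_tenant if user.is_service_account else target

    def access(self, email: str, target: str, authenticated_at: str) -> str:
        required = self.auth_tenant(email, target)
        if authenticated_at != required:
            return f"redirect:{required}"   # authenticate at the right tenant first
        if email not in self.grants.get(target, set()):
            return "deny:no-grant"          # authenticated, but not authorized here
        return "allow"


def demo() -> list:
    d = Directory()
    d.users["ops@example.test"] = User("ops@example.test", "Tenant Admin")
    d.grants = {"tenant-a": {"ops@example.test"}}
    d.promote("ops@example.test", home_tenant="tenant-a")
    before = d.access("ops@example.test", "tenant-b", "tenant-a")
    d.grants["tenant-b"] = {"ops@example.test"}  # explicit grant by tenant-b's admin
    after = d.access("ops@example.test", "tenant-b", "tenant-a")
    return [before, after]
```

Calling demo() shows that a home-tenant login alone is denied at tenant-b until that tenant's administrator adds the explicit grant.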

Troubleshooting

Cannot See Promote Option

Problem: The "Promote to Service Account" button is not visible

Solutions:

  • Verify user has Tenant Admin or Administrator role
  • Check your own permissions (must be admin)
  • Ensure multi-tenant configuration is enabled
  • Refresh the page to update the UI

Home Tenant Not in Dropdown

Problem: Expected tenant doesn't appear in home tenant selection

Solutions:

  • Verify the tenant exists and is active
  • Check if you have permission to view that tenant
  • Contact system administrator to verify tenant configuration

Promotion Fails with Error

Problem: Error message appears when trying to promote

Common Errors and Solutions:

| Error Message | Solution |
| --- | --- |
| "User role not eligible" | User must have Tenant Admin or Administrator role |
| "Home tenant required" | Must select a home tenant before promoting |
| "Permission denied" | You need administrator privileges |
| "Database error" | Contact system administrator |

User Cannot Authenticate After Promotion

Problem: Service account cannot log in after promotion

Solutions:

  1. Verify home tenant URL is correct
  2. Check if home tenant authentication is configured
  3. Ensure user credentials are valid
  4. Try resetting the user's password
  5. Verify Azure AD/Identity configuration if applicable

Best Practices

Before Promotion

  • Document why the user needs service account access
  • Verify the user understands service account responsibilities
  • Choose the most appropriate home tenant
  • Plan which target tenants will need access

During Promotion

  • Promote users individually when possible for better tracking
  • Always review the security warning
  • Double-check home tenant selection
  • Take note of successful promotions for audit purposes

After Promotion

  • Test authentication immediately
  • Configure target tenant access promptly
  • Set up monitoring for service account usage
  • Schedule regular access reviews

Security Considerations

Important Warnings

  • Service accounts have elevated privileges
  • They can potentially access multiple customer environments
  • All actions are audited but damage could be widespread
  • Limit service accounts to essential users only

  1. Enable MFA - Require multi-factor authentication
  2. Strong Passwords - Enforce complex password requirements
  3. Regular Reviews - Audit service account usage monthly
  4. Access Logging - Monitor cross-tenant access patterns
  5. Time-Limited Access - Consider temporary service accounts when possible
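
One way to run the recurring review these recommendations call for, as an added example that is not part of mindzie Studio: a script that checks a service account inventory for missing MFA, missing justification, tenant grants that were never documented, and overdue reviews. The record fields, the sample records and the 31-day threshold are assumptions; the product's actual export format is not described in this guide.

```python
from datetime import date

ELIGIBLE_ROLES = {"Tenant Admin", "Administrator"}
MAX_REVIEW_AGE_DAYS = 31  # the guide recommends a monthly audit

# Constructed records; the field names are an assumed export format.
INVENTORY = [
    {"email": "ops@example.test", "role": "Tenant Admin",
     "account_type": "Service Account", "home_tenant": "tenant-a", "mfa": True,
     "justification": "CHG-PLACEHOLDER-1", "documented": {"tenant-b"},
     "granted": {"tenant-b"}, "last_review": date(2024, 5, 20)},
    {"email": "svc2@example.test", "role": "Administrator",
     "account_type": "Service Account", "home_tenant": "tenant-a", "mfa": False,
     "justification": "", "documented": {"tenant-b"},
     "granted": {"tenant-b", "tenant-c"}, "last_review": date(2024, 3, 1)},
    {"email": "dev@example.test", "role": "Developer",
     "account_type": "Standard", "home_tenant": None, "mfa": True,
     "justification": "", "documented": set(),
     "granted": set(), "last_review": None},
]


def review(inventory, today):
    """Return (email, finding) pairs for service accounts needing attention."""
    findings = []
    for acct in inventory:
        if acct["account_type"] != "Service Account":
            continue  # only service accounts carry cross-tenant reach
        issues = []
        if acct["role"] not in ELIGIBLE_ROLES:
            issues.append("role not eligible for service account")
        if not acct["home_tenant"]:
            issues.append("no home tenant")
        if not acct["mfa"]:
            issues.append("MFA not enabled")
        if not acct["justification"]:
            issues.append("no documented justification")
        # Grants present in a target tenant but absent from the documentation.
        for tenant in sorted(acct["granted"] - acct["documented"]):
            issues.append(f"undocumented grant: {tenant}")
        last = acct["last_review"]
        if last is None or (today - last).days > MAX_REVIEW_AGE_DAYS:
            issues.append("access review overdue")
        findings += [(acct["email"], issue) for issue in issues]
    return findings
```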

Frequently Asked Questions

Can I change the home tenant after promotion?

Yes, administrators can modify the home tenant assignment by editing the user and updating the Service Account Settings.

Can I demote a service account back to a regular user?

Yes, uncheck the "This is a service account" option in the user edit dialog to revert to a regular account.

What happens to existing permissions when promoting?

The user retains all existing permissions in their current tenant. Service account status only adds the ability to access other tenants.

Can service accounts access all tenants automatically?

No, service accounts must be explicitly granted permission in each target tenant. Authentication doesn't automatically grant authorization.

How many service accounts should we have?

Keep service accounts to a minimum. Only create them for users who genuinely need cross-tenant access as part of their role.

Next Steps

  1. Test Authentication - Have the user test logging in at their home tenant
  2. Configure Access - Set up permissions in target tenants
  3. Monitor Usage - Review service account activity logs
  4. Document Configuration - Record the setup for compliance