For CiraSync Enterprise Edition, we recommend that users create a dedicated Service Account to serve as the Global Administrator for CiraSync. The Service Account does not need to hold the Global Administrator role beyond the first login. The account can be demoted to a User Mailbox in Office 365 while still offering the same functionality of granting and authorizing consent for CiraSync.
Furthermore, CiraSync is a Microsoft Azure application that uses the Daemon service. This means that a Global Administrator grants consent and CiraSync receives this access as a token. This token allows the CiraSync Service Account’s Dashboard management to authorize sync tasks and push new and updated information to user mailboxes.
- The Service Account can have Multifactor Authentication (MFA) added to it. We recommend completing this step before logging in to the Dashboard with the account for the first time.
- Set up MFA for your CiraSync tenant.
- Or create a secure Service Account login:
  - Create a strong 16-character password for the Service Account. For example, @bE6CwqCW!1l0nw6.
  - Use an account login name that would be hard to guess. For example, Secure-A-Sync. Read more on how to create a secure login name here.
- Do not reuse this account for any other software or application.
- Do not log in to this account to manage the CiraSync Dashboard. You can set up role-based administration for your users, so they can manage the Dashboard using their own Office 365 identities.
- Make CiraSync use the Service Account for authentication and syncing purposes.
- Demote the CiraSync Service Account from the Global Administrator Role to the User Mailbox role. This can only be done after logging in to the CiraSync Dashboard once with the Service Account.
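
One way to confirm the demotion in the last step, as an added example that is not part of the CiraSync documentation. It assumes the Microsoft Graph PowerShell SDK is installed, and the account name is a placeholder to replace with your own Service Account.

```powershell
# Added example: verify that the CiraSync Service Account no longer holds
# the Global Administrator role after it has been demoted.
# Assumption: placeholder UPN, replace with your Service Account.
$ServiceAccountUpn = 'Secure-A-Sync@contoso.example'

# Well-known template ID of the built-in Global Administrator role.
$GlobalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'

# A read-only directory scope is enough for this check.
Connect-MgGraph -Scopes 'Directory.Read.All' | Out-Null

$user = Get-MgUser -UserId $ServiceAccountUpn -ErrorAction Stop

# memberOf returns groups and directory roles as generic directory objects;
# keep only the directory roles. This covers active, direct assignments only,
# not PIM-eligible roles or roles inherited through a group.
$roles = Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' }

$isGlobalAdmin = $false
foreach ($role in $roles) {
    $name       = $role.AdditionalProperties['displayName']
    $templateId = $role.AdditionalProperties['roleTemplateId']
    Write-Output "Role still assigned: $name"
    if ($templateId -eq $GlobalAdminTemplateId) { $isGlobalAdmin = $true }
}

if ($isGlobalAdmin) {
    Write-Warning "$ServiceAccountUpn is still a Global Administrator. Demote it once the first Dashboard login is done."
}
elseif (-not $roles) {
    Write-Output "$ServiceAccountUpn holds no directory roles."
}
else {
    Write-Output "$ServiceAccountUpn is not a Global Administrator, but other roles remain (listed above)."
}

Disconnect-MgGraph | Out-Null
```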