Applies To: Dynamics 365 / Work 365
Audience: System Administrators, IT Teams
Overview
To enable the Work 365 Support Team to securely access your environment for troubleshooting or configuration assistance, create a dedicated support service account. This provides auditable, least-privileged access for Work 365 engineers—without using personal user credentials.
Reference: Work 365 Support Portal – Environment Access Policy
Steps
✅ Step 1: Create a User in Microsoft Entra ID (Azure AD)
Create a new member user (not a guest) with the alias: iotapsupport@<yourdomain>.com
Assign a valid Dynamics 365/Dataverse license, for example:
Dynamics 365 Customer Engagement Plan
Dynamics 365 Sales Enterprise
Power Apps per user
Tip: Use a randomly generated temporary password and require a password change on first sign-in.
✅ Step 2: Assign Roles in Dynamics 365 / Dataverse
Go to Admin Center → Environments → [Your Environment] → Settings → Security → Users.
Locate iotapsupport@<yourdomain>.com and assign:
System Administrator
Work 365 Admin
These roles provide the access required to diagnose and remediate Work 365 configuration issues.
Reference: Work 365 Documentation – Admin Roles and Permissions
✅ Step 3: Send Credentials Securely
Send the initial credentials via a secure, one-time method to: passwordmaster@iotap.com
Subject: <Your Company Name> Support Alias
Body:
Important: Share secrets only via a one-time, expiring mechanism approved by your security team.
✅ Step 4: Allow Third-Party OATH Tokens in Entra ID
Create a security group named Third Party OATH Allowed and add iotapsupport@<yourdomain>.com.
In Microsoft Entra admin center → Protection → Authentication methods → Policies:
Enable Third-party software OATH tokens.
Under Include groups, select Third Party OATH Allowed.
Save changes.
The Work 365 Support team will enroll their OATH token upon first access.
Key Notes
Secure Storage: The support credentials are stored in an encrypted vault by Work 365 Support and purged after initial access is established.
Correct Role Assignment: Ensure both System Administrator and Work 365 Admin are assigned.
Generic Alias: Always use iotapsupport@<yourdomain>.com (not a personal mailbox) for continuity and compliance.
MFA Handling: Do not bind the account to organization-owned MFA devices. The Work 365 Support team applies its own OATH-based MFA to this account.
Recommended Security Practices
Just-in-Time Access: Enable the account only during an active support engagement; disable it afterward.
Conditional Access: Restrict sign-in to approved IP ranges or require a compliant device if your policy allows.
Audit & Logging: Ensure Audit Tracking is enabled for key entities and verify sign-in logs for this user during/after the engagement.
Password Policy: Force a password reset on first use and rotate if the account remains enabled for future engagements.
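The user and group creation from Steps 1 and 4, together with the just-in-time enable/disable and sign-in review recommended above, can be scripted with the Microsoft Graph PowerShell SDK. The script below is an added example, not part of the Work 365 article or the Work 365 product; it assumes PowerShell 7 with the Microsoft.Graph module installed, and the tenant domain, usage location and licence SKU part number are placeholders you must replace. Step 2 (Dataverse role assignment) and the Authentication methods policy change in Step 4 remain admin-center tasks.

```powershell
# Added example (not Work 365's own code): automates Step 1, the group in Step 4,
# and the just-in-time / audit practices. Placeholders: $Domain, UsageLocation, $SkuPartNum.
Connect-MgGraph -Scopes "User.ReadWrite.All","Group.ReadWrite.All","Organization.Read.All","AuditLog.Read.All"

$Domain     = "yourdomain.com"            # placeholder: your verified tenant domain
$Upn        = "iotapsupport@$Domain"
$GroupName  = "Third Party OATH Allowed"
$SkuPartNum = "DYN365_ENTERPRISE_SALES"   # assumption: confirm with Get-MgSubscribedSku

# Step 1: member user (not a guest) with a random temporary password,
# change forced on first sign-in. RandomNumberGenerator.GetInt32 needs PowerShell 7.
$TempPassword = -join (1..24 | ForEach-Object {
    [char][System.Security.Cryptography.RandomNumberGenerator]::GetInt32(33, 127) })
$User = New-MgUser -DisplayName "Work 365 Support" -MailNickname "iotapsupport" `
    -UserPrincipalName $Upn -AccountEnabled:$true -UsageLocation "US" `
    -PasswordProfile @{ Password = $TempPassword; ForceChangePasswordNextSignIn = $true }

# Licence assignment (a usage location must be set before a licence can be added).
$Sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $SkuPartNum
Set-MgUserLicense -UserId $User.Id -AddLicenses @(@{ SkuId = $Sku.SkuId }) -RemoveLicenses @()

# Step 4: security group that the "Third-party software OATH tokens" policy will include.
$Group = New-MgGroup -DisplayName $GroupName -MailEnabled:$false `
    -MailNickname "thirdpartyoathallowed" -SecurityEnabled:$true
New-MgGroupMember -GroupId $Group.Id -DirectoryObjectId $User.Id

# Step 3: hand $TempPassword to your approved one-time secret channel; it is
# deliberately not written to the console or any log here.
Write-Host "Support account created; deliver the temporary password via a one-time secret link."

# Just-in-time access: keep the account disabled between engagements.
function Set-SupportAccountState {
    param([Parameter(Mandatory)][string]$UserPrincipalName, [Parameter(Mandatory)][bool]$Enabled)
    Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$Enabled
}
Set-SupportAccountState -UserPrincipalName $Upn -Enabled $false   # re-enable when the engagement starts

# Audit: review this account's recent sign-ins during and after the engagement.
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn'" -Top 50 |
    Select-Object CreatedDateTime, IpAddress, ClientAppUsed, @{n='ErrorCode';e={$_.Status.ErrorCode}}
```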
Summary
Create a dedicated iotapsupport@<yourdomain>.com user, assign System Administrator and Work 365 Admin roles, transmit initial credentials securely, and enable third-party OATH token authentication. This delivers secure, traceable access for Work 365 Support while meeting compliance and operational needs.