In order to create a Microsoft Advertising credential in Funnel, Microsoft work accounts provisioned via Microsoft Entra ID (Entra) must have sufficient Entra privileges to be able to consent to access permissions required by the enterprise application Funnel-Microsoft-Ads-Connector
which is hosted on Funnel's own Entra tenant.
Service principals
When a work account with sufficient Entra privileges initially consents to the permissions required by Funnel-Microsoft-Ads-Connector
, a service principal is created on the Entra tenant that the consenting work account is associated with. A service principal is not an enterprise application, instead it is an artefact that authorises the Funnel-Microsoft-Ads-Connector
enterprise application to access resources on a third-party tenant. See Microsoft's documentation on service principals and applications and on how service principals are created.
Initially, only work accounts with privileges for creating and administering service principals in Entra can consent to the permissions required by Funnel-Microsoft-Ads-Connector
. For reference, the following Microsoft Entra built-in roles have sufficient privileges for creating service principals:
Application Administrator
Cloud Application Administrator
Hybrid Identity Administrator
Once a service principal for Funnel-Microsoft-Ads-Connector
has been created on a tenant, all work accounts associated with the tenant will be able to consent to access permissions required by Funnel-Microsoft-Ads-Connector
via the Microsoft sign-in dialogue displayed when creating credentials in Funnel. Active service principals are listed on the Entra admin centre enterprise applications page.
Creating a service principal for Funnel-Microsoft-Ads-Connector
If an admin consent workflow is enabled in Entra, work accounts attempting to create Microsoft Advertising credentials in Funnel will be able to submit admin consent requests directly from the Microsoft dialogue shown after singing in to Microsoft via Funnel. These can then be approved via the Admin consent requests dashboard in the Microsoft Entra admin center.
If no admin consent workflow is enabled, a work account with sufficient privileges for creating service principals and fulfilling the conditions for connecting to Microsoft Advertising must successfully create a Microsoft Advertising credential in Funnel by consenting to the permissions in the delegated access dialogue displayed after signing in via Funnel.