Set up Service Accounts

Service accounts are recommended to ensure reliable, auditable provisioning activity—separate from individual user behavior.

Why Use a Service Account?

Keeps auto-provisioning activity separate from day-to-day user actions
Avoids confusion in app logs or audit trails
Ensures consistent execution of provisioning tasks
Can be tightly scoped and monitored

Requirements

To work properly, your service account must:

Have the permissions required to create users and assign roles in the third-party app
Authenticate using username and password (not Single Sign-On), so Agent Cake can reliably log in
Be active in the target application (not suspended, pending invite, or limited access)

How to Create a Service Account

You have two options:

1. Create a dedicated user

Set up a separate user in your Identity Provider (e.g. Google Workspace, Entra ID)
Example: [email protected]
Assign the account to the third-party app with the required permissions

2. Use an email alias of an existing user

If you prefer not to create a new user, you can use an alias
Example: [email protected]
This still allows separation in the app but uses an existing mailbox

Note: Be aware that some third-party tools may charge for the additional seat used by the service account. For less security-critical apps, you may choose to use a real user account instead.

Additional Tips

You can often reuse a single service account across multiple apps, as long as access rights are properly configured
Always review the permission levels in each third-party app to make sure the account can complete the necessary actions
Keep service accounts clearly named and auditable for easier tracking

PreviousControl Provisioned Permissions NextMulti-Factor Authentication

Last updated 15 days ago

Was this helpful?