Summary: Cayosoft recommends using a service account with Domain Admins rights for Active Directory and Exchange management, and an account with the Global Admin role for MS 365 management. Global Admin role assignment is not a hard requirement, but it does make it easier to configure Cayosoft Administrator. If you need to restrict the rights of the Cayosoft service accounts, this article contains the minimum set of roles and permissions to delegate.
Applies to: Cayosoft Administrator 5.4 or later.
ID: KB20181207-1
Permissions required for Active Directory management
The AD connection account is the account used as the Active Directory domain credentials in the Active Directory extension. The AD Service Account should have access to user, contact, group, and computer objects, and should also have Read all permissions in each managed domain.
We recommend using the same AD account as the Cayosoft Administrator Service account and as the AD Service Account in the Active Directory extension configuration.
Important: The Service Account should have Local Administrator permissions on the workstation or server where the product will be installed.
Delegate control over user objects
- Run the Active Directory Users and Computers tool
- Right-click the domain and choose Delegate Control
- Click Next to advance past the first step of the wizard.
- Click Add and specify the AD Service Account name, then click OK.
- Click Next.
- Leave the default setting of "Delegate the following common tasks:"
- Check the following:
- Create, delete and manage user accounts
- Reset user passwords and force password change at next logon
- Read all user information
- Modify the membership of a group
- Click Next
- Click Finish
Delegate control over computer, contact and group objects
- Run the Active Directory Users and Computers tool
- Right-click the domain and choose Delegate Control.
- Click Next to advance past the first step of the wizard.
- Click Add and specify the AD Service Account name, then click OK.
- Click Next.
- Click Create a custom task to delegate and click Next.
- Click Only the following objects in the folder.
- Select Computer objects, Contact objects and Group objects from the list.
- Select Create selected objects in this folder.
- Select Delete selected objects in this folder.
- Click Next.
- In the Permissions list, check Full Control.
- Click Next.
- Click Finish.
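To verify the result of the two delegation procedures above (user objects, and computer/contact/group objects), the following added example lists the ACEs the AD Service Account holds on the domain root and resolves the object-type GUIDs to class and extended-right names. It is not part of the Cayosoft KB; it assumes the RSAT ActiveDirectory module is installed, and the account name CONTOSO\svc-cayosoft is a placeholder.

```powershell
# Added example, not from the Cayosoft KB: show what the AD Service Account has actually
# been delegated on the domain root, so it can be compared with the minimum set above.
# Assumes the RSAT ActiveDirectory module (provides the AD: drive). Account name is a placeholder.
Import-Module ActiveDirectory

function Get-ServiceAccountDelegation {
    param([Parameter(Mandatory)][string]$Identity)   # e.g. 'CONTOSO\svc-cayosoft'

    $rootDse = Get-ADRootDSE

    # Map GUID -> name for schema classes/attributes and for extended rights
    # (e.g. "Reset Password"), since ACEs reference both only by GUID.
    $guidMap = @{}
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties rightsGuid, displayName |
        ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

    $resolve = {
        param([guid]$g)
        if ($g -eq [guid]::Empty) { 'All' }
        elseif ($guidMap.ContainsKey($g)) { $guidMap[$g] }
        else { "$g" }   # unknown GUID: leave it raw rather than guess
    }

    # The Delegate Control wizard in the steps above writes ACEs on the domain root;
    # change the path to an OU's DN if you delegated on an OU instead.
    $acl = Get-Acl -Path "AD:\$($rootDse.defaultNamingContext)"
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        ForEach-Object {
            [pscustomobject]@{
                Type         = $_.AccessControlType
                Rights       = $_.ActiveDirectoryRights
                AppliesTo    = & $resolve $_.ObjectType          # attribute, extended right, or 'All'
                InheritedObj = & $resolve $_.InheritedObjectType # object class the ACE is scoped to
                Inheritance  = $_.InheritanceType
            }
        }
}

Get-ServiceAccountDelegation -Identity 'CONTOSO\svc-cayosoft' | Format-Table -AutoSize
```

Entries whose InheritedObj is anything other than user, computer, contact or group, or whose Rights is GenericAll on 'All', indicate the account has been granted more than the minimum described in this article.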
Delegate control to manage users' Home Folders
The Windows connection account, configured to run the Cayosoft Admin Service, should have Full control permission over the network shared folder where home folders for Active Directory users are created:
- Log in as Administrator on the machine where the shared folder is located.
- Navigate to the folder and open its Properties.
- Go to the Sharing tab and click Advanced Sharing...
- Click Permissions.
- In the Permissions dialog that appears, click Add..., specify the Windows Service Account name, then click OK.
- Ensure that the account you just added is selected in the Group or user names section.
- Set Allow for the Full control permission.
- Click OK to close all dialog boxes.
Permissions required for Exchange On-Premises Management
The Exchange connection account is the account used as the Exchange credentials in the Microsoft Exchange extension. This Exchange Service Account should be added to the Organization Management security group:
- Open the Active Directory Users and Computers tool
- Navigate to Domain > Microsoft Exchange Security Groups container > Organization Management group.
- Open the group's Properties, Members Tab.
- Click Add..., specify the AD Service Account name, then click OK.
- Click OK on Properties dialog.
Permissions required for MS 365 Management
The MS 365 connection account is the account used as the MS 365 credentials in the Microsoft 365 Extension.
The initial Cayosoft configuration should be performed using the MS 365 account with the Global Administrator role assigned. After the configuration is completed, you can change the roles of the MS 365 Service Account as described below.
The Global Administrator role is required to grant consent for the MS Graph application, which is used for Adoption report collection and various MS 365 management tasks. Once admin consent is granted, the Global Administrator permissions are no longer necessary for the Service Account, so you can change them.
These are step-by-step instructions on how to configure Cayosoft Administrator to manage MS 365 under an account without the Global Admin role:
- Create the MS 365 connection account that you will be using in Cayosoft Administrator.
Important: This account should not be synchronized with Active Directory and should not be used in any other services or scripts.
- Delegate the Global Administrator role to the account. The role assignment will be changed to a customized administrator later.
- Run Cayosoft Administrator, complete the Initial Configuration wizard, and use the created account as the Microsoft 365 credentials.
- After the configuration is completed, restart the Cayosoft Administrator service and reopen the Administrator Console.
- Grant consent as described in this KB article: How to grant admin consent to Azure APIs and connect to the Microsoft Graph API. Log in to MS 365 under the same account that is defined in the Microsoft 365 extension.
- Change the roles assigned to the Cayosoft account in the Microsoft 365 Admin Portal (https://admin.microsoft.com):
- Change role to Customized Administrator
- Select roles:
Note: You can find the detailed description of each MS 365 role in the following MS Docs article: About MS 365 admin roles.
- Exchange administrator
- License administrator
- User management administrator
- Teams Administrator
Note: Assign this role if you plan to manage Microsoft Teams.
- Security reader or Global reader
Note: Assign one of these roles if you want to use the MS 365 Users and Guests Inactive rule in Cayosoft Administrator.
- Privileged authentication admin
Note: Assign this role if you want to use Cayosoft Administrator to manage MFA settings for Global Administrators.
- Skype for Business administrator
Note: Assign this role if you want to use Cayosoft Administrator to manage Skype for Business.
- SharePoint administrator
Note: Assign this role if you want to use Cayosoft Administrator to provision and manage OneDrive and SharePoint.
- Verify the Exchange Online roles for the created MS 365 connection account. The Office 365 connection account must be a member of the Organization Management role in Exchange Online.
- If you want to use Priority Booking action, you also need to configure additional permissions in Exchange Online: How to configure Priority Booking action in Web Console for MS 365 environment
- Restart Cayosoft Administrator service
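After the role change above, a practitioner will want to confirm that the connection account really lost Global Administrator and holds nothing outside the list. The following added check does that through the Microsoft Graph PowerShell SDK; it is not part of the Cayosoft KB. It assumes the Microsoft.Graph.Users module, a user with rights to read the directory, and the UPN svc-cayosoft@contoso.onmicrosoft.com is a placeholder. The role names are the Entra ID directory role display names, which differ slightly from the admin center labels used in the list above.

```powershell
# Added example, not from the Cayosoft KB: verify the MS 365 connection account holds only
# the directory roles listed in this article once Global Administrator has been removed.
# Assumes the Microsoft.Graph PowerShell SDK; the UPN below is a placeholder.
Import-Module Microsoft.Graph.Users

# Entra ID display names for the roles the KB lists (portal labels differ slightly)
$AllowedRoles = @(
    'Exchange Administrator', 'License Administrator', 'User Administrator',
    'Teams Administrator', 'Security Reader', 'Global Reader',
    'Privileged Authentication Administrator', 'Skype for Business Administrator',
    'SharePoint Administrator'
)
# Roles the KB lists without an "assign this role if..." condition
$RequiredRoles = @('Exchange Administrator', 'License Administrator', 'User Administrator')

function Test-ConnectionAccountRoles {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # memberOf returns groups and active directoryRole objects; keep only the roles
    $roles = @(Get-MgUserMemberOf -UserId $UserPrincipalName -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
        ForEach-Object { $_.AdditionalProperties['displayName'] })

    [pscustomobject]@{
        Account          = $UserPrincipalName
        Roles            = $roles
        StillGlobalAdmin = $roles -contains 'Global Administrator'
        Unexpected       = @($roles | Where-Object { $AllowedRoles -notcontains $_ })
        Missing          = @($RequiredRoles | Where-Object { $roles -notcontains $_ })
    }
}

Connect-MgGraph -Scopes 'Directory.Read.All'
$result = Test-ConnectionAccountRoles -UserPrincipalName 'svc-cayosoft@contoso.onmicrosoft.com'
$result | Format-List
if ($result.StillGlobalAdmin -or $result.Unexpected.Count -gt 0) {
    Write-Warning 'The connection account holds more than the minimum role set from this article.'
}
if ($result.Missing.Count -gt 0) {
    Write-Warning "Required roles not assigned: $($result.Missing -join ', ')"
}
```

Only active role assignments appear in memberOf; an eligible (PIM) assignment that has not been activated will not be listed, so run the check while the account is in the state Cayosoft Administrator will actually use.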
Licenses required for MS 365 connection account
Some functionality in the Cayosoft Administrator Service requires the MS 365 connection account to have a license that includes the Exchange Online and Teams services:
- For delivering notification messages. If you use the MS 365 connection account for authenticating and delivering SMTP messages via smtp.office365.com, it won't be able to send mail without an Exchange Online license. The account used for delivering notification messages is specified in Admin Console in Home > Configuration > Settings > Email Settings (SMTP).
- For using Teams automation rules. For example, for Analytics Collection | Teams Usage rule.
Permissions required for Microsoft Skype Server Management
The Microsoft Skype Server connection account is the account used as the Skype On-premises credentials in the Microsoft Skype Server extension.
To perform Microsoft Skype Server management, at least the CsUserAdministrator role must be assigned to the specified Skype Server connection account:
- Open the Active Directory Users and Computers tool
- Navigate to the Users container
- Right-click CsUserAdministrator
- Click Add to a Group
- Enter the name of the Microsoft Skype Server connection account
- Click OK
Related Articles
How to grant admin consent to Azure APIs and connect to the Microsoft Graph API
How to configure Priority Booking action in Web Console for Office 365 environment
Cayosoft Administrator System requirements
How to change the Service Account for Cayosoft Administrator