Articles in this section

See more
Print

Permissions required for Active Directory and Microsoft 365 accounts used by Cayosoft Administrator

Avatar
Julia Nol
  • Updated
Follow

Summary: Cayosoft recommends using a service account with Domain Admins rights for Active Directory and Exchange management, and an account with the Global Admin role for Microsoft 365 management. Global Admin role assignment is not a hard requirement, but it does make it easier to configure Cayosoft Administrator. If you need to restrict Cayosoft service accounts' rights, this article contains the minimum set of roles and permissions to delegate.

Applies to: Cayosoft Administrator 5.4 or later.

ID: KB20181207-1

In this article: 

Permissions required for Active Directory management

The AD connection account is the account used as Active Directory domain credentials in the Active Directory extension. The AD Service Account should have access to users, contacts, groups, and computer objects and read all permissions in each managed domain.

We recommend using the same AD account as the Cayosoft Administrator Service account and as AD Service Account in the Active Directory extension configuration.

Important: Service Account should have Local Administrator permissions on the workstation or server where the product will be installed. 

 

Delegate control over user objects

  1. Run Active Directory User and Computers tool
  2. Right-click the domain and choose Delegate Control
  3. Click Next to advance past the first step of the wizard.
  4. Click Add and specify the AD Service Account name, then click OK.
  5. Click Next.
  6. Leave the default setting of "Delegate the following common tasks:"
  7. Check the following:
    • Create, delete and manage user accounts
    • Reset user passwords and force password change at next logon
    • Read all user information
    • Modify the membership of a group
  8. Click Next
  9. Click Finish
Note: If you need to restrict permissions to some objects you should perform the steps described in this article: KB20161117-1 How to deny the Cayosoft Service Account permissions to an object – Cayosoft Help Center.

 

Delegate control over computer, contact, and group objects

  1. Run Active Directory User and Computers tool
  2. Right-click the domain and choose Delegate Control.
  3. Click Next to advance past the first step of the wizard.
  4. Click Add and specify the AD Service Account name, then click OK.
  5. Click Next.
  6. Click Create a custom task to delegate and click Next.
  7. Click Only the following objects in the folder.
  8. Select Computer objects, Contact objects and Group objects from the list.
  9. Select Create selected objects in this folder.
  10. Select Delete selected objects in this folder.
  11. Click Next.
  12. In the Permissions list, check Full Control.
  13. Click Next.
  14. Click Finish.
Note: If you want to restrict access to objects more granularly, and want to give access to read Bitlocker password for computers, keep in mind that the 'msFVE-RecoveryPassword' attribute is marked as “confidential” and read-only permissions is not enough for reading this attribute: 
"Simply granting 'read' access to these attributes will not allow a user to read the information in these attributes.".  You should give the AD connection account Full control under the attribute or use Access Mask.

 

Delegate control to manage users' Home Folders

The Windows connection account, configured to run Cayosoft Admin Service, should have full control permission over the network shared folder where home folders for active directory users are created:

  1. Log in as Administrator on the machine where the shared folder is located.
  2. Navigate to the folder and open its Properties
  3. Go to Sharing tab and click Advanced Sharing...
  4. Click Permissions
  5. In appeared Permissions dialog click Add..., specify Windows Service Account name, then click OK.
  6. Ensure that the just added account is selected in Group or user names section.
  7. Set Allow for Full control permission
  8. Click OK to close all dialog boxes. 

 

Permissions required for Exchange On-Premises Management

The Exchange connection account is the account used as Exchange credentials in the Microsoft Exchange extension. This Exchange Service Account should be added to the Organization Management security group:

  1. Open the Active Directory Users and Computers tool
  2. Navigate to Domain > Microsoft Exchange Security Groups container > Organization Management group.
  3. Open the group's Properties, Members Tab.
  4. Click Add..., specify the AD Service Account name, then click OK.
  5. Click OK on the Properties dialog.

 

Permissions required for Microsoft 365 Management

General requirements 

The Microsoft 365 connection account is the account that is used in Microsoft 365 Extension with Microsoft 365 credentials specified. Microsoft 365 connection account must always meet the following criteria:

  1. The connection account must have a Global Administrator role assigned.
  2. The connection account must be excluded from the Conditional Access Policy (CAP) and from Multi-factor Authentication (MFA)
  3. The connection account must be granted Administrative Consent to access your tenant. The list of permissions is here: Azure AD application permissions required by Cayosoft Administrator Service.  
  4. The connection account must have an Organization management role, whether through the Global Admins role, through Exchange administrators, or directly in Exchange Online through direct membership in a role.
  5. The connection account must be a cloud-only account to avoid issues with Azure AD synchronization and should not be used in other services or scripts.

  6. The connection account should have the corresponding Microsoft 365 licenses assigned for specific functionality like Teams management, and if you use the same account in Email settings, for email notifications.

  7. Additional roles in Exchange Online should be assigned for Priority booking web action.

Note: Cayosoft support recommends using Microsoft 365 connection account with the Global Administrator role assigned. If it is critical for you to remove the Global Administrator role and the initial configuration of Administrator Service is completed you can change the roles as described below. 

 

Configuring granular permissions for Microsoft 365 connection account

This is a step-by-step instruction on how to configure Cayosoft Administrator Service to manage Microsoft 365 under the account without the Global Administrator role:

  1. In Microsoft 365 extension specify credentials for Microsoft 365 account. You can create a new connection account that will be added to Azure AD roles and granted consent automatically or use an existing account that you will need to configure manually. 
  2. Delegate the Global Administrator role to the account. Role assignments will be changed to a customized administrator later.
  3. Grant consent as it is described in this KB article: How to grant admin consent to Azure APIs and connect to the Microsoft Graph API. Login to Microsoft 365 under the same account that is defined on Microsoft 365 extension.
  4. Change roles that are assigned to Cayosoft account in Microsoft 365 Admin Portal (https://admin.microsoft.com):
    1. Change role to Customized Administrator
    2. Select roles: 
      Note: You can find the detailed description of each Microsoft 365 role in the Microsoft documentation: About MS 365 admin roles.
      • Exchange Administrator
      • License Administrator
      • User Administrator
      • Global Reader

      • Privileged Authentication Administrator

        Note: Assign this role if you want to use Cayosoft Administrator to manage legacy MFA settings for Global Administrators or authentication methods for users.
      • Teams Administrator 
        Note: Assign this role if you plan to manage Microsoft Teams.  
      • Skype for Business Administrator
        Note: Assign this role if you want to use Cayosoft Administrator to manage Skype for Business.
      • SharePoint Administrator
        Note: Assign this role if you want to use Cayosoft Administrator to provision and manage One Drive and Sharepoint.
  5. Verify Exchange Online roles for the created Microsoft 365 connection account. Microsoft 365 connection account must be a member of the Organization Management role in Exchange Online.
  6. If you want to use the Priority Booking action, you also need to configure additional permissions in Exchange Online: How to configure Priority Booking action in Web Console for MS 365 environment.
  7. Restart the Cayosoft Administrator Service. 

 

Permissions required for Microsoft Skype Server Management

The Microsoft Skype Server connection account is the account used as Skype On-premises credentials in the Microsoft Skype Server extension.

To perform Microsoft Skype Server management, at least the CsUserAdministrator role must be assigned to the specified Skype Server connection account:

  1. Open the Active Directory Users and Computers tool
  2. Navigate to Users container
  3. Right-click CsUserAdministrator 
  4. Click Add to a Group
  5. Enter the name of the Microsoft Skype Server connection account
  6. Click OK

 

 

Related Articles

Troubleshooting connection to Microsoft 365 – Cayosoft Help Center

KB20180823-1 Troubleshooting Cayosoft Administrator Grant Consent

How to grant admin consent to Azure APIs and connect to the Microsoft Graph API

How to configure Priority Booking action in Web Console for Office 365 environment 

 

 

Related articles

Comments

0 comments

Please sign in to leave a comment.