Permissions required for AD and Office 365 accounts used by Cayosoft Administrator

Summary: Cayosoft recommends to use a service account with Domain Admins rights for Active Directory and Exchange management, and the account with the Global Admin role for Office 365 management. Global Admin role assignment is not a hard requirement, but it does make it easier to configure Cayosoft Administrator. If you need to restrict Cayosoft service accounts' rights, this article contains the minimum set of roles and permissions to delegate.

Applies to: Cayosoft Administrator 5.4 or later.

ID: KB20181207-1

---

In this article: 

Permissions required for Active Directory management

The AD connection account is the account used as Active Directory domain credentials in Active Directory extension. The AD Service Account should have access to users, contacts, groups, and computer objects, and also has read all permissions in each managed domain.

We recommend using the same AD account as Cayosoft Administrator Service account and as AD Service Account in Active Directory extension configuration.

 

Delegate control over user objects

1. Run Active Directory User and Computers tool
2. Right-click the domain and choose Delegate Control
3. Click Next to advance past the first step of the wizard.
4. Click Add and specify the AD Service Account name, then click OK.
5. Click Next.
6. Leave the default setting of "Delegate the following common tasks:"
7. Check the following:
   • Create, delete and manage user accounts
   • Reset user passwords and force password change at next logon
   • Read all user information
   • Modify the membership of a group
8. Click Next
9. Click Finish

 

Delegate control over computer, contact and group objects

1. Run Active Directory User and Computers tool
2. Right-click the domain and choose Delegate Control.
3. Click Next to advance past the first step of the wizard.
4. Click Add and specify the AD Service Account name, then click OK.
5. Click Next.
6. Click Create a custom task to delegate and click Next.
7. Click Only the following objects in the folder.
8. Select Computer objects, Contact objects and Group objects from the list.
9. Select Create selected objects in this folder.
10. Select Delete selected objects in this folder.
11. Click Next.
12. In the Permissions list, check Full Control.
13. Click Next.
14. Click Finish.

 

Delegate control to manage users' Home Folders

The Windows connection account, configured to run Cayosoft Admin Service, should have full control permission over network shared folder where home folders for active directory users are created:

1. Login as Administrator on the machine where shared folder located.
2. Navigate to the folder and open its Properties
3. Go to Sharing tab and click Advanced Sharing...
4. Click Permissions
5. In appeared Permissions dialog click Add..., specify Windows Service Account name, then click OK.
6. Ensure that just added account is selected in Group or user names section.
7. Set Allow for Full control permission
8. Click OK to close all dialog boxes. 

 

Permissions required for Exchange On-Premises Management

The Exchange connection account is the account used as Exchange credentials in Microsoft Exchange extension. This Exchange Service Account should be added to the Organization Management security group:

1. Open Active Directory Users and Computers tool
2. Navigate to Domain > Microsoft Exchange Security Groups container > Organization Management group.
3. Open the group's Properties, Members Tab.
4. Click Add..., specify the AD Service Account name, then click OK.
5. Click OK on Properties dialog.

 

Permissions required for Office 365 Management

The Office 365 connection account is the account used as Office 365 credentials in Office 365 Extension.

The initial Cayosoft configuration should be performed using the Office 365 account with the Global Administrator role assigned. After the configuration is completed, you can change the roles of the Office 365 Service Account as described below. 

The global Administrator role is required to grant consent for the MS Graph application, that is used for Adoption report collection and various Office 365 management tasks. Once Admin Consent is granted, the Global Administrator permissions are not necessary for the Service Account so that you can change them.

This is step by step instruction on how to configure Cayosoft Administrator to manage Office 365 under the account without Global Admin role:

1. Create Office 365 connection account that you will be using in Cayosoft Administrator.
   

   Important: This account should not be synchronized with Active Directory and should not be used in any other services or scripts.

2. Delegate the Global Administrator role to the account. Role assignments will be changed to a customized administrator later.
3. Run Cayosoft Administrator and complete the Initial Configuration wizard, and use the created account as Office 365 credentials.
4. After the configuration is completed, restart Cayosoft Administrator service and reopen Administrator Console.
5. Grant consent as it is described in this KB article: How to grant admin consent to Azure APIs and connect to the Microsoft Graph API. Login to Office 365 under the same account that is defined on Microsoft Office 365 extension.
6. Change roles that assigned to Cayosoft account in Microsoft Office 365 Admin Portal (https://admin.microsoft.com):
   1. Change role to Customized Administrator
   2. Select roles: 
      Note: You can find the detailed description of each Office 365 role in the following MS Docs article: About Office 365 admin roles.
      
      • Exchange administrator
      • License administrator
      • User management administrator
      • Teams Administrator 
        Note: Assign this role if you plan to manage Microsoft Teams.  
      • Security reader or Global reader
        Note: Assign one of these roles if you want to use Office 365 Users and Guests Inactive rule in Cayosoft Administrator.
      • Privileged authentication admin
        Note: Assign this role if you want to use Cayosoft Administrator to manage MFA settings for Global Administrators.
      • Skype for Business administrator
        Note: Assign this role if you want to use Cayosoft Administrator to manage Skype for Business.
      • SharePoint administrator
        Note: Assign this role if you want to use Cayosoft Administrator to provision and manage One Drive and Sharepoint.
7. Verify Exchange Online roles for the created Office 365 connection account. Office 365 connection account must be a member of the Organization Management role in Exchange Online.
8. If you want to use Priority Booking action, you also need to configure additional permissions in Exchange Online: How to configure Priority Booking action in Web Console for Office 365 environment 
9. Restart Cayosoft Administrator service

 

Permissions required for Microsoft Skype Server Management

The Microsoft Skype Server connection account is the account used as Skype On-premises credentials in Microsoft Skype Server extension.

To perform Microsoft Skype Server management, at least CsUserAdministrator role must be assigned to the specified Skype Server connection account:

1. Open Active Directory Users and Computers tool
2. Navigate to Users container
3. Right-click CsUserAdministrator 
4. Click Add to a Group
5. Enter the name of Microsoft Skype Server connection account
6. Click OK

 

 

---

Related Articles

How to grant admin consent to Azure APIs and connect to the Microsoft Graph API

How to configure Priority Booking action in Web Console for Office 365 environment 

Cayosoft Administrator System requirements

How to change the Service Account for Cayosoft Administrator