Summary: Cayosoft recommends using a service account with Domain Admins rights for Active Directory and Exchange management, and an account with the Global Admin role for Microsoft 365 management. Global Admin role assignment is not a hard requirement, but it does make it easier to configure Cayosoft Administrator. If you need to restrict Cayosoft service accounts' rights, this article contains the minimum set of roles and permissions to delegate.
Applies to: Cayosoft Administrator 5.4 or later.
ID: KB20181207-1
Permissions required for Active Directory management
The AD connection account is the account whose credentials are specified as the Active Directory domain credentials in the Active Directory extension. This AD Service Account should have access to user, contact, group, and computer objects and Read all permissions in each managed domain.
Delegate control over user objects
- Run the Active Directory User and Computers tool.
- Right-click the domain and select Delegate Control.
- Click Next to advance past the first step of the wizard.
- Click Add and specify the AD Service Account name, then click OK.
- Click Next.
- Leave the default setting of Delegate the following common tasks:
- Check the following:
- Create, delete, and manage user accounts
- Reset user passwords and force password change at the next logon
- Read all user information
- Modify the membership of a group
- Click Next.
- Click Finish.
Delegate control over computer, contact, and group objects
- Run the Active Directory User and Computers tool.
- Right-click the domain and select Delegate Control.
- Click Next to advance past the first step of the wizard.
- Click Add and specify the AD Service Account name, then click OK.
- Click Next.
- Click Create a custom task to delegate and click Next.
- Select Only the following objects in the folder.
- Select Computer objects, Contact objects, and Group objects from the list.
- Select Create selected objects in this folder.
- Select Delete selected objects in this folder.
- Click Next.
- In the Permissions list, check Full Control.
- Click Next.
- Click Finish.
"Simply granting 'read' access to these attributes will not allow a user to read the information in these attributes." You should give the AD connection account Full Control on the attribute or use an Access Mask.
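As an added example (not a Cayosoft script), the two Delegate Control wizard procedures above can be applied from PowerShell with the ActiveDirectory module and the AD: drive. This lets you keep the delegation in source control and re-check it later. The service account name and target distinguished name are assumed placeholders; the object-class, attribute and extended-right GUIDs are resolved from your own forest rather than hard-coded.

```powershell
# Added example (not a Cayosoft script): scriptable equivalent of the two
# Delegate Control wizard procedures above, using the ActiveDirectory module
# and the AD: drive. The account name and target DN are assumed placeholders.
Import-Module ActiveDirectory

$ServiceAccount = 'CONTOSO\svc-cayosoft-ad'      # assumed AD Service Account
$TargetDn       = 'DC=contoso,DC=com'            # domain root, as in the wizard

$rootDse  = Get-ADRootDSE
$identity = [System.Security.Principal.NTAccount]$ServiceAccount
$ADR      = [System.DirectoryServices.ActiveDirectoryRights]
$Allow    = [System.Security.AccessControl.AccessControlType]::Allow
$All      = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$Desc     = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# Resolve object-class and attribute GUIDs from this forest's schema, and
# extended-right GUIDs from the configuration partition, instead of
# hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}

$rules = @()

# Both wizard runs: create/delete objects of each class under the target,
# plus Full Control on every existing or future object of that class.
foreach ($class in 'user', 'computer', 'contact', 'group') {
    $classGuid = Get-SchemaGuid $class
    $rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity, ($ADR::CreateChild -bor $ADR::DeleteChild), $Allow, $classGuid, $All)
    $rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity, $ADR::GenericAll, $Allow, $Desc, $classGuid)
}

# The user wizard's narrower tasks, spelled out. GenericAll above already
# covers them; keep only these (and drop GenericAll on 'user') if you want
# password-reset and group-membership rights without full control of users.
$userGuid  = Get-SchemaGuid 'user'
$groupGuid = Get-SchemaGuid 'group'
$rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $identity, $ADR::ExtendedRight, $Allow, (Get-ExtendedRightGuid 'Reset Password'), $Desc, $userGuid)
$rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $identity, ($ADR::ReadProperty -bor $ADR::WriteProperty), $Allow, (Get-SchemaGuid 'pwdLastSet'), $Desc, $userGuid)
$rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $identity, ($ADR::ReadProperty -bor $ADR::WriteProperty), $Allow, (Get-SchemaGuid 'member'), $Desc, $groupGuid)

# Apply the ACEs to the target container.
$acl = Get-Acl -Path "AD:\$TargetDn"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$TargetDn" -AclObject $acl

# Verify: list only the ACEs granted to the service account.
(Get-Acl -Path "AD:\$TargetDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $ServiceAccount } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

Run it as a user who can modify the target container's security descriptor. The final query is the part worth keeping for periodic review: if the service account's ACEs ever show more than the classes and rights listed here, the delegation has drifted from the minimum set this article describes.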
Delegate control to manage users' Home Folders
The Windows connection account, configured to run Cayosoft Admin Service, should have Full Control permission over the network shared folder where home folders for Active Directory users are created:
- Log in as Administrator on the machine where the shared folder is located.
- Navigate to the folder and open its Properties.
- Go to the Sharing tab and click Advanced Sharing...
- Click Permissions.
- In the Permission dialog, click Add..., specify the Windows Service Account name, and click OK.
- Ensure that the account you just added is selected in the Group or user names section.
- Set Allow for Full Control permission.
- Click OK to close all dialog boxes.
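The same share permission can be granted from PowerShell on the file server, as in this added example (not a Cayosoft script). Because effective access to a share is the intersection of the share permission and the NTFS permission on the folder, the example sets both; the share name, folder path and account are assumed placeholders.

```powershell
# Added example (not a Cayosoft script): grant the Windows connection account
# Full Control on the home-folder share at the share (SMB) level, as the
# dialog steps above do, and at the NTFS level so new home folders inherit it.
# Share name, path and account name are assumed placeholders.
$ShareName      = 'Home$'
$SharePath      = 'D:\Home'
$WindowsAccount = 'CONTOSO\svc-cayosoft-win'   # assumed Windows Service Account

# Share-level permission (equivalent to Advanced Sharing > Permissions).
Grant-SmbShareAccess -Name $ShareName -AccountName $WindowsAccount -AccessRight Full -Force

# NTFS permission on the folder, inherited by subfolders and files.
$acl  = Get-Acl -Path $SharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $WindowsAccount, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# Verify both layers for the service account only.
Get-SmbShareAccess -Name $ShareName | Where-Object AccountName -eq $WindowsAccount
(Get-Acl -Path $SharePath).Access | Where-Object IdentityReference -eq $WindowsAccount |
    Select-Object FileSystemRights, InheritanceFlags, AccessControlType
```

Run it in an elevated session on the machine that hosts the share. The two verification commands are the ones to keep for audits: the service account should appear with Full Control in each and in no other share's access list.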
Permissions required for Exchange On-Premises Management
The Exchange connection account is the account used as Exchange credentials in the Microsoft Exchange extension. This Exchange Service Account should be added to the Organization Management security group:
- Open the Active Directory Users and Computers tool.
- Navigate to Domain > Microsoft Exchange Security Groups container > Organization Management group.
- Open the group's Properties, Members tab.
- Click Add..., specify the AD Service Account name, then click OK.
- Click OK on the Properties dialog.
Permissions required for Microsoft 365 Management
General requirements
The Microsoft 365 connection account is the account whose Microsoft 365 credentials are specified in the Microsoft 365 extension. The Microsoft 365 connection account must always meet the following criteria:
- The connection account must have a Global Administrator role assigned.
- The connection account must be excluded from the Conditional Access Policy (CAP) and from Multi-factor Authentication (MFA).
- The connection account must be granted Administrative Consent to access your tenant. The list of permissions is here: Azure AD application permissions required by Cayosoft Administrator Service.
- The connection account must have the Organization Management role, whether through the Global Administrator role, through the Exchange Administrator role, or through direct membership in the role group in Exchange Online.
- The connection account must be a cloud-only account to avoid issues with Azure AD synchronization and should not be used in other services or scripts.
- The connection account should have the corresponding Microsoft 365 licenses assigned for specific functionality like Teams management and, if you use the same account in Email settings, for email notifications.
- Additional roles in Exchange Online should be assigned for the Priority booking web action.
Configuring granular permissions for Microsoft 365 connection account
The following steps configure Cayosoft Administrator Service to manage Microsoft 365 under an account without the Global Administrator role:
- In the Microsoft 365 extension, specify credentials for the Microsoft 365 account. You can create a new connection account that will be added to Azure AD roles and granted consent automatically, or use an existing account that you will need to configure manually.
- Delegate the Global Administrator role to the account. Role assignments will be changed to a customized administrator later.
- Grant consent as described in this KB article: How to register the application and grant consent for the Cayosoft Administrator Service to access the managed tenant. Log in to Microsoft 365 under the same account that is defined in the Microsoft 365 extension.
- Change roles that are assigned to the Cayosoft account in the Microsoft 365 Admin Portal (https://admin.microsoft.com):
- Change role to Customized Administrator
- Select roles:
Note: You can find the detailed description of each Microsoft 365 role in the Microsoft documentation: About MS 365 admin roles.
- Authentication Administrator
- Authentication Policy Administrator
- Exchange Administrator
- License Administrator
- User Administrator
- Global Reader
- Privileged Authentication Administrator
  Note: Assign this role if you want to use Cayosoft Administrator to manage legacy MFA settings for Global Administrators or authentication methods for users.
- Teams Administrator
  Note: Assign this role if you plan to manage Microsoft Teams.
- Skype for Business Administrator
  Note: Assign this role if you want to use Cayosoft Administrator to manage Skype for Business.
- SharePoint Administrator
  Note: Assign this role if you want to use Cayosoft Administrator to provision and manage OneDrive and SharePoint.
- Cloud Device Administrator
  Note: Assign this role if you want to enable, disable, and delete devices in Azure AD and read Windows 10 BitLocker keys (if present) in the Azure portal.
- Privileged Role Administrator
  Note: Assign this role if you plan to add existing users, groups, or devices to Azure AD Administrative Units.
- Intune Administrator
  Note: Assign this role if you plan to use the 'Retire device (via Intune)' option when suspending users in Microsoft 365.
- Verify Exchange Online roles for the created Microsoft 365 connection account. Microsoft 365 connection account must be a member of the Organization Management role in Exchange Online.
- If you want to use the Priority Booking action, you also need to configure additional permissions in Exchange Online: How to configure Priority Booking action in Web Console for MS 365 environment.
- Restart the Cayosoft Administrator Service.
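The role change in the procedure above (Global Administrator to a customized administrator with the listed roles) can also be done and verified with the Microsoft Graph PowerShell SDK, as in this added example (not a Cayosoft script). It assigns the required roles plus whichever optional roles you list, removes Global Administrator once they are in place, and prints the account's resulting directory roles so you can confirm the assignment matches this article. The connection account UPN is an assumed placeholder; the role names are the ones listed above.

```powershell
# Added example (not a Cayosoft script): assign the customized administrator
# roles from the list above with the Microsoft Graph PowerShell SDK, remove
# Global Administrator, and report what the account ends up with.
# The UPN is an assumed placeholder. Run as an administrator who can manage
# role assignments (Privileged Role Administrator or Global Administrator).
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'Directory.Read.All'

$ConnectionUpn = 'svc-cayosoft@contoso.onmicrosoft.com'   # assumed connection account
$user = Get-MgUser -UserId $ConnectionUpn

# Roles the article lists as required for a customized administrator.
$Roles = @(
    'Authentication Administrator', 'Authentication Policy Administrator',
    'Exchange Administrator', 'License Administrator',
    'User Administrator', 'Global Reader'
)
# Optional roles from the article; add only those you actually need, e.g.:
# $Roles += 'Teams Administrator', 'SharePoint Administrator'

foreach ($name in $Roles) {
    # A directory role must be activated from its template before it has members.
    $role = Get-MgDirectoryRole -Filter "displayName eq '$name'"
    if (-not $role) {
        $template = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq $name
        $role = New-MgDirectoryRole -RoleTemplateId $template.Id
    }
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id
    if ($members.Id -notcontains $user.Id) {
        New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter @{
            '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)"
        }
        Write-Output "Assigned '$name' to $ConnectionUpn"
    }
}

# Only now remove Global Administrator, so the account is never left without
# the roles the service needs.
$ga = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
if ($ga -and (Get-MgDirectoryRoleMember -DirectoryRoleId $ga.Id).Id -contains $user.Id) {
    Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $ga.Id -DirectoryObjectId $user.Id
    Write-Output "Removed 'Global Administrator' from $ConnectionUpn"
}

# Report the account's effective directory roles for review.
Get-MgUserMemberOf -UserId $user.Id |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
    ForEach-Object { $_.AdditionalProperties['displayName'] } |
    Sort-Object
```

The final report is the useful check after any change: the list should contain exactly the roles from this article that you chose, and 'Global Administrator' should no longer appear. Exchange Online's Organization Management membership is separate from these Azure AD roles and is verified in the Exchange Online admin center or Exchange Online PowerShell, as the next step above says.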
Permissions required for Microsoft Skype Server Management
The Microsoft Skype Server connection account is the account used as Skype On-premises credentials in the Microsoft Skype Server extension.
To perform Microsoft Skype Server management, at least the CsUserAdministrator role must be assigned to the specified Skype Server connection account:
- Open the Active Directory Users and Computers tool.
- Navigate to the Users container.
- Right-click CsUserAdministrator.
- Click Add to a Group.
- Enter the name of the Microsoft Skype Server connection account.
- Click OK.
Related Articles
Troubleshooting connection to Microsoft 365 – Cayosoft Help Center
KB20180823-1 Troubleshooting Cayosoft Administrator Grant Consent
How to grant admin consent to Azure APIs and connect to the Microsoft Graph API
How to configure Priority Booking action in Web Console for Office 365 environment
How to grant Cayosoft service account permissions to reset passwords for other user accounts