Microsoft 365 extension settings

Enable or disable the Microsoft 365 extension.

See the Initial Configuration Wizard article section to determine which extensions can be used in your environment.

Specify the account to connect to Microsoft 365.

IMPORTANT: If multi-factor authentication (MFA) for the Microsoft 365 connection account is enabled with Conditional Access Policies, Security Defaults, or legacy MFA, Cayosoft Administrator prompts your to complete additional configuration steps.

Microsoft 365 connection account should hold the Global Administrator role in Entra ID and must be a cloud-only account, i.e. not synchronized with on-premises Active Directory.

To replace membership in the Global Administrator role with a set of more granular roles, see the following article: Permissions required for Active Directory and Microsoft 365 accounts used by Cayosoft Administrator.

The Cayosoft Administrator Service uses the Microsoft Graph API to access analytical Microsoft 365 data and manage Microsoft 365 objects.

To access the Microsoft Graph, you must grant administrative consent to Cayosoft Administrator.

1. Click Find or register the app to grant admin consent to the specified account for Cayosoft Administrator to access your tenant. If prompted, specify the password.

2. Click Access to grant the permissions.

3. Click Refresh Status to verify the admin consent was granted.

Consent status values:

• Consent fully granted − no action is required. The Action column is empty.

• Consent not granted − no consent is found in Entra ID for the connection account. The Action column contains a Grant Consent button.

• Consent incomplete − the set of permissions granted to the connection account is incomplete. The Action column contains a Grant Consent button.

For details, see these articles:

• Entra ID application permissions required by Cayosoft Administrator Service

• How to register the application and grant consent for the Cayosoft Administrator Service to access the managed tenant

Change the Microsoft 365 name suffix.

The default value for the Microsoft 365 name suffix is taken from the Microsoft 365 connection account.

Microsoft 365 name suffix is used in the AD Users | Create Office 365 Accounts (Cloud) rule when creating new Microsoft 365 user accounts and in the New User web action.

Specify the usage location to be set by default for any newly created Microsoft 365 account, or when a Microsoft 365 license is assigned for the first time.

The default setting value depends on the region of the computer running the Administration Service.

The value of this setting is used in the New User | Create Office 365 User rule, when creating a new Microsoft 365 account that matches the user created in the Active Directory.

Set the setting to Yes if you plan to use Teams rules and web actions.

NOTE: If you don't plan to use automation rules and web actions listed above, it is recommended to keep this setting set to No for optimal performance.

IMPORTANT: SharePoint Client-Side Object Model (CSOM) and SharePoint Online Management Shell are required to enable this feature. For more information, see the following article: How to manually install required components to work with Microsoft 365 Services: Exchange Online, SharePoint Online, Teams Online.

The Connect to SharePoint Online setting works as follows:

1. To apply Microsoft 365 OneDrive settings to AD users with assigned Microsoft 365 OneDrive license, configure the New User | Office 365 OneDrive post creation tasks rule rule.

2. To match Office 365 user accounts and apply Office 365 OneDrive settings, configure Office 365 Users | OneDrive post creation tasks.

3. To view or modify user OneDrive settings in Web Portal, delegate the OneDrive Properties web action for hybrid user accounts or OneDrive Properties (Office 365) web action for cloud user accounts to your HelpDesk.

   NOTE: If you don't plan to use any of the features listed above, it is recommended to keep this setting set to No for optimal performance. SPO tenant admin URL SPO my site host URL

You can manually specify the SharePoint tenant admin URL and SharePoint my site host URL.

These URLs are calculated based on Microsoft recommendations. If the URLs in your environment don't meet recommendations and are calculated incorrectly you should specify them manually.

NOTE: Contact Cayosoft support before changing the default value.

One of the following values can be used to get the SharePoint site:

• All (default)

• SPO

• MS Graph

• CSOM

Select your Azure environment from the list.

For additional information on various Azure environments, see Microsoft 365 endpoints.

The license cache file contains the list of all Microsoft 365 licenses and options in your tenant.

The Cayosoft Administrator Service updates this file automatically on the service start.

When new licenses or services are added or removed in your tenant, click the Update License Cache button to update the license cache file manually. For details, see the following article: How to update license cache and rules when the Office 365 license change detected.

This setting points to the Microsoft 365 API endpoint and depends on the selected Azure environment.

NOTE: This setting was introduced for advanced troubleshooting purposes. Please contact Cayosoft if you believe this setting needs to be changed in your environment.

This setting points to the Microsoft Graph API endpoint.

NOTE: This setting was introduced for advanced troubleshooting purposes. Please contact Cayosoft if you believe this setting needs to be changed in your environment.

Use this setting to prevent selecting specific groups as Dynamic Group targets to prevent escalation.

You can set multiple values separated by ";", each value is a mask for the target group name. Example: *Global Admins*;*Helpdesk Admins*

Contact Cayosoft support if you receive the error connecting to Microsoft 365: Data returned by the remote Get- FormatData command is not in the expected format.

You can limit the scope of Microsoft 365 web queries to the members of the specified Entra ID Administrative Unit.

Click Configure to see the list of all Entra ID Administrative Units in your tenant and check which of them are set to treat as containers. In this case, selected Entra ID Administrative Units will behave like Active Directory Organizational Units: when a new member is added to this Entra ID Administrative Unit, the Cayosoft Administrator removes this member from all other Entra ID Administrative Units marked as containers.

You can check\uncheck Treat as container setting for each Entra ID Administrative Unit.

Select a generation rule from the list or create your own generation rule to satisfy the requirements and policies of your organization.

These rules are applied to the New User and Rename User web actions.

The naming attributes must be unique in Microsoft 365.

Cayosoft Administrator provides automatic name uniqueness check and conflict resolution. A unique name can be generated with alternative generation rules and uniqueness checks applied.

Select the desired behavior when a name conflict is identified:

• Stop and notify the user

• Continue and suffix the user name with a numeric counter

• Try the alternative generation rule, and if fail-stop and notify a user

• Try the alternative generation rule, and if fail - continue and suffix the user name with a numeric counter

See the following section for the alternative generation rules.

For more information, see the following article: Attribute policies.

If the Name conflict resolution option is set to Try alternative generation rule, and if fail-stop and notify a user or Try alternative generation rule, and if fail - continue and suffix the user name with a numeric counter, Cayosoft Administrator will use Alternate Name Generation Rules to generate user name during user creation.

Select a generation rule from the list or create your own generation rule to satisfy your organization's requirements and policies.

If the Name conflict resolution option is set to Continue and suffix the user name with a numeric counter or Try alternative generation rule, and if fail - continue and suffix the user name with a numeric counter, the next available numeric counter will be added to the generated string. By default, the counter starts with 1.

If you want to customize the counter format, use this setting to define the new format. For example, if you need to use two digits in the counter, you should enter 00 in the Counter format field.

Password policy provides granular control over password complexity rules:

• Length & character

• Password length

• Alphabetical characters

• Numeric characters

• Special characters

• Pattern & sequence

NOTE: Prevent sequence of UserID characters in the password policy using the UserPrincipalName prefix as UserID.

Specify prices for Microsoft 365 licenses, available in your tenant. You should input monthly cost - user/month.

These prices are used in:

• Office 365 Service Adoption dashboard

• License Optimization dashboard

• Analytics Collection Runbook

NOTE: Prices for Office 365 License Quota dashboard need to be specified on each web query separately.

If you want to use the New Suspend functionality you should set the Use modern suspend rules and configurations setting to Yes.

This command validates the specified settings and verifies the following:

1. The account credentials are correct.

2. Connection account role membership.

3. Connection to Exchange Online.