Microsoft 365 extension settings

Extension is enabled  

Enable or disable the Microsoft 365 extension.

Please, see the Select extensions article section to determine which extensions must be enabled in your environment.

Microsoft 365 credentials

Specify the account to connect to Microsoft 365. 

Microsoft 365 connection account should hold the Global Administrator role in Azure AD and must be a cloud-only account, i.e. not synchronized with on-premises Active Directory.

To replace membership in the Global Administrator role with a set of more granular roles, please see the Permissions required for Microsoft 365 management.

Admin Consent

Cayosoft Administrator service uses the Microsoft Graph API for Microsoft 365 analytical data and Microsoft 365 object management. For more information, please read Cayosoft Azure Admin Consent for Microsoft Graph API Assignment Details and How to grant admin consent to Azure APIs and connect to the Microsoft Graph API articles. 

To access the Microsoft Graph, the Cayosoft Administrator must be granted Administrative Consent.

1. Click Register Azure Application to grant Admin consent for Cayosoft Administrator to access your tenant.
2. Click Grant
3. Click Refresh to be sure that admin consent was granted

Consent Status values:

1. Consent fully granted - no action required. The action column is empty.
2. Consent not granted - highlighted in red, no consent identified in the O365 for the connection account. The action column contains a button "Grant Consent".
3. Consent incomplete - highlighted in red, consent granted to the connection account, but the set of permissions is incomplete. The action column contains a button "Grant Consent".

Microsoft 365 name suffix

Change the Microsoft 365 name suffix.

The default value for the Microsoft 365 name suffix is taken from the Microsoft 365 connection account.

Microsoft 365 name suffix is used in AD Users | Create Office 365 Accounts (Cloud) rule during new Microsoft 365 user accounts creation and New User web action.

Default Usage Location

Specify the Usage Location to set by default for any newly created Microsoft 365 account, or when a Microsoft 365 license is assigned for the first time.

The default setting value depends on the region of the computer running the Administration Service.

The value of this setting is used in the New User | Create Office 365 User rule, when creating a new Microsoft 365 account that matches the user created in the Active Directory.

Maximum returned results

The maximum number of objects returned from Microsoft 365. By default, all objects that you have provisioned in Microsoft 365 are returned.

Connect to Microsoft Teams (Skype for Business Online)

Set this setting to Yes if you plan to use Teams rules and web actions.

Connect to SharePoint Online service

Connect to SharePoint Online service setting works as follows:

Set this setting to Yes if you plan to use one of the features:

1. To apply Microsoft 365 OneDrive settings to AD users with assigned Microsoft 365 OneDrive license, configure the New User | Office 365 OneDrive post-creation tasks rule.
2. To match Office 365 user accounts and apply Office 365 OneDrive settings configure Office 365 Users | OneDrive post creation tasks rule.
3. To view or modify user OneDrive settings in Web Portal, delegate the OneDrive Properties web action for hybrid user accounts or OneDrive Properties for cloud user accounts to your HelpDesk. 
4. To build a report about OneDrive user settings configure the OneDrive for Business Users reporting rule. 

Advanced Settings

SPO tenant admin URL

SPO my site host URL

You can manually specify SharePoint tenant admin URL and SharePoint my site host URL.

These URLs are calculated based on Microsoft recommendations. If the URLs in your environment don't meet recommendations and are calculated incorrectly you should specify them manually. 

Azure Environment 

Select your Microsoft Azure environment from the list. 

For information on various Azure Environments, please see the MS Docs: https://docs.microsoft.com/en-us/office365/enterprise/office-365-endpoints.

License Cache File

The License Cache file contains the list of all Microsoft 365 licenses and options in your tenant.

Cayosoft Administrator service updates this file automatically on service start.

When new licenses or services were added or removed in your tenant, click the Update License Cache command to update the license cache file manually.

For details, please see How to update license cache and rules when the Microsoft 365 license change detected KB article.

Enforce License Precedence (Advanced)

This is an advanced setting in Cayosoft Administrator that helps to resolve Microsoft 365 license plan conflicts. For details, please see KB20181026-1.

License Add-ins Services IDs (Advanced)

This setting is used to determine the proper order in which certain license plans must be assigned or revoked in Microsoft 365.

Some Microsoft 365 license plans are treated as add-ins to the core license plans. The add-in license plan cannot be assigned to the user without a corresponding core plan being assigned. Add-in plans must be assigned only after the core plan was assigned, and must be revoked before the core plan is revoked. Otherwise, Microsoft 365 reports a license assignment error.

If you have any custom add-ins, you should specify them in this setting.

Microsoft 365 API URL (Advanced)

This setting points to the Microsoft 365 API endpoint and depends on the selected Azure Environment.

Microsoft Graph Reporting API URL (Advanced)

This setting points to the Microsoft Graph API endpoint.

Enable Modern Authentication (Advanced)

Use this setting to enable modern authentication for Microsoft 365. For details please see this article: Modern Authentication and Azure AD Security Defaults impact on Cayosoft Administrator – Cayosoft Help Center

Dynamic Group target exclusions

Use this setting to prevent selecting specific groups as Dynamic Group targets to prevent escalation.

You can set multiple values separated by ";",  each value is a mask for the target group name. Example: *Global Admins*;*Helpdesk Admins*

Microsoft Teams membership enumeration page size

Specify integer number.

Apply fix for Get-FormatData error

Contact Cayosoft support if you receive the error connecting to Microsoft 365: Data returned by the remote Get-FormatData command is not in the expected format.

MS Graph advanced queries

Enables consistency level eventual which uses an index that might not be up-to-date with recent changes to the object.

Use legacy EXO commands

Microsoft provided a new set of commands based on REST API for managing Exchange Online. The recommendation is to use these newer Microsoft commands, but they might cause certain backward compatibility issues. Select 'Yes' to switch back to the legacy commands. 

Azure AD Administrative Units

Azure AD Administrative Units

You can limit the scope of Microsoft 365 web queries to the members of the specified Azure AD Administrative Unit.

Click Configure to see the list of all Azure AD Administrative Units in your tenant and check which of them are set to treat as containers. In this case, selected Azure AD Administrative Units to behave like Active Directory Organizational Unit: when a new member is added to this Azure AD Administrative Unit, Cayosoft Administrator removes this member from all other Azure AD Administrative Units marked as containers. 

You can check\uncheck Treat as container setting for each Azure AD Administrative Unit.

User Name Generation Rules (Web Interface)

Display Name generation rule

User Name prefix generation rule

Cayosoft Administrator can automatically generate user  DisplayName and User Name during user creation.

Select a generation rule from the list or create your own generation rule to satisfy your organization's requirements and policies.

These rules are applied to the New User and Rename User web actions.

User Name conflict resolution

Naming attributes should be unique in Microsoft 365. Cayosoft Administrator provides automatic name uniqueness check and conflict resolution. A unique name can be generated with alternative generation rules and applying unique counters.

Select the desired behavior when a name conflict is identified:

1. Stop and notify the user
2. Continue and suffix the user name with a numeric counter
3. Try the alternative generation rule (see next section), and if fail-stop and notify a user
4. Try the alternative generation rule (see next section), and if fail - continue and suffix the user name with a numeric counter

For more information, please see the Name conflict resolution and alternative names generation section.

Alternate Name Generation Rules (Web Interface)

Alternative User Name prefix generation rule

If the Name conflict resolution option is set to Try alternative generation rule, and if fail-stop and notify a user or Try alternative generation rule, and if fail - continue and suffix the user name with a numeric counter, Cayosoft Administrator will use Alternate Name Generation Rules to generate user name during user creation.

Select a generation rule from the list or create your own generation rule to satisfy your organization's requirements and policies.

Counter format

If the Name conflict resolution option is set to Continue and suffix the user name with a numeric counter or Try alternative generation rule, and if fail - continue and suffix the user name with a numeric counter, the next available numeric counter will be added to the generated string. By default, the counter starts with 1.

If you want to customize the counter format, use this setting to define the new format. For example, if you need to use two digits in the counter, you should enter 00 in the Counter format field.

Other User Provisioning Settings (Web Interface) 

Default User Language

Time Zone 

The values of Default User Language and Time zone settings will be used by default in the New User | Office 365 Mailbox post-creation tasks rule.

Show email prefix and suffix controls

Specify if email prefixes and suffixes should be displayed when creating resource mailboxes. 

Password Generation Options

Password policy

Password policy provides granular control over password complexity rules:

1. Length & Character:
   1. Password length
   2. Alphabetical characters 
   3. Numeric characters
2. Special Characters
3. Pattern & Sequence:
   Note: Prevent sequence of UserID characters in the password policy using the UserPrincipalName prefix as UserID. 

Customer Prices for Microsoft 365 Licenses

License prices

Specify prices for Microsoft 365 licenses, available in your tenant. You should input monthly cost - user/month.

These prices are used in:

• Office 365 Service Adoption dashboard
• Office 365 License Optimization
• Analytics Collection Runbook

1. The Check Settings command has been updated to check connection account role membership and connection to Exchange Online.
2. New Use legacy EXO commands setting has been added.

1. Microsoft 365 extension was renamed to Microsoft 365 extension.
2. MS Graph advanced queries setting is added.
3. Microsoft Teams membership enumeration page size setting is added.
4. Cayosoft Administrator has been transitioned to a new Teams PS module to replace the legacy Skype for Business Online Windows PowerShell Module.

1. Enable Modern Authentication setting is added.
2. Multi-factor authentication (MFA) for Microsoft 365 connection accounts can be enabled.

The Гpdate License command is renamed to Update License Cache.

Azure Admin consent status values added.