Skip to main content

Articles in this section

See more
Print

Configuration: Add a Tenant

  • Updated

Configuration: Add a Tenant

This article describes how to add a new Microsoft 365 tenant in Cayosoft Guardian. The wizard guides you through the connection method, configuration account, application account creation, service selection, and confirmation.

Prerequisites

  • A Microsoft Entra Global Administrator account to grant consent and complete setup.
  • Network/browser access to your Microsoft 365 tenant.

Adding a tenant

Adding your Entra ID/Microsoft 365 cloud tenant immediately enables change monitoring and data backup for continuous protection against unwanted changes.

  1. Choose how Guardian will connect to Microsoft 365:

    • Create Microsoft Entra application (recommended) – Guardian will create and configure an application in Microsoft Entra ID with the required roles.
    • Use credentials of an existing user account (legacy) – Legacy authentication option using an existing account.

    RECOMMENDED: Use the Microsoft Entra application method for enhanced security and easier management. Learn more: Entra application accounts.

    Connection method selection

  2. If you select Create Microsoft Entra application (recommended), the account you sign in with:

    • Must be a member of the Global Administrator role.

    Create Entra application requirement

  3. If you select Use credentials of an existing user account (legacy), the account must meet the following requirements:

    • Must be a member of the Global Administrator role.
    • Should be a dedicated account created specifically for Cayosoft Guardian.
    • Must not be synced from on-premises Active Directory.

    Legacy user account requirements

  4. Enter the account in the format username@domain.com. This account is used only during configuration and is not preserved.

  5. Sign in to your Microsoft Entra tenant so Guardian can automatically create and configure the application and assign the required roles.

    • Sign In with a Global Administrator and grant consent when prompted.
    • Name for Microsoft Entra application – defaults to Cayosoft Guardian service account (you can rename if needed).

  6. Admin consent must be granted for Guardian to access the tenant. Click Sign In and log in using a Global Administrator account.

  7. Enable Grant write permission for automatic rollback.

    NOTE: Enabling this option grants the required write permissions so that Cayosoft Guardian can perform rollback operations when needed. After all rollback tasks are complete, you should manually de-elevate the account to remove write permissions and reduce security risk. For details on managing access, see Managing access .

     

  8. Choose which Microsoft 365 services Guardian will monitor for changes:

    • Entra ID
    • Exchange Online
    • Teams
    • Intune

    NOTE: Enabling additional services increases database storage requirements. Use the system requirements calculator to estimate storage needs.

    Cayosoft Guardian automatically configures the Microsoft Entra application with the required permissions for the selected services.

    Service selection confirmation

    Once configuration is complete, the tenant appears in your list of managed tenants.

  9. You will see the following details:

    • Tenant name
    • Configuration account name
    • Guardian service application account
    • Configured jobs (e.g., Entra ID)

    Managed tenant details

Managing access

With this feature, Cayosoft Guardian helps your organization follow security best practices while still maintaining rollback and recovery capabilities when required.

To elevate access for Microsoft Entra tenants:

  1. In the Cayosoft Guardian web portal, go to Configuration > Managed Tenants.

  2. From the tenant list, choose the tenant you want to elevate.

  3. At the top of the tenant details pane, click Elevate access.

  4. In the Account name field, enter the Global Administrator account in the format: username@domain.com.

  5. Click Sign in and complete the authentication process.

  6. After signing in, click Elevate to grant write permissions.

  7. Confirm that the tenant status reflects elevated access.

To de-elevate connection accounts for Microsoft Entra tenants :

  1. In the Cayosoft Guardian web portal, go to Configuration > Managed Tenants.

  2. From the tenant list, choose the tenant you want to de-elevate.

  3. At the top of the tenant details pane, click De-elevate access.

  4. In the Account name field, enter the Global Administrator account in the format: username@domain.com

  5. Click Sign in and complete the authentication process.

  6. After signing in, click De-elevate to remove elevated write permissions.

  7. Confirm that the tenant status reflects de-elevated access.

Switching tenant connection method

To change a managed tenant from the legacy User account connection to the Microsoft Entra application connection, remove the tenant and add it back using the Entra application account method.

  1. In the Guardian web console, go to Configuration > Managed Tenants.
  2. Select the tenant you want to switch and choose Delete.
  3. After removal completes, select Add tenant.
  4. When prompted for the connection method, choose Microsoft Entra application and complete the Add tenant flow.

NOTE: Removing and re-adding the tenant in this way does not cause configuration issues or Cayosoft Guardian Change History data loss.

For more information on how to swith the connection method to gMSA, see Switch existing forest recovery plans to use gMSA in Forest Recovery: Create, configure, verify and run forest recovery plan.

Managing credentials

To edit the credentials:

  1. Open the Cayosoft Guardian web portal.
  2. Expand Configuration node.
  3. Select the Managed tenants node.
  4. Select the tenant and click Properties.
  5. On the Credentials tab, click Edit.
  6. Click Add + and select the credentials to be added.

  7. For Token credential, specify:

    • Account name – the account name for which the credential is being configured.
    • Refresh token – the refresh token (or password) associated with the account.
    • Type – the type of token credentials.

  8. For Password credential, specify:

    • Account name – the account name for which the credential is being configured.
    • Password – the password associated with the account.
    • Type – the type of password credentials.

To delete the credentials:

  1. Open the Cayosoft Guardian web portal.
  2. Expand Configuration node.
  3. Select the Managed tenants node.
  4. Select the tenant and click Properties.
  5. On the Credentials tab, click Edit.
  6. Click the vertical kebab icon and click Delete.
  7. Confirm the deletion.

© Copyright 2013-2026 Cayosoft Inc. All rights reserved.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request
Return to top

Related articles

Comments

0 comments

Please sign in to leave a comment.