Required permissions for connection accounts in Cayosoft Administrator

Overview

When accessing target platforms, Cayosoft Administrator uses connection accounts to collect and manage data from the platforms. To ensure the correct operation of Cayosoft Administrator, the accounts must have corresponding roles, permissions and settings. This article lists both recommended and least-privilege sets of permissions and settings for the connection accounts used to access target platforms.

Permissions

Recommended permissions and settings

Review the table to learn more about the recommended sets of permissions and settings for each platform:

Platform	Recommended permissions
Active Directory (AD)	Member of the Domain Admins group in each managed domain.
AD Lightweight Directory Services (AD LDS)	Member of the Domain Admins group.
Cayosoft Guardian integration	The Global Administrator role in Cayosoft Guardian.
Google Workspace	The super admin role.
Microsoft 365	The Global Administrator role in the target tenant. The connection account must be excluded from the Conditional Access Policy (CAP) and from the multi-factor authentication (MFA). The connection account must be granted the Administrative Consent to access the tenant. Refer to the list of permissions: Entra ID application permissions required by Cayosoft Administrator Service. The connection account must be granted the Organization Management role in Exchange Online, whether through the Global Administrator role, the Exchange Administrator Entra ID role, or directly. The connection account must be a cloud-only account to avoid issues with the Entra ID synchronization. The account should not be used to run other services or scripts. The connection account must have the corresponding Microsoft 365 licenses assigned for specific functionality like Teams management and email notifications if you use the same account for the Email settings email notifications. Optional: The connection account must have additional roles in Exchange Online assigned for the Priority booking web action.
Microsoft Exchange	Member of the Organization Management role group.
Microsoft Hybrid	—
Okta	—
Ping	—
Utils	The SQL Server connection account: The connection account must use the SQL Server Authentication mode. The connection account must have Read permissions in `sys.Databases`, `sys.columns`, and `sys.schemas` in the `master` database. The connection account must be able to connect to the target database server. The connection account must have the `db_owner` and `db_denydatawriter` roles in the target database. IMPORTANT: If you are using the AD Users \| Update SQL Server Database rule, the connection account must have an appropriate role to write to the database. The Oracle DB connection account: The `CONNECT` role. The `RESOURCE role`. The `SELECT_CATALOG_ROLE` role. IMPORTANT: If you are using the AD Users \| Update Oracle Database rule, the connection account must have an appropriate role to write to the database.
Workday	The Workday HR connection account: A dedicated Integration System User. A separate Integration System Security Group to assign access to. The Integration System Security Group assigned as initiator for the following Workday Web Services: Maintain Contact Information Home Contact Change Work Contact Change The Integration System Security Group requires the following permissions in the domain security policy: The domain security policy must be granted GET to read data. The domain security policy must be granted PUT if you would like to write data from Active Directory to Workday. Refer to the list of the minimum required GET permissions for the domain security policy: Worker Data: Public Worker Reports Worker Data: Workers Worker Data: All Positions Worker Data: Current Staffing Information Person Data: Work Contact Information Refer to the list of the minimum required PUT permissions for the domain security policy: Worker Data: Maintain Contact Information Person Data: Work Contact Information* IMPORTANT: The Person Data: Work Contact Information permission is required if your Workday environment distinguishes Worker and Person entities.

Least-privilege permissions

Platform

Recommended permissions

Active Directory (AD)

Delegate the following tasks in the target domain to the connection account:

Create, delete, and manage user accounts
Reset user passwords and force password change at the next logon
Read all user information
Modify the membership of a group

Delegate control over the following items in a custom task in the target domain to the connection account:

Computer objects
Contact objects
Group objects

Delegate access to the shared Home folder of the AD users:

In the Share Permissions tab of the target share, specify the connection account and grant Allow Full Control permissions.

Microsoft 365

Delegate the following roles to the connection account:

Authentication Administrator
Authentication Policy Administrator
Cloud Application Administrator
Cloud Device Administrator
Exchange Administrator
Global Reader
Intune Administrator
License Administrator
Privileged Authentication Administrator
Privileged Role Administrator
User Administrator
Skype for Business Administrator
SharePoint Administrator
Teams Administrator

Microsoft Exchange

Delegate the following roles to the connection account:

Active Directory Permissions
Audit Logs
Compliance Admin
Database Copies
Distribution Groups
Exchange Servers
ExchangeCrossServiceIntegration
Federated Sharing
Mail Recipient Creation
Mail Recipients
Mailbox Search
MyBaseOptions
Remote and Accepted Domains
UM Mailboxes
Unified Messaging
User Options

Notes

Active Directory

If you need to restrict permissions to some objects you should perform the steps described in this article: How to deny Active Directory connection account permissions to an object.
If you encounter the Access Denied error when you attempt to create new users or reset user passwords, verify the connection user has the extended Unexpire password right assigned. Review the following article for more information: How to grant Cayosoft service account permissions to reset passwords for other user accounts.

Configuring granular permissions for Microsoft 365 connection account

Review the following step-by-step instructions to configure the least-privilege Microsoft 365 connection account:

In Microsoft 365 extension settings, specify credentials for the Microsoft 365 account. You can create a new connection account to get Entra ID roles assigned and get consent granted automatically; alternatively, use an existing account and configure it manually.
Delegate the Global Administrator role to the account. You will change the role assignments later.
Grant consent as described in the following KB article: Register application and grant consent to access managed tenant. Log in using the same account used in the Microsoft 365 extension.
In the Microsoft 365 Admin Portal, change roles assigned to the connection account. Refer to the table for the list of required roles: Microsoft 365.
Verify the Exchange Online roles for the created Microsoft 365 connection account. The Microsoft 365 connection account must be a member of the Organization Management role in Exchange Online.
Restart the Cayosoft Administrator Service.

CayosoftAdministratorProduction.4.log-1174102284.zip
40 KB Download

Articles in this section

Required permissions for connection accounts in Cayosoft Administrator

Required permissions for connection accounts in Cayosoft Administrator

Overview

Permissions

Recommended permissions and settings

Least-privilege permissions

Notes

Active Directory

Configuring granular permissions for Microsoft 365 connection account

Related Articles

Comments

Articles in this section

Required permissions for connection accounts in Cayosoft Administrator

Overview

Permissions

Recommended permissions and settings

Least-privilege permissions

Notes

Active Directory

Configuring granular permissions for Microsoft 365 connection account

Related Articles

Related articles