Entra ID application permissions required by Cayosoft Administrator Service

The Cayosoft Administrator Service requires specific Microsoft Entra ID (formerly Azure Active Directory) application permissions to manage your Microsoft 365 tenant and its objects.

When you configure Microsoft 365 extension settings, Cayosoft registers Entra ID applications that are used to authenticate, authorize, and perform management operations against Microsoft Graph and other Microsoft 365 services.

Entra ID applications used by Cayosoft Administrator

Cayosoft Administrator uses two different Entra ID applications, each with a distinct purpose:

1. Cayosoft Administrator app

This application is used during:

Initial Microsoft 365 connection setup
Create a connection account flow
Validate connection credentials flow
MFA detection and configuration checks
Security Defaults / MFA enforcement handling

Some permissions for this app are requested only during Create or Validate operations.

2. Cayosoft Administrator API Access app

This application is used for day‑to‑day operations, including:

Rules and workflows
Web actions
Reporting
Automation
Delegated and self‑service tasks

NOTE: Partial consent is not supported for the Cayosoft Administrator API Access app. If any required permission is missing, Cayosoft Administrator treats this as a critical error and the connection to Microsoft 365 will not function correctly. A red banner is displayed indicating incomplete consent.

Where to review permissions

Sign in to https://aad.portal.azure.com/ using a Global Administrator account.
Navigate to Enterprise applications > All applications.
Select Cayosoft Administrator API Access or Cayosoft Administrator.
Open Permissions.

Microsoft Graph permissions – Admin consent

Permission	Description	Usage
openid	Sign users in	Used for Azure authentication (SSO).
User.Read	Sign in and read user profile	Used for Azure authentication (SSO).

Cayosoft Administrator application – Admin consent

Permission	Permission name	Description	Usage in Cayosoft Administrator
Application.ReadWrite.All	Read and write applications	Allows the app to create, read, update, and delete applications and service principals in Microsoft Entra ID.	Used by the Cayosoft Administrator app to check for the existence of and create or update the Cayosoft Administrator API Access application during initial setup, re‑consent, upgrades, and Create / Validate connection flows.

Microsoft Graph permissions – Delegated/application permissions (API Access app)

The following permissions are granted to the Cayosoft Administrator API Access app and are used across Cayosoft Administrator features.

Core identity, directory, and group management

Permission	Description	Usage in Cayosoft Administrator
Directory.Read.All	Read directory data	Used across rules, delegated actions, reporting, and directory queries.
Directory.ReadWrite.All	Read and write directory data	Used across the product to manage users, groups, and devices.
Group.Read.All	Read groups	Used across rules and delegated actions.
Group.ReadWrite.All	Read and write groups	Used to manage Microsoft 365 groups, security groups, memberships, and role assignments.
GroupMember.Read.All	Read access to group memberships	Used for managing group membership.
GroupMember.ReadWrite.All	Read and write access to group memberships	Used for managing group membership.
Member.Read.Hidden	Read hidden group memberships	Used in rules (for example, Microsoft 365 Groups) to filter or evaluate groups with hidden membership or administrative units.

User lifecycle and authentication management

Permission	Description	Usage in Cayosoft Administrator
User.ReadWrite.All	Read and write users	Used across rules, workflows, and web actions to manage user accounts.
User.Invite.All	Invite guest users	Used in guest-related web actions such as New Guest.
Profile.ReadWrite.All	Read and write user profiles	Used to update and synchronize user attributes.
UserAuthenticationMethod.ReadWrite.All	Read and write user authentication methods	Used by Authentication Methods web actions, suspend functionality, and rules related to authentication methods.
Policy.ReadWrite.AuthenticationMethod	Read and write authentication method policies	Used to read and manage tenant-level authentication method policies and to get or set MFA status (Disabled / Enabled / Enforced) via M365 User → Properties web action.

Clarification:

UserAuthenticationMethod.ReadWrite.All manages user-specific authentication methods (for example, phone numbers or Authenticator app settings).

Policy.ReadWrite.AuthenticationMethod manages tenant-level authentication method policies that control MFA behavior and enforcement.

Audit, reporting, and analytics

Permission	Description	Usage in Cayosoft Administrator
AuditLog.Read.All	Read audit logs	Used to read last sign-in information, analytics collection, Service Adoption Dashboard, and License Optimization.
Reports.Read.All	Read reports	Used in report generation web actions.
Reports.ReadWrite.All	Read and write reports	Used in advanced reporting scenarios.
SecurityEvents.Read.All	Read security events	Used for security-related reports.

Mail, calendar, files, and collaboration

Permission	Description	Usage in Cayosoft Administrator
Mail.ReadWrite	Read and write mail	Used to send notifications using Microsoft Graph from a service account.
Mail.ReadWrite.Shared	Read and write shared mail	Used to send notifications using Microsoft Graph from non-service accounts.
Mail.Send	Send mail	Used to send notifications through Microsoft Graph.
Mail.Send.Shared	Send shared mail	Used to send notifications from shared mailboxes.
Calendars.ReadWrite.Shared	Read and write calendars	Used by workflows and rules that interact with user calendars.
Files.Read.All	Read all user-accessible files	Used for analytics and OneDrive functionality (for example, retrieving drive URLs).
People.Read	Read people list	Used in approval workflows and web actions that send emails.

Device and Intune management

Permission	Description	Usage
Device.Read.All	Read devices	Used across the product for device queries.
Device.ReadWrite.All	Read and write devices	Used to manage devices and synchronize properties.
DeviceLocalCredential.Read.All	Read local credentials	Used by LAPS web actions.
DeviceManagementManagedDevices.ReadWrite.All	Read/write Intune devices	Used by device web actions for Intune-managed devices.
DeviceManagementManagedDevices.PrivilegedOperations.All	Perform privileged Intune actions	Used for retire, suspend, and delete device actions.

Tenant metadata and organization information

Permission	Description	Usage
Organization.Read.All	Read organization information	Used to retrieve subscribed SKUs and verified domains in the tenant.

Legacy permission (planned for deprecation)

Permission	Description	Usage
EWS.AccessAsUser.All	Exchange Web Services mailbox access	Previously used for Priority Booking functionality. Planned for removal as Exchange Online integrations are modernized to Microsoft Graph.

Known behavior: Remote Mailbox domain validation

When using AD web actions with the Remote Mailbox type, Cayosoft validates the selected UPN suffix against domains available in Microsoft Entra ID.

If the suffix does not exist, the following error is displayed:

The domain '@<domain>' is not valid.

This behavior is expected and is not related to insufficient permissions.

CayosoftAdministratorProduction.4.log-1174102284.zip
40 KB Download

Articles in this section

Entra ID application permissions required by Cayosoft Administrator Service

Entra ID application permissions required by Cayosoft Administrator Service

Entra ID applications used by Cayosoft Administrator

1. Cayosoft Administrator app

2. Cayosoft Administrator API Access app

Where to review permissions

Microsoft Graph permissions – Admin consent

Cayosoft Administrator application – Admin consent

Microsoft Graph permissions – Delegated/application permissions (API Access app)

Core identity, directory, and group management

User lifecycle and authentication management

Audit, reporting, and analytics

Mail, calendar, files, and collaboration

Device and Intune management

Tenant metadata and organization information

Legacy permission (planned for deprecation)

Known behavior: Remote Mailbox domain validation

Comments

Articles in this section

Entra ID application permissions required by Cayosoft Administrator Service

Entra ID applications used by Cayosoft Administrator

1. Cayosoft Administrator app

2. Cayosoft Administrator API Access app

Where to review permissions

Microsoft Graph permissions – Admin consent

Cayosoft Administrator application – Admin consent

Microsoft Graph permissions – Delegated/application permissions (API Access app)

Core identity, directory, and group management

User lifecycle and authentication management

Audit, reporting, and analytics

Mail, calendar, files, and collaboration

Device and Intune management

Tenant metadata and organization information

Legacy permission (planned for deprecation)

Known behavior: Remote Mailbox domain validation

Related articles