Connection accounts in Cayosoft Guardian
Cayosoft Guardian requires connection accounts to integrate with Active Directory (on-premises) and Microsoft Entra ID. These accounts allow Cayosoft Guardian to collect activity, monitor changes, and perform rollback operations.
To streamline configuration, Cayosoft Guardian automatically applies certain environment prerequisites during tenant onboarding, such as enabling the Unified Audit Log and applying Exchange Online customizations when an Entra application account is used.
This article describes the supported account types, their permissions, and the environment changes Cayosoft Guardian applies during setup.
Prerequisites
- A supported version of Windows Server for on-premises connectors.
- Administrative access to delegate rights in Active Directory or Entra ID.
- For Entra application accounts, a Microsoft Entra ID Global Administrator must grant consent to the required Microsoft Graph API permissions.
- For Managed Identity, Cayosoft Guardian must be deployed in Azure.
Environment changes applied by Cayosoft Guardian
When you add a tenant by using application authentication, Cayosoft Guardian automatically applies the following environment changes.
Exchange Online
- Enable organization customization: Enables organization customization, which is usually enabled by default. This is required for auditing and custom role creation. This change is irreversible.
- Turn auditing on: Enables the audit log if it is not already enabled. Auditing is usually already enabled in most organizations.
- Create a custom role: Creates the Cayosoft View-Only Mail Recipients role, which is derived from the native Mail Recipients role. This role is used to collect mailbox properties in read-only mode. Only cmdlets that begin with Get are included in this role.
- Register the Exchange Online application account: Creates and registers the Entra application specified during tenant onboarding.
- Assign permissions in read-only mode: Adds the service principal to the following Exchange Online roles:
- View-Only Organization Management built-in role group
- View-Only Audit Logs built-in role
- Cayosoft View-Only Mail Recipients custom role
- Assign permissions in write mode: Adds the service principal to the following Exchange Online role group:
- Organization Management
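The following PowerShell script is an added example, not Cayosoft's own code: it verifies after onboarding that the Exchange Online changes listed above are in place and that the application account holds only the read-only roles unless write mode was intended. It assumes the ExchangeOnlineManagement module, an admin session able to read RBAC configuration, and a placeholder application name.

```powershell
# Added verification script (not Cayosoft's code). Assumes the ExchangeOnlineManagement
# module and an account permitted to read Exchange Online RBAC configuration.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$customRole = 'Cayosoft View-Only Mail Recipients'
$appName    = 'GUARDIAN-APP-NAME'   # placeholder: application name entered in the tenant wizard
$writeMode  = $false                # set to $true only if rollback (write mode) was enabled

# 1. Organization customization: IsDehydrated = $true means it is still disabled.
"Organization customization enabled: $(-not (Get-OrganizationConfig).IsDehydrated)"

# 2. Unified audit log ingestion
"Unified audit log enabled: $((Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled)"

# 3. The custom role must exist and expose only Get-* cmdlets (read-only by design).
if (-not (Get-ManagementRole -Identity $customRole -ErrorAction SilentlyContinue)) {
    "Custom role '$customRole' is missing"
} else {
    $entries = @(Get-ManagementRoleEntry -Identity "$customRole\*")
    $nonGet  = @($entries | Where-Object { $_.Name -notlike 'Get-*' })
    "Custom role entries: $($entries.Count), non-Get entries: $($nonGet.Count)"
    $nonGet | ForEach-Object { "  WARNING: write-capable cmdlet in read-only role: $($_.Name)" }
}

# 4. Role group membership. Read-only mode adds the service principal to
#    View-Only Organization Management; Organization Management means write mode.
$sp = Get-ServicePrincipal | Where-Object { $_.DisplayName -eq $appName }
if (-not $sp) {
    "Service principal '$appName' is not registered in Exchange Online"
} else {
    foreach ($group in 'View-Only Organization Management', 'Organization Management') {
        # Assumption: the member entry exposes the service principal's display name or name.
        $member = Get-RoleGroupMember -Identity $group |
                  Where-Object { $_.DisplayName -eq $sp.DisplayName -or $_.Name -eq $sp.Name }
        "$group member: $([bool]$member)"
        if ($group -eq 'Organization Management' -and $member -and -not $writeMode) {
            "  WARNING: write-mode role group assigned but write mode was not intended"
        }
    }
    # Direct role assignments (View-Only Audit Logs and the custom role) target the app itself.
    Get-ManagementRoleAssignment -RoleAssignee $sp.Identity -ErrorAction SilentlyContinue |
        ForEach-Object { "  direct assignment: $($_.Role)" }
}
Disconnect-ExchangeOnline -Confirm:$false
```

Run it once in read-only deployments and again after enabling write mode; any WARNING line points at a permission broader than the mode you chose.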
Microsoft Entra ID
- Create application registration: Creates an application registration by using the name specified in the New Microsoft 365 Tenant wizard.
- Create enterprise application: Creates the enterprise application automatically for the application registration.
- Assign permissions in write mode: Adds the enterprise application to the Global Administrator role. Assigns all read-only permissions and the Microsoft Graph application permissions in
Azure infrastructure
- Assign permissions in read-only mode: Assigns the service account application to the Reader Azure RBAC role at the Tenant root management group scope.
- Assign permissions in write mode: Assigns the service account application to the User Access Administrator Azure RBAC role at the Tenant root management group scope.
Audit logging
Cayosoft Guardian records all environment changes it applies during tenant onboarding, including the following:
- Enabling Unified Audit Logs
- Applying Exchange Online customizations
- Registering and configuring Entra application accounts
- Assigning permissions in Exchange Online, Entra ID, and Azure
These actions are logged in Cayosoft Guardian's internal change tracking, so administrators can show security and compliance teams exactly which changes were made to the tenant.
Connection account permissions
| Account type | Recommended use | Required permissions | Notes |
|---|---|---|---|
| Group Managed Service Account (gMSA) | On-premises AD connectors and services | Read access to directory objects for monitoring. Write or modify access if rollback is required. Log on as a service right on the host that runs the AD connector. | Requires Windows Server 2012 or later and a KDS root key. The domain functional level must support gMSA. Cannot be used in Entra ID. |
| Standard service account | When gMSA is not available | Directory read permissions. Optional delegated write or modify rights for rollback. Local Log on as a service right on connector hosts. | The password lifecycle must be managed manually. This account type has a higher security risk than gMSA. |
| Microsoft Entra application account | Cloud integrations in Entra ID | Microsoft Graph API permissions, including Directory.Read.All for change monitoring, Directory.ReadWrite.All for rollback, and AuditLog.Read.All for audit logs. Additional application permissions may be required for Microsoft Teams, Exchange, and Intune. Role assignment: Global Reader for read-only mode and Global Administrator for write mode. | Authentication uses a client secret or certificate and requires admin consent. Secret or certificate lifecycle must be managed. This account type automatically enables Unified Audit Log connection and Exchange customizations. |
| Managed Identity | Guardian deployed in Azure | Managed identity created automatically. Role assignment required, such as Directory Reader or Key Vault Reader. | Available only for Azure-hosted deployments. Permissions must still be assigned explicitly. |
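As an added example (not Cayosoft's code), the following Microsoft Graph PowerShell script lists the application permissions and directory roles actually granted to the Entra application account from the table and flags write-capable grants, so a read-only deployment can be checked against the least-privilege baseline. It assumes the Microsoft.Graph SDK, the Application.Read.All and RoleManagement.Read.Directory scopes, and a placeholder application name.

```powershell
# Added least-privilege check (not Cayosoft's code). Assumes the Microsoft.Graph SDK.
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes 'Application.Read.All', 'RoleManagement.Read.Directory' -NoWelcome

$appName     = 'GUARDIAN-APP-NAME'                        # placeholder from the tenant wizard
$expected    = @('Directory.Read.All', 'AuditLog.Read.All') # read-only baseline from the table
$writeScopes = @('Directory.ReadWrite.All')                  # legitimate only in write mode

$sp = Get-MgServicePrincipal -Filter "displayName eq '$appName'" | Select-Object -First 1
if (-not $sp) { throw "Service principal '$appName' not found" }

# Resolve each app role assignment GUID to the permission name published by the resource API.
$granted = foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    $roleName = ($resource.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }).Value
    [pscustomobject]@{ Resource = $resource.DisplayName; Permission = $roleName }
}
$granted | Format-Table -AutoSize

$graphPerms = @($granted | Where-Object { $_.Resource -eq 'Microsoft Graph' } |
               ForEach-Object { $_.Permission })
foreach ($p in $expected) {
    if ($graphPerms -notcontains $p) { "MISSING read permission: $p" }
}
foreach ($p in $graphPerms) {
    # Any ReadWrite grant allows changes to the directory; expected only for rollback.
    if ($p -in $writeScopes -or $p -like '*ReadWrite*') { "WRITE-CAPABLE permission granted: $p" }
}

# Directory role membership: Global Reader for read-only mode, Global Administrator
# only when write mode (rollback) is enabled. Roles appear only once activated in the tenant.
foreach ($roleName in 'Global Reader', 'Global Administrator') {
    $role = Get-MgDirectoryRole -Filter "displayName eq '$roleName'"
    if ($role) {
        $isMember = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id |
                    Where-Object { $_.Id -eq $sp.Id }
        "$roleName member: $([bool]$isMember)"
    }
}
Disconnect-MgGraph | Out-Null
```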