The roles and permissions (minimum scope) required for a service account configured in M365 Manager Plus are listed below.
| Module | Role Name | Scope |
| Management | User Administrator | Manage users, contacts and groups. |
| Privileged Authentication Administrator | Reset password, block or unblock administrators. | |
| Privileged Role Admin | Manage role assignments in Azure Active Directory. | |
| Exchange Administrator | Update mailbox properties | |
| Teams Service Admin | Manage Microsoft Teams | |
| Reporting | Global Reader | Get reports on all Microsoft 365 services |
| Security Reader | Security Reader | |
| Auditing and Alerting | Security Reader | Get audit logs and sign-in reports |
| Monitoring | - | - |
| Content Search | - | - |
Note:
The roles and permissions (minimum scope) required for an application configured in M365 Manager Plus are listed below.
| Module | API Name | Permission | Scope |
| Management | Microsoft Graph | User.ReadWrite.All | User creation, modification, deletion and restoration. |
| Group.ReadWrite.All | Group creation, modification, deletion, restoration. And add or remove members and owners. | ||
| Reporting | Microsoft Graph | User.Read.All | Users and group members report. |
| Group.Read.All | Group reports. | ||
| Contacts.Read | Contact reports. | ||
| Files.Read.All | OneDrive for Business reports. | ||
| Reports.Read.All | Usage reports. | ||
| Organization.Read.All | License details reports. | ||
| AuditLog.Read.All | Audit log-based reports | ||
| Azure Active Directory Graph | Domain.Read.All | Domain-based reports. | |
| Auditing and Alerting | Microsoft Graph | AuditLog.Read.All | Audit reports and alerts. |
| Monitoring | Office 365 Management APIs | ServiceHealth.Read | Health and performance reports. |
| Content Search | Microsoft Graph | Mail.Read | Content search reports. |
