Minimum scope

The roles and permissions, or minimum scope, required by a service account configured for M365 Manager Plus are listed below.

Table 1: Roles and permissions required by the service account.

Module Role Name Scope
Management User Administrator Manage users, contacts, and groups.
Privileged Authentication Administrator Reset passwords, and block or unblock administrators.
Privileged Role Admin Manage role assignments in Azure Active Directory.
Exchange Administrator Update mailbox properties.
Teams Service Admin Manage Microsoft Teams.
Reporting Global Reader Get reports on all Microsoft 365 services.
Security Reader Get audit logs and mailbox reports.
Auditing and alerting Security Reader Get audit logs and sign-in reports.
Monitoring - -
Content Search - -
 
Note:
  • If an Azure AD application is not configured for M365 Manager Plus, the Service Admin role is required for the Monitoring feature.
  • An Azure AD application needs to be configured for M365 Manager Plus in order to use the Content Search feature.

The roles and permissions, or minimum scope, required by an Azure AD application configured for M365 Manager Plus are listed below.

Table 2: Roles and permissions required by the Azure AD application.

Module API Name Permission Scope
Management Microsoft Graph User.ReadWrite.All Create, modify, delete, or restore users.
Group.ReadWrite.All Create, modify, delete, or restore groups. Add or remove group members and owners.
AdminsitrativeUnit.ReadWrite.All Adding members to administrative units
RoleManagement.ReadWrite.Directory Add directory roles to users.
Reporting Microsoft Graph User.Read.All Get user and group member reports.
Group.Read.All Get group reports.
Contacts.Read Get contact reports.
Files.Read.All Get OneDrive for Business reports.
Reports.Read.All Get usage reports.
Organization.Read.All Get license detail reports.
AuditLog.Read.All Get audit log-based reports.
ChannelMember.Read.All
(not available in Chinese tenant)
Get Microsoft Teams channel members report.
Application.Read.All Get Azure AD application details.
Sites.Read.All Get SharePoint sites details.
Policy.Read.All Configure conditional access policies details.
Calendars.Read Get users' calendar details.
Auditing and Alerting Office 365 Management ActivityFeed.Read Read the activity data for the organization.
Monitoring Microsoft Graph ServiceHealth.Read.All Get health and performance reports.
Content Search Microsoft Graph Mail.Read Get content search reports.
Configuration Microsoft Graph Application.ReadWrite.All Modify the application details.
Get download link