Minimum scope

The roles and permissions, or minimum scope, required by a service account configured for M365 Manager Plus are listed below.

Table 1: Roles and permissions required by the service account.

Module Role Name Scope
Management User Administrator Manage users, contacts, and groups.
Privileged Authentication Administrator Reset passwords, and block or unblock administrators.
Privileged Role Administrator Manage role assignments in Azure Active Directory.
Exchange Administrator Update mailbox properties.
Teams Administrator Manage Microsoft Teams.
Reporting Global Reader Get reports on all Microsoft 365 services.
Security Reader Get audit logs and mailbox reports.
Auditing and alerting Security Reader Get audit logs and sign-in reports.
Monitoring - -
Content Search - -
  • If an Azure AD application is not configured for M365 Manager Plus, the Service Support Administrator role is required for the Monitoring feature.
  • An Azure AD application needs to be configured for M365 Manager Plus in order to use the Content Search feature.
  • If Exchange Administrator role is not provided, add the service account to the role group with
    "View-Only Audit Logs" role. This role is required for audit and audit-based reports. To learn how to set up this account, click here

The roles and permissions, or minimum scope, required by an Azure AD application configured for M365 Manager Plus are listed below.

Table 2: Roles and permissions required by the Azure AD application.

Module API Name Permission Scope
Management Microsoft Graph User.ReadWrite.All Create, modify, delete, or restore users.
Group.ReadWrite.All Create, modify, delete, or restore groups. Add or remove group members and owners.
AdminsitrativeUnit.ReadWrite.All Adding members to administrative units
RoleManagement.ReadWrite.Directory Add directory roles to users.
SharePoint Sites.FullControl.All Allows the app to read, create, update, and delete document libraries and lists in all site collections.
Reporting Microsoft Graph User.Read.All Get user and group member reports.
Group.Read.All Get group reports.
Contacts.Read Get contact reports.
Files.Read.All Get OneDrive for Business reports.
Reports.Read.All Get usage reports.
Organization.Read.All Get license detail reports.
AuditLog.Read.All Get audit log-based reports.
(not available in Chinese tenant)
Get Microsoft Teams channel members report.
Application.Read.All Get Azure AD application details.
Sites.Read.All Get SharePoint sites details.
Policy.Read.All Configure conditional access policies details.
Calendars.Read Get users' calendar details.
SharePoint Sites.Read.All Allows the app to read documents and list items in all site collections.
Office 365 Management ActivityFeed.Read Read the audit data for organization.
Auditing and Alerting Office 365 Management ActivityFeed.Read Get audit reports and alerts.
Monitoring Microsoft Graph ServiceHealth.Read.All Get health and performance reports.
Content Search Microsoft Graph Mail.Read Get content search reports.
Configuration Microsoft Graph Application.ReadWrite.All Modify the application details.
Backup Office 365 Exchange Online full_access_as_app Uses Exchange Web Services to backup and restore mailboxes.

Copyright © 2023, ZOHO Corp. All Rights Reserved.