Tenant Configuration

    You can either automate the configuration of Microsoft 365 tenants or choose to do it manually.

    Automate Microsoft 365 tenant configuration

    Follow these steps to automate Microsoft 365 tenant configuration:

    1. Log in to ADManager Plus and navigate to Domain/Tenant Settings → Microsoft 365 tab.
    2. Click the Add New Tenant button in the top-right corner.
    3. Click Configure the Microsoft 365 Login button to initiate the process. Please use the Global Administrator credentials to log in and authorize. Note that ADManager Plus does not store this credential for security reasons.

      At this stage, the following actions will be executed:

      • An Azure AD application will be created. It will fetch the Microsoft 365 data via Microsoft Graph API.
      • A Service Account that has both Exchange Administrator and View-Only Organization Management roles will be created.
    4. Select the required AD domains which are to be linked with this account. It is essential to link the on-premises domains with Microsoft 365 domains as it is needed to apply certain restrictions such as OU-based restrictions.
    5. Click Proceed in the dialog box that appears. You will be redirected to the Microsoft 365 login page, where you will be required to log in with the Global Administrator's credentials.
    6. The Microsoft 365 login portal will list the permissions requested for your organization. After reviewing these permissions, click Accept.
    7. Once the tenant configuration is successful, it will be listed in the Microsoft 365/Google Apps window.

    Manually configure Microsoft 365 tenant

    If you wish to configure a Microsoft 365 tenant manually, follow these steps:

    1. Create an Azure AD application that will be used for ADManager Plus. To do this, sign in to the Azure AD portal and create a new app registration. Once this process is completed, copy the Application Secret Key, Application ID, and Application Object ID. These values will be needed later in this configuration process.
    2. Create a Service Account with the View-Only Organization Management, View Only Audit Log and Service Administrator permissions.
    3. Log in to ADManager Plus and click the Domain/Tenant Settings option in the top-right corner.
    4. Click the Configure using Microsoft 365 Login to login with the already registered Azure AD Application option.
    5. Configuring Rest API

    6. In the window that appears, enter the Tenant Name, Application Secret Value, Application ID, and Application Object ID in the respective fields.
    7. Once the tenant configuration is successful, it will be listed in the Microsoft 365 tab.

    In some cases, ADManager Plus would require you to perform some actions to complete the configuration process:

    Error message, what it means, and solution:

    1) Error message: REST API Access - Enable Now
       What does it mean? ADManager Plus hasn't been granted all the permissions for tenant configuration.
       Solution: Enable REST API access with the required permissions. For additional information, refer to this document.
    2) Error message: REST API Access - Update Permissions
       What does it mean? ADManager Plus requires additional permissions to process the newly added features.
       Solution: Enable REST API access with the required permissions. For additional information, refer to this document.
    3) Error message:
       • Service Account - Configure Now / Status - Failed to create service account
       • Azure AD Secret Key is invalid
       What does it mean? The service account could not be created.
       Solution: Follow the steps to troubleshoot service account creation error.

    Steps to update a service account in ADManager Plus

    1. Now the service account must be configured. To do this, click the edit option under the Actions column.
    2. Click the edit icon found near Service Account Details.
    3. Enter the credentials of the service account you need to configure in the respective fields.
    4. Click Update, and close the pop-up window.

    Steps to troubleshoot service account creation error

    1. Create a Microsoft 365 service account with the Exchange admin role.
    2. From the ADManager Plus console, click Configure Now listed under the Service Account column.
    3. Enter the credentials of the service account that was created earlier.
    4. Click Configure.

    Steps to modify Microsoft 365 tenant details

    1. Log in to ADManager Plus, navigate to the Admin tab and click Microsoft 365/Google Apps under System Settings.
    2. The list of all Microsoft 365 tenants that are currently configured with ADManager Plus is listed here.
    3. Under the Actions column, click on the respective tenant that you wish to modify.
    4. Click on the edit icon and modify the desired values.
    5. Click Update once the changes have been completed.

    Steps to configure an MFA enabled service account

    If the service account is MFA-enabled, you have the option of using either the Trusted IP feature or Conditional Access in Microsoft 365 to bypass MFA.

    Steps to configure trusted IPs

    1. Log in to portal.azure.com with the Global Admin credentials and click Azure Active Directory listed under Azure services.
    2. Click Security from the left pane and choose MFA listed under the Manage category.
    3. Click the Additional cloud-based MFA settings option. In the new window that pops up, navigate to the trusted IPs section.
    4. Select the Skip multi-factor authentication for requests from federated users on my intranet option.
    5. In the text box that opens, enter the IP address of the machine in which ADManager Plus is installed.
    6. Click Save to complete the process.

    Steps to configure Conditional Access

    You can create a new policy to enforce MFA and exclude a specific set of ADManager Plus users so that they need not undergo multi-factor authentication. Note that you need an Azure AD Premium P1 license to use Conditional Access.

    1. Log in to portal.azure.com with the Global Admin credentials and click Azure Active Directory listed under Azure services.
    2. Click Security from the left pane and choose Conditional Access under the Protect category.
    3. Click New Policy and enter the desired name of that policy.
    4. Select the Users and groups option and click the Exclude tab.
    5. Using the Users and groups checkbox, select all the ADManager Plus users for whom the MFA must not be enforced, and click Done.
    6. In the Access controls section, select Grant.
    7. Choose the Grant access radio button and select the Require multi-factor authentication checkbox.
    8. Click on Create and then Save to complete the operation.
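
The policy built in the steps above leaves the excluded accounts without an MFA requirement, so the exclusion list is worth reviewing after every change. The following Python check is an added example, not part of ADManager Plus or its documentation: it reads policies in the JSON shape Microsoft Graph uses for Conditional Access policies and reports every exclusion from an enforced MFA policy that is not on an approved list. The sample policies, object IDs and the approved list are constructed for illustration.

```python
import json

# Constructed sample in the shape of Microsoft Graph conditionalAccessPolicy
# objects. Display names and object IDs are made up for illustration.
SAMPLE_POLICIES = json.loads("""
[
  {"displayName": "Require MFA - all users", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"],
      "excludeUsers": ["11111111-1111-1111-1111-111111111111",
                       "22222222-2222-2222-2222-222222222222"],
      "excludeGroups": [], "excludeRoles": []}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
  {"displayName": "Require MFA - admins", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [],
      "excludeGroups": ["33333333-3333-3333-3333-333333333333"],
      "excludeRoles": []}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
]
""")

# Assumption: object ID of the single service account approved for exclusion.
APPROVED_EXCLUSIONS = {"11111111-1111-1111-1111-111111111111"}


def audit_mfa_exclusions(policies, approved):
    """Return (policy, kind, object_id) for each unapproved MFA exclusion."""
    findings = []
    for policy in policies:
        controls = (policy.get("grantControls") or {}).get("builtInControls") or []
        if "mfa" not in controls or policy.get("state") != "enabled":
            continue  # only enforced policies that require MFA are relevant
        users = (policy.get("conditions") or {}).get("users") or {}
        for uid in users.get("excludeUsers") or []:
            if uid not in approved:
                findings.append((policy["displayName"], "user", uid))
        # Group and role exclusions widen as membership changes, so they are
        # always reported for manual review.
        for kind, key in (("group", "excludeGroups"), ("role", "excludeRoles")):
            for oid in users.get(key) or []:
                findings.append((policy["displayName"], kind, oid))
    return findings


if __name__ == "__main__":
    for name, kind, oid in audit_mfa_exclusions(SAMPLE_POLICIES, APPROVED_EXCLUSIONS):
        print(f"{name}: unapproved {kind} exclusion {oid}")
```
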
