Minimum scope

The roles and permissions, or minimum scope, required by a service account configured for M365 Manager Plus are listed below.

Table 1: Roles and permissions required by the service account.

| Module | Role Name | Scope |
|---|---|---|
| Management | User Administrator | Manage users, contacts, and groups. |
| Management | Privileged Authentication Administrator | Reset passwords, and block or unblock administrators. |
| Management | Privileged Role Administrator | Manage role assignments in Azure Active Directory. |
| Management | Exchange Administrator | Update mailbox properties. |
| Management | Teams Administrator | Manage Microsoft Teams. |
| Reporting | Global Reader | Get reports on all Microsoft 365 services. |
| Reporting | Security Reader | Get audit logs and mailbox reports. |
| Auditing and alerting | Security Reader | Get audit logs and sign-in reports. |
| Monitoring | - | - |
| Content Search | - | - |

Note:
  • If an Azure AD application is not configured for M365 Manager Plus, the Service Support Administrator role is required for the Monitoring feature.
  • An Azure AD application needs to be configured for M365 Manager Plus in order to use the Content Search feature.
  • If the Exchange Administrator role is not provided, add the service account to the role group with the "View-Only Audit Logs" role. This role is required for audit and audit-based reports.

The roles and permissions, or minimum scope, required by an Azure AD application configured for M365 Manager Plus are listed below.

Table 2: Roles and permissions required by the Azure AD application.

| Module | API Name | Permission | Scope |
|---|---|---|---|
| Management | Microsoft Graph | User.ReadWrite.All | Create, modify, delete, or restore users. |
| Management | Microsoft Graph | Group.ReadWrite.All | Create, modify, delete, or restore groups. Add or remove group members and owners. |
| Management | Microsoft Graph | AdministrativeUnit.ReadWrite.All | Add members to administrative units. |
| Management | Microsoft Graph | RoleManagement.ReadWrite.Directory | Add directory roles to users. |
| Management | SharePoint | Sites.FullControl.All | Allows the app to read, create, update, and delete document libraries and lists in all site collections. |
| Reporting | Microsoft Graph | User.Read.All | Get user and group member reports. |
| Reporting | Microsoft Graph | Group.Read.All | Get group reports. |
| Reporting | Microsoft Graph | Contacts.Read | Get contact reports. |
| Reporting | Microsoft Graph | Files.Read.All | Get OneDrive for Business reports. |
| Reporting | Microsoft Graph | Reports.Read.All | Get usage reports. |
| Reporting | Microsoft Graph | Organization.Read.All | Get license detail reports. |
| Reporting | Microsoft Graph | AuditLog.Read.All | Get audit log-based reports. |
| Reporting | Microsoft Graph | ChannelMember.Read.All (not available in Chinese tenant) | Get Microsoft Teams channel members report. |
| Reporting | Microsoft Graph | Application.Read.All | Get Azure AD application details. |
| Reporting | Microsoft Graph | Sites.Read.All | Get SharePoint sites details. |
| Reporting | Microsoft Graph | Policy.Read.All | Configure conditional access policies details. |
| Reporting | Microsoft Graph | Calendars.Read | Get users' calendar details. |
| Reporting | SharePoint | Sites.Read.All | Allows the app to read documents and list items in all site collections. |
| Reporting | Office 365 Management | ActivityFeed.Read | Read the audit data for the organization. |
| Auditing and Alerting | Office 365 Management | ActivityFeed.Read | Get audit reports and alerts. |
| Monitoring | Microsoft Graph | ServiceHealth.Read.All | Get health and performance reports. |
| Content Search | Microsoft Graph | Mail.Read | Get content search reports. |
| Configuration | Microsoft Graph | Application.ReadWrite.All | Modify the application details. |
| Backup | Office 365 Exchange Online | full_access_as_app | Uses Exchange Web Services to back up and restore mailboxes. |
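
A least-privilege check built on Table 2, added here as an example and not part of the product or its documentation: it compares the permissions granted to the Azure AD application with the minimum scope of the modules actually in use. The `audit` function, the `WRITE_MARKERS` heuristic and the sample grant list are assumptions made for illustration; the permission names are those in Table 2, with AdministrativeUnit spelled as Microsoft Graph names it.

```python
# Minimum scope per module, transcribed from Table 2 as (API name, permission).
GRAPH, SP = "Microsoft Graph", "SharePoint"
MGMT, EXO = "Office 365 Management", "Office 365 Exchange Online"
MIN_SCOPE = {
    "Management": {(GRAPH, p) for p in (
        "User.ReadWrite.All", "Group.ReadWrite.All",
        "AdministrativeUnit.ReadWrite.All",
        "RoleManagement.ReadWrite.Directory")} | {(SP, "Sites.FullControl.All")},
    # ChannelMember.Read.All is listed as not available in Chinese tenants.
    "Reporting": {(GRAPH, p) for p in (
        "User.Read.All", "Group.Read.All", "Contacts.Read", "Files.Read.All",
        "Reports.Read.All", "Organization.Read.All", "AuditLog.Read.All",
        "ChannelMember.Read.All", "Application.Read.All", "Sites.Read.All",
        "Policy.Read.All", "Calendars.Read")}
        | {(SP, "Sites.Read.All"), (MGMT, "ActivityFeed.Read")},
    "Auditing and Alerting": {(MGMT, "ActivityFeed.Read")},
    "Monitoring": {(GRAPH, "ServiceHealth.Read.All")},
    "Content Search": {(GRAPH, "Mail.Read")},
    "Configuration": {(GRAPH, "Application.ReadWrite.All")},
    "Backup": {(EXO, "full_access_as_app")},
}

# Assumption: these substrings mark grants that can modify or fully control data.
WRITE_MARKERS = ("ReadWrite", "FullControl", "full_access")

def audit(granted, modules_in_use):
    """Return missing grants, excess grants, and the write-capable excess
    grants (the ones to review and revoke first)."""
    unknown = set(modules_in_use) - MIN_SCOPE.keys()
    if unknown:
        raise ValueError(f"unknown module(s): {sorted(unknown)}")
    required = set().union(*(MIN_SCOPE[m] for m in modules_in_use))
    excess = set(granted) - required
    return {
        "missing": sorted(required - set(granted)),
        "excess": sorted(excess),
        "excess_write": sorted(e for e in excess
                               if any(k in e[1] for k in WRITE_MARKERS)),
    }

# Constructed sample: only auditing and monitoring are used, but the app
# still holds two broad grants from modules that are not in use.
SAMPLE_GRANTED = [(MGMT, "ActivityFeed.Read"), (GRAPH, "User.ReadWrite.All"),
                  (GRAPH, "Mail.Read"), (EXO, "full_access_as_app")]

if __name__ == "__main__":
    report = audit(SAMPLE_GRANTED, ["Auditing and Alerting", "Monitoring"])
    for key, items in report.items():
        print(key, items)
```

In practice the grant list would come from the application's API permissions as shown in the Azure AD portal, entered in the same (API name, permission) form.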

Copyright © 2023, ZOHO Corp. All Rights Reserved.