The roles and permissions, or minimum scope, required by a service account configured for M365 Manager Plus are listed below.

Table 1: Roles and permissions required by the service account.

| Module | Role name | Scope |
|---|---|---|
| Management | User Administrator | Manage users, contacts, and groups. |
| Management | Privileged Authentication Administrator | Reset passwords, and block or unblock administrators. |
| Management | Privileged Role Administrator | Manage role assignments in Azure Active Directory. |
| Management | Exchange Administrator | Update mailbox properties. |
| Management | Teams Administrator | Manage Microsoft Teams. |
| Reporting | Global Reader | Get reports on all Microsoft 365 services. |
| Reporting | Security Reader | Get audit logs and mailbox reports. |
| Auditing and alerting | Security Reader | Get audit logs and sign-in reports. |
| Monitoring | - | - |
| Content Search | - | - |
The roles and permissions, or minimum scope, required by an Azure AD application configured for M365 Manager Plus are listed below. These are application permissions granted to the app's service principal, not delegated permissions acting on behalf of a signed-in user.

Table 2: Roles and permissions required by the Azure AD application.

| Module | API name | Permission | Scope |
|---|---|---|---|
| Management | Microsoft Graph | User.ReadWrite.All | Create, modify, delete, or restore users. |
| Management | Microsoft Graph | Group.ReadWrite.All | Create, modify, delete, or restore groups; add or remove group members and owners. |
| Management | Microsoft Graph | AdministrativeUnit.ReadWrite.All | Add members to administrative units. |
| Management | Microsoft Graph | RoleManagement.ReadWrite.Directory | Assign directory roles to users. |
| Reporting | Microsoft Graph | User.Read.All | Get user and group member reports. |
| Reporting | Microsoft Graph | Group.Read.All | Get group reports. |
| Reporting | Microsoft Graph | Contacts.Read | Get contact reports. |
| Reporting | Microsoft Graph | Files.Read.All | Get OneDrive for Business reports. |
| Reporting | Microsoft Graph | Reports.Read.All | Get usage reports. |
| Reporting | Microsoft Graph | Organization.Read.All | Get license detail reports. |
| Reporting | Microsoft Graph | AuditLog.Read.All | Get audit log-based reports. |
| Reporting | Microsoft Graph | ChannelMember.Read.All (not available in Chinese tenants) | Get Microsoft Teams channel members report. |
| Reporting | Microsoft Graph | Application.Read.All | Get Azure AD application details. |
| Reporting | Microsoft Graph | Sites.Read.All | Get SharePoint site details. |
| Reporting | Microsoft Graph | Policy.Read.All | Get conditional access policy details (read-only). |
| Reporting | Microsoft Graph | Calendars.Read | Get users' calendar details. |
| Reporting | Office 365 Management | ActivityFeed.Read | Read the audit data for the organization. |
| Auditing and Alerting | Office 365 Management | ActivityFeed.Read | Read the activity data for the organization. |
| Monitoring | Microsoft Graph | ServiceHealth.Read.All | Get health and performance reports. |
| Content Search | Microsoft Graph | Mail.Read | Get content search reports. |
| Configuration | Microsoft Graph | Application.ReadWrite.All | Modify the application details. |
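Once the application has been consented, the set of permissions actually granted to its service principal tends to drift from Table 2 as administrators add scopes during troubleshooting. The following is an added example, not ManageEngine's code and not part of the original page: it takes the app-role grants in the shape Microsoft Graph returns from `GET /servicePrincipals/{id}/appRoleAssignments`, resolves each `appRoleId` to a permission name through the resource API's `appRoles` list, and diffs the result against Table 2. All service principals, role ids and grants below are constructed sample data; only the permission names and the Microsoft Graph `appId` (`00000003-0000-0000-c000-000000000000`) are real, and the `HIGH_IMPACT` list is the example author's choice, not something the page states.

```python
"""Least-privilege check for the Azure AD application used by M365 Manager Plus.

Added example (not ManageEngine's code). Resolves a service principal's
application-permission grants against the roles exposed by the resource APIs,
then reports anything extra or missing relative to Table 2. All objects below
are constructed; only the permission names and the Microsoft Graph appId are real.
"""

# Application permissions from Table 2, keyed by the API that exposes them.
REQUIRED = {
    "Microsoft Graph": {
        "User.ReadWrite.All", "Group.ReadWrite.All",
        "AdministrativeUnit.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
        "User.Read.All", "Group.Read.All", "Contacts.Read", "Files.Read.All",
        "Reports.Read.All", "Organization.Read.All", "AuditLog.Read.All",
        "ChannelMember.Read.All", "Application.Read.All", "Sites.Read.All",
        "Policy.Read.All", "Calendars.Read", "ServiceHealth.Read.All",
        "Mail.Read", "Application.ReadWrite.All",
    },
    "Office 365 Management APIs": {"ActivityFeed.Read"},
}

# Permissions whose holder can take over the tenant whatever module they were
# granted for. Assumption: this list is chosen by the example author, not the page.
HIGH_IMPACT = {
    "RoleManagement.ReadWrite.Directory",  # can assign Global Administrator
    "Application.ReadWrite.All",           # can add credentials to any app, itself included
    "Directory.ReadWrite.All",
}


def _sp(sp_id, display_name, role_values):
    """Constructed resource service principal exposing one appRole per permission name."""
    return {
        "id": sp_id, "displayName": display_name,
        "appRoles": [{"id": f"{sp_id}-role-{i:02d}", "value": v,
                      "allowedMemberTypes": ["Application"]}
                     for i, v in enumerate(sorted(role_values))],
    }


# Constructed catalogue of the two resource APIs. The Graph SP also exposes roles
# the app should not hold, so the diff has something to find. In a live tenant the
# Graph SP is the one with appId 00000003-0000-0000-c000-000000000000.
RESOURCE_SPS = [
    _sp("sp-graph", "Microsoft Graph",
        REQUIRED["Microsoft Graph"] | {"Directory.ReadWrite.All", "Mail.ReadWrite"}),
    _sp("sp-o365", "Office 365 Management APIs", REQUIRED["Office 365 Management APIs"]),
]
GRAPH_SP, O365_SP = RESOURCE_SPS


def _assignment(resource_sp, value):
    """Constructed appRoleAssignment object for the M365 Manager Plus service principal."""
    role = next(r for r in resource_sp["appRoles"] if r["value"] == value)
    return {"appRoleId": role["id"], "resourceId": resource_sp["id"],
            "resourceDisplayName": resource_sp["displayName"], "principalId": "sp-m365mp"}


# Constructed grants: everything in Table 2 except Calendars.Read, plus one
# over-broad Graph role and one grant pointing at a resource nobody recognises.
SAMPLE_ASSIGNMENTS = (
    [_assignment(GRAPH_SP, v) for v in REQUIRED["Microsoft Graph"] - {"Calendars.Read"}]
    + [_assignment(GRAPH_SP, "Directory.ReadWrite.All")]
    + [_assignment(O365_SP, "ActivityFeed.Read")]
    + [{"appRoleId": "00000000-0000-0000-0000-00000000dead", "resourceId": "sp-unknown",
        "resourceDisplayName": "Retired API", "principalId": "sp-m365mp"}]
)


def granted_permissions(assignments, resource_sps):
    """Map each resource API's display name to the set of permission names granted."""
    catalog = {(sp["id"], r["id"]): r["value"] for sp in resource_sps for r in sp["appRoles"]}
    names = {sp["id"]: sp["displayName"] for sp in resource_sps}
    granted = {}
    for a in assignments:
        key = (a["resourceId"], a["appRoleId"])
        if key in catalog:
            granted.setdefault(names[a["resourceId"]], set()).add(catalog[key])
        else:
            # A grant that resolves to no known role still exists in the tenant;
            # surface it under a sentinel key instead of silently dropping it.
            granted.setdefault("<unresolved>", set()).add(a["appRoleId"])
    return granted


def audit(granted, required=REQUIRED):
    """Per API: permissions beyond Table 2, permissions Table 2 needs but are absent,
    and any high-impact permissions the app currently holds."""
    report = {}
    for api in sorted(set(granted) | set(required)):
        have, need = granted.get(api, set()), required.get(api, set())
        report[api] = {"extra": sorted(have - need), "missing": sorted(need - have),
                       "high_impact": sorted(have & HIGH_IMPACT)}
    return report


if __name__ == "__main__":
    for api, result in audit(granted_permissions(SAMPLE_ASSIGNMENTS, RESOURCE_SPS)).items():
        print(api, result)
```

Against live data, replace `RESOURCE_SPS` with the objects returned by `GET /servicePrincipals?$filter=appId eq '<resource appId>'` (selecting `id`, `displayName`, `appRoles`) and `SAMPLE_ASSIGNMENTS` with `GET /servicePrincipals/{m365mp-sp-id}/appRoleAssignments`. Note that this only covers application permissions; delegated grants live in `oauth2PermissionGrants` and would need a separate pass. The `high_impact` field is there because three of the permissions the product legitimately asks for (RoleManagement.ReadWrite.Directory and Application.ReadWrite.All from Table 2, plus any Directory.ReadWrite.All someone added) make the app's client secret or certificate a tier-0 credential, so its storage and rotation deserve the same treatment as a Global Administrator password.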