The roles and permissions, or minimum scope, required by a service account configured for M365 Manager Plus are listed below.
Table 1: Roles and permissions required by the service account.
| Module | Role Name | Scope |
| Management | User Administrator | Manage users, contacts, and groups. |
| Privileged Authentication Administrator | Reset passwords, and block or unblock administrators. | |
| Privileged Role Administrator | Manage role assignments in Azure Active Directory. | |
| Exchange Administrator | Update mailbox properties. | |
| Teams Administrator | Manage Microsoft Teams. | |
| Reporting | Global Reader | Get reports on all Microsoft 365 services. |
| Security Reader | Get audit logs and mailbox reports. | |
| Auditing and alerting | Security Reader | Get audit logs and sign-in reports. |
| Monitoring | - | - |
| Content Search | - | - |
The roles and permissions, or minimum scope, required by an Azure AD application configured for M365 Manager Plus are listed below.
Table 2: Roles and permissions required by the Azure AD application.
| Module | API Name | Permission | Scope |
| Management | Microsoft Graph | User.ReadWrite.All | Create, modify, delete, or restore users. |
| Group.ReadWrite.All | Create, modify, delete, or restore groups. Add or remove group members and owners. | ||
| AdminsitrativeUnit.ReadWrite.All | Adding members to administrative units | ||
| RoleManagement.ReadWrite.Directory | Add directory roles to users. | ||
| Reporting | Microsoft Graph | User.Read.All | Get user and group member reports. |
| Group.Read.All | Get group reports. | ||
| Contacts.Read | Get contact reports. | ||
| Files.Read.All | Get OneDrive for Business reports. | ||
| Reports.Read.All | Get usage reports. | ||
| Organization.Read.All | Get license detail reports. | ||
| AuditLog.Read.All | Get audit log-based reports. | ||
| ChannelMember.Read.All (not available in Chinese tenant) |
Get Microsoft Teams channel members report. | ||
| Application.Read.All | Get Azure AD application details. | ||
| Sites.Read.All | Get SharePoint sites details. | ||
| Policy.Read.All | Configure conditional access policies details. | ||
| Calendars.Read | Get users' calendar details. | ||
| Office 365 Management | ActivityFeed.Read | Read the audit data for organization. | |
| Auditing and Alerting | Office 365 Management | ActivityFeed.Read | Read the activity data for the organization. |
| Monitoring | Microsoft Graph | ServiceHealth.Read.All | Get health and performance reports. |
| Content Search | Microsoft Graph | Mail.Read | Get content search reports. |
| Configuration | Microsoft Graph | Application.ReadWrite.All | Modify the application details. |
