Tenant Configuration
You can either automate the configuration of Microsoft 365 tenants or choose to do it manually.
Automate Microsoft 365 tenant configuration
Follow these steps to automate Microsoft 365 tenant configuration:
- Log in to ADManager Plus as an administrator and click on Domain/Tenant Settings in the top-right corner.
- Select Microsoft 365.
- Click the Configure using Microsoft 365 logon link located at the top right corner of the Microsoft 365 page.
- Click Proceed in the pop-up that appears.
- You will be redirected to the Microsoft 365 login portal. Enter the credentials of a Global Administrator account.
- Click Accept.
- An application and service account for ADManager Plus will be created automatically. You will now see a page that displays the list of permissions the application needs.
- Go through the list and click Accept.
- Select the domains to which the Microsoft 365 option should be provided.
- Click Save.
- You will now be redirected to the ADManager Plus console, where you can see that REST API access is enabled for the account you configured. If REST API access is not enabled, the page will provide an option to Enable Access.
Manually configure Microsoft 365 tenant
If you wish to configure a Microsoft 365 tenant manually, follow these steps:
- Create an Azure AD application that will be used for ADManager Plus. To do this, sign in to the Azure AD portal and create a new app registration. Once this process is completed, copy the Application Secret Key, Application ID, and Application Object ID. These values will be needed later in this configuration process.
- Create a Service Account with the View-Only Organization Management, View Only Audit Log and Service Administrator permissions.
- Log in to ADManager Plus and click the Domain/Tenant Settings option in the top-right corner.
- Click the Configure using Microsoft 365 Login to login with the already registered Azure AD Application option.
- In the window that appears, enter the Tenant Name, Application Secret Value, Application ID, and Application Object ID in the respective fields.
- Once the tenant configuration is successful, it will be listed in the Microsoft 365 tab.
In some cases, ADManager Plus requires you to perform additional actions to complete the configuration process:
| Error Message | What does it mean? | Solution |
| --- | --- | --- |
| 1) REST API Access - Enable Now | ADManager Plus hasn't been granted all the permissions for tenant configuration. | Enable REST API access with the required permissions. For additional information, refer to this document. |
| 2) REST API Access - Update Permissions | ADManager Plus requires additional permissions to process the newly added features. | Enable REST API access with the required permissions. For additional information, refer to this document. |
| 3) Service Account - Configure Now / Status - Failed to create service account; Azure AD Secret Key is invalid | The service account could not be created. | Follow the steps to troubleshoot service account creation error. |
Steps to update a service account in ADManager Plus
- Now the service account must be configured. To do this, click the edit option under the Actions column.
- Click the edit icon found near Service Account Details.
- Enter the credentials of the service account you need to configure in the respective fields.
- Click Update, and close the pop-up window.
Steps to troubleshoot service account creation error
- Create a Microsoft 365 service account with the Exchange admin role.
- From the ADManager Plus console, click Configure Now listed under the Service Account column.
- Enter the credentials of the service account that was created earlier.
- Click Configure.
Steps to modify Microsoft 365 tenant details
- Log in to ADManager Plus, navigate to the Admin tab and click Microsoft 365/Google Apps under System Settings.
- The list of all Microsoft 365 tenants that are currently configured with ADManager Plus is listed here.
- Under the Actions column, click on the respective tenant that you wish to modify.
- Click on the edit icon and modify the desired values.
- Click Update once the changes have been completed.
Steps to configure an MFA-enabled service account
If the service account is MFA-enabled, you can use either the Trusted IPs feature or Conditional Access in Microsoft 365 to bypass MFA for it.
Steps to configure trusted IPs
- Log in to portal.azure.com with the Global Admin credentials and click Azure Active Directory listed under Azure services.
- Click Security from the left pane and choose MFA listed under the Manage category.
- Click the Additional cloud-based MFA settings option. In the new window that pops up, navigate to the trusted IPs section.
- Select the Skip multi-factor authentication for requests from federated users on my intranet option.
- In the text box that opens, enter the IP address of the machine in which ADManager Plus is installed.
- Click Save to complete the process.
Steps to configure Conditional Access
You can create a new policy to enforce MFA and exclude a specific set of ADManager Plus users so that they need not undergo multi-factor authentication. Note that you need an Azure AD Premium P1 license to use Conditional Access.
- Log in to portal.azure.com with the Global Admin credentials and click Azure Active Directory listed under Azure services.
- Click Security from the left pane and choose Conditional Access under the Protect category.
- Click New Policy and enter the desired name of that policy.
- Select the Users and groups option and click the Exclude tab.
- Using the Users and groups checkbox, select all the ADManager Plus users for whom the MFA must not be enforced, and click Done.
- In the Access controls section, select Grant.
- Choose the Grant access radio button and select the Require multi-factor authentication checkbox.
- Click on Create and then Save to complete the operation.
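A defender-side check for the exclusion configured above, as an added example that is not ADManager Plus or Microsoft code: it audits Conditional Access policies exported as JSON from Microsoft Graph and reports every MFA exclusion other than the intended service account. The sample policies, the placeholder object IDs and the function name are constructed for illustration.

```python
import json

# Constructed sample in the shape Microsoft Graph returns for
# GET /identity/conditionalAccess/policies; all IDs are placeholders.
SAMPLE_POLICIES = json.loads("""
[
 {"displayName": "Require MFA - all users", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"],
     "excludeUsers": ["svc-0001", "usr-0042"], "excludeGroups": ["grp-0007"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "Require MFA - pilot", "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["svc-0001"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "Block legacy auth", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["usr-0099"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["block"]}}
]
""")

# Assumption: object ID of the ADManager Plus service account (placeholder).
ALLOWED_EXCLUSIONS = {"svc-0001"}

def audit_mfa_exclusions(policies, allowed_ids):
    """Return (policy name, finding) pairs for MFA policies whose exclusions
    go beyond the accounts that are meant to skip MFA."""
    findings = []
    for policy in policies:
        grant = policy.get("grantControls") or {}
        if "mfa" not in (grant.get("builtInControls") or []):
            continue  # not an MFA policy, so its exclusions are out of scope here
        name = policy.get("displayName", "<unnamed>")
        if policy.get("state") != "enabled":
            findings.append((name, f"not enforced (state={policy.get('state')})"))
        users = (policy.get("conditions") or {}).get("users") or {}
        for uid in users.get("excludeUsers") or []:
            if uid not in allowed_ids:
                findings.append((name, f"unexpected excluded user {uid}"))
        # Group and role exclusions hide their members; flag them for review.
        for key in ("excludeGroups", "excludeRoles"):
            for oid in users.get(key) or []:
                findings.append((name, f"{key} entry {oid} needs membership review"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_mfa_exclusions(SAMPLE_POLICIES, ALLOWED_EXCLUSIONS):
        print(f"{name}: {finding}")
```

Run it against a fresh export after every change to the exclusion list, so that an account added to the Exclude tab later does not go unnoticed.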