Tenant configuration

    You can either automate the configuration of Microsoft 365 tenants or choose to do it manually.

    Automate Microsoft 365 tenant configuration

    Follow these steps to automate Microsoft 365 tenant configuration:

    1. Log in to ADManager Plus as an administrator and navigate to Directory/Application Settings in the top-right corner.
    2. Select the Microsoft 365 tab.
    3. Click the Configure using Microsoft 365 login option.
    4. Click Proceed in the pop-up that appears.
    5. You will be redirected to the Microsoft 365 login portal. Enter the credentials of a Global Administrator account.
    6. Click Accept.
    7. An application and service account for ADManager Plus will be created automatically. You will now see a page that displays the list of permissions the application needs.
    8. Go through the list and click Accept.
    9. Select the domains to which the Microsoft 365 option should be provided.
    10. Click Save.
    11. You will now be redirected to the ADManager Plus console, where you can see that REST API access is enabled for the account you configured. If REST API access is not enabled, the page will provide an option to Enable Access.

    Manually configure Microsoft 365 tenant

    If you wish to configure a Microsoft 365 tenant manually, follow these steps:

    1. Create a Microsoft Entra ID application that will be used for ADManager Plus. To do this, sign in to the Microsoft Entra ID admin center portal and create a new app registration. Once this process is completed, copy the Application Secret Key, Application ID, and Application Object ID. These values will be needed later in this configuration process.
    2. Create a Service Account with the View-Only Organization Management, View Only Audit Log, and Service Administrator permissions.
    3. Log in to ADManager Plus and navigate to the Directory/Application Settings option in the top-right corner.
    4. Select the Microsoft 365 tab, and click the Configure using Microsoft 365 Login option to log in with the already registered Azure AD Application option.
    5. In the window that appears, enter the Tenant Name, Application Secret Value, Application ID, and Application Object ID in the respective fields.
    6. Once the tenant configuration is successful, it will be listed in the Microsoft 365 tab.

    In some cases, ADManager Plus requires you to perform additional actions to complete the configuration process:

    | Error Message | What does it mean? | Solution |
    |---|---|---|
    | REST API Access - Enable Now | ADManager Plus hasn't been granted all the permissions required for tenant configuration. | Enable REST API access with the required permissions. For additional information, refer to this document. |
    | REST API Access - Update Permissions | ADManager Plus requires additional permissions to process the newly added features. | Enable REST API access with the required permissions. For additional information, refer to this document. |
    | Service Account - Configure Now / Status - Failed to create service account; Azure AD Secret Key is invalid | The service account could not be created. | Follow the steps to troubleshoot service account creation error. |

    Steps to update a service account in ADManager Plus

    1. Navigate to Directory/Application Settings > Microsoft 365 tab.
    2. In the domain where you'd like to update the service account, click the Edit icon under the Actions column.
    3. Click the Edit icon next to Service Account Details.
    4. Enter the credentials for the service account in the appropriate fields.
    5. Click Update to save the changes and close the pop-up window.

    Steps to troubleshoot service account creation error

    1. Create a Microsoft 365 service account with the Exchange admin role.
    2. From the ADManager Plus console, click Configure Now listed under the Service Account column.
    3. Enter the credentials of the service account that you created in step 1.
    4. Click Configure.

    Steps to modify Microsoft 365 tenant details

    1. Log in to ADManager Plus, navigate to Directory/Application Settings, and select the Microsoft 365 tab.
    2. The Microsoft 365 tenants that are currently configured with ADManager Plus are listed on this page.
    3. Under the Actions column, click the respective tenant that you wish to modify.
    4. Click the Edit icon and modify the desired values.
    5. Click Update once the changes have been completed.

    Steps to configure an MFA-enabled service account

    If the service account is MFA-enabled, you can use either the Trusted IPs feature or Conditional Access in Microsoft 365 to bypass MFA.

    Steps to configure trusted IPs

    1. Log in to the Entra ID admin center using your Global Administrator credentials.
    2. Navigate to Protection > Multi-factor authentication > Getting started > Configure > Additional cloud-based MFA settings.
    3. In the new window that opens, go to the Trusted IPs section.
    4. Select the Skip multi-factor authentication for requests from federated users on my intranet option.
    5. In the text box, enter the IP address of the machine on which you have installed ADManager Plus.
    6. Click Save to complete the process.

    Steps to configure Conditional Access

    You can create a new policy to enforce MFA and exclude a specific set of ADManager Plus users so that they need not undergo multi-factor authentication. Note that you need an Azure AD Premium P1 license to use Conditional Access.

    1. Log in to the Entra ID admin center using your Global Administrator credentials.
    2. Navigate to Identity > Protection > Conditional Access.
    3. Click Create New Policy.
    4. Provide a name for the policy.
    5. Under Assignments, click the link below Users.
    6. Click the Exclude option and select the Users and groups check box.
    7. Choose the ADManager Plus users for whom MFA should not be enforced.
    8. Click Select.
    9. Under the Access controls section, click the link below Grant.
    10. Select the Grant access radio button and the Require multi-factor authentication check box.
    11. Click Select to confirm your Access Control changes.
    12. Select the On toggle from the options under Enable Policy.
    13. Click Create to create your conditional access policy.
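
    A check on the exclusion created by the steps above, as an added example that is not ManageEngine's code: it reads Conditional Access policies in the shape Microsoft Graph returns them and lists every user or group excluded from an enabled MFA policy that is not on an approved list. The sample policies, object IDs and the APPROVED_MFA_EXEMPT allowlist are constructed for illustration.

```python
import json

# Constructed sample in the shape of Microsoft Graph conditionalAccessPolicy
# objects (GET /identity/conditionalAccess/policies). All IDs are made up.
SAMPLE_EXPORT = json.loads("""
[
  {"displayName": "Require MFA - all users", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"],
                            "excludeUsers": ["11111111-aaaa-4000-8000-000000000001"],
                            "excludeGroups": []}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
  {"displayName": "Require MFA - admins", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"],
                            "excludeUsers": ["11111111-aaaa-4000-8000-000000000001",
                                             "22222222-bbbb-4000-8000-000000000002"],
                            "excludeGroups": ["33333333-cccc-4000-8000-000000000003"]}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
  {"displayName": "Block legacy auth", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}},
   "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
  {"displayName": "MFA pilot", "state": "disabled",
   "conditions": {"users": {"excludeUsers": ["44444444-dddd-4000-8000-000000000004"]}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
]
""")

# Assumption: the ADManager Plus service account is the only approved exemption.
APPROVED_MFA_EXEMPT = {"11111111-aaaa-4000-8000-000000000001"}


def audit_mfa_exclusions(policies, approved):
    """Return (policy name, kind, object id) for every unapproved MFA exclusion."""
    findings = []
    for policy in policies:
        grant = policy.get("grantControls") or {}
        if policy.get("state") != "enabled" or "mfa" not in grant.get("builtInControls", []):
            continue  # only enforced policies that require MFA are in scope
        users = (policy.get("conditions") or {}).get("users") or {}
        # Group membership is not resolved here, so any unlisted group is reported.
        for kind, key in (("user", "excludeUsers"), ("group", "excludeGroups")):
            for object_id in users.get(key) or []:
                if object_id not in approved:
                    findings.append((policy["displayName"], kind, object_id))
    return findings


if __name__ == "__main__":
    for name, kind, object_id in audit_mfa_exclusions(SAMPLE_EXPORT, APPROVED_MFA_EXEMPT):
        print(f"UNAPPROVED MFA EXCLUSION: policy={name!r} {kind}={object_id}")
```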
