Tenant configuration

    You can choose to either automate the configuration of Microsoft 365 tenants or do it manually.

    Automate Microsoft 365 tenant configuration

    Follow these steps to automate Microsoft 365 tenant configuration:

    1. Log in to ADManager Plus as an administrator and navigate to Directory/Application Settings in the top-right corner.
    2. Select the Microsoft 365 tab.
    3. Click the Configure using Microsoft 365 login option.
    4. In the pop-up that appears, click Proceed.
    5. Select the domains to link to the tenant from the Link Domains to Microsoft 365 Account dialog box.

      Note: You can link multiple domains to a single Microsoft 365 tenant, but each domain can be linked to only one tenant.

    6. You will be redirected to the Microsoft 365 login portal. Enter the credentials of a Global Administrator account.
    7. Click Accept.
    8. An application for ADManager Plus will be created automatically, and a page will display the list of permissions the application needs.
    9. Go through the list and click Accept.
    10. Select the domains to which the Microsoft 365 option should be provided.
    11. Click Save.
    12. You will be redirected to the ADManager Plus console, where you can see that REST API access is enabled for the account you configured. If REST API access is not enabled, the page will provide an option to Enable Access.

      Note: Once the tenant configuration is complete, a service account is required to perform the following Microsoft 365 actions:

      • Modify MFA settings for bulk Microsoft 365 users.
      • Assign policy packages in Microsoft Teams while creating a new user.

      Follow these steps to manually create a service account and configure it in ADManager Plus.

    Manually configure a Microsoft 365 tenant

    If you wish to configure a Microsoft 365 tenant manually, follow these steps:

    1. Create a Microsoft Entra ID application that will be used for ADManager Plus. To do this, sign in to the Microsoft Entra ID admin center portal and create a new app registration. Once this process is completed, copy the Application Secret Key, Application ID, and Application Object ID. These values will be needed later in this configuration process.
    2. Log in to ADManager Plus and navigate to the Directory/Application Settings option in the top-right corner.
    3. To configure a Microsoft 365 tenant:
      • Select the Microsoft 365 tab, and click the Configure using Microsoft 365 Login option to log in with the already registered Azure AD Application option.
      • In the window that appears, enter the Tenant Name, Application Secret Value, Application ID, and Application Object ID in the respective fields.
    4. Once the tenant configuration is successful, it is mandatory to link domains to the Microsoft 365 tenant.
    5. To link domains to the Microsoft 365 tenant:
      • Navigate to Directory/Application Settings > Microsoft 365 and click More under the Status column.
      • Select the domains to link to the tenant from the Link Domains to Microsoft 365 Account dialog box.
    6. The configured tenants will be listed in the Microsoft 365 tab.

    Steps to create a service account in ADManager Plus

    1. Log in to the Microsoft 365 admin center as a Global Administrator.
    2. Navigate to Admin > Users > Active users in the left pane.
    3. Choose Add a user.
    4. Enter the Display name and Username. (Note: First name and last name are optional.)
    5. Uncheck Automatically create password to provide a password of your choice. Check the box to let the system generate a password for you.
    6. Click Next.
    7. A service account does not require a license. Hence, select your usage location and the Create user without product license radio button.
    8. Click Next.
    9. Under the Roles option, select Admin center access and choose the required roles. (Note: The Exchange Admin role is mandatory.) Click here to view the list of required roles.
    10. Click Next.
    11. Choose Finish adding.

    In some cases, ADManager Plus may require you to perform additional actions to complete the configuration process:

    Error message: REST API Access - Enable Now
    What does it mean? ADManager Plus hasn't been granted all the permissions required for tenant configuration.
    Solution: Enable REST API access with the required permissions. For additional information, refer to this document.

    Error message: REST API Access - Update Permissions
    What does it mean? ADManager Plus requires additional permissions to process the newly added features.
    Solution: Enable REST API access with the required permissions. For additional information, refer to this document.

    Error message: Service Account - Configure Now / Status - Failed to create service account; Azure AD Secret Key is invalid
    What does it mean? The service account could not be created.
    Solution: Follow the steps to troubleshoot service account creation error.

    Once the service account is created in the Microsoft 365 admin center, follow the steps below to configure it in ADManager Plus.

    Steps to configure or update a service account in ADManager Plus

    1. Log in to ADManager Plus.
    2. Navigate to Directory/Application Settings > Microsoft 365.
    3. In the domain where you'd like to update the service account, click the Edit icon under the Actions column.
    4. Click the Edit icon next to Service Account Details.
    5. Enter the credentials for the service account in the appropriate fields.
    6. Click Update to save the changes and close the pop-up window.
    7. To delete the configured service account, click the Remove Service Account option.

    Steps to troubleshoot service account creation error

    1. Create a Microsoft 365 service account with the Exchange admin role.
    2. From the ADManager Plus console, click Configure Now listed under the Service Account column.
    3. Enter the credentials of the service account that was created in the above section.
    4. Click Configure.

    Steps to modify Microsoft 365 tenant details

    1. Log in to ADManager Plus, navigate to Directory/Application Settings and select the Microsoft 365 tab.
    2. The Microsoft 365 tenants that are currently configured with ADManager Plus are listed on this page.
    3. Under the Actions column, click the respective tenant that you wish to modify.
    4. Click the Edit icon and modify the desired values.
    5. Click Update once the changes have been completed.

    Steps to configure an MFA-enabled service account

    If the service account is MFA-enabled, you have the option of using either the Trusted IP feature or Conditional Access in Microsoft 365 to bypass MFA.

    Steps to configure trusted IPs

    1. Log in to the Entra ID admin center using your Global Administrator credentials.
    2. Navigate to Protection > Multi-factor authentication > Getting started > Configure > Additional cloud-based MFA settings.
    3. In the new window that opens, go to the Trusted IPs section.
    4. Select the Skip multi-factor authentication for requests from federated users on my intranet option.
    5. In the text box, enter the IP address of the machine on which you have installed ADManager Plus.
    6. Click Save to complete the process.

    Steps to configure Conditional Access

    You can create a new policy to enforce MFA and exclude a specific set of ADManager Plus users so that they need not undergo multi-factor authentication. Note that you need an Azure AD Premium P1 license to use Conditional Access.

    1. Log in to the Entra ID admin center using your Global Administrator credentials.
    2. Navigate to Identity > Protection > Conditional Access.
    3. Click Create New Policy.
    4. Provide a name for the policy.
    5. Under Assignments, click the link below Users.
    6. Click the Exclude option and select the Users and groups check box.
    7. Choose the ADManager Plus users for whom MFA should not be enforced.
    8. Click Select.
    9. Under the Access controls section, click the link below Grant.
    10. Select the Grant access radio button and the Require multi-factor authentication check box.
    11. Click Select to confirm your Access Control changes.
    12. Select the On toggle from the options under Enable Policy.
    13. Click Create to create your conditional access policy.
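
    An added example (not part of the ADManager Plus documentation): a Python check over an export of the tenant's Conditional Access policies that reports which enabled MFA policies still apply to the service account and which MFA exclusions go beyond the approved accounts. The policy JSON is constructed sample data shaped like Microsoft Graph's conditionalAccessPolicy resource; the ids, policy names and function names are assumptions.

```python
import json

# Constructed sample shaped like the "value" array returned by Microsoft Graph
# GET /identity/conditionalAccess/policies. All ids and names are placeholders.
SVC = "00000000-0000-0000-0000-0000000000a1"    # assumed ADManager Plus service account
OTHER = "00000000-0000-0000-0000-0000000000b2"  # an account nobody approved
EXPORT = json.loads("""[
 {"displayName": "Require MFA - all users", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"],
      "excludeUsers": ["%s", "%s"], "excludeGroups": []}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "Require MFA - admin portals", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"],
      "excludeUsers": [], "excludeGroups": []}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "Old pilot", "state": "disabled",
  "conditions": {"users": {"includeUsers": ["All"],
      "excludeUsers": ["%s"], "excludeGroups": []}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
]""" % (SVC, OTHER, OTHER))

def enforces_mfa(policy):
    """True only for policies that are switched on and demand MFA."""
    grant = policy.get("grantControls") or {}
    return policy.get("state") == "enabled" and "mfa" in (grant.get("builtInControls") or [])

def review_exclusions(policies, service_account, approved):
    """Return (policies still prompting the service account, unapproved exclusions).

    Group and role membership is not resolved offline: an excluded group id is
    reported unless it is in `approved`, and inclusion is checked only through
    includeUsers ("All" or the account's own id).
    """
    still_prompted, unapproved = [], []
    for p in filter(enforces_mfa, policies):
        users = p["conditions"]["users"]
        excluded = set(users.get("excludeUsers") or []) | set(users.get("excludeGroups") or [])
        included = users.get("includeUsers") or []
        if service_account not in excluded and ("All" in included or service_account in included):
            still_prompted.append(p["displayName"])
        unapproved += [(p["displayName"], x) for x in sorted(excluded - approved)]
    return still_prompted, unapproved

if __name__ == "__main__":
    prompted, extra = review_exclusions(EXPORT, SVC, approved={SVC})
    print("MFA still enforced for service account by:", prompted)
    print("Exclusions that were not approved:", extra)
```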
