Grant Roles to Global admin Account

The following Administrative roles must be granted to the customer Global IT administrator who grants consent to the Service Provider operator to connect to the customer Microsoft 365 platform for performing Background synchronization:

Application Administrator (used for Token Authentication)
Skype for Business Admin (Mandatory)
Teams Communications Administrator (Mandatory)

For Fully Automatic DNS provisioning, the following roles must also be configured:

Domain Name Administrator (for TXT and A-record generation)
User Administrator (for creating the Live Platform M365 Activation user)

If you don't wish to configure the 'Application Administrator' permission, you will be prompted to provide consent when running the Token Authentication wizard.
The Skype for Business and Teams Communications roles are mandatory.
User Admin and Domain Name Admin are only required if you are using Fully Automatic DNS provisioning of the customer sub domain during the Onboarding process.

Background replication, using either the token or the username and password, connects to Azure with the PowerShell connection string shown below:

connect-azuread -MsAccessToken $tokens.Item1 -AadAccessToken $tokens.Item3 -AccountId $m365username

To assign administrator roles:
1. Sign-in to the customer tenant with Admin permissions.
2. Open the Azure Active Directory.
3. In the Users screen, choose the user who will have the role to grant consent in the organization.

4. In the Navigation pane, select Assigned Roles.

5. Click Add assignments.

6. Add role “Application administrator”.
7. Add role “Skype for Business Administrator”.

8. Add role “Teams communications administrator”.

9. Add role “Domain Name Administrator”.

The following screen displays all added admin roles.

10. The added user should be able to use the “admin consent workflow” as an administrator (by default granted to the Global admin only):
a. Open the Enterprise Application and then in the Navigation pane, select Consent and permissions.

b. Select the Admin consent settings tab.
c. Select Yes for allowing users to request admin consents.

d. Click Add users.

e. Select a user with the Application Administrator role or Global Admin role (only users with the Global, Application, or Cloud application administrator role can grant admin consent). The user is added.

11. Click Save.
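
Once the roles are assigned, the account can be audited against the role list given at the top of this section, so that a mandatory role is not missing and no role beyond the listed set stays on the account. The script below is an added example, not part of the vendor procedure; the function names and the sample assignment list are hypothetical, and Get-ConsentAccountRoles assumes an existing Connect-AzureAD session.

```powershell
# Added example (not vendor code). Role display names are taken from this page;
# function names and the sample data are hypothetical.
$RequiredRoles = @(
    'Application Administrator',          # used for Token Authentication
    'Skype for Business Administrator',   # mandatory
    'Teams Communications Administrator'  # mandatory
)
$AutoDnsRoles = @(
    'Domain Name Administrator',          # TXT and A-record generation
    'User Administrator'                  # creates the activation user
)

# Compares the roles an account holds with the set this page calls for.
function Compare-ConsentAccountRoles {
    param(
        [string[]]$AssignedRoles,
        [switch]$AutomaticDns   # set when Fully Automatic DNS provisioning is used
    )
    $expected = $RequiredRoles
    if ($AutomaticDns) { $expected += $AutoDnsRoles }
    [pscustomobject]@{
        Missing    = @($expected | Where-Object { $_ -notin $AssignedRoles })
        Unexpected = @($AssignedRoles | Where-Object { $_ -notin $expected })
    }
}

# Reads the live assignments; requires an existing Connect-AzureAD session.
function Get-ConsentAccountRoles {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $user = Get-AzureADUser -ObjectId $UserPrincipalName
    foreach ($role in Get-AzureADDirectoryRole) {
        $members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
        if ($members.ObjectId -contains $user.ObjectId) { $role.DisplayName }
    }
}

# Constructed sample: DNS is provisioned manually, yet the account still holds
# Domain Name Administrator and lacks Teams Communications Administrator.
$sample = @(
    'Application Administrator',
    'Skype for Business Administrator',
    'Domain Name Administrator'
)
$result = Compare-ConsentAccountRoles -AssignedRoles $sample
"Missing:    $($result.Missing -join ', ')"
"Unexpected: $($result.Unexpected -join ', ')"
```

Against a tenant, pass the output of Get-ConsentAccountRoles as -AssignedRoles, and add -AutomaticDns only when Fully Automatic DNS provisioning is in use.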