Quest Nova provides granular delegation and policy control for Microsoft 365. It lets you assign pre-defined roles and responsibilities to specific users, such as help desk operators, country-level administrators, or even end-users, with boundaries far more precise than native Microsoft 365 delegation allows. Nova also includes policy-based automation for authorization, service configuration and license assignment.
Nova Delegation and Policy Control (DPC) uses service accounts to manage tenants and to perform actions on behalf of delegated administrators. The same service accounts are used to pull the tenant data that DPC then acts upon.
You can review and manage these accounts under Manage Administration > Service Accounts.
On the Service accounts tab, you can:
·Refresh: Update the list of service accounts for the tenant.
·Add: Add a service account to the tenant. Instructions are below.
·Edit: Change the service account. You will need the account's credentials to do this.
·Delete: Remove the service account from the tenant.
·Authorize Management: Grant Nova DPC the Microsoft permissions it needs for the tenant (see below).
There are two steps to configure and set up Nova DPC for the tenant. They are:
1.Allowing permissions for Nova DPC
Nova DPC requires an administrator to grant it Microsoft permissions to retrieve data for the tenant. To do this:
1.On the Manage administration tab, click Service accounts.
2.Click Authorize Management.
3.Sign in using an administrative account.
4.Review the list of permissions (the full list is in the Permissions section below). Clicking Accept grants admin consent for the whole tenant, so review it as carefully as any other admin consent. Once you are satisfied, click Accept; you are then returned to Nova.
2.Adding a service account to the tenant
Next, add the service account that DPC uses to pull tenant data and perform actions. To do this:
1.On the Manage administration tab, click Service accounts.
2.Select the tenant to add the service account to.
3.Enter the global administrator account's email address in the Admin username box.
4.Enter the password of the global administrator.
5.Click Save. The service account is then provisioned.
Pre-requisites for service accounts
·The service account needs to be a global administrator in the tenant. It must also be mail-enabled so it can receive the email invitation. A global administrator account is required because:
i.it allows delegated actions to be completed by Nova users without granting those users full administrator permissions themselves.
ii.an account with global administrator permissions can perform actions that are not available via Microsoft Graph.
·Single Sign On (SSO) is the preferred method of signing in. This needs to be authorized in each tenant.
·Multi-factor authentication must not be enabled on the account: it is used to run PowerShell sessions non-interactively, which cannot complete an MFA challenge. Application passwords are not supported for the service account.
·It must be free from any policies that would restrict its access in the tenant (for example, a Conditional Access policy that only allows basic authentication attempts from internal IP addresses).
·It should be dedicated to Nova DPC. Because the account holds global administrator rights without MFA, treat it as a high-value credential: give it a long, randomly generated password, exclude it from Conditional Access by its specific identity rather than relaxing policies tenant-wide, and monitor its sign-ins.
NOTE: If the password of the service account is changed, it must also be changed in Nova DPC.
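The following PowerShell is an added example, not Quest's code or part of the original page. It checks a candidate service account against the prerequisites listed above (enabled, Global Administrator, mail-enabled, not caught by an MFA or block Conditional Access policy). Tenant data is passed in as plain objects so the logic runs offline; the comments name the Microsoft.Graph cmdlets that return the live equivalents with the same property names. The function name, the contoso tenant, the user GUID and the two policies are constructed for the example; the Global Administrator role template ID is Microsoft's.

```powershell
# Added example (not Quest Nova's code): check a Nova DPC service account against
# the documented prerequisites using data already pulled from the tenant.

# Template ID of the Global Administrator directory role. Conditional Access
# policies that target "directory roles" reference it in IncludeRoles.
$GlobalAdminRoleTemplateId = '62e90394-69f5-4237-9190-012177145e10'

function Test-NovaServiceAccountPrereqs {
    param(
        # Get-MgUser -UserId <upn> -Property id,userPrincipalName,accountEnabled,mail
        [Parameter(Mandatory)] [object]   $User,
        # UPNs of the Global Administrator role members (Get-MgDirectoryRoleMember)
        [Parameter(Mandatory)] [string[]] $GlobalAdminUpns,
        # Get-MgIdentityConditionalAccessPolicy -All
        [Parameter(Mandatory)] [object[]] $CaPolicies
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    if (-not $User.AccountEnabled) { $findings.Add('FAIL: account is disabled') }
    if ($GlobalAdminUpns -notcontains $User.UserPrincipalName) {
        $findings.Add('FAIL: not a member of the Global Administrator role')
    }
    if ([string]::IsNullOrWhiteSpace($User.Mail)) {
        $findings.Add('FAIL: not mail-enabled, so the invitation email cannot be delivered')
    }

    # A policy hits the account when it is enabled, targets the account (directly,
    # via "All", or via the Global Administrator role) and does not exclude it.
    # MFA or block grants stop the non-interactive PowerShell sessions Nova runs.
    # Group-based targeting (IncludeGroups) is not expanded here; check it by hand.
    foreach ($p in $CaPolicies) {
        if ($p.State -ne 'enabled') { continue }
        $u = $p.Conditions.Users
        $targeted = (($u.IncludeUsers -contains 'All') -or
                     ($u.IncludeUsers -contains $User.Id) -or
                     ($u.IncludeRoles -contains $GlobalAdminRoleTemplateId))
        $excluded = ($u.ExcludeUsers -contains $User.Id)
        if (-not ($targeted -and -not $excluded)) { continue }

        $controls = @($p.GrantControls.BuiltInControls)
        if ($controls -contains 'mfa' -or $controls -contains 'block') {
            $findings.Add("FAIL: CA policy '$($p.DisplayName)' applies to this account with grant '$($controls -join ',')'")
        }
    }

    if ($findings.Count -eq 0) { $findings.Add('PASS: meets the listed prerequisites') }
    return $findings
}

# Constructed sample tenant data (not output from a real tenant).
$svc = [pscustomobject]@{
    Id                = '11111111-1111-1111-1111-111111111111'
    UserPrincipalName = 'svc-nova-dpc@contoso.onmicrosoft.com'
    AccountEnabled    = $true
    Mail              = 'svc-nova-dpc@contoso.onmicrosoft.com'
}
$gaMembers = @('svc-nova-dpc@contoso.onmicrosoft.com', 'breakglass@contoso.onmicrosoft.com')
$policies = @(
    [pscustomobject]@{
        DisplayName   = 'Require MFA for admins'
        State         = 'enabled'
        Conditions    = [pscustomobject]@{ Users = [pscustomobject]@{
            IncludeUsers = @(); ExcludeUsers = @()
            IncludeRoles = @($GlobalAdminRoleTemplateId) } }
        GrantControls = [pscustomobject]@{ BuiltInControls = @('mfa') }
    },
    [pscustomobject]@{
        DisplayName   = 'Block legacy authentication'
        State         = 'enabled'
        Conditions    = [pscustomobject]@{ Users = [pscustomobject]@{
            IncludeUsers = @('All'); ExcludeUsers = @($svc.Id); IncludeRoles = @() } }
        GrantControls = [pscustomobject]@{ BuiltInControls = @('block') }
    }
)

Test-NovaServiceAccountPrereqs -User $svc -GlobalAdminUpns $gaMembers -CaPolicies $policies
```

With the constructed data the check reports one failure: the "Require MFA for admins" policy targets the Global Administrator role, so it catches the service account even though its IncludeUsers list is empty, which is the case that is easy to miss when only looking at user-based targeting. The legacy-authentication block passes because the account is excluded by its own identity, which is the narrow exclusion the prerequisites call for.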
Permissions
A list of the APIs/permissions required can be found here.
To connect a tenant to Nova DPC, you accept the following Microsoft permissions during on-boarding (the Authorize Management step above). Most are application permissions, exercised without a signed-in user; the ones described as acting on behalf of the signed-in user are delegated permissions. The descriptions are Microsoft's:
| Permission | Description |
|---|---|
| Manage Exchange As Application | Allows the app to manage the organization's Exchange environment without any user interaction. This includes mailboxes, groups, and other configuration objects. To enable management actions, an admin must assign the appropriate roles directly to the app. |
| Use Exchange Web Services with full access to all mailboxes | Allows the app to have full access via Exchange Web Services to all mailboxes without a signed-in user. |
| Read all usage reports | Allows an app to read all service usage reports without a signed-in user. Services that provide usage reports include Microsoft 365 and Microsoft Entra ID. |
| Manage apps that this app creates or owns | Allows the app to create other applications, and fully manage those applications (read, update, update application secrets and delete), without a signed-in user. It cannot update any apps that it is not an owner of. |
| Read calendars in all mailboxes | Allows the app to read events of all calendars without a signed-in user. |
| Read and write calendars in all mailboxes | Allows the app to create, read, update, and delete events of all calendars without a signed-in user. |
| Read contacts in all mailboxes | Allows the app to read all contacts in all mailboxes without a signed-in user. |
| Read and write contacts in all mailboxes | Allows the app to create, read, update, and delete all contacts in all mailboxes without a signed-in user. |
| Read all devices | Allows the app to read your organization's devices' configuration information without a signed-in user. |
| Read and write devices | Allows the app to read and write all device properties without a signed-in user. Does not allow device creation, device deletion or update of device alternative security identifiers. |
| Read Microsoft Intune apps | Allows the app to read the properties, group assignments and status of apps, app configurations, and app protection policies managed by Microsoft Intune, without a signed-in user. |
| Read and write Microsoft Intune apps | Allows the app to read and write the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune, without a signed-in user. |
| Read Microsoft Intune device configuration and policies | Allows the app to read properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups, without a signed-in user. |
| Read and write Microsoft Intune device configuration and policies | Allows the app to read and write properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups, without a signed-in user. |
| Perform user-impacting remote actions on Microsoft Intune devices | Allows the app to perform remote high impact actions such as wiping the device or resetting the passcode on devices managed by Microsoft Intune, without a signed-in user. |
| Read Microsoft Intune devices | Allows the app to read the properties of devices managed by Microsoft Intune, without a signed-in user. |
| Read and write Microsoft Intune devices | Allows the app to read and write the properties of devices managed by Microsoft Intune, without a signed-in user. Does not allow high impact operations such as remote wipe and password reset on the device's owner. |
| Read Microsoft Intune RBAC settings | Allows the app to read the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings, without a signed-in user. |
| Read and write Microsoft Intune RBAC settings | Allows the app to read and write the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings, without a signed-in user. |
| Read Microsoft Intune configuration | Allows the app to read Microsoft Intune service properties including device enrollment and third party service connection configuration, without a signed-in user. |
| Read and write Microsoft Intune configuration | Allows the app to read and write Microsoft Intune service properties including device enrollment and third party service connection configuration, without a signed-in user. |
| Read directory data | Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user. |
| Read and write directory data | Allows the app to read and write data in your organization's directory, such as users, and groups, without a signed-in user. Does not allow user or group deletion. |
| Read and write domains | Allows the app to read and write all domain properties without a signed-in user. Also allows the app to add, verify and remove domains. |
| Read files in all site collections | Allows the app to read all files in all site collections without a signed-in user. |
| Read and write files in all site collections | Allows the app to read, create, update and delete all files in all site collections without a signed-in user. |
| Read all groups | Allows the app to read group properties and memberships, and read the calendar and conversations for all groups, without a signed-in user. |
| Read and write all groups | Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write group calendar and conversations. All of these operations can be performed by the app without a signed-in user. |
| Read all user mailbox settings | Allows the app to read users' mailbox settings without a signed-in user. Does not include permission to send mail. |
| Read and write all user mailbox settings | Allows the app to create, read, update, and delete users' mailbox settings without a signed-in user. Does not include permission to send mail. |
| Read mail in all mailboxes | Allows the app to read mail in all mailboxes without a signed-in user. |
| Read and write mail in all mailboxes | Allows the app to create, read, update, and delete mail in all mailboxes without a signed-in user. Does not include permission to send mail. |
| Send mail as any user | Allows the app to send mail as any user without a signed-in user. |
| Read all hidden memberships | Allows the app to read the memberships of hidden groups and administrative units without a signed-in user. |
| Read all OneNote notebooks | Allows the app to read all the OneNote notebooks in your organization, without a signed-in user. |
| Read and write all OneNote notebooks | Allows the app to read and write all the OneNote notebooks in your organization, without a signed-in user. |
| Read online meeting details | Allows the app to read online meeting details in your organization, without a signed-in user. |
| Read and create online meetings | Allows the app to read and create online meetings as an application in your organization. |
| Read all users' relevant people lists | Allows the app to read any user's scored list of relevant people, without a signed-in user. The list can include local contacts, contacts from social networking, your organization's directory, and people from recent communications (such as email and Skype). |
| Have full control of all site collections | Allows the app to have full control of all site collections without a signed-in user. |
| Create, edit, and delete items and lists in all site collections | Allows the app to create or delete document libraries and lists in all site collections without a signed-in user. |
| Read items in all site collections | Allows the app to read documents and list items in all site collections without a signed-in user. |
| Read and write items in all site collections | Allows the app to create, read, update, and delete documents and list items in all site collections without a signed-in user. |
| Invite guest users to the organization | Allows the app to invite guest users to the organization, without a signed-in user. |
| Read all users' full profiles | Allows the app to read user profiles without a signed-in user. |
| Read and write all users' full profiles | Allows the app to read and update user profiles without a signed-in user. |
| Access the directory as the signed-in user | Allows the app to have the same access to information in the directory as the signed-in user. |
| Read directory data | Allows the app to read data in your company or school directory, such as users, groups, and apps. |
| Read and write directory data | Allows the app to read and write data in your company or school directory, such as users, and groups. Does not allow user or group deletion. |
| Read all groups | Allows the app to read basic group properties and memberships on behalf of the signed-in user. |
| Read and write all groups | Allows the app to create groups on behalf of the signed-in user and read all group properties and memberships. Additionally, this allows the app to update group properties and memberships for the groups the signed-in user owns. |
| Read hidden memberships | Allows the app to read the memberships of hidden groups and administrative units on behalf of the signed-in user, for those hidden groups and administrative units that the signed-in user has access to. |
| Sign in and read user profile | Allows users to sign in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. |
| Read all users' full profiles | Allows the app to read the full set of profile properties of all users in your company or school, on behalf of the signed-in user. Additionally, this allows the app to read the profiles of the signed-in user's reports and manager. |
| Read all users' basic profiles | Allows the app to read a basic set of profile properties of all users in your company or school on behalf of the signed-in user. Includes display name, first and last name, photo, and email address. Additionally, this allows the app to read basic info about the signed-in user's reports and manager. |
| Read and write all applications | Allows the app to create, read, update and delete applications and service principals without a signed-in user. Does not allow management of consent grants. |
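The table above is what the consent screen shows; what matters afterwards is what was actually granted to the Nova service principal in your tenant. The following PowerShell is an added example, not Quest's code or part of the original page. It resolves app role assignments to the resource API's app roles (an assignment only stores the role ID) and flags the tenant-wide write, impersonation and privileged-action permissions for review. Inputs are plain objects so it runs offline; the comments name the Microsoft.Graph cmdlets that return the live equivalents. The function name and the app role GUIDs are constructed for the example; the permission values and display names are Microsoft's, and 00000003-0000-0000-c000-000000000000 is the Microsoft Graph application ID.

```powershell
# Added example (not Quest Nova's code): review the app roles granted to the
# Nova service principal and flag the high-impact ones.

function Get-AppRoleGrantReview {
    param(
        # Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $novaSp.Id -All
        [Parameter(Mandatory)] [object[]] $Assignments,
        # (Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'").AppRoles
        # That appId is Microsoft Graph; run once per resource API (Exchange Online,
        # SharePoint) the app was granted roles on, with that API's AppRoles.
        [Parameter(Mandatory)] [object[]] $ResourceAppRoles
    )
    # Index the resource's app roles by ID so each assignment can be resolved.
    $roleById = @{}
    foreach ($r in $ResourceAppRoles) { $roleById[[string]$r.Id] = $r }

    # Value patterns that mean tenant-wide write, acting as any user, or
    # privileged device actions. Read-only scopes are listed but not flagged.
    $highImpact = @('\.ReadWrite\.', '\.Send$', 'FullControl', 'Sites\.Manage',
                    'PrivilegedOperations', 'ManageAsApp', 'full_access_as_app')

    foreach ($a in $Assignments) {
        $role = $roleById[[string]$a.AppRoleId]
        if (-not $role) {
            # Not an app role of this resource: granted on a different API, or a
            # stale assignment. Either way it needs a human look, so flag it.
            [pscustomobject]@{ Value = $a.AppRoleId; DisplayName = '(unresolved)'; HighImpact = $true; Reason = 'unresolved' }
            continue
        }
        $reason = $highImpact | Where-Object { $role.Value -match $_ } | Select-Object -First 1
        [pscustomobject]@{
            Value       = $role.Value
            DisplayName = $role.DisplayName
            HighImpact  = [bool]$reason
            Reason      = $reason
        }
    }
}

# Constructed sample: four Microsoft Graph app roles. The IDs are made up for
# the example; the values and display names match the permissions table.
$graphAppRoles = @(
    [pscustomobject]@{ Id = 'a0000000-0000-0000-0000-000000000001'; Value = 'Mail.Send';             DisplayName = 'Send mail as any user' }
    [pscustomobject]@{ Id = 'a0000000-0000-0000-0000-000000000002'; Value = 'Mail.ReadWrite';        DisplayName = 'Read and write mail in all mailboxes' }
    [pscustomobject]@{ Id = 'a0000000-0000-0000-0000-000000000003'; Value = 'Reports.Read.All';      DisplayName = 'Read all usage reports' }
    [pscustomobject]@{ Id = 'a0000000-0000-0000-0000-000000000004'; Value = 'Sites.FullControl.All'; DisplayName = 'Have full control of all site collections' }
)
# Constructed assignments for the Nova service principal; the last one is
# deliberately not a Graph role, to show the unresolved path.
$novaAssignments = @(
    [pscustomobject]@{ AppRoleId = 'a0000000-0000-0000-0000-000000000001' }
    [pscustomobject]@{ AppRoleId = 'a0000000-0000-0000-0000-000000000003' }
    [pscustomobject]@{ AppRoleId = 'a0000000-0000-0000-0000-000000000004' }
    [pscustomobject]@{ AppRoleId = 'b0000000-0000-0000-0000-000000000099' }
)

Get-AppRoleGrantReview -Assignments $novaAssignments -ResourceAppRoles $graphAppRoles |
    Sort-Object HighImpact -Descending | Format-Table -AutoSize
```

With the constructed data, Mail.Send and Sites.FullControl.All are flagged, the unresolved assignment is flagged so it is not silently ignored, and Reports.Read.All is listed unflagged. Note that for Exchange the table's own description says consent alone is not enough: "Manage Exchange As Application" only becomes usable once an admin assigns Exchange roles to the app, so an Exchange role assignment review belongs alongside this app role review.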
A virtual organizational unit (vOU) is an administrator-defined list of users that is evaluated dynamically against a chosen attribute. For example, vOUs can be built to group users by their location, department, company or another attribute. They let administrators group users so that authorization, configuration and license policies can be assigned to them.
If you are familiar with on-premises Active Directory, you will already be familiar with organizational units. Microsoft Entra ID and Microsoft 365 do not have this concept: users are stored in a flat list, which can make working with multiple geographies and departments much more difficult. Nova reintroduces the idea as 'virtual organizational units', and you can build a hierarchy of them just as you would in an on-premises Active Directory environment.
Viewing users and groups assigned to a Virtual Organizational Unit
Follow the steps below to see a list of users and groups currently assigned to a virtual organizational unit.
1.In the left menu, select Manage Administration > Tenants.
2.Expand the organizational units until you find the one whose users you want to see.
3.Click the ellipsis button (...) next to the desired organizational unit and select Users or Groups to see the users or groups that have been added to that unit within Nova.