-
Title
How to create O365 Service Accounts with Required Permissions -
Description
Some customers may not wish to give Global Admin rights to Service Accounts
Please Note
These Steps are only valid for accounts required for Migration Manager for Exchange Operation
They are not designed to work for Migration Manager for Active Directory Operation
-
Cause
This is due to the fact that the level of access is against some security policies in Customer environments. -
Resolution
While having the Service accounts belong to the Global Administrator Group for Office 365 is recommended, it is not always possible. The following is a way to create the accounts via PowerShell with the minimum required permissions acceptable.
Download the attached PowerShell script and follow these instructions.
1. Log on to any computer running Microsoft Windows 7 (x64 edition), Microsoft Windows Server 2008 R2 operating system or later.
2. Install Microsoft Online Services Sign-In Assistant (64-bit version) and Windows Azure Active Directory Module for Windows PowerShell (64-bit version). To get installation instructions and download links, go to http://technet.microsoft.com/en-us/library/jj151815.aspx.
3. Create a .CSV file in any appropriate location with the following two headers: AccountName and Password.
4. Fill the file in with administrative account names to be created in Office 365 and their passwords, one account per line.
The following is an example of a file with valid format:
AccountName,Password
AdminAcc1,Password1
AdminAcc2,Password2
AdminAcc3,Password3
5. After that launch %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe.
6. Allow script execution by invoking the following cmdlet: Set-executionpolicy unrestricted
7. Then change the PowerShell current working directory to location of the script file which script files your download.
8. Invoke the following cmdlet: Import-Module ./CreateQSGranularPermissionAdminAccountsInMSOLModule.ps1
9. Specify the appropriate parameters for the following cmdlet and invoke it: Create-QSGranularPermissionAdminAccountsInMSOL
10. As prompted, provide the credentials of administrative account with Global Administrator role to connect Office 365.
Select valid Office 365 license in a list displayed by Cmdlet and enter the related serial number to assign this license to the created user accounts.Caution: The user account that you specify for the Create-QSGranularPermissionAdminAccountsInMSOL cmdlet must have the Global Administrator role in Microsoft Office 365.
The administrative accounts specified in .CSV file will be created in Microsoft Office 365 and granted the following roles:
- User Management Administrator
- ApplicationImpersonation
- Mail Recipients
-
Attachments