Skip to main content
All CollectionsFrequently asked questions (FAQs)Microsoft 365
What admin rights will I need to set up the M365 sync?
What admin rights will I need to set up the M365 sync?

Find which Azure admin privileges you will need to authorise synchronisation.

Courtney Leacock avatar
Written by Courtney Leacock
Updated over 2 years ago

To authorise the synchronisation with Microsoft 365, you will need an Azure account with one of the following roles:

  • Global Administrator

  • Privileged Role Administrator

  • Cloud Application Administrator

  • Application Administrator

Any of these roles can be used for Delegated Permissions authentication but only Global Administrator can be used with Application Permissions authentication.

Application Permissions authentication requires an account that can grant tenant-wide admin consent for an AD Enterprise Application. This combined with the MS Graph API permissions required by the sync mean that this authentication option requires an account with Global Administrator role.

Delegated Permissions authentication will work as long as the token we hold for the delegated user is valid. That token will be invalidated if that user is removed, changes their password or enables MFA. It is also possible for it to expire after a period of time. This means you may need to re-authenticate the sync integration from time to time. For these reasons we recommend using Application Permissions authentication particularly if you intend to use the automatic sync or frequently run a manual sync. However we understand that it is not always possible or justifiable to use a Global Administrator account which is why we offer the Delegated Permissions option.

Did this answer your question?