# Required Permissions Reference
## Introduction

Activate integrates with Microsoft 365 and Exchange Online to automate identity lifecycle, access provisioning, and collaboration services. To perform these functions securely, Activate requires specific delegated or application permissions within your tenant.

This section outlines the minimum permissions required for each Activate product. Each permission is listed alongside a short explanation of why it is needed, so administrators can validate scope, reduce unnecessary privilege, and meet least-privilege security principles.

Permissions are grouped by product area, for example:

- Identity & Access Management: user provisioning, group membership, lifecycle actions
- Data Access Management: shared mailbox and distribution list management
- Collaboration Management: Teams creation and channel management
- Service Desk and Catalogue: device, service, and licence management

Some products do not require any additional Azure or Microsoft 365 permissions; these are also noted explicitly for clarity.

Note: Microsoft continues to deprecate the legacy PowerShell modules (MSOnline, AzureAD) in favour of the Microsoft Graph API. Activate supports both where required, but organisations should plan to migrate to Graph permissions wherever possible.

### How to use this section

1. Review the products your organisation intends to deploy.
2. Request the listed permissions during app registration in Entra ID. This ensures Activate has exactly the access it needs, no more and no less.
3. Audit regularly: as Microsoft Graph evolves, check whether permissions can be reduced or updated.

## Identity Access Management

### Identity & Access Manager

| Permission | Why it's needed |
|---|---|
| User.ReadWrite.All | Required to create, update, or disable user accounts during provisioning and deprovisioning. |
| Group.ReadWrite.All | Needed to add or remove users from groups so access can be granted or revoked automatically. |
| Directory.ReadWrite.All | Provides the ability to manage directory objects (users, groups, devices); essential for lifecycle tasks like onboarding/offboarding. |
| User-Phone.ReadWrite.All | Allows updating phone number attributes used for authentication or contact information. |
| User Administrator (role) | Grants administrative control to reset passwords, assign roles, and manage user identity lifecycle tasks. |
| Exchange Administrator (role) | Only required for mailbox creation and management in Exchange Online. |
| MailboxSettings.ReadWrite | Enables Activate to read and configure out-of-office messages and mailbox preferences for users. |

### Role Manager

| Permission | Why it's needed |
|---|---|
| GroupMember.ReadWrite.All | Required to add or remove members from groups. Not needed if Group.ReadWrite.All is already granted. |

### Self Service Password Reset Manager

| Permission | Why it's needed |
|---|---|
| User.ReadWrite.All | Required to create, update, or disable user accounts during provisioning and deprovisioning. |
| Helpdesk Administrator (role) | Grants the ability to reset user passwords and invalidate refresh tokens, which is essential for self-service password reset workflows. |

### Privileged Access Manager

| Permission | Why it's needed |
|---|---|
| User.ReadWrite.All | Required to create, update, or disable user accounts during provisioning and deprovisioning. |
| Group.ReadWrite.All | Needed to add or remove users from groups so access can be granted or revoked automatically. |
| Directory.ReadWrite.All | Provides the ability to manage directory objects (users, groups, devices); essential for lifecycle tasks like onboarding/offboarding. |
| User Administrator (role) | Grants administrative control to reset passwords, assign roles, and manage user identity lifecycle tasks. |

### Security Group Compliance Manager

No additional Azure permissions required.

### Security Group Manager

| Permission | Why it's needed |
|---|---|
| User.ReadWrite.All | Required to create, update, or disable user accounts during provisioning and deprovisioning. |
| Group.ReadWrite.All | Needed to add or remove users from groups so access can be granted or revoked automatically. |
| Directory.ReadWrite.All | Provides the ability to manage directory objects (users, groups, devices); essential for lifecycle tasks like onboarding/offboarding. |
| User Administrator (role) | Grants administrative control to reset passwords, assign roles, and manage user identity lifecycle tasks. |

### ITSM Service Desk Integrations Manager

No additional Azure permissions required.

## Data Access Management

### Shared Mailbox Manager

| Permission | Why it's needed |
|---|---|
| User.ReadWrite.All | Required to create, update, or disable user accounts during provisioning and deprovisioning. |
| Directory.ReadWrite.All | Provides the ability to manage directory objects (users, groups, devices); essential for lifecycle tasks like onboarding/offboarding. |
| Exchange Administrator (role) | Only required for mailbox creation and management in Exchange Online. |
| Exchange.ManageAsApp | Allows Activate to manage Exchange Online mailboxes directly as an application, without needing a signed-in user. Required for automated shared mailbox management. |

### Distribution List Manager

| Permission | Why it's needed |
|---|---|
| Exchange Administrator (role) | Required to use the BypassSecurityGroupManagerCheck flag on Add-DistributionGroupMember (see the BypassSecurityGroupManagerCheck error article). |
| Exchange.ManageAsApp | Allows Activate to manage Exchange Online mailboxes directly as an application, without needing a signed-in user. Required for automated distribution list management. |

### Folder Manager

No additional Azure permissions required.

## Collaboration Management

### Teams® Manager

| Permission | Why it's needed |
|---|---|
| Team.Create | Required to create new Microsoft Teams workspaces for users or groups. |
| Channel.Create.Group | Needed to create channels within teams, enabling structured collaboration. |
| User Administrator (role) | Grants rights to manage Teams membership through user account and role management. |
| Skype for Business Administrator (role) | Provides backward compatibility for managing legacy Skype for Business policies that still affect Teams. |
| Teams Communications Administrator (role) | Required to manage Teams calling and meeting settings, such as conferencing and voice policies. |

## Hardware and Software Management

### Asset and License Manager

No additional Azure permissions required.

### Service Catalogue Manager

| Permission | Why it's needed |
|---|---|
| User.ReadWrite.All | Required to create, update, or disable user accounts during provisioning and deprovisioning. |
| Group.ReadWrite.All | Needed to add or remove users from groups so access can be granted or revoked automatically. |
| Directory.ReadWrite.All | Provides the ability to manage directory objects (users, groups, devices); essential for lifecycle tasks like onboarding/offboarding. |
| Device.ReadWrite.All | Required to read and update device objects in Azure AD, allowing Activate to sync and manage devices for computer selection. |
| full_access_as_app | Required to access mailboxes if email approvals is in use. |
| User Administrator (role) | Grants administrative control to reset passwords, assign roles, and manage user identity lifecycle tasks. |

### Device Asset Manager

No additional Azure permissions required.

### License and Subscription Manager

No additional Azure permissions required.

### Extension & Mobile Connection Manager

No additional Azure permissions required.

## Other General Permissions

These are permissions required for functions other than direct product use.

| Permission | Why it's needed |
|---|---|
| full_access_as_app | Required to access mailbox content when email approvals is in use, or when other mailbox content access is required. Can't be delegated to an application. |
| Organization.Read.All | Used for querying licence counts / subscribed SKUs. |
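As an added example (not Activate's own tooling), the following Python script encodes the per-product tables above and checks a granted permission set against the products a tenant deploys: it reports what is missing, what is surplus, and where a broader grant (Group.ReadWrite.All) merely stands in for a narrower requirement (GroupMember.ReadWrite.All), which is the "audit regularly" step in practice. The granted set is a constructed sample; in a real tenant it would be taken from the app registration's application permission grants and directory role assignments.

```python
"""Least-privilege check for an Activate app registration (added example, not Activate's own tooling)."""

# The lifecycle bundle that several products on this page share
LIFECYCLE = {"User.ReadWrite.All", "Group.ReadWrite.All",
             "Directory.ReadWrite.All", "User Administrator"}

# Product -> Graph application permissions and Entra roles, as listed in the tables above
REQUIRED = {
    "Identity & Access Manager": LIFECYCLE | {"User-Phone.ReadWrite.All",
                                              "Exchange Administrator", "MailboxSettings.ReadWrite"},
    "Role Manager": {"GroupMember.ReadWrite.All"},
    "Self Service Password Reset Manager": {"User.ReadWrite.All", "Helpdesk Administrator"},
    "Privileged Access Manager": LIFECYCLE,
    "Security Group Manager": LIFECYCLE,
    "Shared Mailbox Manager": {"User.ReadWrite.All", "Directory.ReadWrite.All",
                               "Exchange Administrator", "Exchange.ManageAsApp"},
    "Distribution List Manager": {"Exchange Administrator", "Exchange.ManageAsApp"},
    "Teams Manager": {"Team.Create", "Channel.Create.Group", "User Administrator",
                      "Skype for Business Administrator", "Teams Communications Administrator"},
    "Service Catalogue Manager": LIFECYCLE | {"Device.ReadWrite.All", "full_access_as_app"},
}

# Broader permission -> narrower permissions it already covers (the Role Manager note above)
SUPERSEDES = {"Group.ReadWrite.All": {"GroupMember.ReadWrite.All"}}


def required_for(products):
    """Minimal permission set for the chosen products, dropping narrower permissions a needed broader one covers."""
    needed = set().union(*(REQUIRED[p] for p in products))
    for broad, narrow in SUPERSEDES.items():
        if broad in needed:
            needed -= narrow
    return needed


def audit(granted, products):
    """Return (missing, excess, over_scoped) for a granted set against the chosen products."""
    needed = required_for(products)
    missing = {p for p in needed if p not in granted
               and not any(p in narrow and broad in granted for broad, narrow in SUPERSEDES.items())}
    excess = granted - needed
    # A broad grant that only stands in for a narrower requirement is over-scoped rather than surplus
    over_scoped = {b for b in excess if SUPERSEDES.get(b, set()) & needed}
    return missing, excess - over_scoped, over_scoped


# Constructed sample: two products deployed, but the app was granted the whole lifecycle bundle
SAMPLE_PRODUCTS = ["Role Manager", "Self Service Password Reset Manager"]
SAMPLE_GRANTED = {"User.ReadWrite.All", "Group.ReadWrite.All",
                  "Directory.ReadWrite.All", "Helpdesk Administrator"}

if __name__ == "__main__":
    for label, perms in zip(("missing", "excess", "over-scoped"), audit(SAMPLE_GRANTED, SAMPLE_PRODUCTS)):
        print(f"{label}: {sorted(perms)}")
```

For the sample, Directory.ReadWrite.All is reported as surplus and Group.ReadWrite.All as over-scoped, since GroupMember.ReadWrite.All alone satisfies Role Manager.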