.. _ms-service-accounts:

Service Accounts
------------------

VOSS-4-UC utilizes service accounts for access to the PowerShell Proxy and for provisioning Microsoft 365 tenants. A single service account is required for the PowerShell Proxy. For Microsoft 365 tenants, VOSS-4-UC requires access to both Azure Active Directory and to Microsoft Teams. This can be accomplished with a single service account, or with separate service accounts for Azure AD and Teams. Each tenant under management requires its own service account(s). Account permissions and other details are described in this section.

PowerShell Proxy Server Remote Management Service Account
..........................................................

Clients, including VOSS-4-UC, that connect to the WinRM service on the PowerShell Proxy must provide credentials for an account having the characteristics listed below.

Table: *Remote Management Service Account*

.. tabularcolumns:: |p{4.5cm}|p{10.5cm}|

+----------------------------+----------------------------------------+
| **Account Type**           | Local Computer Account                 |
|                            |                                        |
|                            | (Note: not a domain account)           |
+----------------------------+----------------------------------------+
| **Local Group Membership** | Administrators                         |
|                            |                                        |
|                            | Remote Management Users                |
+----------------------------+----------------------------------------+

Tenant Service Account: Azure Active Directory
...............................................

For Azure Active Directory, the permissions required by VOSS-4-UC will depend on the management use cases required for that tenant. Minimum required permissions and additional permissions required for specific use cases are identified in the following tables.

.. note::

   You can combine the role permissions for Azure Active Directory with the role permissions for Microsoft Teams management into a single service account, or you can create two separate service accounts - one for Azure AD and another for Teams.
Table: *Azure Active Directory - Minimum Required Permissions*

.. tabularcolumns:: |p{7.0cm}|p{4.0cm}|p{4.0cm}|

+-----------------------------------------+--------------------------+--------------------------------+
| Role Permissions                        | Description              | Management Use Case            |
+=========================================+==========================+================================+
| microsoft.directory/users/standard/read | Read basic properties on | Retrieve end user information, |
|                                         | users in Azure Active    | including existing licensing,  |
|                                         | Directory                | from Azure AD                  |
+-----------------------------------------+--------------------------+--------------------------------+
| microsoft.directory/users/memberOf/read | Read users.memberOf      | Retrieve end user group        |
|                                         | property in Azure Active | membership                     |
|                                         | Directory                |                                |
+-----------------------------------------+--------------------------+--------------------------------+

Table: *Azure Active Directory - Additional Permissions Required to License / Enable End Users for Direct Routing*

.. tabularcolumns:: |p{7.0cm}|p{4.0cm}|p{4.0cm}|

+------------------------------------------------+---------------------------+--------------------------+
| Role Permissions                               | Description               | Management Use Case      |
+================================================+===========================+==========================+
| microsoft.directory/users/assignLicense        | Manage licenses on users  | License end user for     |
|                                                | in Azure Active Directory | Direct Routing (assign   |
|                                                |                           | E1 / E3 / E5 / Phone     |
|                                                |                           | System license)          |
+------------------------------------------------+---------------------------+--------------------------+
| microsoft.directory/users/usageLocation/update | Update users.usageLocation| Update end user Usage    |
|                                                | property in Azure Active  | Location                 |
|                                                | Directory                 |                          |
+------------------------------------------------+---------------------------+--------------------------+

Table: *Azure Active Directory - Additional Permissions Required to Manage Active Directory End Users*

.. tabularcolumns:: |p{8.0cm}|p{3.0cm}|p{5.0cm}|

+----------------------------------------------------+-----------------+-----------------------------------+
| Role Permissions                                   | Description     | Management Use Case               |
+====================================================+=================+===================================+
| microsoft.directory/users/create                   | Add users       | End user adds / changes / deletes |
+----------------------------------------------------+-----------------+-----------------------------------+
| microsoft.directory/users/delete                   | Delete users    | End user adds / changes / deletes |
+----------------------------------------------------+-----------------+-----------------------------------+
| microsoft.directory/users/disable                  | Disable users   | End user adds / changes / deletes |
+----------------------------------------------------+-----------------+-----------------------------------+
| microsoft.directory/users/enable                   | Enable users    | End user adds / changes / deletes |
+----------------------------------------------------+-----------------+-----------------------------------+
| microsoft.directory/users/restore                  | Restore deleted | End user adds / changes / deletes |
+----------------------------------------------------+-----------------+-----------------------------------+
| microsoft.directory/users/basic/update             | Update basic    | End user adds / changes / deletes |
|                                                    | properties on   |                                   |
|                                                    | users in Azure  |                                   |
|                                                    | directory       |                                   |
+----------------------------------------------------+-----------------+-----------------------------------+
| microsoft.directory/users/manager/update           | Update manager  | End user adds / changes / deletes |
|                                                    | for users       |                                   |
+----------------------------------------------------+-----------------+-----------------------------------+
| microsoft.directory/users/password/update          | Reset passwords | End user adds / changes / deletes |
|                                                    | for all users   |                                   |
+----------------------------------------------------+-----------------+-----------------------------------+
| microsoft.directory/users/userPrincipalName/update | Update User     | End user adds / changes / deletes |
|                                                    | Principal       |                                   |
|                                                    | Name of users   |                                   |
+----------------------------------------------------+-----------------+-----------------------------------+

Tenant Service Account: Microsoft Teams
........................................

To manage Microsoft Teams, VOSS-4-UC requires a service account having the following built-in role.

.. note::

   You can combine the role permissions for Azure Active Directory with the role permissions for Microsoft Teams management into a single service account, or you can create two separate service accounts - one for Azure AD and another for Teams.

Table: *Microsoft Teams Management - Required Role*

.. tabularcolumns:: |p{6.0cm}|p{4.0cm}|p{4.0cm}|

+----------------------------------+---------------------------+-----------------------------+
| Role                             | Description               | Management Use Case         |
+==================================+===========================+=============================+
| Skype for Business Administrator | Full access to all Teams  | Teams-enabled user and      |
|                                  | and Skype features,       | device management;          |
|                                  | Skype user attributes,    | management of voice routing |
|                                  | manages service requests, | configuration elements      |
|                                  | and monitors              |                             |
|                                  | service health            |                             |
+----------------------------------+---------------------------+-----------------------------+
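The following script is an added example, not part of the VOSS-4-UC documentation or product: it verifies, on the PowerShell Proxy server itself, that a candidate remote-management account matches the *Remote Management Service Account* table at the start of this section (a local, enabled account that is a direct member of both ``Administrators`` and ``Remote Management Users``) and that the WinRM service those clients connect to is actually running. It uses only the built-in ``Microsoft.PowerShell.LocalAccounts`` cmdlets; the account name ``svc-voss-proxy`` is a placeholder.

```powershell
# Added example (not VOSS-4-UC code): check a PowerShell Proxy remote-management
# account against the "Remote Management Service Account" requirements.
# Run in an elevated PowerShell session on the proxy server.
# Requires Microsoft.PowerShell.LocalAccounts (Windows Server 2016+ / Windows 10+).

param(
    [string]$AccountName = 'svc-voss-proxy'   # placeholder name, not a documented value
)

$requiredGroups = @('Administrators', 'Remote Management Users')
$findings = @()

# 1. The account must be a local computer account, not a domain account.
$localUser = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
if (-not $localUser) {
    $findings += "'$AccountName' is not a local user on $env:COMPUTERNAME (domain accounts are not supported)."
} elseif (-not $localUser.Enabled) {
    $findings += "Local account '$AccountName' exists but is disabled."
}

# 2. The account must be a direct member of both required local groups.
#    Get-LocalGroupMember reports local principals as COMPUTERNAME\name and
#    domain principals as DOMAIN\name, so matching on the local form also
#    rejects a same-named domain account that was added by mistake.
foreach ($group in $requiredGroups) {
    $members  = Get-LocalGroupMember -Group $group -ErrorAction Stop
    $isMember = $members | Where-Object {
        $_.ObjectClass -eq 'User' -and $_.Name -eq "$env:COMPUTERNAME\$AccountName"
    }
    if (-not $isMember) {
        $findings += "'$AccountName' is not a member of local group '$group'."
    }
}

# 3. Group membership is moot if nothing is listening for remote management.
$winrm = Get-Service -Name WinRM -ErrorAction SilentlyContinue
if (-not $winrm -or $winrm.Status -ne 'Running') {
    $findings += 'The WinRM service is not running on this host.'
}

if ($findings.Count -eq 0) {
    Write-Output "OK: '$AccountName' satisfies the Remote Management Service Account requirements."
} else {
    $findings | ForEach-Object { Write-Output "FAIL: $_" }
}
```

Run it as ``.\Test-ProxyAccount.ps1 -AccountName <name>`` after creating the account; every ``FAIL`` line maps to one row of the table, so a clean run is a quick pre-flight check before the proxy is registered in VOSS-4-UC.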
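The following script is an added example, not part of the VOSS-4-UC documentation or product: it audits the directory roles assigned to a tenant service account against the three Azure Active Directory permission tables above and checks for the *Skype for Business Administrator* role from the Teams table, so that a combined or split service account can be confirmed before provisioning starts. It assumes the Microsoft Graph PowerShell SDK (``Microsoft.Graph.Identity.Governance``) and a session with the ``RoleManagement.Read.Directory`` scope; the object id is supplied by the caller, and the grouping of permissions into "minimum", "Direct Routing" and "end user management" sets follows the tables in this section.

```powershell
# Added example (not VOSS-4-UC code): audit a tenant service account's directory
# role assignments against the permissions listed in this section.
# Assumes the Microsoft Graph PowerShell SDK is installed.

param(
    [Parameter(Mandatory = $true)]
    [string]$ServiceAccountObjectId   # object id of the service account user (caller supplies it)
)

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory' | Out-Null

# Permission sets copied from the tables in this section.
$minimum       = @('microsoft.directory/users/standard/read',
                   'microsoft.directory/users/memberOf/read')
$directRouting = @('microsoft.directory/users/assignLicense',
                   'microsoft.directory/users/usageLocation/update')
$userMgmt      = @('microsoft.directory/users/create',
                   'microsoft.directory/users/delete',
                   'microsoft.directory/users/disable',
                   'microsoft.directory/users/enable',
                   'microsoft.directory/users/restore',
                   'microsoft.directory/users/basic/update',
                   'microsoft.directory/users/manager/update',
                   'microsoft.directory/users/password/update',
                   'microsoft.directory/users/userPrincipalName/update')
$teamsRole     = 'Skype for Business Administrator'

# Resolve every role definition assigned to the principal and flatten the
# resource actions those definitions allow.
$assignments = Get-MgRoleManagementDirectoryRoleAssignment -All `
                   -Filter "principalId eq '$ServiceAccountObjectId'"
$roles = foreach ($a in $assignments) {
    Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $a.RoleDefinitionId
}
$granted = $roles | ForEach-Object { $_.RolePermissions } |
           ForEach-Object { $_.AllowedResourceActions } | Sort-Object -Unique

Write-Output "Assigned roles: $(($roles.DisplayName | Sort-Object -Unique) -join ', ')"

function Test-PermissionSet([string]$Label, [string[]]$Required) {
    # Literal comparison only: broad built-in roles express their rights as
    # aggregate actions rather than the individual entries in the tables, so an
    # item reported as missing while such a role is assigned needs a manual look.
    $missing = $Required | Where-Object { $granted -notcontains $_ }
    if ($missing) { Write-Output "${Label}: MISSING $($missing -join ', ')" }
    else          { Write-Output "${Label}: all permissions present" }
}

Test-PermissionSet 'Azure AD minimum'         $minimum
Test-PermissionSet 'Direct Routing licensing' $directRouting
Test-PermissionSet 'End user management'      $userMgmt

if (@($roles.DisplayName) -contains $teamsRole) {
    Write-Output "Teams: '$teamsRole' is assigned"
} else {
    Write-Output "Teams: '$teamsRole' is NOT assigned"
}

# Least-privilege view: actions granted beyond everything this section asks for.
$allRequired = $minimum + $directRouting + $userMgmt
$extra = @($granted | Where-Object { $allRequired -notcontains $_ })
if ($extra.Count -gt 0) {
    Write-Output "Review: $($extra.Count) granted action(s) are not required by this section."
}
```

Because the Teams role is a built-in role with a wide action set, the final "Review" line will normally be non-zero for a combined account; it is there to make the trade-off between a single account and two separate accounts (as the notes above describe) visible rather than to flag an error.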