Service Accounts¶
VOSS-4-UC utilizes service accounts for access to the PowerShell Proxy and for provisioning Microsoft 365 tenants. A single service account is required for the PowerShell Proxy. For Microsoft 365 tenants, VOSS-4-UC requires access to both Azure Active Directory and to Microsoft Teams. This can be accomplished with a single service account, or with separate service accounts for Azure AD and Teams. Each tenant under management requires its own service account(s).
Account permissions and other details are described in this section.
PowerShell Proxy Server Remote Management Service Account¶
Clients, including VOSS-4-UC, that connect to the WinRM service on the PowerShell Proxy must provide credentials for an account having the characteristics listed below.
Table: Remote Management Service Account
Requirement | Value |
---|---|
Account Type | Local computer account on the PowerShell Proxy (not a domain account) |
Local Group Membership | Administrators, Remote Management Users |
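As an added example (not part of the VOSS documentation), the following PowerShell, run elevated on the PowerShell Proxy, creates a local account with the two memberships from the table and then checks that a WinRM session under that account actually carries an administrative token. The account name voss-winrm is an assumption.

```powershell
# Added example, not VOSS product code. Run in an elevated PowerShell on the
# PowerShell Proxy. The account name is an assumption; pick your own.
$AccountName    = 'voss-winrm'
$RequiredGroups = @('Administrators', 'Remote Management Users')
$Password       = Read-Host -AsSecureString -Prompt "Password for $AccountName"

# 1. Local (non-domain) account, as the table requires.
if (-not (Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $AccountName -Password $Password `
        -Description 'VOSS-4-UC PowerShell Proxy remote management account' `
        -AccountNeverExpires | Out-Null
}

# 2. Group memberships. Get-LocalGroupMember reports names as COMPUTER\user.
$Qualified = "$env:COMPUTERNAME\$AccountName"
foreach ($Group in $RequiredGroups) {
    if (-not ((Get-LocalGroupMember -Group $Group).Name -contains $Qualified)) {
        Add-LocalGroupMember -Group $Group -Member $AccountName
    }
}

# 3. Check: every required group lists the account.
foreach ($Group in $RequiredGroups) {
    $Present = (Get-LocalGroupMember -Group $Group).Name -contains $Qualified
    '{0,-25} {1}' -f $Group, $(if ($Present) { 'OK' } else { 'MISSING' })
}

# 4. Check: a WinRM session as this account receives a full administrative token.
#    A local administrator other than the built-in Administrator can be handed a
#    UAC-filtered token on a network logon; if IsAdmin is False here, VOSS-4-UC
#    can connect to the proxy but cannot do administrative work through it.
$Cred    = [pscredential]::new($Qualified, $Password)
$Session = New-PSSession -ComputerName $env:COMPUTERNAME -Credential $Cred
Invoke-Command -Session $Session -ScriptBlock {
    $Identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    [pscustomobject]@{
        User    = $Identity.Name
        IsAdmin = ([Security.Principal.WindowsPrincipal]$Identity).IsInRole(
                      [Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}
Remove-PSSession $Session
```

Store the password in whatever secret store feeds the VOSS-4-UC configuration and rotate it on the same schedule as other infrastructure credentials; the account exists only for WinRM and should never be used for interactive logon.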
Tenant Service Account: Azure Active Directory¶
For Azure Active Directory, the permissions required by VOSS-4-UC will depend on the management use cases required for that tenant. Minimum required permissions and additional permissions required for specific use cases are identified in the following tables.
Note
You can combine the role permissions for Azure Active Directory with the role permissions for Microsoft Teams management into a single service account, or you can create two separate service accounts - one for Azure AD and another for Teams.
Table: Azure Active Directory - Minimum Required Permissions
Role Permissions | Description | Management Use Case |
---|---|---|
microsoft.directory/users/standard/read | Read basic properties on users in Azure Active Directory | Retrieve end user information, including existing licensing, from Azure AD |
microsoft.directory/users/memberOf/read | Read users.memberOf property in Azure Active Directory | Retrieve end user group membership |
Table: Azure Active Directory - Additional Permissions Required to License / Enable End Users for Direct Routing
Role Permissions | Description | Management Use Case |
---|---|---|
microsoft.directory/users/assignLicense | Manage licenses on users in Azure Active Directory | License end user for Direct Routing (assign E1 / E3 / E5 / Phone System license) |
microsoft.directory/users/usageLocation/update | Update users.usageLocation property in Azure Active Directory | Set the end user's usage location (Azure AD requires a usage location before a license can be assigned) |
Table: Azure Active Directory - Additional Permissions Required to Manage Active Directory End Users
Role Permissions | Description | Management Use Case |
---|---|---|
microsoft.directory/users/create | Add users | End user adds / changes / deletes |
microsoft.directory/users/delete | Delete users | End user adds / changes / deletes |
microsoft.directory/users/disable | Disable users | End user adds / changes / deletes |
microsoft.directory/users/enable | Enable users | End user adds / changes / deletes |
microsoft.directory/users/restore | Restore deleted users | End user adds / changes / deletes |
microsoft.directory/users/basic/update | Update basic properties on users in Azure Active Directory | End user adds / changes / deletes |
microsoft.directory/users/manager/update | Update manager for users | End user adds / changes / deletes |
microsoft.directory/users/password/update | Reset passwords for all users | End user adds / changes / deletes |
microsoft.directory/users/userPrincipalName/update | Update User Principal Name of users | End user adds / changes / deletes |
Tenant Service Account: Microsoft Teams¶
To manage Microsoft Teams, VOSS-4-UC requires a service account having the following built-in role.
Note
You can combine the role permissions for Azure Active Directory with the role permissions for Microsoft Teams management into a single service account, or you can create two separate service accounts - one for Azure AD and another for Teams.
Table: Microsoft Teams Management - Required Role
Role | Description | Management Use Case |
---|---|---|
Skype for Business Administrator | Full access to all Teams and Skype features and Skype user attributes; manages service requests and monitors service health | Teams-enabled user and device management; management of voice routing configuration elements |
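As an added example that serves both the Azure Active Directory permission tables and the Teams role table (not part of the VOSS documentation), the following Microsoft Graph PowerShell creates a custom directory role carrying only the write actions listed above, assigns it to the Azure AD service account, assigns the built-in Skype for Business Administrator role to the Teams service account, and then checks what each account ended up holding. The role name and both UPNs are assumptions; set both UPNs to the same account if you use a single service account for Azure AD and Teams.

```powershell
# Added example, not VOSS product code. Requires the Microsoft.Graph PowerShell
# module and an admin signed in with RoleManagement.ReadWrite.Directory.
# Role name and UPNs are assumptions.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'User.Read.All' | Out-Null

$AzureAdAccountUpn = 'svc-voss-aad@contoso.onmicrosoft.com'
$TeamsAccountUpn   = 'svc-voss-teams@contoso.onmicrosoft.com'

# Write actions from the Azure AD tables. users/standard/read and
# users/memberOf/read are not added to the role: they are default member-user
# permissions unless the tenant has restricted them (an assumption about the
# tenant; confirm with a read test signed in as the service account).
$DirectRoutingLicensing = @(
    'microsoft.directory/users/assignLicense',
    'microsoft.directory/users/usageLocation/update'
)
$UserLifecycle = @(
    'microsoft.directory/users/create',
    'microsoft.directory/users/delete',
    'microsoft.directory/users/disable',
    'microsoft.directory/users/enable',
    'microsoft.directory/users/restore',
    'microsoft.directory/users/basic/update',
    'microsoft.directory/users/manager/update',
    'microsoft.directory/users/password/update',
    'microsoft.directory/users/userPrincipalName/update'
)

# Grant only what this tenant's use cases need. A tenant that only licenses
# existing users for Direct Routing does not need $UserLifecycle at all.
$ManageUsersHere = $false
$Actions = $DirectRoutingLicensing
if ($ManageUsersHere) { $Actions += $UserLifecycle }

$CustomRole = New-MgRoleManagementDirectoryRoleDefinition `
    -DisplayName 'VOSS-4-UC Tenant Service' `
    -Description 'Least-privilege role for VOSS-4-UC Azure AD management' `
    -IsEnabled:$true `
    -RolePermissions @(@{ AllowedResourceActions = $Actions })

$AadAccount = Get-MgUser -UserId $AzureAdAccountUpn
New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $CustomRole.Id `
    -PrincipalId $AadAccount.Id -DirectoryScopeId '/' | Out-Null

# Teams: the built-in role, looked up by display name rather than a hard-coded id.
$SfbRole = Get-MgRoleManagementDirectoryRoleDefinition `
    -Filter "displayName eq 'Skype for Business Administrator'"
$TeamsAccount = Get-MgUser -UserId $TeamsAccountUpn
New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $SfbRole.Id `
    -PrincipalId $TeamsAccount.Id -DirectoryScopeId '/' | Out-Null

# Check (a): the stored custom role holds exactly the requested actions.
$Stored = (Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $CustomRole.Id).RolePermissions.AllowedResourceActions
$Diff = Compare-Object -ReferenceObject $Actions -DifferenceObject $Stored
if ($Diff) { $Diff; throw 'Stored role actions differ from the requested set' }

# Check (b): each service account holds only the roles assigned above. Any other
# directory role on these accounts is privilege the integration does not need.
foreach ($Account in (@($AadAccount, $TeamsAccount) | Sort-Object Id -Unique)) {
    $Assignments = Get-MgRoleManagementDirectoryRoleAssignment `
        -Filter "principalId eq '$($Account.Id)'" -ExpandProperty RoleDefinition
    [pscustomobject]@{
        Account = $Account.UserPrincipalName
        Roles   = ($Assignments.RoleDefinition.DisplayName | Sort-Object) -join ', '
    }
}
```

Custom directory roles require an Azure AD Premium P1 licence in the tenant. Without it, the closest built-in fit for the Direct Routing licensing use case is the License Administrator role, which is broader than the two actions in that table; the built-in Skype for Business Administrator role is tenant-wide either way, so a dedicated account for it, separate from the Azure AD account, limits what a compromise of either credential reaches.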