UnitySync Office 365 login requirements
Created: 2016-04-21 08:46:39
Modified: 2023-08-15 17:03:36
Tags: Office 365 System Requirements UnitySync
System Requirements
Ensure your UnitySync server meets the Special Requirements for o365 connections.
Required Login information
ID: The login of the default administrative account or other custom account created for UnitySync. This is required information when using Office 365 (O365).
ID name format: Use the same login format you would use when logging in to O365 online:
e.g. AdminAccountName@YourDomain.onmicrosoft.com
Password: The password that corresponds to the login ID specified.
Permissions to read/write an O365 tenant
We highly recommend use of an O365 Admin account. Microsoft does not make it easy to create a non-Admin account with the necessary access for UnitySync to perform the required PowerShell commands when writing to O365.
NOTE: Two-factor authentication (2FA) must be disabled for the O365 user account specified in your connection.
Discovery of O365
We highly recommend use of an O365 Admin account. Alternatively, you may assign minimum read access to the UnitySync O365 login ID used for O365 Discovery.
For example, create an unlicensed Office 365 user account without O365 admin rights.
For view-only access to O365, add the user to the “View-Only Organization Management” admin role in the Exchange Admin Center. This role should provide UnitySync the rights needed to run the PowerShell cmdlets utilized by UnitySync Discovery.
Cmdlets required for Discovery:
Get-User
Get-Mailbox
Get-EXOMailbox
Get-MailUser
Get-Contact
Get-MailContact
Get-DistributionGroup
Get-DistributionGroupMember
Get-UnifiedGroup
Get-UnifiedGroupLinks
Syncing to O365:
We highly recommend use of an O365 Admin account. Microsoft does not make it easy to create a non-Admin account with the necessary access for UnitySync to perform the required PowerShell commands when writing to O365.
That said, it is possible for a non-Admin account to sync to O365.
The following commands are utilized by a UnitySync Sync process:
Set-Group
Set-DistributionGroup
Update-DistributionGroupMember
Set-Contact
Set-MailContact
New-DistributionGroup
New-MailContact
Remove-DistributionGroup
Remove-MailContact
Additionally, here is a sample O365 RBAC script to reduce permissions.
IMPORTANT NOTE: This script was provided by a client as a sample script which allowed them to create a non-Admin account for UnitySync to sync to O365. Your script may be different depending on your preference and environment. Using the script as an example, you can try to create a custom account with minimal access.
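To check what a reduced-permission account can actually run against the Discovery and Sync cmdlet lists above, the following audit script is an added example; it is not the client's RBAC script or UnitySync code. It assumes the ExchangeOnlineManagement module is installed and that an administrator has already run Connect-ExchangeOnline; the `-Account` and `-Mode` parameter names are chosen for this example.

```powershell
# Added example (not vendor code): compare the RBAC cmdlets granted to a
# UnitySync login ID with the cmdlet lists in this article.
# Assumes an existing Connect-ExchangeOnline session opened by an admin.
param(
    [Parameter(Mandatory)] [string] $Account,   # UnitySync login ID to audit
    [ValidateSet('Discovery', 'Sync')] [string] $Mode = 'Discovery'
)

# Cmdlet lists copied from this article.
$cmdlets = @{
    Discovery = 'Get-User', 'Get-Mailbox', 'Get-EXOMailbox', 'Get-MailUser',
                'Get-Contact', 'Get-MailContact', 'Get-DistributionGroup',
                'Get-DistributionGroupMember', 'Get-UnifiedGroup',
                'Get-UnifiedGroupLinks'
    Sync      = 'Set-Group', 'Set-DistributionGroup',
                'Update-DistributionGroupMember', 'Set-Contact',
                'Set-MailContact', 'New-DistributionGroup', 'New-MailContact',
                'Remove-DistributionGroup', 'Remove-MailContact'
}
$required = $cmdlets[$Mode]

# Role assignments that reach the account directly or through role groups.
$roles = Get-ManagementRoleAssignment -RoleAssignee $Account -Delegating $false -Enabled $true |
    Select-Object -ExpandProperty Role -Unique

# Every cmdlet exposed by those roles.
$granted = foreach ($role in $roles) {
    Get-ManagementRoleEntry "$role\*" | Select-Object -ExpandProperty Name
}
$granted = @($granted | Sort-Object -Unique)

# Required cmdlets with no matching role entry. Treat a hit as a prompt to
# test that cmdlet as the account, since a cmdlet implemented in the client
# module may not appear as its own role entry (assumption, verify per tenant).
$missing = @($required | Where-Object { $_ -notin $granted })

# Non-Get cmdlets the account holds beyond what this mode needs.
$review = @($granted | Where-Object { $_ -notlike 'Get-*' -and $_ -notin $required })

[pscustomobject]@{
    Account              = $Account
    Mode                 = $Mode
    Roles                = $roles
    MissingRequired      = $missing
    WriteCmdletsToReview = $review
}
```

An empty `WriteCmdletsToReview` for a Discovery account, or one limited to entries you have reviewed for a Sync account, indicates the custom role is close to the minimum described here.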
For more detailed information about setting read/write permissions on O365 User accounts, refer to Microsoft tech articles and/or reach out to Microsoft technical support:
Refer to: TechNet Overview of Built-in role groups
Refer to: TechNet View-only Organization Management
Refer to: Permissions in Exchange Online
Refer to: Create an unscoped role
For more information about O365 syncs, please refer to the O365 KB articles and the UnitySync Administrator’s Guide.