Register Adaxes as an app in Microsoft Entra ID

To register a Microsoft Entra domain or a Microsoft 365 tenant in Adaxes, you first have to register Adaxes as an app in Microsoft Entra ID. This establishes a trust between Adaxes and the Microsoft identity platform, and allows Adaxes to manage your domain or Microsoft 365 tenant. The process consists of three steps: create an application in Entra ID, add API permissions, and assign roles to the application.

Create application

  1. Sign in to the Microsoft Entra admin center.

  2. Navigate to and open the App registrations service.

    To quickly locate the service, type App registrations in the Search field.

  3. Click New registration.

  4. Enter the application name (e.g. Adaxes), and click Register.

  5. Copy the Application (client) ID and paste it into the Application (client) ID field in Adaxes Administration console.

  6. Copy the Directory (tenant) ID and paste it into the Directory (tenant) ID field in Adaxes Administration console.

  7. Back on the app page in the Microsoft Entra admin center, click Add a certificate or secret.

  8. Click New client secret and then click Add.

  9. Copy the client secret Value and paste it into the Client secret field in Adaxes Administration console.

Do not click Next in the Administration console yet, as you need to grant the newly registered app the required permissions first.

Add API permissions

The app requires all of the following API permissions for managing Microsoft Entra domains. If you are going to use Adaxes only to manage a Microsoft 365 tenant, i.e. to assign/revoke licenses and manage Exchange Online mailboxes, the Exchange.ManageAsApp permission alone is sufficient.

  • Exchange.ManageAsApp: To allow Adaxes to connect to Exchange Online.

  • AuditLog.Read.All: To read users' last sign in information.

  • Sites.ReadWrite.All: To modify properties stored in external sources e.g. employee hire date stored in SharePoint.

  • Group.ReadWrite.All: To modify group properties stored in external sources.

  • User.ReadWrite.All: To read/write user photo.

Add these API permissions via the app manifest:

  1. On the app page in the Microsoft Entra admin center, click Manifest.

  2. Locate the requiredResourceAccess key in the JSON manifest and set it to the following value.

    Microsoft Entra ID / Microsoft 365:

    "requiredResourceAccess": [
        {
            "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
            "resourceAccess": [
                {
                    "id": "dc50a0fb-09a3-484d-be87-e023b12c6440",
                    "type": "Role"
                }
            ]
        },
        {
            "resourceAppId": "00000003-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "62a82d76-70ea-41e2-9197-370581804d09",
                    "type": "Role"
                },
                {
                    "id": "9492366f-7969-46a4-8d15-ed1a20078fff",
                    "type": "Role"
                },
                {
                    "id": "741f803b-c850-494e-b5df-cde7c675a1ca",
                    "type": "Role"
                },
                {
                    "id": "b0afded3-3588-46d8-8b3d-9842eff778da",
                    "type": "Role"
                }
            ]
        }
    ]
    
    Microsoft 365 only:

    "requiredResourceAccess": [
        {
            "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
            "resourceAccess": [
                {
                    "id": "dc50a0fb-09a3-484d-be87-e023b12c6440",
                    "type": "Role"
                }
            ]
        }
    ]
    
  3. Click Save.

  4. Click API permissions.

  5. Verify that the list contains the required permissions.

  6. Click Grant admin consent for <tenant name> and then click Yes to confirm. Admin consent is required to make the added permissions effective.
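The verification in step 5 can also be run against an exported manifest before admin consent is granted. The script below is an added example, not part of Adaxes or its documentation: it compares requiredResourceAccess with the ids in the manifest above and reports anything missing or extra. The function name, the sample input and the pairing of each id with a permission name are this example's assumptions.

```python
import json

# Allow-list copied from the manifest on this page: resourceAppId -> permission ids.
# The page lists ids and permission names separately; pairing them is an assumption.
EXCHANGE = "00000002-0000-0ff1-ce00-000000000000"
GRAPH = "00000003-0000-0000-c000-000000000000"
EXPECTED = {
    EXCHANGE: {"dc50a0fb-09a3-484d-be87-e023b12c6440": "Exchange.ManageAsApp"},
    GRAPH: {
        "62a82d76-70ea-41e2-9197-370581804d09": "Group.ReadWrite.All",
        "9492366f-7969-46a4-8d15-ed1a20078fff": "Sites.ReadWrite.All",
        "741f803b-c850-494e-b5df-cde7c675a1ca": "User.ReadWrite.All",
        "b0afded3-3588-46d8-8b3d-9842eff778da": "AuditLog.Read.All",
    },
}

def audit_manifest(manifest, m365_only=False):
    """Return (missing, unexpected) relative to the manifest shown on this page."""
    wanted = {EXCHANGE: EXPECTED[EXCHANGE]} if m365_only else EXPECTED
    seen, unexpected = set(), []
    for res in manifest.get("requiredResourceAccess", []):
        app = res.get("resourceAppId", "").lower()
        for acc in res.get("resourceAccess", []):
            pid, kind = acc.get("id", "").lower(), acc.get("type")
            # The page's manifest uses only application permissions ("Role").
            if pid in wanted.get(app, {}) and kind == "Role":
                seen.add((app, pid))
            else:
                unexpected.append((app, pid, kind))
    missing = sorted(name for app, perms in wanted.items()
                     for pid, name in perms.items() if (app, pid) not in seen)
    return missing, unexpected

# Constructed sample: the "Microsoft 365 only" manifest plus one extra Graph entry
# whose id is a made-up placeholder, not a real permission.
SAMPLE = json.loads("""{"requiredResourceAccess": [
  {"resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
   "resourceAccess": [{"id": "dc50a0fb-09a3-484d-be87-e023b12c6440", "type": "Role"}]},
  {"resourceAppId": "00000003-0000-0000-c000-000000000000",
   "resourceAccess": [{"id": "11111111-2222-3333-4444-555555555555", "type": "Role"}]}
]}""")

if __name__ == "__main__":
    print(audit_manifest(SAMPLE, m365_only=True))  # extra Graph entry is flagged
    print(audit_manifest(SAMPLE))                  # four Graph permissions missing
```

An empty result for both lists means the manifest requests exactly the permissions this page specifies; any unexpected entry should be reviewed before clicking Grant admin consent.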

Assign roles to the app

As a final step, you need to assign the following Microsoft Entra roles to the app. These roles support application authentication and provide the rest of the required permissions. You have two options.

  • Global administrator
    or
  • Exchange administrator and User administrator

  1. Go back to the Microsoft Entra admin center home page.

  2. Navigate to and open the Microsoft Entra ID roles and administrators service.

    To quickly locate the service, type Microsoft Entra ID roles and administrators in the Search field.

  3. Click on the role you want to assign.

  4. Click Add assignments.

  5. Assign the role to the app you've just registered.

  6. In Adaxes Administration console, click Next and follow the instructions in the wizard to complete the domain/tenant registration.

Microsoft Entra roles might not become effective immediately. If you encounter an insufficient permissions error in Adaxes, wait several minutes and click Next again.