Register Adaxes as an app in Entra ID

Registering Adaxes as an app in Microsoft Entra ID establishes a trust between Adaxes and the Microsoft identity platform. This allows Adaxes to perform operations in Entra ID, Microsoft 365, and Exchange Online via the registered app.

The app registration can serve two purposes:

Enable Adaxes to manage Entra ID, Microsoft 365, and Exchange Online
Enable Adaxes to securely send email notifications via Exchange Online

This article explains how to register and configure the app to manage your Entra organization. For details on how to configure the app to send emails, see Configure mail settings.

Create application

Sign in to the Microsoft Entra admin center.
Navigate to and open the App registrations service.

To quickly locate the service, type App registrations in the Search field.
Click New registration.
Enter the application name (e.g. Adaxes), and click Register.
Copy the Application (client) ID and paste it into the Application (client) ID field in Adaxes administration console.
Copy the Directory (tenant) ID and paste it into the Directory (tenant) ID field in Adaxes administration console.
Back on the app page in the Microsoft Entra admin center, click Add a certificate or secret.
Click New client secret and then click Add.
Copy the client secret Value and paste it into the Client secret field in Adaxes administration console.

Do not click Next in the administration console yet, as you need to grant the newly registered app the required permissions first.

Add API permissions

The app requires certain API permissions to enable Adaxes to manage your Microsoft Entra domain or Microsoft 365 tenant. Tenant management requires fewer permissions than domain management.

Permission
Reason
Exchange.ManageAsApp
Connect to Exchange Online.
User.ReadWrite.All
View, create, update, and delete user accounts.
User-PasswordProfile.ReadWrite.All
Reset users' passwords.
UserAuthenticationMethod.ReadWrite.All
Reset users' multifactor authentication methods.
User.EnableDisableAccount.All
Enable and disable accounts of role-assignable group members.
LicenseAssignment.ReadWrite.All
Assign and revoke Microsoft 365 licenses.
AuditLog.Read.All
Read users' last sign in information. Domain management only.
Sites.ReadWrite.All
Modify properties stored in external sources e.g. employee hire date stored in SharePoint. Domain management only.
Group.ReadWrite.All
View, create, update, delete groups and add/remove group members. Domain management only.
RoleManagement.ReadWrite.Directory
Create role-assignable groups. Domain management only.

Add these API permissions via the app manifest:

On the app page in the Microsoft Entra admin center, click Manifest to open up an editor that allows you to directly edit the attributes of the app registration.
Locate the requiredResourceAccess key in the manifest.

Set the key to one of the values below, depending on the function that your Entra app will perform.

Domain / tenant management and sending emails

Select one of these values if you will use the app to manage your domain or tenant and send emails.

Entra domain and Microsoft 365 tenant

"requiredResourceAccess": [
    {
        "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
        "resourceAccess": [
            {
                "id": "dc50a0fb-09a3-484d-be87-e023b12c6440",
                "type": "Role"
            },
            {
                "id": "7146a1f0-8703-45b3-9eae-527a64c00995",
                "type": "Role"
            }
        ]
    },
    {
        "resourceAppId": "00000003-0000-0000-c000-000000000000",
        "resourceAccess": [
            {
                "id": "b0afded3-3588-46d8-8b3d-9842eff778da",
                "type": "Role"
            },
            {
                "id": "62a82d76-70ea-41e2-9197-370581804d09",
                "type": "Role"
            },
            {
                "id": "5facf0c1-8979-4e95-abcf-ff3d079771c0",
                "type": "Role"
            },
            {
                "id": "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8",
                "type": "Role"
            },
            {
                "id": "9492366f-7969-46a4-8d15-ed1a20078fff",
                "type": "Role"
            },
            {
                "id": "cc117bb9-00cf-4eb8-b580-ea2a878fe8f7",
                "type": "Role"
            },
            {
                "id": "741f803b-c850-494e-b5df-cde7c675a1ca",
                "type": "Role"
            },
            {
                "id": "50483e42-d915-4231-9639-7fdb7fd190e5",
                "type": "Role"
            },
            {
                "id": "3011c876-62b7-4ada-afa2-506cbbecc68c",
                "type": "Role"
		    }
        ]
    }
]

Microsoft 365 tenant

"requiredResourceAccess": [
    {
        "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
        "resourceAccess": [
            {
                "id": "dc50a0fb-09a3-484d-be87-e023b12c6440",
                "type": "Role"
            },
            {
                "id": "7146a1f0-8703-45b3-9eae-527a64c00995",
                "type": "Role"
            }
        ]
    },
    {
        "resourceAppId": "00000003-0000-0000-c000-000000000000",
        "resourceAccess": [
            {
                "id": "5facf0c1-8979-4e95-abcf-ff3d079771c0",
                "type": "Role"
            },
            {
                "id": "cc117bb9-00cf-4eb8-b580-ea2a878fe8f7",
                "type": "Role"
            },
            {
                "id": "741f803b-c850-494e-b5df-cde7c675a1ca",
                "type": "Role"
            },
            {
                "id": "50483e42-d915-4231-9639-7fdb7fd190e5",
                "type": "Role"
            },
            {
                "id": "3011c876-62b7-4ada-afa2-506cbbecc68c",
                "type": "Role"
		    }

        ]
    }
]

Only domain / tenant management

Select one of these values if you will use the app to only to manage your domain or tenant.

Entra domain and Microsoft 365 tenant

"requiredResourceAccess": [
    {
        "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
        "resourceAccess": [
            {
                "id": "dc50a0fb-09a3-484d-be87-e023b12c6440",
                "type": "Role"
            }
        ]
    },
    {
        "resourceAppId": "00000003-0000-0000-c000-000000000000",
        "resourceAccess": [
            {
                "id": "b0afded3-3588-46d8-8b3d-9842eff778da",
                "type": "Role"
            },
            {
                "id": "62a82d76-70ea-41e2-9197-370581804d09",
                "type": "Role"
            },
            {
                "id": "5facf0c1-8979-4e95-abcf-ff3d079771c0",
                "type": "Role"
            },
            {
                "id": "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8",
                "type": "Role"
            },
            {
                "id": "9492366f-7969-46a4-8d15-ed1a20078fff",
                "type": "Role"
            },
            {
                "id": "cc117bb9-00cf-4eb8-b580-ea2a878fe8f7",
                "type": "Role"
            },
            {
                "id": "741f803b-c850-494e-b5df-cde7c675a1ca",
                "type": "Role"
            },
            {
                "id": "50483e42-d915-4231-9639-7fdb7fd190e5",
                "type": "Role"
            },
            {
                "id": "3011c876-62b7-4ada-afa2-506cbbecc68c",
                "type": "Role"
		    }
        ]
    }
]

Microsoft 365 tenant

"requiredResourceAccess": [
    {
        "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
        "resourceAccess": [
            {
                "id": "dc50a0fb-09a3-484d-be87-e023b12c6440",
                "type": "Role"
            }
        ]
    },
    {
        "resourceAppId": "00000003-0000-0000-c000-000000000000",
        "resourceAccess": [
            {
                "id": "cc117bb9-00cf-4eb8-b580-ea2a878fe8f7",
                "type": "Role"
            },
            {
                "id": "741f803b-c850-494e-b5df-cde7c675a1ca",
                "type": "Role"
            },
            {
                "id": "50483e42-d915-4231-9639-7fdb7fd190e5",
                "type": "Role"
            },
            {
                "id": "5facf0c1-8979-4e95-abcf-ff3d079771c0",
                "type": "Role"
            },
            {
                "id": "3011c876-62b7-4ada-afa2-506cbbecc68c",
                "type": "Role"
		    }
        ]
    }
]

Click Save.
Click API permissions.
Verify that the list contains the required permissions.
Click Grant admin consent for <tenant name> and then click Yes to confirm. Admin consent is required to make the added permissions effective.

Assign Exchange roles to the app

The app requires the following admin roles to manage Exchange Online.

Role
Reason
Mail Recipients
Manage existing mailboxes, mail users, and mail contacts. Verify that all the required roles are assigned to the Adaxes application in Exchange Online.
Mail Recipient Creation
Create mailboxes, mail users, mail contacts, and distribution groups.
Distribution Groups
Create and manage distribution groups and their members.
Security Group Creation and Membership
Create and manage mail-enabled security groups and their members.
Move Mailboxes
Move mailboxes between servers in an organization.
Retention Management
Manage retention policies.
Organization Client Access
Define which Exchange ActiveSync mobile devices are allowed.

There is a slight caveat – you cannot assign Exchange admin roles directly to an Entra app. You need to first create a corresponding Exchange service principal, and then assign the roles to this principal. This can only be done via PowerShell.

Launch Windows PowerShell on the computer where the ExchangeOnlineManagement PowerShell module is installed.
Execute the following script. It will create an Exchange service principal for your app if there isn't already one, combine the required roles into a role group, and add the app to the role group.

In the script:
- $applicationId – the identifier of the app registration in Entra ID.
- $entraServicePrincipalId – the identifier of the Entra service principal of the app.
  How to obtain the application and service principal identifiers
  1. Open the Microsoft Entra admin center.
  2. Navigate to and open the Enterprise applications service.
  3. Locate your application and click it.
  4. The app registration and service principal identifiers will be displayed in the Properties section, in the Application ID and Object ID fields respectively.
  Important
  
  Do not confuse these identifiers with the ones on the app page of the App registrations service. Those identifiers are different and will not work.
- $displayName – a user-friendly display name for the new service principal.
- $roleGroupName – the name of the new role group that will contain all the permissions required by Adaxes. For example, Adaxes app permissions.
```
$applicationId = "<appID>"
$entraServicePrincipalId = "<objectID>"
$displayName = "<displayName>"
$roleGroupName = "<roleGroupName>"

$roles = @(
    "Mail Recipients",
    "Mail Recipient Creation",
    "Distribution Groups",
    "Security Group Creation and Membership",
    "Move Mailboxes",
    "Retention Management",
    "Organization Client Access"
)

Connect-ExchangeOnline
try 
{
    $servicePrincipal = Get-ServicePrincipal -Identity $applicationId -ErrorAction Stop
}
catch 
{
    $servicePrincipal = New-ServicePrincipal `
        -AppId $applicationId -ObjectId $entraServicePrincipalId -DisplayName $displayName
}
New-RoleGroup -Name $roleGroupName -Roles $roles -Members $servicePrincipal.Identity
```
Finally, go back to the Adaxes administration console, click Next, and follow the instructions in the wizard.