Register Adaxes as an app in Microsoft Azure

To register an Azure AD domain or a Microsoft 365 tenant in Adaxes, you have to first register Adaxes as an app in Microsoft Azure. This establishes a trust between Adaxes and the Microsoft identity platform, and allows Adaxes to manage your domain or Microsoft 365 tenant. The process consists of three steps – create an application in Azure, add API permissions, and assign roles to the application.

Create application

  1. Sign in to the Azure portal.

  2. Navigate to and open the App registrations service.

    To quickly locate the service, type App registrations in the Search field.

  3. Click New registration.

  4. Enter the application name (e.g. Adaxes), and click Register.

  5. Copy the Application (client) ID and paste it into the Application (client) ID field in Adaxes Administration console.

  6. Copy the Directory (tenant) ID and paste it into the Directory (tenant) ID field in Adaxes Administration console.

  7. Back on the app page in the Azure Portal, click Add a certificate or secret.

  8. Click New client secret and then click Add.

  9. Copy the client secret Value and paste it into the Client secret field in Adaxes Administration console.

Do not click Next in the Administration console yet, as you need to grant the newly registered app the required permissions first.

Add API permissions

The app requires all of the following API permissions for managing Azure AD domains. If you are going to use Adaxes only to manage a Microsoft 365 tenant, i.e. to assign/revoke licenses and manage Exchange Online mailboxes, the Exchange.ManageAsApp permission is sufficient.

  Permission              Reason
  Exchange.ManageAsApp    To allow Adaxes to connect to Exchange Online.
  AuditLog.Read.All       To read users' last sign in information.
  Sites.ReadWrite.All     To modify properties stored in external sources e.g. employee hire date stored in SharePoint.
  Group.ReadWrite.All     To modify group properties stored in external sources.
  User.ReadWrite.All      To read/write user photo.

  1. On the app page in the Azure Portal, click Manifest.

  2. Locate the requiredResourceAccess key in the JSON manifest and set it to the following value.

    Azure AD / Microsoft 365
    "requiredResourceAccess": [
        {
            "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
            "resourceAccess": [
                {
                    "id": "dc50a0fb-09a3-484d-be87-e023b12c6440",
                    "type": "Role"
                }
            ]
        },
        {
            "resourceAppId": "00000003-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "62a82d76-70ea-41e2-9197-370581804d09",
                    "type": "Role"
                },
                {
                    "id": "9492366f-7969-46a4-8d15-ed1a20078fff",
                    "type": "Role"
                },
                {
                    "id": "741f803b-c850-494e-b5df-cde7c675a1ca",
                    "type": "Role"
                },
                {
                    "id": "b0afded3-3588-46d8-8b3d-9842eff778da",
                    "type": "Role"
                }
            ]
        }
    ]
    
    Microsoft 365 only
    "requiredResourceAccess": [
        {
            "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
            "resourceAccess": [
                {
                    "id": "dc50a0fb-09a3-484d-be87-e023b12c6440",
                    "type": "Role"
                }
            ]
        }
    ]
    
  3. Click Save.

  4. Click API permissions.

  5. Verify that the list contains the required permissions.

  6. Click Grant admin consent for <tenant name>. Admin consent is required to make the added permissions effective.
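
One way to script the check in step 5, as an added example that is not part of the Adaxes documentation: it reads an exported app manifest and reports which of the permissions listed above are missing and which entries go beyond them. The GUID-to-name mapping pairs the IDs in the manifest above with Microsoft's published app role IDs; the function name, the profile names and the sample manifest are assumptions made for this example.

```python
import json

EXCHANGE = "00000002-0000-0ff1-ce00-000000000000"  # Office 365 Exchange Online
GRAPH = "00000003-0000-0000-c000-000000000000"     # Microsoft Graph

# (resourceAppId, app role id) -> permission name, for the IDs in the manifest above.
ROLE_NAMES = {
    (EXCHANGE, "dc50a0fb-09a3-484d-be87-e023b12c6440"): "Exchange.ManageAsApp",
    (GRAPH, "62a82d76-70ea-41e2-9197-370581804d09"): "Group.ReadWrite.All",
    (GRAPH, "9492366f-7969-46a4-8d15-ed1a20078fff"): "Sites.ReadWrite.All",
    (GRAPH, "741f803b-c850-494e-b5df-cde7c675a1ca"): "User.ReadWrite.All",
    (GRAPH, "b0afded3-3588-46d8-8b3d-9842eff778da"): "AuditLog.Read.All",
}
# Hypothetical profile names for the two manifests on this page.
PROFILES = {
    "azure_ad": set(ROLE_NAMES.values()),
    "m365_only": {"Exchange.ManageAsApp"},
}

def audit_manifest(manifest_text, profile="azure_ad"):
    """Return (missing, unexpected) permission lists for an exported app manifest."""
    expected = PROFILES[profile]
    granted, unexpected = set(), []
    manifest = json.loads(manifest_text)
    for resource in manifest.get("requiredResourceAccess", []):
        app_id = resource.get("resourceAppId", "").lower()
        for access in resource.get("resourceAccess", []):
            role_id = access.get("id", "").lower()
            name = ROLE_NAMES.get((app_id, role_id))
            # Only application permissions (type "Role") that the profile expects pass.
            if access.get("type") == "Role" and name in expected:
                granted.add(name)
            else:
                unexpected.append(name or f"{app_id}/{role_id}")
    return sorted(expected - granted), sorted(unexpected)

# Constructed sample: one Graph permission requested, plus a placeholder extra role.
SAMPLE = json.dumps({"requiredResourceAccess": [
    {"resourceAppId": EXCHANGE, "resourceAccess": [
        {"id": "dc50a0fb-09a3-484d-be87-e023b12c6440", "type": "Role"}]},
    {"resourceAppId": GRAPH, "resourceAccess": [
        {"id": "741f803b-c850-494e-b5df-cde7c675a1ca", "type": "Role"},
        {"id": "11111111-1111-1111-1111-111111111111", "type": "Role"}]},
]})

if __name__ == "__main__":
    missing, unexpected = audit_manifest(SAMPLE)
    print("missing:", missing)
    print("unexpected:", unexpected)
```

The manifest only shows which permissions the app requests; whether admin consent has been granted is shown on the API permissions page.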

Assign roles to the app

As the final step, you need to assign the following Azure AD roles to the app. These roles support application authentication and provide the rest of the required permissions. You have two options.

  • Global administrator
    or
  • Exchange administrator and User administrator

  1. Go back to the Azure portal home page.

  2. Navigate to and open the Azure AD roles and administrators service.

    To quickly locate the service, type Azure AD roles and administrators in the Search field.

  3. Click on the role you want to assign.

  4. Click Add assignments.

  5. Assign the role to the app you've just registered.

  6. In Adaxes Administration console, click Next and follow the instructions in the wizard to complete the domain/tenant registration.

Azure AD roles might not become effective immediately. If you encounter an insufficient permissions error in Adaxes, wait several minutes and click Next again.