Grant Permissions to Perform Office 365 Management Tasks

Using Adaxes, you can delegate Office 365 management tasks to users. In this tutorial, you will learn how to allow users to activate and deactivate accounts in Office 365, as well as assign and revoke Office 365 licenses. To allow such operations, you need to create a Security Role that grants permissions to modify Office 365 properties of user accounts.

By default, some built-in Security Roles contain the Write All Properties or Full Control permissions, which allow modifying Office 365 properties, among other operations. This means that when you assign such roles to someone, you also grant the permission to perform all Office 365 management tasks.

Launch Adaxes Administration Console, right-click your Adaxes service, point to New and click Security Role. The Create Security Role wizard will open.


Enter a name for the new Role and click Next.

In order to add permissions to the new Role, click Add.


Select the User object type.


In the right-hand portion of the dialog, select the permissions you want to grant:

  • To have full control over Office 365 accounts, users need to be able to modify all Office 365 properties. To grant such permission, select the Write Office 365 Properties permission in the Allow column.

  • If you want to restrict users to perform specific operations only, you need to grant the permission to modify the Office 365 property that corresponds to the operation you need. The following table shows which operation corresponds to which permission:

    Operation                          Permission
    ---------------------------------  ---------------------------------------------
    Activate account, set location     Write 'Office 365 Location' property
    Assign / Revoke licenses           Write 'Office 365 Licenses' property
    Allow / block access to Office 365 Write 'Office 365 Sign-In Blocked' property

    To grant permissions for the operation you need:

    • Check the Show all properties option located under the Property-specific permissions list.
    • Type Office 365 in the filter edit box to filter out permissions unrelated to Office 365.
    • Select the Allow column for the necessary permission. For example, if you want to allow modifying Office 365 licenses assigned to users, check the Write 'Office 365 Licenses' Property permission in the Allow column.

When done, click OK and Next.

Now, you need to assign the Security Role to users and specify the Active Directory scope where they can apply the role permissions. At the Assign Role page, select the users to whom you want to grant the permissions of the role.
  • To allow a specific user or group to manage Office 365 accounts, select it in the Assign to list.

    To quickly find a user or group, type its name in the search field and click the button.
  • To allow managers to manage Office 365 accounts of their subordinates, select Manager. A user's manager is specified in the Manager property of the user's Active Directory account.

    If you change the manager for a user, the previous manager will lose, and the new manager will gain the rights granted by the role.

  • To allow users to manage their own Office 365 accounts, select Self.

    To have more control over Office 365 accounts managed by users themselves, you can configure a Business Rule that will automatically request an approval when users modify their Office 365 accounts.

When done, click Assign.

In the Role Activity Scope dialog that opens, you need to select where the specified users will be able to perform the operations allowed by the Security Role.

You can select the following items:

  • All Objects - select to allow the operations on Office 365 accounts of all users in all domains managed by Adaxes.

  • Domain - select a domain to allow the operations on Office 365 accounts of users located in the selected domain. When you select a domain, the Assignment Options dialog appears.

    The only applicable option here is All objects in this Domain. It means that the permissions granted by the role will be applied to all users in the selected domain. Click OK.

  • OU or Container - select an Organizational Unit or container to allow the operations on users located in the selected OU. If you select an OU, specify the assignment scope in the Assignment Options dialog.

    By default, the permissions of the role will be effective for all users in the OU at any nesting level. To grant permissions for the direct children of the OU only, check Immediate child objects only.

    When done, click OK.

  • Group - select a group to allow the operations on Office 365 accounts of users who are members of the group. If you select a group, specify the assignment scope in the Assignment Options dialog.

    By default, the permissions of the role will be effective for all members of the group, including members of the nested groups. To grant permissions for the direct members only, check Direct members only.

    When done, click OK.

  • Business Unit - select a Business Unit to allow the operations on Office 365 accounts of users who are members of the selected Business Unit. To view available Business Units, select the Business Units item in the Look in drop-down list.

    When you select a Business Unit, the Assignment Options dialog appears.

    In this case, the only applicable option is Members of this Business Unit. It means that the permissions will be applied to all members of the selected Business Unit. Click OK.

Select the object you need and click Add. When finished, click OK.
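
Before assigning the role to Manager over an OU scope, it helps to preview which managers would receive rights over which accounts. The following PowerShell is an added example, not part of the Adaxes documentation or API: it uses the standard ActiveDirectory module, the function name Get-ManagerDelegationPreview and the OU path are hypothetical, and it assumes the OU scope options correspond to LDAP Subtree and OneLevel searches.

```powershell
# Added example: preview the effect of assigning a role to "Manager" over an OU.
# Reads Active Directory only; it does not query or change Adaxes role assignments.
Import-Module ActiveDirectory

function Get-ManagerDelegationPreview {
    param(
        [Parameter(Mandatory)] [string] $ScopeDN,   # OU or container chosen as the activity scope
        [switch] $ImmediateChildrenOnly             # mirrors "Immediate child objects only" (assumption)
    )

    # Default scope covers every nesting level; the switch limits it to direct children.
    $searchScope = if ($ImmediateChildrenOnly) { 'OneLevel' } else { 'Subtree' }
    $users = @(Get-ADUser -SearchBase $ScopeDN -SearchScope $searchScope `
                          -Filter * -Properties Manager)

    # Users with a Manager value are the accounts a manager would be able to modify.
    $delegations = $users | Where-Object { $_.Manager } |
        Group-Object -Property Manager | ForEach-Object {
            [pscustomobject]@{
                Manager        = $_.Name    # distinguished name of the manager
                ManagedCount   = $_.Count
                ManagedUsers   = ($_.Group.SamAccountName | Sort-Object) -join ', '
                # False means the manager's own account lives outside the reviewed scope.
                ManagerInScope = ($users.DistinguishedName -contains $_.Name)
            }
        } | Sort-Object -Property ManagedCount -Descending

    # Users without a Manager value get no manager-based delegation at all.
    $unmanaged = @($users | Where-Object { -not $_.Manager } |
                   Select-Object -ExpandProperty SamAccountName)

    [pscustomobject]@{
        Scope               = $ScopeDN
        SearchScope         = $searchScope
        Delegations         = @($delegations)
        UsersWithoutManager = $unmanaged
    }
}

# Placeholder distinguished name; replace with the OU you plan to select.
$preview = Get-ManagerDelegationPreview -ScopeDN 'OU=Staff,DC=example,DC=com'
$preview.Delegations | Format-Table Manager, ManagedCount, ManagerInScope -AutoSize
$preview.UsersWithoutManager
```

Running it again with -ImmediateChildrenOnly shows how much narrower the set of affected accounts becomes when nested OUs are excluded.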


When you delegate Office 365 account management to users, you can also customize Adaxes Web Interface to simplify Office 365 management tasks for them.

Apart from Office 365 account management, Adaxes also allows management of Exchange Online mailboxes. If you also want to delegate management of Exchange Online mailboxes, see Grant Permissions to Perform Exchange Tasks for more information.