#Manage Tenants

On the Integrations > Microsoft CSP > Tenants page, you can find the following information:

• Display name – The display name of the Microsoft 365 tenant.

• Primary domain name – The primary domain associated with the Microsoft 365 tenant.

• Microsoft ID – The unique Microsoft-generated identifier for the Microsoft 365 tenant.

• Tenant status in Microsoft CSP – The current tenant status within Microsoft CSP.

• Customer – The customer account to which Microsoft 365 tenant belongs.

• Admin app consent – The current authorization status of the admin app.

To effectively manage tenants, you can follow these recommended steps and procedures:

1. To ensure regular updates, Elements automatically syncs tenants from Microsoft CSP partner accounts every day. If immediate synchronization is required, you can manually initiate the process by clicking Sync tenants from CSP.

2. Before onboarding customers or adding services, you must first push an admin app to each target tenant. Select the desired tenant, click Authorize, and then click Push and closeto initiate the authorization process. For a mapped tenant, the authorization process will also push all application app profiles to the tenant.

   The following table lists the permissions required by the admin app pushed to the tenant.

   API	Permission	Type
   Azure Resource Manager	user_impersonation (Access Azure Resource Manager as organization users)	Delegated
   Commercial environment: Dynamics CRM GCC or GCC High environment: Dataverse	user_impersonation (Access Common Data Service as organization users)	Delegated
   Microsoft Graph	AppCatalog.ReadWrite.All (Read and write to all app catalogs)	Delegated
   Microsoft Graph	ChannelMember.ReadWrite.All (Add and remove members from channels)	Delegated
   Microsoft Graph	ChannelMessage.Send (Send channel messages)	Delegated
   Microsoft Graph	DeviceManagementConfiguration.ReadWrite.All (Read and write Microsoft Intune Device Configuration and Policies)	Delegated
   Microsoft Graph	DeviceManagementServiceConfig.ReadWrite.All (Read and write Microsoft Intune configuration)	Delegated
   Microsoft Graph	Directory.AccessAsUser.All (Access directory as the signed-in user)	Delegated
   Microsoft Graph	Directory.Read.All (Read directory data)	Delegated
   Microsoft Graph	Group.ReadWrite.All (Read and write all groups)	Delegated
   Microsoft Graph	PeopleSettings.ReadWrite.All (Read and write tenant-wide people settings)	Delegated
   Microsoft Graph	Policy.ReadWrite.DeviceConfiguration (Read and write your organization's device configuration policies)	Delegated
   Microsoft Graph	Policy.ReadWrite.MobilityManagement (Read and write your organization's mobility management policies)	Delegated
   Microsoft Graph	TeamMember.ReadWrite.All (Add and remove members from teams)	Delegated
   Microsoft Graph	TeamSettings.ReadWrite.All (Read and change all Teams' settings)	Delegated
   Office 365 Exchange Online	Exchange.Manage (Manage Exchange configuration)	Delegated
   SharePoint	AllSites.FullControl (Have full control of all site collections)	Delegated
   Power BI Service	Capacity.Read.All (View all capacities)	Delegated
   Power BI Service	Dashboard.ReadWrite.All (Read and write all dashboards)	Delegated
   Power BI Service	Dataflow.ReadWrite.All (Read and write all dataflows)	Delegated
   Power BI Service	Dataset.ReadWrite.All (Read and write all datasets)	Delegated
   Power BI Service	Report.ReadWrite.All (Read and write all reports)	Delegated
   Power BI Service	Tenant.ReadWrite.All (Read and write all content in tenant)	Delegated
   Power BI Service	Workspace.ReadWrite.All (View and write all workspaces)	Delegated
   PowerApps Service	User (Access the PowerApps Service API)	Delegated
   Skype and Teams Tenant Admin API	user_impersonation (Access Microsoft Teams and Skype for Business data as the signed in user)	Delegated
   Viva Engage	access_as_user (Read and write to the Yammer platform)	Delegated
   Viva Engage	user_impersonation (Read and write to the Yammer platform)	Delegated

3. If a tenant is already registered in AvePoint Online Services, the associated customer account will be automatically mapped to the tenant, and this customer-to-tenant mapping cannot be modified. For an unregistered tenant, you must manually onboard a customer and map it to the tenant.

   To manually onboard and map a customer to a tenant, select the tenant and click Onboard and map customers. Complete the customer information and click Invite and close. Once onboarded, the customer account will appear in the customers list. Search for the customer by organization name and select the target customer account. Click Apply changes to apply the updates. Once applied, the customer-to-tenant mapping cannot be modified.

4. Add the desired service to the tenant. For detailed information, refer to the corresponding sections below.

#Add Cloud Backup for Microsoft 365 service

To add the Cloud Backup for Microsoft 365 service to a tenant, select the tenant and click Add services. Enable the toggle of the Cloud Backup for Microsoft 365 service and click Continue. Complete the subscription information for this service, and click Save and continue. The AvePoint Cloud Backup for Microsoft365 (All Permissions) app will be registered in the Microsoft Entra admin center. For permissions required by the app, refer to API permissions required by Cloud Backup for Microsoft 365 (All Permissions) app.

• Subscription type – Select the subscription type for this service: Trial or Subscription.

• Storage – Choose to use the customer’s own storage or AvePoint storage.

• Storage profile – Select a storage profile from the drop-down list. If there is no storage profile, click Create a profile to create one. For more information about storage profiles, refer to Manage Storage Profiles.

  This field only appears while choosing to use the customer’s own storage for Cloud Backup for Microsoft 365.

• Retention – If the customer uses AvePoint storage, configure the data retention by choosing one of the following options:

  • Retain data for _ years – The data generated within the specific years will be kept. The time to keep data is determined by the subscriptions you purchased from AvePoint.

  • Unlimited retention – All data will be kept without any pruning.

    This option is available when you assign the trial subscription. For Subscription type, it is determined by the subscriptions you purchased from AvePoint.

• Add subscription for Microsoft 365 services – If you have a pooled subscription for Microsoft 365 services, you can click this button to add the Microsoft 365 services subscription for the customer. The following information can be configured additionally:

  • Source – Select a value to indicate the source of your subscription.

  • Subscription model – Select the subscription model for the customer.

  • User seats/Purchased capacity – Enter the number of user seats or capacity that you want to assign based on your subscription model.

• Add subscription for Power Platform – If you have a pooled subscription for Power Platform, you can click this button to add the Power Platform subscription for the customer. The following information can be configured additionally:

  • Type – Select the type for the subscription.

  • Limit – Enter a number to define the limit of the subscription.

• Subscription expiration date – By default, Same as pooled subscription is selected to keep the same expiration date as the pooled subscription. You can select Expire now or select Specify a time to set an expiration date for the customer’s subscription.

• Contract end date – Click the calendar button and select the contract end date.

#Add Baseline management service

To add the baseline management service to a tenant, select the tenant and click Add services. Enable the toggle of the Baseline management service and click Continue. Complete the subscription information for this service, and click Save and continue. The APElements Baseline Management app will be registered in the Microsoft Entra admin center.

• Subscription type – Select the subscription type for this service: Trial or Subscription.

  NOTE

  For Trial, you can assign up to 5 customers, and the subscription expiration date is fixed. This number is calculated among all premium services.

• Source – Select a value to indicate the source of your subscription.

• Payment type – Select the payment type.

• Tenants – Select the number of tenants you want to assign the subscription.

• Subscription expiration date – By default, Same as pooled subscription is selected to keep the same expiration date as the pooled subscription. You can select Expire now or select Specify a time to set an expiration date for the customer’s subscription.

• Contract end date – Click the calendar button and select the contract end date.

The following table lists the permissions required by the APElements Baseline Management app.

API	Permission	Type
Microsoft Graph	Application.ReadWrite.All (Read and write all terms of use agreements)	Application
Microsoft Graph	CustomSecAttributeDefinition.ReadWrite.All (Read and write custom security attribute definitions)	Application
Microsoft Graph	DeviceManagementApps.ReadWrite.All (Read and write Microsoft Intune apps)	Application
Microsoft Graph	DeviceManagementConfiguration.ReadWrite.All (Read and write Microsoft Intune device configuration and policies)	Application
Microsoft Graph	DeviceManagementManagedDevices.ReadWrite.All (Read and write Microsoft Intune devices)	Application
Microsoft Graph	DeviceManagementRBAC.ReadWrite.All (Read and write Microsoft Intune RBAC settings)	Application
Microsoft Graph	DeviceManagementServiceConfig.ReadWrite.All (Read and write Microsoft Intune configuration)	Application
Microsoft Graph	Directory.ReadWrite.All (Read and write directory data)	Application
Microsoft Graph	Group.Create (Create groups)	Application
Microsoft Graph	Group.ReadWrite.All (Read and write all groups)	Application
Microsoft Graph	GroupMember.ReadWrite.All (Read and write all group memberships)	Application
Microsoft Graph	IdentityRiskEvent.ReadWrite.All (Read and write all risk detection information)	Application
Microsoft Graph	IdentityRiskyServicePrincipal.ReadWrite.All (Read and write all identity risky service principal information)	Application
Microsoft Graph	IdentityRiskyUser.ReadWrite.All (Read and write all risky user information)	Application
Microsoft Graph	Organization.ReadWrite.All (Read and write organization information)	Application
Microsoft Graph	OrganizationalBranding.ReadWrite.All (Read and write organizational branding information)	Application
Microsoft Graph	Policy.Read.All (Read your organization's policies)	Application
Microsoft Graph	Policy.ReadWrite.AccessReview (Read and write your organization's directory access review default policy)	Application
Microsoft Graph	Policy.ReadWrite.ApplicationConfiguration (Read and write your organization's application configuration policies)	Application
Microsoft Graph	Policy.ReadWrite.AuthenticationFlows (Read and write authentication flow policies)	Application
Microsoft Graph	Policy.ReadWrite.AuthenticationMethod (Read and write all authentication method policies)	Application
Microsoft Graph	Policy.ReadWrite.Authorization (Read and write your organization’s authorization policy)	Application
Microsoft Graph	Policy.ReadWrite.ConditionalAccess (Read and write your organization's conditional access policies.)	Application
Microsoft Graph	RoleManagement.ReadWrite.Directory (Read and write all directory RBAC settings)	Application
Microsoft Graph	User.ReadWrite.All (Read and write all users’ full profiles)	Application
Microsoft Graph	Application.ReadWrite.OwnedBy (Manage apps that this app creates or owns)	Application
Microsoft Graph	IdentityProvider.ReadWrite.All (Read and write identity providers)	Application
Microsoft Graph	Policy.ReadWrite.ExternalIdentities (Read and write your organization's external identities policy)	Application
Microsoft Graph	RoleManagementPolicy.ReadWrite.Directory (Read, update, and delete all policies for privileged role assignments of your company's directory)	Application
Microsoft Graph	Policy.ReadWrite.CrossTenantAccess (Read and write your organization’s cross tenant access policy)	Application
Microsoft Graph	SharePointTenantSettings.ReadWrite.All (Read and change SharePoint and OneDrive tenant settings)	Application
Microsoft Graph	OrgSettings-Forms.ReadWrite.All (Read and write organization-wide Microsoft Forms settings)	Application
Microsoft Graph	OrgSettings-AppsAndServices.ReadWrite.All (Read and write organization-wide apps and services settings)	Application
Microsoft Graph	OrgSettings-Todo.ReadWrite.All (Read and write organization-wide Microsoft To Do settings)	Application
Microsoft Graph	ReportSettings.ReadWrite.All (Read and write all admin report settings)	Application
Microsoft Graph	OrgSettings-Microsoft365Install.ReadWrite.All (Read and write organization-wide Microsoft 365 apps installation settings)	Application
Microsoft Graph	OrgSettings-DynamicsVoice.ReadWrite.All (Read and write organization-wide Dynamics customer voice settings)	Application
Microsoft Graph	SecurityEvents.Read.All (Read your organization's security events)	Application
Office 365 Exchange Online	Exchange.ManageAsApp (Manage Exchange as application)	Application
Skype and Teams Tenant Admin API	application_access (application_access)	Application
ProjectWorkManagement	OrgSettings-Planner.ReadWrite.All (Read and write organization-wide Microsoft Planner settings)	Application
SharePoint	Sites.FullControl.All (Have full control of all site collections)	Application

Source	Configuration	Property
Microsoft 365	DeviceConditionalAccessPolicy	Comment
Microsoft 365	DeviceConditionalAccessPolicy	Enabled
Microsoft 365	DeviceConditionalAccessPolicy	Name
Microsoft 365 Admin	OrgSettings > MicrosoftPlanner	PlannerAllowCalendarSharing
Microsoft 365 Admin	OrgSettings > Reports	AdminCenterReportDisplayConcealedNames
Microsoft Entra ID	AuthenticationFlowsPolicy	SelfServiceSignUpEnabled
Microsoft Entra ID	B2BManagementPolicy	InvitationsAllowedAndBlockedDomainsPolicy
Microsoft Entra ID	ActivityBasedTimeoutPolicies	DisplayName (Key)
Microsoft Entra ID	ActivityBasedTimeoutPolicies	Id
Microsoft Entra ID	ActivityBasedTimeoutPolicies	AzurePortalTimeOut
Microsoft Entra ID	ActivityBasedTimeoutPolicies	DefaultTimeOut
Microsoft Entra ID	Directorysettings	DisplayName
Microsoft Entra ID	Directorysettings	Id
Microsoft Entra ID	Directorysettings	Settings
Microsoft Entra ID	Directorysettings	TemplateId

#Add User and device management service

To add the user and device management service to a tenant, select the tenant and click Add services. Enable the toggle of the User and device management service and click Continue. Complete the subscription information for this service, and click Next. Select a tenant type, Cloud only or Hybrid, and click Save. Keep in mind that once a tenant type is defined, it cannot be altered. Please configure it carefully.

• Subscription type – Select the subscription type for this service: Trial or Subscription.

  NOTE

  For Trial, you can assign up to 5 customers, and the subscription expiration date is fixed. This number is calculated among all premium services.

• Source – Select a value to indicate the source of your subscription.

• Payment type – Select the payment type.

• Tenants – Select the number of tenants you want to assign the subscription.

• Subscription expiration date – By default, Same as pooled subscription is selected to keep the same expiration date as the pooled subscription. You can select Expire now or select Specify a time to set an expiration date for the customer’s subscription.

• Contract end date – Click the calendar button and select the contract end date.

The following table lists the permissions required by the APElements Security and Analysis app.

API	Permission	Type
Azure Rights Management Services	Content.DelegatedReader (Read protected content on behalf of a user)	Application
Azure Rights Management Services	Content.SuperUser (Read all protected content for this tenant)	Application
Microsoft Graph	AdministrativeUnit.ReadWrite.All (Read and write administrative units)	Application
Microsoft Graph	AuditLog.Read.All (Read all audit log data)	Application
Microsoft Graph	CallRecords.Read.All (Read all call records)	Application
Microsoft Graph	Channel.ReadBasic.All (Read the names and descriptions of all channels)	Application
Microsoft Graph	ChannelMember.Read.All (Read the members of all channels)	Application
Microsoft Graph	ChannelSettings.ReadWrite.All (Read and write the names, descriptions, and settings of all channels)	Application
Microsoft Graph	Directory.ReadWrite.All (Read and write directory data)	Application
Microsoft Graph	Files.Read.All (Read files in all site collections)	Application
Microsoft Graph	Group.ReadWrite.All (Read and write all groups)	Application
Microsoft Graph	GroupMember.ReadWrite.All (Read and write all group memberships)	Application
Microsoft Graph	InformationProtectionPolicy.Read.All (Read all published labels and label policies for an organization)	Application
Microsoft Graph	Reports.Read.All (Read all usage reports)	Application
Microsoft Graph	RoleManagement.ReadWrite.Directory (Read and write all directory RBAC settings)	Application
Microsoft Graph	Sites.ReadWrite.All (Read and write items in all site collections)	Application
Microsoft Graph	Team.ReadBasic.All (Get a list of all Teams)	Application
Microsoft Graph	TeamMember.ReadWrite.All (Add and remove members from all Teams)	Application
Microsoft Graph	TeamSettings.ReadWrite.All (Read and change all Teams' settings)	Application
Microsoft Graph	User.ReadWrite.All (Read and write all users’ full profiles)	Application
Microsoft Graph	ReportSettings.Read.All (Read all admin report settings)	Application
Microsoft Graph	Policy.ReadWrite.AuthenticationMethod (Read and write all authentication method policies)	Application
Microsoft Graph	BitlockerKey.Read.All (Read BitLocker keys)	Application
Microsoft Graph	Device.ReadWrite.All (Read and write devices)	Application
Microsoft Graph	DeviceManagementApps.ReadWrite.All (Read and write Microsoft Intune apps)	Application
Microsoft Graph	DeviceManagementConfiguration.ReadWrite.All (Read and write Microsoft Intune device configuration and policies)	Application
Microsoft Graph	DeviceManagementManagedDevices.PrivilegedOperations.All (Perform user-impacting remote actions on Microsoft Intune devices)	Application
Microsoft Graph	DeviceManagementManagedDevices.ReadWrite.All (Read and write Microsoft Intune devices)	Application
Microsoft Graph	DeviceManagementServiceConfig.ReadWrite.All (Read and write Microsoft Intune configuration)	Application
Microsoft Graph	Policy.ReadWrite.DeviceConfiguration (Read and write your organization's device configuration policies)	Application
Microsoft Graph	UserAuthenticationMethod.ReadWrite.All (Read and write all users' authentication methods)	Application
Microsoft Graph	Policy.Read.All (Read your organization's policies)	Application
Microsoft Information Protection Sync Service	UnifiedPolicy.Tenant.Read (Read all unified policies of the tenant)	Application
Office 365 Exchange Online	Exchange.ManageAsApp (Manage Exchange as application)	Application
Office 365 Exchange Online	full_access_as_app (Use Exchange Web Services with full access to all mailboxes)	Application
Office 365 Management APIs	ActivityFeed.Read (Read activity data for your organization)	Application
Power BI Service	Tenant.Read.All (View all content in tenant)	Application
SharePoint	Sites.FullControl.All (Have full control of all site collections)	Application
SharePoint	User.ReadWrite.All (Read and write user profiles)	Application

#Add Workspace management service

To add the workspace management service to a tenant, select the tenant and click Add services. Enable the toggle of the Workspace management and/or Workspace management - Storage optimization service and click Continue. Complete the subscription information for this service, and click Next.

• Subscription type – Select the subscription type for this service: Trial or Subscription.

  NOTE

  For Trial, the subscription expiration date is fixed.

• Source – Select a value to indicate the source of your subscription.

• Payment type – Select the payment type.

• User seats – Select the number of users you want to assign the Workspace management subscription.

• Capacity – Configure the capacity for the Workspace management - Storage optimization subscription.

• Subscription expiration date – By default, Same as pooled subscription is selected to keep the same expiration date as the pooled subscription. You can select Expire now or select Specify a time to set an expiration date for the customer’s subscription.

• Contract end date – Click the calendar button and select the contract end date.

Click Save and continue to add the services. You can then go to the process center to check the progress.

The following table lists the permissions required by the APElements Security and Analysis app.

API	Permission	Type
Azure Rights Management Services	Content.DelegatedReader (Read protected content on behalf of a user)	Application
Azure Rights Management Services	Content.SuperUser (Read all protected content for this tenant)	Application
Microsoft Graph	AdministrativeUnit.ReadWrite.All (Read and write administrative units)	Application
Microsoft Graph	AuditLog.Read.All (Read all audit log data)	Application
Microsoft Graph	CallRecords.Read.All (Read all call records)	Application
Microsoft Graph	Channel.ReadBasic.All (Read the names and descriptions of all channels)	Application
Microsoft Graph	ChannelMember.Read.All (Read the members of all channels)	Application
Microsoft Graph	ChannelSettings.ReadWrite.All (Read and write the names, descriptions, and settings of all channels)	Application
Microsoft Graph	Directory.ReadWrite.All (Read and write directory data)	Application
Microsoft Graph	Files.Read.All (Read files in all site collections)	Application
Microsoft Graph	Group.ReadWrite.All (Read and write all groups)	Application
Microsoft Graph	GroupMember.ReadWrite.All (Read and write all group memberships)	Application
Microsoft Graph	InformationProtectionPolicy.Read.All (Read all published labels and label policies for an organization)	Application
Microsoft Graph	Reports.Read.All (Read all usage reports)	Application
Microsoft Graph	RoleManagement.ReadWrite.Directory (Read and write all directory RBAC settings)	Application
Microsoft Graph	Sites.ReadWrite.All (Read and write items in all site collections)	Application
Microsoft Graph	Team.ReadBasic.All (Get a list of all Teams)	Application
Microsoft Graph	TeamMember.ReadWrite.All (Add and remove members from all Teams)	Application
Microsoft Graph	TeamSettings.ReadWrite.All (Read and change all Teams' settings)	Application
Microsoft Graph	User.ReadWrite.All (Read and write all users’ full profiles)	Application
Microsoft Graph	ReportSettings.Read.All (Read all admin report settings)	Application
Microsoft Graph	Policy.ReadWrite.AuthenticationMethod (Read and write all authentication method policies)	Application
Microsoft Graph	BitlockerKey.Read.All (Read BitLocker keys)	Application
Microsoft Graph	Device.ReadWrite.All (Read and write devices)	Application
Microsoft Graph	DeviceManagementApps.ReadWrite.All (Read and write Microsoft Intune apps)	Application
Microsoft Graph	DeviceManagementConfiguration.ReadWrite.All (Read and write Microsoft Intune device configuration and policies)	Application
Microsoft Graph	DeviceManagementManagedDevices.PrivilegedOperations.All (Perform user-impacting remote actions on Microsoft Intune devices)	Application
Microsoft Graph	DeviceManagementManagedDevices.ReadWrite.All (Read and write Microsoft Intune devices)	Application
Microsoft Graph	DeviceManagementServiceConfig.ReadWrite.All (Read and write Microsoft Intune configuration)	Application
Microsoft Graph	Policy.ReadWrite.DeviceConfiguration (Read and write your organization's device configuration policies)	Application
Microsoft Graph	UserAuthenticationMethod.ReadWrite.All (Read and write all users' authentication methods)	Application
Microsoft Graph	Policy.Read.All (Read your organization's policies)	Application
Microsoft Information Protection Sync Service	UnifiedPolicy.Tenant.Read (Read all unified policies of the tenant)	Application
Office 365 Exchange Online	Exchange.ManageAsApp (Manage Exchange as application)	Application
Office 365 Exchange Online	full_access_as_app (Use Exchange Web Services with full access to all mailboxes)	Application
Office 365 Management APIs	ActivityFeed.Read (Read activity data for your organization)	Application
Power BI Service	Tenant.Read.All (View all content in tenant)	Application
SharePoint	Sites.FullControl.All (Have full control of all site collections)	Application
SharePoint	User.ReadWrite.All (Read and write user profiles)	Application