Manage Tenants

If a tenant is already registered in AvePoint Online Services, the associated customer account will be automatically mapped to the tenant, and this customer-to-tenant mapping cannot be modified. For an unregistered tenant, you must manually onboard a customer and map it to the tenant.

Before onboarding customers or adding services, you must first push an admin app to each target tenant. Select the desired tenant, click Authorize, and then click Push and closeto initiate the authorization process.

To manually onboard and map a customer to a tenant, select the tenant and click Onboard and map customers. Complete the customer information and click Invite and close. Once onboarded, the customer account will appear in the customers list. Search for the customer by organization name and select the target customer account. Click Apply changes to apply the updates. Once applied, the customer-to-tenant mapping cannot be modified.

To add the baseline management service to a tenant, select the tenant and click Add services. Enable the toggle of the service and click Continue. Complete the subscription information for this service, and click Save and continue.

- **Subscription** **type** – Select the subscription type for this service: **Trial** or **Subscription**.

	> ***Note**: For **Trial**, you can assign up to 5 customers, and the subscription expiration date is fixed. This number is calculated among all premium services.

- **Source** – Select a value to indicate the source of your subscription.

- **Payment type** – Select the payment type.

- **Tenants** – Select the number of tenants you want to assign the subscription.

- **Subscription expiration date** – By default, **Same as pooled** **subscription** is selected to keep the same expiration date as the pooled subscription. You can select **Expire now** or select **Specify a time** to set an expiration date for the customer’s subscription.

- **Contract end date** – Click the calendar button and select the contract end date.

*Note: Certain configurations in the baseline management service are not supported for tenants managed through Microsoft CSP integration. Refer to the following table for the detailed configurations.

Source	Configuration	Property
Microsoft 365	DeviceConditionalAccessPolicy	Comment
Microsoft 365	DeviceConditionalAccessPolicy	Enabled
Microsoft 365	DeviceConditionalAccessPolicy	Name
Microsoft 365 Admin	OrgSettings > MicrosoftPlanner‎	PlannerAllowCalendarSharing
Microsoft 365 Admin	OrgSettings > Reports	AdminCenterReportDisplayConcealedNames
Microsoft Entra ID	AuthenticationFlowsPolicy	SelfServiceSignUpEnabled
Microsoft Entra ID	B2BManagementPolicy	InvitationsAllowedAndBlockedDomainsPolicy
Microsoft Entra ID	ActivityBasedTimeoutPolicies	DisplayName (Key)
Microsoft Entra ID	ActivityBasedTimeoutPolicies	Id
Microsoft Entra ID	ActivityBasedTimeoutPolicies	AzurePortalTimeOut
Microsoft Entra ID	ActivityBasedTimeoutPolicies	DefaultTimeOut
Microsoft Entra ID	Directorysettings	DisplayName
Microsoft Entra ID	Directorysettings	Id
Microsoft Entra ID	Directorysettings	Settings
Microsoft Entra ID	Directorysettings	TemplateId

On the Integrations > Microsoft CSP > Tenants page, you can find the following information:

- **Display name** – The display name of the Microsoft 365 tenant.

- **Primary domain name** – The primary domain associated with the Microsoft 365 tenant.

- **Microsoft ID** – The unique Microsoft-generated identifier for the Microsoft 365 tenant.

- **Tenant** **status** **in Microsoft** **CSP** – The current tenant status within Microsoft CSP.

- **Customer** – The customer account to which Microsoft 365 tenant belongs.

- **Admin app consent** – The current authorization status of the admin app.

To ensure regular updates, Elements automatically syncs tenants from Microsoft CSP partner accounts every day. If immediate synchronization is required, you can manually initiate the process by clicking Sync tenants.

The following table lists the permissions required by the admin app pushed to the tenant.

API	Permission	Type
Microsoft Graph	Application.ReadWrite.All(Read and write all applications)	Delegated
Microsoft Graph	DeviceManagementApps.ReadWrite.All(Read and write Microsoft Intune apps)	Delegated
Microsoft Graph	DeviceManagementManagedDevices.ReadWrite.All(Read and write Microsoft Intune devices)	Delegated
Microsoft Graph	DeviceManagementRBAC.ReadWrite.All(Read and write Microsoft Intune RBAC settings)	Delegated
Microsoft Graph	Directory.ReadWrite.All(Read and write directory data)	Delegated
Microsoft Graph	GroupMember.ReadWrite.All(Read and write group memberships)	Delegated
Microsoft Graph	IdentityRiskEvent.ReadWrite.All(Read and write risk event information)	Delegated
Microsoft Graph	IdentityRiskyServicePrincipal.ReadWrite.All(Read and write all identity risky service principal information)	Delegated
Microsoft Graph	IdentityRiskyUser.ReadWrite.All(Read and write risky user information)	Delegated
Microsoft Graph	Organization.ReadWrite.All(Read and write organization information)	Delegated
Microsoft Graph	OrganizationalBranding.ReadWrite.All(Read and write organizational branding information)	Delegated
Microsoft Graph	Policy.Read.All(Read your organization's policies)	Delegated
Microsoft Graph	Policy.ReadWrite.AccessReview(Read and write your organization's directory access review default policy)	Delegated
Microsoft Graph	Policy.ReadWrite.ApplicationConfiguration(Read and write your organization's application configuration policies)	Delegated
Microsoft Graph	Policy.ReadWrite.AuthenticationFlows(Read and write authentication flow policies)	Delegated
Microsoft Graph	Policy.ReadWrite.AuthenticationMethod(Read and write authentication method policies)	Delegated
Microsoft Graph	Policy.ReadWrite.Authorization(Read and write your organization's authorization policy)	Delegated
Microsoft Graph	Policy.ReadWrite.ConditionalAccess(Read and write your organization's conditional access policies)	Delegated
Microsoft Graph	RoleManagement.ReadWrite.Directory(Read and write directory RBAC settings)	Delegated
Microsoft Graph	User.ReadWrite.All(Read and write all users' full profiles)	Delegated
Microsoft Graph	Policy.ReadWrite.DeviceConfiguration(Read and write your organization's device configuration policies)	Delegated
Microsoft Graph	DeviceManagementServiceConfig.ReadWrite.All(Read and write Microsoft Intune configuration)	Delegated
Microsoft Graph	DeviceManagementConfiguration.ReadWrite.All(Read and write Microsoft Intune Device Configuration and Policies)	Delegated
Microsoft Graph	IdentityProvider.ReadWrite.All(Read and write identity providers)	Delegated
Microsoft Graph	Policy.ReadWrite.ExternalIdentities(Read and write your organization's external identities policy)	Delegated
Microsoft Graph	RoleManagementPolicy.ReadWrite.Directory(Read, update, and delete all policies for privileged role assignments of your company's directory)	Delegated
Microsoft Graph	Policy.ReadWrite.CrossTenantAccess(Read and write your organization's cross tenant access policies)	Delegated
Microsoft Graph	SharePointTenantSettings.ReadWrite.All(Read and change SharePoint and OneDrive tenant settings)	Delegated
Microsoft Graph	OrgSettings-Forms.ReadWrite.All(Read and write organization-wide Microsoft Forms settings)	Delegated
Microsoft Graph	OrgSettings-AppsAndServices.ReadWrite.All(Read and write organization-wide apps and services settings)	Delegated
Microsoft Graph	OrgSettings-Todo.ReadWrite.All(Read and write organization-wide Microsoft To Do settings)	Delegated
Microsoft Graph	ReportSettings.ReadWrite.All(Read and write admin report settings)	Delegated
Microsoft Graph	OrgSettings-Microsoft365Install.ReadWrite.All(Read and write organization-wide Microsoft 365 apps installation settings)	Delegated
Microsoft Graph	OrgSettings-DynamicsVoice.ReadWrite.All(Read and write organization-wide Dynamics customer voice settings)	Delegated
Microsoft Graph	Policy.ReadWrite.MobilityManagement(Read and write your organization's mobility management policies)	Delegated
Microsoft Graph	Directory.AccessAsUser.All(Access directory as the signed in user)	Delegated
Microsoft Graph	Group.ReadWrite.All(Read and write all groups)	Delegated
Microsoft Graph	Agreement.ReadWrite.All(Read and write all terms of use agreements)	Delegated
Microsoft Graph	CustomSecAttributeDefinition.ReadWrite.All(Read and write custom security attribute definitions)	Delegated
Microsoft Graph	SecurityEvents.Read.All(Read your organization’s security events)	Delegated
Office 365 Exchange Online	Exchange.Manage(Manage Exchange configuration)	Delegated
Office 365 SharePoint Online	AllSites.FullControl(Have full control of all site collections)	Delegated
PowerApps Service	User(Access the PowerApps Service API)	Delegated
ProjectWorkManagement	OrgSettings-Planner.ReadWrite.All(Read and write organization-wide Microsoft Planner settings)	Delegated
Skype and Teams Tenant Admin API	user_impersonation(Access Microsoft Teams and Skype for Business data as the signed in user)	Delegated

Manage Baselines

Supported Baseline Configurations

Deploy Configurations to a Tenant

Restore Tenant Configurations

View and Modify Tenant Configurations

View Workspaces of a Tenant

User Template Management

License Unit Cost Profile Management

AD Naming Profile Management

View Overview Statistics of a Tenant

Manage Users

Create a User

Manage User Personal Information

Manage Groups

Create a Group

Edit a Group

Campaigns for SharePoint Banner

Campaigns for Teams

Campaigns for Emails

Microsoft CSP

Manage Resellers

Manage Subscriptions and Licenses for a Tenant

ArrowSphere

Manage Resellers

Manage Subscriptions and Licenses for a Tenant

Ingram Micro Xvantage

Manage Resellers

Manage Subscriptions and Licenses for a Tenant

Integration with ConnectWise

Manage Tenants

Supported Baseline Configurations

Create a User

Manage User Personal Information

Create a Group

Edit a Group

Manage Resellers

Manage Subscriptions and Licenses for a Tenant

Manage Resellers

Manage Subscriptions and Licenses for a Tenant

Manage Resellers

Manage Subscriptions and Licenses for a Tenant

#Manage Tenants

Manage Tenants