To run Simeon with Delegated Authentication, the Sync must authenticate with an Entra ID non-guest user. This user can be assigned any roles. The roles assigned to this user will determine Simeon's access to the configurations in the tenant.
If you would like to Sync all configurations in the tenant, the user account used for Delegated Authentication should be assigned the Global Administrator role and the Exchange Online Admin role (with permissions for Address lists).
If you would prefer not to use a Global Administrator with Simeon, you can Sync most configurations in the tenant by applying the following minimum roles:
Minimum required roles to Sync all configurations without a Global Administrator:
- Authentication Policy Administrator
- Required to manage Authentication policy settings
- Intune administrator
- Required to manage Intune/Endpoint
- Compliance administrator
- Required to manage security compliance center
- Exchange administrator
- Require to manage Exchange Online settings
- User administrator
- Required to create users and groups
- Teams administrator
- Required to manage Teams settings
- Application administrator
- Required to manage app registrations and service principles
- Groups administrator
- Required to manage groups
- Security administrator
- Required to manage configurations in Azure AD
- Cloud device administrator
- Required to read/write Device registration policy
- SharePoint administrator
- Required to read/write SharePoint settings
-
Assign an Exchange Online Admin role with the following permissions:
- Address lists
- Required for Exchange Online settings
- Address lists
Without the Global Administrator Role, you can read but cannot apply changes to Azure Active Directory User Settings