Cloud-Only Environment
Use Case: For organizations running Azure AD and syncing directly to Office 365 mailboxes in Exchange Online.
In this scenario no on-prem accounts are needed.
O365 Service Account Requirements
- Mail-enabled (to store UCM software configuration and licenses).
- Able to receive mail from the internet (for licensing).
- Retention policies and archiving must be disabled.
- CiraSync Application Consent must be set up.
We will use the Graph API to read Azure AD, which requires Global Admin approval (admin consent). The following permissions are used for accessing Azure AD:
Graph API Permissions Required
- Read directory data.
- Read user profiles.
- Access organization directory.
Please note that setup in this environment does not need a dedicated on-prem user. The system account will be used to start the itrezzo services, and the itrezzo server Admin user will be used to access the UCM Admin application. Additional role-based users can be added using the UCM Admin Security configuration. We have two options for authenticating access to targeted user mailboxes:
Authentication Method
Certificate-Based Authentication
- A certificate can be created using the tool available in Itrezzo Admin and set with a desired expiration date.
- Global Admin approval is required for certificate creation.
- Certificate Overview: https://itrezzo.com/support/certificate-based-authorization-with-itrezzo-ucm/
- With this option, after the initial setup, the Application Impersonation role can be removed from the O365 service account.
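Because both the Graph API permissions above and the certificate used for certificate-based authentication are granted tenant-wide by a Global Admin, an administrator will want to verify afterwards exactly what was consented and when the certificate expires. The following audit script is an added example written for this page; it is not itrezzo or CiraSync code. It assumes the Microsoft Graph PowerShell SDK is installed, that the reviewer signs in with read-only directory permissions, and that the application's display name is supplied in place of the placeholder. The consent-prompt wording on this page (for example "Read directory data") appears in the output as Graph scope names such as Directory.Read.All.

```powershell
# Added example (not itrezzo/CiraSync code): audit the consent granted to an
# application and the expiry of its certificate credentials in a cloud-only
# tenant, using the Microsoft Graph PowerShell SDK.
#Requires -Modules Microsoft.Graph.Applications, Microsoft.Graph.Identity.SignIns

param(
    # Placeholder: replace with the display name of the registered application.
    [string]$AppDisplayName = 'REPLACE-WITH-APP-DISPLAY-NAME',
    # Certificates expiring within this many days are flagged.
    [int]$WarnDays = 30
)

# Read-only scopes are sufficient for an audit; nothing is modified.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' -NoWelcome

$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
if (-not $sp) { throw "No service principal named '$AppDisplayName' exists in this tenant." }

Write-Host "Service principal: $($sp.DisplayName) (AppId $($sp.AppId))"

# 1. Delegated permissions. ConsentType 'AllPrincipals' means a Global Admin
#    consented on behalf of every user in the tenant.
Write-Host "`nDelegated permission grants:"
Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id |
    ForEach-Object {
        [pscustomobject]@{
            ConsentType = $_.ConsentType
            Scopes      = $_.Scope
        }
    } | Format-Table -AutoSize

# 2. Application (app-only) permissions. These are app role assignments on the
#    resource API; the role id is resolved to its name (e.g. Directory.Read.All)
#    via the resource service principal's AppRoles list.
Write-Host "Application permission assignments:"
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
    ForEach-Object {
        $resource = Get-MgServicePrincipal -ServicePrincipalId $_.ResourceId
        $role     = $resource.AppRoles | Where-Object { $_.Id -eq $_.AppRoleId }
        [pscustomobject]@{
            Resource = $_.ResourceDisplayName
            Role     = if ($role) { $role.Value } else { $_.AppRoleId }
        }
    } | Format-Table -AutoSize

# 3. Certificate credentials. The certificate may be attached to the application
#    object (only present if the registration lives in this tenant) or to the
#    service principal, so both are inspected.
Write-Host "Certificate credentials:"
$creds = @()
$app = Get-MgApplication -Filter "appId eq '$($sp.AppId)'"
if ($app)              { $creds += $app.KeyCredentials | ForEach-Object { $_ | Add-Member -NotePropertyName Holder -NotePropertyValue 'Application' -PassThru } }
if ($sp.KeyCredentials){ $creds += $sp.KeyCredentials  | ForEach-Object { $_ | Add-Member -NotePropertyName Holder -NotePropertyValue 'ServicePrincipal' -PassThru } }

if (-not $creds) {
    Write-Host "  (none found: the application may rely on a client secret or on a credential held elsewhere)"
} else {
    $creds | ForEach-Object {
        $daysLeft = [int]($_.EndDateTime - (Get-Date)).TotalDays
        [pscustomobject]@{
            Holder   = $_.Holder
            Name     = $_.DisplayName
            Type     = $_.Type
            Expires  = $_.EndDateTime
            DaysLeft = $daysLeft
            Status   = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -le $WarnDays) { 'EXPIRING SOON' } else { 'OK' }
        }
    } | Format-Table -AutoSize
}
```

Run the script once after the Global Admin has granted consent and created the certificate, and again on a schedule: an unexpected scope in the delegated or application lists, or a certificate marked EXPIRING SOON, is the kind of finding that should be resolved before it interrupts synchronization. The Application Impersonation role mentioned above is an Exchange Online role rather than a Graph permission, so it is reviewed separately in the Exchange admin center.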
Alternative Setup Without a Service Account
If you do not want to use a service account, you can create an account with local admin privileges on the server. This local admin account can still start CiraSync, CiraSync On-Prem, and Contact Manager as a local administrator.