
Manually Enabling Remediation Roles for Optimize365

This guide walks you through enabling the required Remediation Roles for Optimize365’s remediation app registration, allowing the platform to securely perform write and configuration changes across your Microsoft 365 environment.

The remediation app registration requires elevated roles beyond Global Reader. These roles enable Optimize365 to fix misconfigurations, enforce baselines, and apply security/compliance changes automatically.

You can enable the required permissions for Optimize365 using one of the following methods:

  1. Manual Configuration via the Microsoft 365 Admin Portal
    Follow step-by-step instructions to assign the necessary roles directly through the portal interface.

  2. Automated Setup via PowerShell Script
    Run a pre-built script to streamline the setup process and assign all roles with minimal manual effort.

Prerequisites

  • A Global Administrator account with access to Microsoft Entra ID.

Why These Roles Are Required

Optimize365 remediation features go beyond visibility. They require write permissions to enforce security and compliance changes across Microsoft 365 services.

Without these roles, Optimize365 will be limited to read-only scanning.

The required roles are:

  • Exchange Administrator
  • Security Administrator
  • Compliance Administrator
  • Conditional Access Administrator
  • Authentication Administrator
  • SharePoint Administrator
  • Teams Administrator
  • User Administrator
  • Application Administrator
  • Privileged Role Administrator
  • Authentication Policy Administrator
  • Cloud Application Administrator
  • Groups Administrator
  • Privileged Authentication Administrator
  • Security Operator
  • Azure Information Protection Administrator
  • Cloud Device Administrator
  • Global Secure Access Administrator
  • Compliance Data Administrator

Enabling Remediation Roles

Step 1: Verify & Assign Remediation Roles (Per Tenant)

Option 1

  1. Sign in to the Microsoft Entra admin center
  2. Browse to Entra ID > Roles & admins (select Show more... if it is not visible)
  3. Select the Exchange Administrator role to open its details

[Screenshot: Role-Remediation-Step01]

  4. Select Add assignments, search for “Optimize365-Write” (AppId: e5099652-03bb-4940-8490-3b3ca8e75369) and press Add

[Screenshot: Role-Remediation-Step02]

  5. The app appears in the assignment list once it has been added

[Screenshot: Role-Remediation-Step03]

⚠️ You must repeat steps 3–5 for each of the roles listed above (not just Exchange Administrator).
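Because Step 1 is titled "Verify & Assign", a read-only check is useful both before assigning (to see what is missing) and afterwards (to confirm that every required role landed and that nothing beyond the required set was granted). The following script is an added example, not part of the Optimize365 documentation; it assumes the Microsoft.Graph PowerShell SDK is installed and reads the service principal's directory-role membership through Get-MgServicePrincipalMemberOf. It only reads; it never assigns anything.

```powershell
# Added example: report which remediation roles the Optimize365-Write service
# principal currently holds, which required roles are missing, and which
# directory roles it holds that are NOT on the required list.
# Assumes the Microsoft.Graph PowerShell SDK; read-only Graph scopes suffice.
Connect-MgGraph -Scopes "Directory.Read.All", "RoleManagement.Read.Directory" -NoWelcome

# AppId of the remediation app registration (value from the guide above)
$appId = "e5099652-03bb-4940-8490-3b3ca8e75369"

$requiredRoles = @(
    "Exchange Administrator", "Security Administrator", "Compliance Administrator",
    "Conditional Access Administrator", "Authentication Administrator",
    "SharePoint Administrator", "Teams Administrator", "User Administrator",
    "Application Administrator", "Privileged Role Administrator",
    "Authentication Policy Administrator", "Cloud Application Administrator",
    "Groups Administrator", "Privileged Authentication Administrator",
    "Security Operator", "Azure Information Protection Administrator",
    "Cloud Device Administrator", "Global Secure Access Administrator",
    "Compliance Data Administrator"
)

$sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) {
    Disconnect-MgGraph | Out-Null
    throw "Service principal for AppId $appId not found in this tenant (the app may not be consented yet)."
}

# memberOf returns generic directoryObjects; keep only active directoryRole
# entries and read their display names from AdditionalProperties.
$assignedRoles = Get-MgServicePrincipalMemberOf -ServicePrincipalId $sp.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
    ForEach-Object { $_.AdditionalProperties['displayName'] }

# One row per required role, so the table can be pasted into a change record.
$report = foreach ($roleName in $requiredRoles) {
    [pscustomobject]@{
        Role     = $roleName
        Assigned = [bool]($assignedRoles -contains $roleName)
    }
}
$report | Sort-Object Assigned, Role | Format-Table -AutoSize

$missing = @($report | Where-Object { -not $_.Assigned })
$extra   = @($assignedRoles | Where-Object { $_ -notin $requiredRoles })

if ($missing.Count -gt 0) {
    Write-Warning ("{0} of {1} required roles are not assigned: {2}" -f
        $missing.Count, $requiredRoles.Count, ($missing.Role -join ', '))
} else {
    Write-Host "All $($requiredRoles.Count) required remediation roles are assigned to $($sp.DisplayName)." -ForegroundColor Green
}
if ($extra.Count -gt 0) {
    # Roles outside the documented set deserve a second look: they were not
    # granted by this guide and widen what the remediation app can change.
    Write-Warning "Roles assigned but not on the required list: $($extra -join ', ')"
}

Disconnect-MgGraph | Out-Null
```

Only active role assignments appear in memberOf; eligible (PIM) assignments are not included, so if your tenant uses PIM for service principals, check those separately in the Entra admin center.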

Option 2

# PowerShell script to assign remediation roles to Optimize365
# Requires the Microsoft.Graph PowerShell SDK. The scopes below are needed to
# look up the service principal and to add members to directory roles.
Connect-MgGraph -Scopes "Application.Read.All", "RoleManagement.ReadWrite.Directory" -NoWelcome
 
# AppId of the remediation app registration
$appId = "e5099652-03bb-4940-8490-3b3ca8e75369"
 
# Roles to assign
$rolesToAssign = @(
    "Exchange Administrator",
    "Security Administrator",
    "Compliance Administrator",
    "Conditional Access Administrator",
    "Authentication Administrator",
    "SharePoint Administrator",
    "Teams Administrator",
    "User Administrator",
    "Application Administrator",
    "Privileged Role Administrator",
    "Authentication Policy Administrator",
    "Cloud Application Administrator",
    "Groups Administrator",
    "Privileged Authentication Administrator",
    "Security Operator",
    "Azure Information Protection Administrator",
    "Cloud Device Administrator",
    "Global Secure Access Administrator",
    "Compliance Data Administrator"
)
 
# Get service principal for Optimize365
$servicePrincipal = Get-MgServicePrincipal -Filter "appId eq '$appId'"
if (-not $servicePrincipal) {
    Write-Host "❌ Remediation service principal not found. Verify AppId." -ForegroundColor Red
    Disconnect-MgGraph | Out-Null
    exit 1
}
 
Write-Host "✅ Found remediation service principal: $($servicePrincipal.DisplayName)" -ForegroundColor Green
 
# Directory roles and role templates are small lists, so they are fetched once
# and matched locally on DisplayName (the list endpoints do not reliably
# support server-side $filter).
$activeRoles   = Get-MgDirectoryRole -All
$roleTemplates = Get-MgDirectoryRoleTemplate -All
 
foreach ($roleName in $rolesToAssign) {
    Write-Host "`nProcessing role: $roleName" -ForegroundColor Cyan
 
    $role = $activeRoles | Where-Object { $_.DisplayName -eq $roleName }
 
    if (-not $role) {
        # A directoryRole object only exists once the role has been activated
        # from its template in this tenant.
        Write-Host "⚠️ Role $roleName not active, activating..." -ForegroundColor Yellow
        $roleTemplate = $roleTemplates | Where-Object { $_.DisplayName -eq $roleName }
        if ($roleTemplate) {
            $role = New-MgDirectoryRole -RoleTemplateId $roleTemplate.Id
            Write-Host "✅ Activated $roleName" -ForegroundColor Green
        } else {
            Write-Host "❌ Could not find role template for $roleName" -ForegroundColor Red
            continue
        }
    }
 
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
    if ($members | Where-Object { $_.Id -eq $servicePrincipal.Id }) {
        Write-Host "✅ Already assigned: $roleName" -ForegroundColor Green
    } else {
        Write-Host "Adding remediation app to $roleName..." -ForegroundColor Yellow
        try {
            # -ErrorAction Stop makes a Graph failure terminating so catch runs
            New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter @{
                "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($servicePrincipal.Id)"
            } -ErrorAction Stop
            Write-Host "✅ Successfully assigned $roleName" -ForegroundColor Green
        } catch {
            # ${roleName} is braced: "$roleName:" would be parsed as a scope qualifier
            Write-Host "❌ Failed to assign ${roleName}: $_" -ForegroundColor Red
        }
    }
}
 
Disconnect-MgGraph | Out-Null
Write-Host "`n✅ Remediation roles assignment complete" -ForegroundColor Green
 
Need Help?
 
Contact [email protected] if you encounter any issues.