Required permissions and scopes

To operate correctly, the management agent requires a user account with permission to manage the objects, together with an associated service account that has access to the appropriate API scopes.

Note that granting the scopes to the service account is not enough. The user object must either have admin rights or have delegated permissions to the required object.


You only require permissions for the object types you want to manage. The minimum scopes required for each object type are shown below.

Note that the required scopes have changed between V1 and V2, depending on which functionality of the Connector you're using. You may need to review the scopes when upgrading the agent to avoid permission errors.

For example, the following errors indicate that the scopes for the User Schema need to be reviewed:

"Permission to read the user custom schema was denied"
"Permission related TokenResponseException while reading the user custom schema"


If delegates or send-as addresses are required, then the following scopes are also required (requires v2 management agent or later):








classroom (Requires v2 management agent or later)


Older versions of the management agent

Please note that versions of the MA prior to build 1.1.6663 require all scopes to be granted to the service account.
