The account that EmpowerID uses to connect to Office 365 must have the ability to create a service principal that allows the application to access your Office 365 tenant’s information. By default, EmpowerID uses an Office 365 account with the Global Admin role to create the service principal. If you do not want to use a Global Admin account, you will need to provide a service principal account with either one of the below permissions (depending on whether the service principal account is to be used for tenant administration):
Directory Readers permissions — Read permission only; this type of account does not provide tenant administrative capabilities
User Account Administrator — This type of account provides user administrative capabilities within the tenant.
The service principal can be created in PowerShell. For more information, see Microsoft’s article at https://docs.microsoft.com/en-us/powershell/azure/create-azure-service-principal-azureps?view=azps-3.3.0. Please note that if you chose to provide your own service principal, the account must be maintained by your organization.