Microsoft 365 Integration Q&A
This topic provides answers to questions about integrating Microsoft 365 with Datto RMM.
NOTE The Microsoft 365 Integration will be rolled out in phases over a few weeks/months. The integration is expected to be available for all users as part of the 12.3.0 release. We plan to add new users in batches each week to ensure the platform scales appropriately. To opt your company in for the phased rollout, complete and submit the M365 access form.
The integration setup is simple and follows Microsoft's recommended best practices using their standard OAuth flow. For instructions, refer to Enable the Microsoft 365 Integration. As part of the integration, a user assigned to the Global Administrator role for their Cloud Solution Provider (CSP) tenant authenticates against Microsoft 365 and allows access to their tenant and their clients' tenants. After this authentication, an application is created within Azure Active Directory (Azure AD) that stores the permissions required by Datto RMM. For this integration to work, the CSP tenant must have a valid granular delegated admin privileges (GDAP) relationship set up for each of its client tenants. For detailed information about the Microsoft permissions and configurations required for integration setup, refer to Prerequisites.
This integration is secured by standard RMM security functionality that follows industry best practices, such as multifactor authentication. Datto RMM is hosted in Amazon Web Services (AWS), a secure environment. Refer to Infrastructure and security. With a few exceptions (for example, creating a TAP or resetting a password), confidential information does not pass between Datto RMM and the browser. Most information passes between the browser and Microsoft during authentication, with Microsoft in control, and between private Datto RMM components in AWS and Microsoft. Authentication and authorization are provided by OAuth 2.0, and the system leverages the latest security practices from Microsoft, such as GDAP. We have implemented the Microsoft identity platform and OAuth 2.0 authorization code flow.
This integration is designed for CSP tenants. While you will be able to connect to a non-CSP tenant, content won't render on various pages in Datto RMM.
Providing users the ability to utilize the same automation/scripting engine available for endpoints and applying it to Microsoft 365 is a long-term goal for this integration.
A PSA connection is not currently available. PSA integration capabilities will be expanded in later releases.
Datto RMM will follow the Microsoft security recommendations and only allow tenants with GDAP access. Currently, the integration works only for tenants with Global Administrator GDAP permissions, but access will be expanded in future releases.
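An added example (not Datto's code and not part of the original page): a Python check that reports, for each client tenant you intend to sync, whether an active GDAP relationship carrying the Global Administrator role exists. It assumes relationship objects shaped like Microsoft Graph's delegatedAdminRelationship resource (customer.tenantId, status, endDateTime, accessDetails.unifiedRoles); the tenant IDs, the second role ID and all sample records are constructed.

```python
from datetime import datetime, timezone

# Well-known Microsoft Entra role template ID for Global Administrator.
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"
# Verdicts from worst to best; the best one found per tenant wins.
VERDICTS = ["no GDAP relationship", "relationship not active",
            "active without Global Administrator", "ok"]

def classify(rel, now):
    """Classify one relationship object (assumed Graph v1.0 field names)."""
    end = datetime.fromisoformat(rel["endDateTime"].replace("Z", "+00:00"))
    if rel.get("status") != "active" or end <= now:
        return "relationship not active"
    roles = {r["roleDefinitionId"].lower()
             for r in rel.get("accessDetails", {}).get("unifiedRoles", [])}
    if GLOBAL_ADMIN_ROLE_ID not in roles:
        return "active without Global Administrator"
    return "ok"

def gdap_coverage(relationships, client_tenant_ids, now):
    """Map every expected client tenant to its best GDAP verdict."""
    result = {tid: VERDICTS[0] for tid in client_tenant_ids}
    for rel in relationships:
        tid = rel["customer"]["tenantId"]
        if tid not in result:
            continue  # relationship for a tenant that is not being synced
        verdict = classify(rel, now)
        if VERDICTS.index(verdict) > VERDICTS.index(result[tid]):
            result[tid] = verdict
    return result

# Constructed sample data: placeholder tenant IDs, not real tenants.
def sample_rel(tid, status, end, role):
    return {"customer": {"tenantId": tid}, "status": status, "endDateTime": end,
            "accessDetails": {"unifiedRoles": [{"roleDefinitionId": role}]}}

T1, T2, T3, T4 = (f"{d * 8}-{d * 4}-{d * 4}-{d * 4}-{d * 12}" for d in "1234")
OTHER_ROLE = "00000000-0000-0000-0000-0000000000aa"  # placeholder, not a real role
SAMPLE = [
    sample_rel(T1, "expired", "2024-06-01T00:00:00Z", GLOBAL_ADMIN_ROLE_ID),
    sample_rel(T1, "active", "2026-06-01T00:00:00Z", GLOBAL_ADMIN_ROLE_ID),
    sample_rel(T2, "active", "2026-06-01T00:00:00Z", OTHER_ROLE),
    sample_rel(T3, "terminated", "2024-06-01T00:00:00Z", GLOBAL_ADMIN_ROLE_ID),
]
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for tenant, verdict in gdap_coverage(SAMPLE, [T1, T2, T3, T4], NOW).items():
        print(tenant, "->", verdict)
```

The same report doubles as an inventory of where Global Administrator delegation is currently live, which is worth reviewing whenever a client tenant is unsynced or offboarded.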
Yes. Refer to Sync Microsoft 365 client tenants to Datto RMM.
We have not designed or tested this functionality for on-premises AD. While you are welcome to test it out, Datto RMM does not formally support this option and cannot provide instructions for making it work.
Any actions involving Microsoft 365 data will appear in the Datto RMM Activity Log, but the data will not appear in Microsoft audit logs. Although this would be desirable for Datto RMM users, Microsoft does not have the ability to write actions to their audit logs.
The integration is currently included in your existing Datto RMM license. However, future releases may require an additional cost.
The integration is applicable to any cloud-based Microsoft 365 license. In the future, advanced functionality may be offered to those with Business Premium and E3/E5 plans.
Devices are matched by their hostnames: the device names within Microsoft and those currently existing in the Datto RMM account (within the sites the user has access to) are queried in the database. If a match exists, the devices are linked. Refer to Devices in User details.
Yes, but not using this integration. For guidance, refer to Deploying the Datto RMM Agent using Microsoft Intune.
Yes, as long as you are using a browser that is already authenticated to Microsoft, you will be redirected to the applicable portal for the applicable tenant. Refer to All Tenants in Microsoft 365 menu.
The following global search options are currently available for this integration: M365 User Email and M365 User Name. Refer to Global search.
This access restriction is slated for the future. At this time, you can configure security level permissions to restrict access to actions on the All Users page and user details pages or to the entire Microsoft 365 integration menu. Refer to Microsoft 365 in Permissions.
Two options are available:
- If you no longer want this functionality in Datto RMM, you will have the ability to turn off the integration from the Integrations page. Refer to Disable the Microsoft 365 Integration.
- If you need to purge the connection from one specific client tenant, you can simply unsync the tenant from the integration. Refer to Unsync Microsoft 365 client tenants from Datto RMM.
The RMM Ideas page in the Kaseya Community is the space to share feedback. The Datto RMM team is looking to advance the functionality for this integration over the course of future releases. Your feedback will go a long way in helping us build an optimal solution.