Microsoft 365 Integration FAQ
This topic provides answers to questions about integrating Microsoft 365 with Datto RMM.
How is the connection between Datto RMM and Microsoft 365 established?
The integration setup is simple and follows Microsoft's recommended best practices using their standard OAuth flow. For instructions, refer to Enable the Microsoft 365 Integration. As part of the integration, a user assigned to the Global Administrator role for their Cloud Solution Provider (CSP) tenant authenticates against Microsoft 365 and allows access to their tenant and their clients' tenants. After this authentication, an application is created within Microsoft Entra ID that stores the permissions required by Datto RMM. For this integration to work, the CSP tenant must have a valid granular delegated admin privileges (GDAP) relationship set up for each of its client tenants. For detailed information about the Microsoft permissions and configurations required for integration setup, refer to Prerequisites.
What security measures factor into this integration?
This integration is secured by standard RMM security functionality that follows industry best practices, such as multifactor authentication. Datto RMM is hosted in Amazon Web Services (AWS), a secure environment. Refer to Infrastructure and security. With a few exceptions (for example: creating TAP, resetting password), confidential information does not pass between Datto RMM and the browser. Most information passes between the browser and Microsoft during authentication, with Microsoft in control, and between private Datto RMM components existing in AWS and Microsoft. Authentication and authorization are provided by OAuth 2.0, and the system leverages the latest security practices from Microsoft, such as GDAP. We have implemented Microsoft identity platform and OAuth 2.0 authorization code flow.
If I don’t have a CSP, can I still use this integration?
This integration is designed for CSP tenants. While you will be able to connect to a non-CSP tenant, content won't render on various pages in Datto RMM.
Will I be able to create jobs and run automation for Microsoft 365?
Providing users the ability to utilize the same automation/scripting engine available for endpoints and applying it to Microsoft 365 is a long-term goal for this integration.
Will I be able to sync Microsoft 365 data to my Professional Services Automation (PSA) software?
A PSA connection is not currently available. PSA integration capabilities will be expanded in later releases.
What if I only have a direct login to my client's tenant and don’t have GDAP access enabled?
Datto RMM will follow the Microsoft security recommendations and only allow tenants with GDAP access. Currently, the integration works only for tenants with Global Administrator GDAP permissions, but access will be expanded in future releases.
Is it possible to onboard only specific tenants?
Yes. Refer to Sync Microsoft 365 client tenants to Datto RMM.
Will this integration work for on-premises Active Directory?
We have not designed or tested this functionality for on-premises AD. While you are welcome to test it out, Datto RMM does not formally support this option and cannot provide instructions for making it work.
Are activity/audit data visible in both Datto RMM and Microsoft 365?
Any actions involving Microsoft 365 data will appear in the Datto RMM Activity Log, but the data will not appear in Microsoft audit logs. Although desirable for Datto RMM users, Microsoft does not have the ability to write actions to their audit logs.
Will this integration be free or charged for?
The integration is currently included in your existing Datto RMM license. However, future releases may require an additional cost.
Which Microsoft 365 subscriptions are supported?
The integration is applicable to any cloud-based Microsoft 365 license. In the future, advanced functionality may be offered to those with Business Premium and E3/E5 plans.
How does the device linking work?
Devices are matched by their hostnames: the device names within Microsoft and those currently existing in the Datto RMM account (within the sites the user has access to) and queried in the database. If a match exists, the devices are linked. Refer to Devices in User details.
Can I deploy the Datto RMM Agent using Microsoft Intune?
Yes, but not using this integration. For guidance, refer to Deploying the Datto RMM Agent using Microsoft Intune.
Will the links to the Microsoft client portals automatically log me in?
Yes, as long as you are using a browser that is already authenticated to Microsoft, you will be redirected to the applicable portal for the applicable tenant. Refer to All Tenants in Microsoft 365 menu.
Will I be able to search across all users using the global search bar?
The following global search options are currently available for this integration: M365 User Email and M365 User Name. Refer to Global search.
Can I restrict access to specific tenants using security levels?
This access restriction is slated for the future. At this time, you can configure security level permissions to restrict access to actions on the All Users page and user details pages or to the entire Microsoft 365 integration menu. Refer to Microsoft 365 in Permissions.
How do I remove the integration for one or all of my clients?
Two options are available:
- If you no longer want this functionality in Datto RMM, you will have the ability to turn off the integration from the Integrations page. Refer to Disable the Microsoft 365 Integration.
- If you need to purge the connection from one specific client tenant, you can simply unsync the tenant from the integration. Refer to Unsync Microsoft 365 client tenants from Datto RMM.
Where can I provide my ideas for future consideration?
The RMM Ideas page in the Kaseya Community is the space to share feedback. The Datto RMM team is looking to advance the functionality for this integration over the course of future releases. Your feedback will go a long way in helping us build an optimal solution.
