Microsoft 365 Integration

About the integration

The Microsoft 365 Integration provides the opportunity to administer your Microsoft 365 tasks through a single user management platform. This integration streamlines otherwise complex workflows and gives technicians access to the most essential Microsoft 365 data and user management actions directly in Datto RMM.

Upon connecting a Cloud Solution Provider (CSP) tenant, Datto RMM automatically fetches all of your client tenants. You have the option to freely sync or unsync specific tenants to or from the integration at any time.

The integration offers quick access to the following resources:

  • A dedicated Microsoft 365 menu in Datto RMM.
  • An overview of synced tenants that includes seamless navigation to the various Microsoft client portals. Refer to All Tenants.
  • A comprehensive user overview for each client tenant. Refer to All Users.
  • A dedicated details page for each user featuring a user summary, list of enrolled devices, information about the groups the user is added to, and sign-in logs. Refer to User details.

Tiered security level permissions created specifically for this integration allow you to limit access for certain users in your Datto RMM account. Refer to Microsoft 365 in Permissions.

To learn more, refer to Microsoft 365 Integration Q&A.

Prerequisites

The Microsoft 365 Integration with Datto RMM requires a Microsoft Azure account with Cloud Solution Provider (CSP).

IMPORTANT  The connection for the integration must be made by a CSP tenant.

We recommend setting up a service account specific to Datto to authenticate the integration: dattointegration@[your domain].com. This will ensure the integration bypasses your Conditional Access policies, remains active, and limits issues in the future.

For this integration to work, a certain configuration is required in Microsoft 365. For guidance, review the following steps and watch the video demonstration.

Step 1: Service account permissions

Configure the following settings in Microsoft Entra:

  • The integrating service account must be assigned the Global Administrator role for initial setup. Because perpetual Global Administrator rights are not required, we recommend leveraging Privileged Identity Management (PIM) so you can make this user eligible for the role when required and reduce your attack surface. Microsoft documentation: Learn about Privileged Identity Management.
  • The authenticating user requires Microsoft multifactor authentication (MFA), which can be enforced through Conditional Access or per-user MFA settings. The MFA for this user cannot be performed through a third-party application, such as Duo. (MFA through a third-party application is adequate for other users in the account.)
  • NOTE  The user must be excluded from any policies enforcing sign-in restrictions outside the norm of requiring MFA.

Step 2: Service account role

Configure the following settings in Microsoft Entra:

  • The integrating service account must be part of two security groups: the AdminAgents security group and the security group assigned to the GDAP relationship, as described in the next section (step 3).

Step 3: GDAP relationship configuration

NAVIGATION  Microsoft Partner Center > Customers > Administer > select a customer > select an admin relationship

Configure the following settings in Microsoft Partner Center:

  • The authenticating user must add a granular delegated admin privileges (GDAP) relationship with all client tenants.
  • T-Minus 365 blog: Learn about GDAP.

  • Each GDAP relationship must have a security group assigned, and the integrating service account must be part of that security group. The group must be granted one of the following roles: Global Admin, Cloud Application Admin, or Application Admin.
  • NOTE  Privileged Role Admin is no longer a viable role option for this integration.

NOTE  If a client tenant has more than one GDAP relationship, Microsoft observes only the GDAP relationship that was created most recently. As mentioned, the Microsoft authentication requires the security group on the integrating account and GDAP relationship to be the same. If such is the case on one of the GDAP relationships but not on the one most recently created, then the sync will fail.

API permissions

In Azure Active Directory, applications are authorized to call APIs when they are granted permissions as part of the consent process.

Upon setting up the Microsoft 365 Integration from within Datto RMM, you will be required to accept a few Microsoft API permissions to ensure adequate functionality. Refer to step 8 in Enable the Microsoft 365 Integration.

These required permissions will be configured automatically in your integrated CSP tenant once you accept. For your reference, the following table lists the permissions:

API Permission Category Permission Type Description
Microsoft Graph Application Application.ReadWrite.All Delegated Read and write all applications.
Microsoft Graph DelegatedAdminRelationship DelegatedAdminRelationship.ReadWrite.All Delegated Manage Delegated Admin relationships with customers.
Microsoft Graph Directory Directory.ReadWrite.All Delegated Read and write directory data.
Microsoft Graph OpenId permissions offline_access Delegated Maintain access to data you have given it access to.
Microsoft Graph OpenId permissions openid Delegated Sign users in.
Microsoft Partner Center Permissions user_impersonation Delegated Access Partner Center.

Features

How to...