Microsoft 365 Integration

SECURITY  Administrator (to enable the integration)

SECURITY  To configure user access to this integration, refer to Microsoft 365 in Permissions.

NAVIGATION  Setup > Integrations > Microsoft 365

NAVIGATION  Microsoft 365

About the integration

The Microsoft 365 Integration provides the opportunity to administer your Microsoft 365 tasks through a single user management platform. This integration streamlines otherwise complex workflows and gives technicians access to the most essential Microsoft 365 data and user management actions directly in Datto RMM.

Upon connecting a Cloud Solution Provider (CSP) tenant, Datto RMM automatically fetches all of your client tenants. You have the option to freely sync or unsync specific tenants to or from the integration at any time.

The integration offers quick access to the following resources:

  • A dedicated Microsoft 365 menu in Datto RMM.
  • An overview of synced tenants that includes seamless navigation to the various Microsoft client portals. Refer to All Tenants.
  • A comprehensive user overview for each client tenant. Refer to All Users.
  • A dedicated details page for each user featuring a user summary, list of enrolled devices, information about the groups the user is added to, and sign-in logs. Refer to User details.
  • The option to create and onboard, edit, or offboard Microsoft 365 users directly from within Datto RMM. Refer to Microsoft 365 user management.

Tiered security level permissions created specifically for this integration allow you to limit access for certain users in your Datto RMM account. Refer to Microsoft 365 in Permissions.

To learn more, refer to Microsoft 365 Integration Q&A.

Prerequisites

The Microsoft 365 Integration with Datto RMM requires a Microsoft Azure account with Cloud Solution Provider (CSP).

IMPORTANT  The connection for the integration must be made by a CSP tenant.

We recommend setting up a service account specific to Datto to authenticate the integration: dattointegration@[your domain].com. This will ensure the integration bypasses your Conditional Access policies, remains active, and limits issues in the future.

For this integration to work, a certain configuration is required in Microsoft 365. For guidance, review the following steps and watch the video demonstration.

Step 1: Service account permissions

Configure the following settings in Microsoft Entra:

  • The integrating service account must be assigned the Global Administrator role for initial setup. Because perpetual Global Administrator rights are not required, we recommend leveraging Privileged Identity Management (PIM) so you can make this user eligible for the role when required and reduce your attack surface. Microsoft documentation: Learn about Privileged Identity Management.
  • The authenticating user requires Microsoft multifactor authentication (MFA), which can be enforced through Conditional Access or per-user MFA settings. The MFA for this user cannot be performed through a third-party application, such as Duo. (MFA through a third-party application is adequate for other users in the account.)

    • NOTE  The user must be excluded from any policies enforcing sign-in restrictions outside the norm of requiring MFA.

    NOTE  The service account must successfully authenticate with MFA during the initial connection for the integration to work properly. If there are any exceptions in the Conditional Access policy that allow MFA to be bypassed during this connection, tenants will not be pulled in to Datto RMM.

Step 2: Service account role

Configure the following settings in Microsoft Entra:

  • The integrating service account must be part of two security groups: the AdminAgents security group and the security group assigned to the GDAP relationship, as described in the next section (step 3).

Step 3: GDAP relationship configuration

NAVIGATION  Microsoft Partner Center > Customers > Administer > select a customer > select an admin relationship

Configure the following settings in Microsoft Partner Center:

  • The authenticating user must add a granular delegated admin privileges (GDAP) relationship with all client tenants.

    • T-Minus 365 blog: Learn about GDAP.

  • Each GDAP relationship must have a security group assigned, and the integrating service account must be part of that security group. The group must be granted one of the following roles: Global Admin, Cloud Application Admin, or Application Admin.

    • NOTE  Privileged Role Admin is no longer a viable role option for this integration.

NOTE  If a client tenant has more than one GDAP relationship, Microsoft observes only the GDAP relationship that was created most recently. As mentioned, the Microsoft authentication requires the security group on the integrating account and GDAP relationship to be the same. If such is the case on one of the GDAP relationships but not on the one most recently created, then the sync will fail.

API permissions

In Azure Active Directory, applications are authorized to call APIs when they are granted permissions as part of the consent process.

Upon setting up the Microsoft 365 Integration from within Datto RMM, you will be required to accept a few Microsoft API permissions to ensure adequate functionality. Refer to step 8 in Enable the Microsoft 365 Integration.

These required permissions will be configured automatically in your integrated CSP tenant once you accept. For your reference, the following table lists the permissions:

API Permission Category Permission Type Description
Microsoft Graph Application Application.ReadWrite.All Delegated Read and write all applications.
Microsoft Graph DelegatedAdminRelationship DelegatedAdminRelationship.ReadWrite.All Delegated Manage Delegated Admin relationships with customers.
Microsoft Graph Directory Directory.ReadWrite.All Delegated Read and write directory data.
Microsoft Graph OpenId permissions offline_access Delegated Maintain access to data you have given it access to.
Microsoft Graph OpenId permissions openid Delegated Sign users in.
Microsoft Partner Center Permissions user_impersonation Delegated Access Partner Center.

Features

To access the tenant sync table, navigate to Setup > Integrations > Microsoft 365 > Tenants.

Once the Microsoft 365 Integration is enabled, Datto RMM automatically fetches all of your Microsoft 365 client tenants. Any tenants in this list can be freely synced to or unsynced from Datto RMM while the integration is active. Manual tenant syncing is required to begin using the integration. For instructions, refer to Sync Microsoft 365 client tenants to Datto RMM.

The tenant sync table displays the following information:

Field Sortable? Description
Tenant Name The name of the tenant as it exists in Azure Active Directory.
To narrow the list, click the filter icon , enter a term, and click Apply. To see the full list, click Reset.
Tenant ID   Displays the tenant ID.
To narrow the list, click the filter icon , enter a term, and click Apply. To see the full list, click Reset.
Status Displays the sync status of the tenant, which can be one of the following:
  • Synced: The tenant is successfully synced to Datto RMM.
  • Deactivated: The tenant is either not yet synced or has been unsynced from Datto RMM. Refer to Sync Microsoft 365 client tenants to Datto RMM.
  • Failed: An attempt to sync or unsync the tenant to/from Datto RMM was unsuccessful. Another attempt may resolve the failure.
  • Pending: The tenant is in the process of syncing to Datto RMM.

To narrow the list, click the filter icon and select one or more sync statuses.

You can filter both of the columns. The Filtered by bar displays all applied column filters. If a filter search term includes wildcard characters (for example, underscores and percent signs), they serve as normal characters if they are preceded by a backslash. For details, refer to Wildcard characters. Click the X next to any filter to remove that filter or click Reset Filters to remove all filters. If no filter is applied, the Filtered by bar displays Unfiltered. The filter selection in the columns will persist the next time the page is accessed.

The table density is set to condensed theme by default. To change it to relaxed theme, click the density toggle icon. The selection will persist across all pages.

The number of results displayed can be specified by selecting the desired number from the pagination control. This selection will persist the next time the page is accessed.

Action buttons

The action buttons are unavailable if no row is selected in the table. The check boxes allow you to select one or more rows. Select all rows shown on a page by selecting the check box in the table header. You can also use the drop-down arrow next to the check box in the table header to choose one of the following options: Select none, Select all on page, or Select all rows across all pages. If you choose to select all rows across all pages, the check boxes of the rows will not be selected; however, the page will indicate that all rows have been selected.

Action Button Description
Sync Initiates the operation to sync the selected tenants to Datto RMM. Refer to Sync Microsoft 365 client tenants to Datto RMM.
Unsync Initiates the operation to unsync the selected tenants from Datto RMM. Refer to Unsync Microsoft 365 client tenants from Datto RMM.

NOTE  If your own tenant (the primary tenant) is synced, it cannot be unsynced.

Once the Microsoft 365 Integration is enabled and tenants are synced, the All Tenants page and All Users page can be used to view Microsoft 365 data. Refer to Enable the Microsoft 365 Integration and Sync Microsoft 365 client tenants to Datto RMM.

You can easily access these pages from the Microsoft 365 menu in the left navigation menu.

To access the All Tenants page, navigate to Microsoft 365 > All Tenants.

List of tenants

IMPORTANT  Only the tenants you have manually synced will appear in this list. Refer to Sync Microsoft 365 client tenants to Datto RMM.

This page allows you to open Microsoft client portals directly from Datto RMM. The portals open in new tabs.

NOTE   The redirects to the Microsoft portals comply with Microsoft user permissions. If a user clicks a link in Datto RMM to navigate to a Microsoft page they do not have permission to access, Microsoft will block the user's access.

The badge in the table header shows the number of synced client tenants.

The table displays the following information:

Field Sortable? Description
Tenant Name The name of the tenant as it exists in Azure Active Directory.
To narrow the list, click the filter icon , enter a term, and click Apply. To see the full list, click Reset.
Users   Click View Users to open the list of users that belong to the tenant. Refer to All Users.
Entra Admin Portal*   Click the arrow to manage the tenant in this portal.
Azure Portal*   Click the arrow to manage the tenant in this portal.
Exchange Admin*   Click the arrow to manage the tenant in this portal.
M365 Admin*   Click the arrow to manage the tenant in this portal.
Intune Admin*   Click the arrow to manage the tenant in this portal.
M365 Defender*   Click the arrow to manage the tenant in this portal.
SharePoint Admin*   Click the arrow to manage the tenant in this portal.
Teams Admin*   Click the arrow to manage the tenant in this portal.

NOTE  *Users with the proper access in Datto RMM will be able to see and click these links but will require the proper permissions in Microsoft 365 to access the related areas within the tenant.

The columns can be reordered and resized. The order and size of the columns will persist the next time the page is accessed.

You can filter the Tenant Name column. The Filtered by bar displays all applied column filters. If a filter search term includes wildcard characters (for example, underscores and percent signs), they serve as normal characters if they are preceded by a backslash. For details, refer to Wildcard characters. Click the X next to any filter to remove that filter or click Reset Filters to remove all filters. If no filter is applied, the Filtered by bar displays Unfiltered. The filter selection will not persist the next time the page is accessed as the table will return to the default view (unfiltered).

The table density is set to condensed theme by default. To change it to relaxed theme, click the density toggle icon. The selection will persist across all pages.

The number of results displayed can be specified by selecting the desired number from the pagination control. This selection will persist the next time the page is accessed.

Action buttons

To access the available action buttons, click the Row Actions icon. The action buttons are unavailable if no row is selected or if the action is not applicable to the selected rows. The check boxes allow you to select one or more rows. Select all rows shown on the page by selecting the check box in the table header.

The following table lists all available action buttons:

Action Button Description
Export Selected Rows to CSV In the confirmation dialog box, select whether to show table headers in the file by toggling the Show table headers in the exported CSV button. Click Confirm to download the file. Any column selections, filters, and sorting that have been applied to the table will also be applied in the CSV file. A maximum number of 500 rows can be exported to a single CSV file. The Export All (Max. 500) Rows to CSV action is available without selecting any row in the table.
Export All (Max. 250) Rows to CSV
Uncheck All Clears all selected rows. The number of selected rows is indicated next to the Row Actions icon.

To access the All Users page, navigate to Microsoft 365 > All Users.

Create User

For complete instructions on the Create User action button in the upper-right corner of the page, refer to Microsoft 365 user management.

List of users

By default, the page displays all users across all tenants. To populate a list of users from specific tenants, select one or more tenants from the Select Tenant drop-down menu.

You can filter by one or more tenants using the filter icon in the Tenant Name column. Refer to Tenant Name.

You can also open this list from the All Tenants page. Click View Users in the Users column. Refer to Users in List of tenants.

The badge in the table header shows the number of users in the currently displayed list, whether filtered or unfiltered.

NOTE  This list supports up to 999 users. The first 999 users fetched by Microsoft are those that sync to the integration.

The table displays the following information:

Field Sortable? Description
Display Name The display name of the user as it exists in Microsoft.
To narrow the list, click the filter icon , enter a term, and click Apply. To see the full list, click Reset.

NOTE  This field is searchable via global search. Refer to Global search.
Email The username/user principal name (user email address) as it exists in Microsoft.
To narrow the list, click the filter icon , enter a term, and click Apply. To see the full list, click Reset.

NOTE  This field is searchable via global search. Refer to Global search.
User Role The user role(s) assigned to the user in Microsoft.
To narrow the list, click the filter icon , enter a term, and click Apply. To see the full list, click Reset.
Tenant Name The name of the client tenant, which the user belongs to, as it exists in Azure Active Directory.
To narrow the list, click the filter icon , enter a term, and click Apply. To see the full list, click Reset.

NOTE  You can change the selected tenant from the Select Tenant drop-down menu at the top of the page.
User Type The user type assigned to the user in Microsoft.
To narrow the list, click the filter icon , enter a term, and click Apply. To see the full list, click Reset.
M365 Sign In Status

Displays whether or not signing into this user account has been blocked, as follows:

  • Enabled: Sign-ins into this user account are not blocked.
  • Blocked: Sign-ins into this user account have been blocked either from the Block sign-in option on the Active users page in the Microsoft 365 admin center or from the Block Sign in option available directly in Datto RMM.

Refer to Block Sign In/Unblock Sign In in User details.
Click the filter icon and click All, Enabled, or Blocked to filter by the sign-in status.
Last Sign In Displays how long ago the user's latest sign-in occurred.
Time stamps reflect the user time zone and preferred date format configured on the Setup > My Settings page. Hovering over any time stamp will show its date in the alternative format. Refer to User Time Zone and Date Format.
Click the filter icon and select one of the following options: Last 24 Hours, Last 7 Days, Last 14 Days, Last 30 Days, Last 60 Days, Last 90 Days, Last 180 Days, or Custom where you can specify a custom start/end date and time by using the calendar.
The Sign in Logs card displays additional sign-in information. Refer to Signin Logs.
Last Password Reset Date Displays how long ago the user's latest password reset occurred.
Time stamps reflect the user time zone and preferred date format configured on the Setup > My Settings page. Hovering over any time stamp will show its date in the alternative format. Refer to User Time Zone and Date Format.
Click the filter icon and select one of the following options: Last 24 Hours, Last 7 Days, Last 14 Days, Last 30 Days, Last 60 Days, Last 90 Days, Last 180 Days, or Custom where you can specify a custom start/end date and time by using the calendar.
Licenses Displays the Microsoft licenses assigned to this user.
To narrow the list, click the filter icon , enter a term, and click Apply. To see the full list, click Reset.

The columns can be reordered and resized. The order and size of the columns will persist the next time the page is accessed.

You can filter any columns with the filter icon . The Filtered by bar displays all applied column filters. If a filter search term includes wildcard characters (for example, underscores and percent signs), they serve as normal characters if they are preceded by a backslash. For details, refer to Wildcard characters. Click the X next to any filter to remove that filter or click Reset Filters to remove all filters. If no filter is applied, the Filtered by bar displays Unfiltered. The filter selection in the columns will persist the next time the page is accessed.

The table density is set to condensed theme by default. To change it to relaxed theme, click the density toggle icon. The selection will persist across all pages.

The number of results displayed can be specified by selecting the desired number from the pagination control. This selection will persist the next time the page is accessed.

Action buttons

To access all action buttons, click the Row Actions icon.

The action buttons are unavailable or become unavailable if no row is selected in the table or if the action button is not applicable to the selected rows. The check boxes allow you to select one or more rows. Select all rows shown on a page by selecting the check box in the table header. You can also use the drop-down arrow next to the check box in the table header to choose one of the following options: Select none, Select all on page, or Select all rows across all pages. If you choose to select all rows across all pages, the check boxes of the rows will not be selected; however, the page will indicate that all rows have been selected.

NOTE  When all rows are selected across all pages, only certain action buttons are supported, which is indicated in the All Rows column in the following table.

The user actions are also available on the individual user details pages. Refer to Action buttons in User details.

Action Button All Rows Description
Reset Password

 

 Available only when one user is selected. Refer to Reset Password in User details.
Export Selected Rows to CSV   In the confirmation dialog box that appears, select whether to show table headers in the file by turning on the toggle for Show table headers in the exported CSV. Click Confirm to download the file or Cancel to close out of the dialog box. Any column selections, filters, and sorting that have been applied to the table will also be applied in the CSV file.
Export All Rows to CSV

This action button is available only if all rows have been selected across all pages in the table. In the confirmation dialog box that appears, click Confirm to download the file or Cancel to close out of the dialog box.

Pop-up notifications will inform you of the start and completion of the CSV export action. Click the X to close the notification; otherwise, the notification will automatically be cleared after five minutes.

Any column selections, filters, and sorting that have been applied to the table will also be applied in the CSV file.
Create Temporary Access Password

 

 Available only when one user is selected. Refer to Create Temporary Access Password in User details.
Block Sign In/Unblock Sign In

 

 Available only when one user is selected. Refer to Block Sign In/Unblock Sign In in User details.
Revoke All User Sessions

 

 Available only when one user is selected. Refer to Revoke All User Sessions in User details.
Edit User

 

 Available only when one user is selected. Refer to Editing a Microsoft 365 user in Datto RMM.
Offboard User

 

 Available only when one user is selected. Refer to Offboarding a user or revoking a user's access.
Uncheck All

 

 Clears all selected rows. The number of selected rows is indicated next to the Row Actions icon.

NOTE  This action button is not available if all rows have been selected across all pages in the table. To clear all selected rows across all pages, use the Select none option from the drop-down arrow next to the check box in the table header.

To access the details page for a specific user, navigate to Microsoft 365 > All Users, select a tenant, and click a User Name.

Within the Microsoft 365 menu in the left navigation menu, up to five of the most recently viewed users are listed for quick access.

When a user details page is open, you can view each of the available cards by scrolling down on the page or jump to a specific card by selecting it in the upper-left corner of the page underneath the user's name. Refer to Cards.

NOTE  Datto RMM currently stores any user-related information, and all data securely passes through the Microsoft API.

To access all action buttons, click the More icon in the upper-right corner of the page.

The user actions are also available on the All Users page when one user is selected in the table. Refer to Action buttons in All Users.

The following table lists all available action buttons:

Action Button Description
Reset Password Upon confirmation, creates a new reset password for the selected user. Click Confirm to execute the action or Cancel to close out of the dialog box.

In the next dialog box that appears, click Copy Reset Password to copy the password to your clipboard.

The following description from Microsoft explains the results of this action:
"Copy the password and give it to the user. The user will be required to change the password during the next sign-in process. The temporary password never expires. The next time the user signs in, the password will still work, regardless how much time has passed since the temporary password was generated."

Learn about resetting a user's password.
Create Temporary Access Password

IMPORTANT  To successfully create a Temporary Access Password (TAP) for a user, their tenant must have the Temporary Access Pass policy enabled in Azure Active Directory, and the user must not be excluded from the policy. Learn how to enable the Temporary Access Pass policy in Azure Active Directory.

Automatically creates a new TAP for the selected user. In the dialog box that appears, click Copy Temporary Access Password to copy the password to your clipboard.

The following descriptions from Microsoft explain the TAP:

  • "A TAP doesn’t replace a user’s password."
  • "You provide this value to the user."
  • "The most common use for a Temporary Access Pass is for a user to register authentication details during the first sign-in or device setup, without the need to complete extra security prompts."

Learn about the Temporary Access Pass.
Block Sign In/Unblock Sign In Instantly blocks sign-ins into the user account.

The following description from Microsoft explains the results of this action:
"Blocking someone prevents anyone from signing in as this user and is a good idea when you think their password or username may have been compromised. When you block someone, it immediately stops any new sign-ins for that account, and if they’re signed in, they’ll be automatically signed out from all Microsoft services within 60 minutes."

If sign-ins are currently blocked for the selected user, this option changes to Unblock Sign in, which instantly turns off the block.

NOTE  In the Microsoft 365 admin center, these same options are available upon selecting a user from the Active users page, and changes to this setting are immediately reflected in Datto RMM.

The sign-in status of a user is displayed in the M365 Sign in Status field on the All Users page and user details page. Refer to M365 Sign In Status in All Users and M365 Sign In Status in User details.
Revoke All User Sessions Instantly revokes all user sessions for the selected user.

The following description from Microsoft explains the result of this action:
"This will revoke all sessions for the user, requiring the user to re-sign in from all devices."
Edit User

Refer to Editing a Microsoft 365 user in Datto RMM.
Offboard User

Refer to Offboarding a user or revoking a user's access.

Cards

The Details card provides a summary of the selected user.

These details are retrieved from Microsoft and can be managed from the following areas:

  • NAVIGATION  Microsoft 365 admin center > Users > Active users > select a user > Account tab

  • NAVIGATION  Microsoft Azure > Azure Active Directory > Users > select a user > Properties tab

The following table displays the information available in the card:

Field Description
Full Name The Display name of the user as it exists in Microsoft.

NOTE  This field is searchable via global search. Refer to Global search.
User Principal Name The username/user principal name as it exists in Microsoft.

NOTE  This field is searchable via global search. Refer to Global search.
Alias Displayed if configured in Microsoft or via Datto RMM. Refer to Microsoft 365 user management.
User Type Displays Member or Guest.
Job Title Displayed if configured in Microsoft or via Datto RMM. Refer to Microsoft 365 user management.
Company Name Displayed if configured in Microsoft or via Datto RMM. Refer to Microsoft 365 user management.
Department Displayed if configured in Microsoft or via Datto RMM. Refer to Microsoft 365 user management.
Employee ID Displayed if configured in Microsoft or via Datto RMM. Refer to Microsoft 365 user management.
Employee Type Displayed if configured in Microsoft or via Datto RMM. Refer to Microsoft 365 user management.
Employee Hire Date Displayed if configured in Microsoft or via Datto RMM. Refer to Microsoft 365 user management.
Office Location Displayed if configured in Microsoft or via Datto RMM. Refer to Microsoft 365 user management.
Manager Displayed if configured in Microsoft or via Datto RMM. Refer to Microsoft 365 user management.
Address Displayed if configured in Microsoft or via Datto RMM. Refer to Microsoft 365 user management.
City Displayed if configured in Microsoft or via Datto RMM. Refer to Microsoft 365 user management.
State Displayed if configured in Microsoft or via Datto RMM. Refer to Microsoft 365 user management.
Postcode Displayed if configured in Microsoft or via Datto RMM. Refer to Microsoft 365 user management.
Country Displayed if configured in Microsoft or via Datto RMM. Refer to Microsoft 365 user management.
Business Phone Displayed if configured in Microsoft or via Datto RMM. Refer to Microsoft 365 user management.
Mobile Phone Displayed if configured in Microsoft or via Datto RMM. Refer to Microsoft 365 user management.
Email Displayed if configured in Microsoft or via Datto RMM. Refer to Microsoft 365 user management.
Usage Location Displayed if configured in Microsoft or via Datto RMM. Refer to Microsoft 365 user management.

The Roles card provides a summary of the selected user's roles.

Click Manage User Roles to add or remove user roles.

You can filter any columns with the filter icon . The Filtered by bar displays all applied column filters.If a filter search term includes wildcard characters (for example, underscores and percent signs), they serve as normal characters if they are preceded by a backslash. For details, refer to Wildcard characters.Click the X next to any filter to remove that filter or click Reset Filters to remove all filters.If no filter is applied, the Filtered by bar displays Unfiltered.The filter selection in the columns will not persist the next time the page is accessed as the table will return to the default view.

The table density is set to condensed theme by default. To change it to relaxed theme, click the density toggle icon. The selection will persist across all pages.

The number of results displayed can be specified by selecting the desired number from the pagination control. This selection will persist the next time the page is accessed.

Action buttons

To access the available action buttons, click the Row Actions icon. The action buttons are unavailable if no row is selected or if the action is not applicable to the selected rows. The check boxes allow you to select one or more rows. Select all rows shown on the page by selecting the check box in the table header.

The following table lists all available action buttons:

Action Button Description
Export Selected Rows to CSV In the confirmation dialog box, select whether to show table headers in the file by toggling the Show table headers in the exported CSV button. Click Confirm to download the file. Any column selections, filters, and sorting that have been applied to the table will also be applied in the CSV file. A maximum number of 500 rows can be exported to a single CSV file. The Export All (Max. 500) Rows to CSV action is available without selecting any row in the table.
Export All (Max. 250) Rows to CSV
Uncheck All Clears all selected rows. The number of selected rows is indicated next to the Row Actions icon.

The Licenses card provides a license summary of the selected user.

Click Manage User Licenses to add or remove user licenses.

NOTE  License information is retrieved live to ensure no conflicts are encountered during user creation. Upon adding a license, the license will be applied instantaneously to the user account.

These details are retrieved from Microsoft and can be managed from the following areas:

  • NAVIGATION  Microsoft 365 admin center > Users > Active users > select a user > Account tab

  • NAVIGATION  Microsoft Azure > Azure Active Directory > Users > select a user > Properties tab

The following table displays the information available in the card:

Field Description
Tenant Name The name of the client tenant the user belongs to, as it exists in Azure Active Directory. Refer to All Tenants.
Primary Domain The Primary domain of the client tenant the user belongs to, as it exists in Azure Active Directory.
User Principal Name The User principal name/Username of the user as it exists in Microsoft.
Usage Location The Usage location of the user as it exists in Microsoft.
M365 Sign In Status

Displays whether or not signing into this user account has been blocked, as follows:

  • Enabled: Sign-ins into this user account are not blocked.
  • Blocked: Sign-ins into this user account have been blocked either from the Block sign-in option on the Active users page in the Microsoft 365 admin center or from the Block Sign in option available directly in Datto RMM.

Refer to Block Sign In/Unblock Sign In in Action buttons.
Last Sign In Displays how long ago the user's latest sign-in occurred.
Time stamps reflect the user time zone and preferred date format configured on the Setup > My Settings page. Hovering over any time stamp will show its date in the alternative format. Refer to User Time Zone and Date Format.
The Sign in Logs card displays additional sign-in information. Refer to Signin Logs.
Last Password Modification Displays how long ago the user's latest password change occurred.
Time stamps reflect the user time zone and preferred date format configured on the Setup > My Settings page. Hovering over any time stamp will show its date in the alternative format. Refer to User Time Zone and Date Format.

List of licenses assigned to the user

 Displays the license details, including the product, status, service enablement, and assignment path.

You can filter any columns with the filter icon . The Filtered by bar displays all applied column filters. If a filter search term includes wildcard characters (for example, underscores and percent signs), they serve as normal characters if they are preceded by a backslash. For details, refer to Wildcard characters.Click the X next to any filter to remove that filter or click Reset Filters to remove all filters. If no filter is applied, the Filtered by bar displays Unfiltered. The filter selection in the columns will not persist the next time the page is accessed as the table will return to the default view.

The table density is set to condensed theme by default. To change it to relaxed theme, click the density toggle icon. The selection will persist across all pages.

The number of results displayed can be specified by selecting the desired number from the pagination control. This selection will persist the next time the page is accessed.

The Devices card shows devices enrolled for the user. If no devices are enrolled, the list is empty.

The device details are retrieved from Microsoft, and additional device properties and device management options are accessible in the following areas:

  • NAVIGATION  Microsoft Azure > Azure Active Directory > Users > select a user > Devices

  • NAVIGATION  Microsoft Intune admin center > Devices (only devices enrolled to Microsoft Intune)

The badge in the table header shows the number of devices enrolled for the user.

The table displays the following information:

Field Sortable? Description
Type The device type.
To narrow the list, click the filter icon , enter a term, and click Apply. To see the full list, click Reset.
Hostname The hostname of the device. 
If the device is also enrolled in Datto RMM, the hostname is clickable. Click the link to open the device summary page. Refer to Device summary.
To narrow the list, click the filter icon , enter a term, and click Apply. To see the full list, click Reset.
OS The version of the operating system on the device.
To narrow the list, click the filter icon , enter a term, and click Apply. To see the full list, click Reset.
Compliance

Displays whether or not the device is compliant, as follows:

  • Compliant: The device is compliant with the rules of the Microsoft compliance policy targeting it.
  • Non Compliant: The device is not compliant with the rules of the Microsoft compliance policy targeting it.
  • Not applicable: The device is not targeted by a Microsoft compliance policy.

Click the filter icon and select Compliant, Non Compliant, or Not applicable to filter by device compliance. You can select more than one option at a time.
Last Sign In Displays how long ago the device was last signed into.
Time stamps reflect the user time zone and preferred date format configured on the Setup > My Settings page. Hovering over any time stamp will show its date in the alternative format. Refer to User Time Zone and Date Format.
Join Type The method used to enroll the device.
Click the filter icon and select any number of enrollment types to filter the list.

You can filter any columns with the filter icon . The Filtered by bar displays all applied column filters. If a filter search term includes wildcard characters (for example, underscores and percent signs), they serve as normal characters if they are preceded by a backslash. For details, refer to Wildcard characters. Click the X next to any filter to remove that filter or click Reset Filters to remove all filters. If no filter is applied, the Filtered by bar displays Unfiltered. The filter selection in the columns will not persist the next time the page is accessed as the table will return to the default view.

The table density is set to condensed theme by default. To change it to relaxed theme, click the density toggle icon. The selection will persist across all pages.

The number of results displayed can be specified by selecting the desired number from the pagination control. This selection will persist the next time the page is accessed.

Action buttons

To access the available action buttons, click the Row Actions icon. The action buttons are unavailable if no row is selected or if the action is not applicable to the selected rows. The check boxes allow you to select one or more rows. Select all rows shown on the page by selecting the check box in the table header.

The following table lists all available action buttons:

Action Button Description
Export Selected Rows to CSV In the confirmation dialog box, select whether to show table headers in the file by toggling the Show table headers in the exported CSV button. Click Confirm to download the file. Any column selections, filters, and sorting that have been applied to the table will also be applied in the CSV file. A maximum number of 500 rows can be exported to a single CSV file. The Export All (Max. 500) Rows to CSV action is available without selecting any row in the table.
Export All (Max. 250) Rows to CSV
Uncheck All Clears all selected rows. The number of selected rows is indicated next to the Row Actions icon.

The details of any groups the user is assigned to are retrieved from Microsoft. Learn about groups and access rights in Azure Active Directory.

Click Manage User Groups to add or remove groups.

The badge in the table header shows the number of groups the user is assigned to. If the user is not assigned to any groups, the list is empty.

The table displays the following information:

Field Sortable? Description
Group Name The name of the group as it exists in Microsoft.
To narrow the list, click the filter icon , enter a term, and click Apply. To see the full list, click Reset.
Group Type The group type, as set in Microsoft.
To narrow the list, click the filter icon , enter a term, and click Apply. To see the full list, click Reset.
Email The email address of the group as it exists in Microsoft.
To narrow the list, click the filter icon , enter a term, and click Apply. To see the full list, click Reset.
Assignable to Role Displays whether or not the group can be assigned to roles, as follows:
  • Yes: In Microsoft, the Azure AD roles can be assigned to the group option is set to Yes for the group.
  • No: In Microsoft, the Azure AD roles can be assigned to the group option is set to No for the group.

Learn about using Azure AD groups to manage role assignments.

Click the filter icon and click All, Yes, or No to filter by groups that can have roles assigned and those that cannot.

You can filter any columns with the filter icon . The Filtered by bar displays all applied column filters.If a filter search term includes wildcard characters (for example, underscores and percent signs), they serve as normal characters if they are preceded by a backslash. For details, refer to Wildcard characters. Click the X next to any filter to remove that filter or click Reset Filters to remove all filters. If no filter is applied, the Filtered by bar displays Unfiltered. The filter selection in the columns will not persist the next time the page is accessed as the table will return to the default view.

The table density is set to condensed theme by default. To change it to relaxed theme, click the density toggle icon. The selection will persist across all pages.

The number of results displayed can be specified by selecting the desired number from the pagination control. This selection will persist the next time the page is accessed.

Action buttons

To access the available action buttons, click the Row Actions icon. The action buttons are unavailable if no row is selected or if the action is not applicable to the selected rows. The check boxes allow you to select one or more rows. Select all rows shown on the page by selecting the check box in the table header.

The following table lists all available action buttons:

Action Button Description
Export Selected Rows to CSV In the confirmation dialog box, select whether to show table headers in the file by toggling the Show table headers in the exported CSV button. Click Confirm to download the file. Any column selections, filters, and sorting that have been applied to the table will also be applied in the CSV file. A maximum number of 500 rows can be exported to a single CSV file. The Export All (Max. 500) Rows to CSV action is available without selecting any row in the table.
Export All (Max. 500) Rows to CSV
Uncheck All Clears all selected rows. The number of selected rows is indicated next to the Row Actions icon.

The sign-in logs are retrieved from Microsoft. Learn about sign-in logs in Azure Active Directory.

The badge in the table header shows the number of user sign-ins logged. If no sign-ins are logged, the list is empty.

The table displays the following information:

Field Sortable? Description
Sign In Date Displays how long ago the sign-in occurred.
Time stamps reflect the user time zone and preferred date format configured on the Setup > My Settings page. Hovering over any time stamp will show its date in the alternative format. Refer to User Time Zone and Date Format.
Sign In Status Displays if the sign-in occurred with our without errors.
Click the filter icon and select Failure, Interrupted, or Success to filter by the status.
Device Compliant

Displays whether or not the device is compliant, as follows:

  • Compliant: The device is compliant with the rules of the Microsoft compliance policy targeting it.
  • Non Compliant: The device is not compliant with the rules of the Microsoft compliance policy targeting it.
  • Not applicable: The device is not targeted by a Microsoft compliance policy.

Click the filter icon and select Compliant, Non Compliant, or Not applicable to filter by device compliance. You can select more than one option at a time.
Device The hostname of the device, if available from Microsoft.
To narrow the list, click the filter icon , enter a term, and click Apply. To see the full list, click Reset.
IP Address The IP address the sign-in occurred from.
Microsoft provides the following description of IP addresses in relation to sign-ins:
"There's no definitive connection between an IP address and where the computer with that address is physically located. Mobile providers and VPNs issue IP addresses from central pools that are often far from where the client device is actually used. Currently, converting IP address to a physical location is a best effort based on traces, registry data, reverse lookups and other information."
To narrow the list, click the filter icon , enter a term, and click Apply. To see the full list, click Reset.
Authentication Requirement Displays if authentication was required for the sign-in.
Location The town, state, and country associated with the IP address the sign-in occurred from.
To narrow the list, click the filter icon , enter a term, and click Apply. To see the full list, click Reset.
Resource The resource used to sign in.
To narrow the list, click the filter icon , enter a term, and click Apply. To see the full list, click Reset.
Conditional Access Policy Displays any Microsoft Conditional Access policies that applied to the user and application during sign-in. If no policy applied, the field displays N/A. Refer to Conditional Access Status.
To narrow the list, click the filter icon , enter a term, and click Apply. To see the full list, click Reset.

You can filter any columns with the filter icon . The Filtered by bar displays all applied column filters. If a filter search term includes wildcard characters (for example, underscores and percent signs), they serve as normal characters if they are preceded by a backslash. For details, refer to Wildcard characters. The Filtered by bar displays all applied column filters. Click the X next to any filter to remove that filter or click Reset Filters to remove all filters. If no filter is applied, the Filtered by bar displays Unfiltered. The filter selection in the columns will not persist the next time the page is accessed as the table will return to the default view.

The table density is set to condensed theme by default. To change it to relaxed theme, click the density toggle icon. The selection will persist across all pages.

The number of results displayed can be specified by selecting the desired number from the pagination control. This selection will persist the next time the page is accessed.

Action buttons

To access the available action buttons, click the Row Actions icon. The action buttons are unavailable if no row is selected or if the action is not applicable to the selected rows. The check boxes allow you to select one or more rows. Select all rows shown on the page by selecting the check box in the table header.

The following table lists all available action buttons:

Action Button Description
Export Selected Rows to CSV In the confirmation dialog box, select whether to show table headers in the file by toggling the Show table headers in the exported CSV button. Click Confirm to download the file. Any column selections, filters, and sorting that have been applied to the table will also be applied in the CSV file. A maximum number of 500 rows can be exported to a single CSV file. The Export All (Max. 500) Rows to CSV action is available without selecting any row in the table.
Export All (Max. 250) Rows to CSV
Uncheck All Clears all selected rows. The number of selected rows is indicated next to the Row Actions icon.

How to...

Complete the following steps in Datto RMM to enable the integration:

  1. Navigate to Setup > Integrations > Microsoft 365.
  2. In the Authenticate tab, which is selected by default, click Turn On.

  3. In the Tenant ID field that appears, enter your tenant ID for the CSP tenant you wish to integrate. This tenant ID must match the CSP tenant of the account you authenticate with in step 6.

    4. NOTE  To learn how to find your tenant ID, refer to this Microsoft article.

  4. Click Save.

  5. The button will change in appearance and show that Datto RMM is in the process of integrating.
  6. Datto RMM will redirect to the Microsoft login page. Select or add the account that corresponds with the tenant ID entered in step 3.

  7. If not already signed in, sign in to the account.
  8. Once successfully signed in, Microsoft will display a list of requested permissions. For more information, refer to API permissions in Prerequisites. Click Accept.
  9. The page will redirect to Datto RMM, where you will see a list of client tenants in the Tenants tab of the Microsoft 365 card. You must manually sync tenants to begin using the integration. For instructions, refer to Sync Microsoft 365 client tenants to Datto RMM.

The Microsoft 365 Integration is now successfully enabled.

NOTE  You can check the status of the integration any time from the Authenticate tab in the Microsoft 365 card. If enabled, the button in the card displays Saved and authenticated.

BEFORE YOU BEGIN  Refer to Enable the Microsoft 365 Integration.

Once the Microsoft 365 Integration is enabled, Datto RMM automatically fetches all of your Microsoft 365 client tenants. The status of all tenants remains Deactivated in the tenant sync table until manually synced.

NOTE  Your own tenant (the primary tenant) can be synced but cannot be unsynced.

For details about the full functionality available in the tenant sync table, refer to Client tenant syncing.

Steps

To sync tenants, complete the following steps:

  1. Navigate to Setup > Integrations > Microsoft 365 > Tenants.
  2. Select the tenants you wish to sync. For details about check box selection functionality, refer to Action buttons.
  3. Click Sync.
  4. In the confirmation dialog box that appears, click Confirm to complete the action or Cancel to close out of the dialog box. A pop-up notification will indicate if the tenant sync operation has initiated.
  5. The sync process may take some time. You will notice the status of syncing tenants changes to Pending.
  6. The status Synced indicates a tenant has been successfully synced.

Datto RMM automatically creates an enterprise application in Azure Active Directory for each of the client tenants you have GDAP access to. Learn about GDAP. Application creation requires a couple seconds per tenant.

Synced tenant data and user data are now accessible from the Microsoft 365 menu in the left navigation menu.

NOTE  If a synced tenant does not show on the All Tenants page, verify your Microsoft configuration meets the prerequisites of this integration. Refer to Prerequisites.

NOTE  Specific tenants can be unsynced at any time. Refer to Unsync Microsoft 365 client tenants from Datto RMM.

The status Synced in the tenant sync table indicates a tenant is currently synced to Datto RMM, but specific tenants can be unsynced at any time.

For details about the full functionality available in the tenant sync table, refer to Client tenant syncing.

Steps

To unsync tenants, complete the following steps:

  1. Navigate to Setup > Integrations > Microsoft 365 > Tenants.
  2. Select the tenants you wish to unsync. For details about check box selection functionality, refer to Action buttons.
  3. Click Unsync.
  4. In the confirmation dialog box that appears, click Confirm to complete the action or Cancel to close out of the dialog box. A pop-up notification will indicate if the tenant unsync operation has initiated.
  5. The unsync process may take some time.
  6. The status Deactivated indicates a tenant has been successfully unsynced.

Data for any unsynced tenants are no longer accessible from the Microsoft 365 menu in the left navigation menu.

NOTE  Specific tenants can be resynced at any time. Refer to Sync Microsoft 365 client tenants to Datto RMM.

If you disable the integration, all of the integration and authentication settings will be deleted. Any enterprise applications that had been created for previously synced client tenants will be automatically deleted from Azure Active Directory. You can re-enable the integration at any time.

  1. In Datto RMM, navigate to Setup > Integrations.
  2. The Datto Continuity tab is selected by default. Click the Microsoft 365 tab.
  3. Click Turn Off.
  4. Click Confirm to execute the action or Cancel to close out of the dialog box.