Microsoft 365 Integration

Connect your Microsoft 365 tenant via the Microsoft Graph API to automatically collect user accounts, license information, email security posture, MFA enrollment, and Teams/Exchange activity data.

Integration Method: Uses Microsoft Graph API with OAuth 2.0 authentication and supports GDAP (Granular Delegated Admin Privileges) for MSP partners.

What Data Is Collected

Microsoft 365 provides critical evidence for identity management, email security, and collaboration controls:

Users & Identities

User Accounts - Complete directory of all M365 users
Account Status - Active, disabled, guest users, mailbox status
User Details - Display name, email, department, job title
Account Creation - When created, last modified, last sign-in
License Assignment - Which licenses assigned per user

Multi-Factor Authentication (MFA)

MFA Enrollment Status - Enabled, enforced, or disabled per user
MFA Methods - Phone, authenticator app, FIDO2 keys
MFA Coverage - Percentage of users with MFA enabled
Conditional Access - Policy enforcement, device compliance
Authentication Methods - Registered methods per user

Licensing & Subscriptions

License Types - E3, E5, Business Premium, etc.
License Counts - Total purchased vs. assigned
License Utilization - Unused licenses (cost optimization)
Per-User Licensing - Which users have which licenses
Subscription Status - Active, trial, expired

Email Security

Email Protection - Exchange Online Protection (EOP) status
Advanced Threat Protection - Defender for Office 365 features
Mailbox Audit - Audit logging enabled/disabled per mailbox
Retention Policies - Email retention and archiving
Anti-Spam/Malware - Protection policies in place
DMARC/SPF/DKIM - Email authentication status (if PowerDMARC integrated)

Groups & Teams

Microsoft 365 Groups - Group membership, owners
Teams - Active teams, members, channels
Distribution Lists - Email groups and memberships
Security Groups - Access control groups

Devices

Enrolled Devices - Intune-managed devices
Device Compliance - Compliant vs. non-compliant devices
Device Types - Windows, iOS, Android, macOS
Device Policies - Conditional access policies applied

Communication Intelligence (Advanced)

Exchange Email Analysis - Work extraction from sent emails
Teams Message Analysis - Work done via Teams conversations
Communication Patterns - Customer touchpoints, response times
Sentiment Analysis - Communication tone and quality

Compliance Mapping

Microsoft 365 data automatically satisfies these compliance controls:

Compliance Framework	Controls Satisfied	Evidence Provided
CIS Controls v8.1	5.1, 5.2, 5.3, 5.4, 6.1, 6.2, 16.1, 16.11	Account management, access control, MFA, email security
NIST CSF 2.0	ID.AM-2, PR.AC-1, PR.AC-7, PR.DS-5, DE.CM-1	Software inventory, identity management, authentication, malware protection, monitoring
CMMC Level 2	AC.1.001, AC.2.007, IA.1.076, IA.2.078, SC.2.179	Access control, MFA, account management, external connections
HIPAA Security Rule	164.308(a)(3), 164.308(a)(4), 164.312(a)(1), 164.312(d)	Access management, workforce clearance, authentication, email encryption
SOC 2	CC6.1, CC6.2, CC6.6, CC6.7, CC7.2	User access controls, authentication, MFA, system monitoring
PCI DSS v4.0	7.1, 8.3, 8.4, 8.5	Access control, MFA, authentication management

Example: CIS Control 5.3

Control Requirement:

“Require multi-factor authentication for all administrative access”

Microsoft 365 Evidence:

✅ MFA Enrollment: 94% of users (47 of 50 users)
✅ Last Sync: 1 hour ago
✅ MFA Details:
   - Admins with MFA: 5 of 5 (100%)
   - Standard Users with MFA: 42 of 45 (93.3%)
   - Users Without MFA: 3 (flagged for remediation)
   - MFA Methods: Authenticator App (40), Phone (7)
   - Conditional Access: Enforced for admin roles
✅ Gap Identified: 3 users need MFA enrollment
   → Users: [email protected], [email protected], [email protected]

Status: PARTIALLY SATISFIED (94% coverage, 100% for admins)
Recommendation: Enroll remaining 3 users in MFA

Setup Instructions

Step 1: Register Application in Azure AD

Log in to Azure Portal (https://portal.azure.com)
Navigate to Azure Active Directory → App registrations
Click New registration
Configure application:
- Name: “LanternOps Integration”
- Supported account types: “Accounts in this organizational directory only”
- Redirect URI: Web → https://lanternops.app/integrations/microsoft/callback
Click Register
Copy Application (client) ID (you’ll need this)
Copy Directory (tenant) ID (you’ll need this)

Step 2: Create Client Secret

In your app registration, navigate to Certificates & secrets
Click New client secret
Configure secret:
- Description: “LanternOps Integration Secret”
- Expires: 24 months (recommended)
Click Add
Copy secret value immediately (shown only once!)

Step 3: Grant API Permissions

In your app registration, navigate to API permissions
Click Add a permission
Select Microsoft Graph
Select Application permissions (not delegated)
Add these permissions:

Required Permissions:

User.Read.All                - Read user profiles
Group.Read.All               - Read groups and memberships
Directory.Read.All           - Read directory data
Organization.Read.All        - Read organization info
AuditLog.Read.All           - Read audit logs
Policy.Read.All             - Read conditional access policies
UserAuthenticationMethod.Read.All - Read MFA methods
Mail.Read                   - Read mailboxes (for communication intelligence)
MailboxSettings.Read        - Read mailbox settings
Calendars.Read              - Read calendar (for communication intelligence)
Team.ReadBasic.All          - Read Teams metadata

Click Add permissions
Click Grant admin consent for [Your Organization]
Verify all permissions show green checkmark

Step 4: Configure LanternOps Integration

Log in to LanternOps
In the sidebar, click Integrations
Click the Configure button next to Microsoft 365
Click Add Customer Tenant
Enter credentials:
- Tenant Name: “Customer Name - Microsoft 365”
- Tenant ID: [Paste from Step 1]
- Domain: Primary domain (e.g., customer.onmicrosoft.com)
- Client ID: [Paste from Step 1]
- Client Secret: [Paste from Step 2]
- Auth Mode: Select “Direct Tenant (SAM)” or “GDAP” for MSP partners
- Customer: Map to existing customer in LanternOps
Click the Save button
Click the Test Connection button
For OAuth flows: Click Authorize and sign in with appropriate admin account
Grant permissions when prompted

Step 5: Configure Sync Settings

Sync settings are managed through the Microsoft Graph sync tasks. The system automatically syncs:

Default Sync Entities:

Users - Active directory users and identities
Groups - Microsoft 365 Groups and security groups
Devices - Intune-managed devices (if applicable)
Licenses - Subscription and license assignments
Mail - Mailbox settings and email data (for Communication Intelligence)
Teams - Teams metadata and activity (for Communication Intelligence)

Sync Frequency: Every 1 hour (Graph API uses delta queries for efficiency)

Advanced Options: Configure specific endpoints to sync in the tenant settings:

Security Endpoints: Secure Score, Conditional Access policies
Compliance Endpoints: Audit logs, mailbox settings
Communication Intelligence: Email and Teams message harvesting

Sync runs automatically in background via Celery tasks.

Step 6: Run Initial Sync

In the sidebar, click Integrations
Click the Configure button next to Microsoft 365
Navigate to the Sync Progress tab
Select your customer tenant
Click the Sync Now button (or select specific endpoints to sync)
First sync takes 20-40 minutes (imports all users, groups, devices, licenses)
Monitor progress on the Sync Progress page:
- View sync status per endpoint
- Check records synced count
- Review any errors or warnings
Verify data appears:
- Check the customer tenant detail page
- Review user count, license count, security score
- Verify last sync timestamps are recent

GDAP Support (For MSPs)

Granular Delegated Admin Privileges (GDAP) is supported for MSP partners.

GDAP Setup

Establish GDAP Relationship in Partner Center
Ensure GDAP includes these roles:
- Directory Readers (minimum)
- Global Reader (recommended)
- Reports Reader (for analytics)
In LanternOps, configure integration with Customer Tenant ID
Use MSP application credentials (not customer credentials)

Benefits:

✅ Least-privilege access (more secure than DAP)
✅ Time-limited delegated access
✅ Audit trail of partner access
✅ Granular role assignment

Customer Mapping

For MSPs managing multiple M365 tenants:

Multi-Tenant Configuration

Setup Multiple Integrations:

In the sidebar, click Integrations
Click the Configure button next to Microsoft 365
Click Add Customer Tenant
Enter tenant-specific credentials (Tenant ID, Client ID, Secret)
Map to specific LanternOps customer

Auto-Mapping:

LanternOps matches M365 tenant domain to customer domain
Example: acme.onmicrosoft.com → Customer “Acme Corporation”

Manual Mapping:

If auto-match fails, manually select customer from dropdown
Saved for future syncs

Sync Schedule

Default Frequency: Every 1 hour

Why Hourly?

User changes happen frequently (new hires, terminations)
Security events need fast detection (MFA disabled, new admin)
License changes require quick updates
Email security posture can shift rapidly

What Gets Synced Each Cycle:

Data Type	Sync Method	Records Updated
Users	Incremental (delta query)	Only new/changed users
Groups	Incremental (delta query)	Only new/changed groups
Devices	Incremental	Only new/changed devices
Licenses	Full	All subscriptions (lightweight)
MFA Status	Incremental	Only changed enrollment status
Mailboxes	Incremental (delta query)	Only new/modified mailboxes
Teams Messages	Incremental (delta query)	Last 7 days only
Exchange Emails	Incremental (delta query)	Last 7 days only

First Sync vs. Subsequent Syncs:

First Sync: 20-40 minutes (full tenant import)
Incremental Sync: 3-8 minutes (delta changes only)

Delta Query Optimization: Microsoft Graph delta queries ensure we only fetch changed data, reducing API calls by 90%+

Communication Intelligence

Advanced feature for service delivery tracking.

What It Does

Analyzes Exchange emails and Teams messages to automatically detect:

Work Extraction:

Customer support provided via email/Teams
Project work discussed in communications
Incidents handled through messaging
Time spent on customer communications

Pattern Detection:

Customer touchpoints per week
Response time to customer requests
Communication volume trends
Escalation patterns

Sentiment Analysis:

Positive/negative communication tone
Customer satisfaction signals
Relationship health indicators

Setup Requirements

Prerequisites:

Microsoft 365 integration configured
Communication Intelligence feature enabled in LanternOps plan
Additional API permissions granted (see Step 3 above):
- Mail.Read
- Calendars.Read
- Team.ReadBasic.All

Configuration:

Navigate to Communication Intelligence → Settings
Enable Exchange Email Harvesting
Enable Teams Message Harvesting
Set Harvest Frequency: Every 15 minutes (for real-time analysis)
Configure Target Accounts: Select user mailboxes to monitor (e.g., support@, team leads)

Privacy Note: Only analyzes emails/messages sent to/from customers. Internal communications are excluded.

Real-Time Sync

Webhook Support:

Microsoft Graph change notifications provide <5 minute latency
New customer emails trigger immediate analysis
Critical messages prioritized for AI analysis

Use Cases:

Prove customer support delivery in QBRs
Track work done that wasn’t ticketed (hidden revenue)
Identify customers needing attention (low communication = risk)
Demonstrate response time SLA compliance

Monitoring & Troubleshooting

Check Sync Health

Navigate to ETL Health Dashboard (/platform/etl/):

Healthy Sync Indicators:

🟢 Status: Healthy
✅ Failure Rate: <4%
⏱️ Last Sync: Within last 1 hour
📊 Records Synced: >0 users per sync

Common Issues

”Authentication Failed” Error

Cause: Invalid credentials or expired client secret

Solution:

Verify Tenant ID, Client ID, and Client Secret are correct
Check if Client Secret expired (Azure Portal → App Registration → Certificates & secrets)
If expired, generate new secret and update in LanternOps
Ensure Admin Consent granted for API permissions
Try Re-authorize button in LanternOps

”Insufficient Permissions” Error

Cause: Missing API permissions or admin consent not granted

Solution:

Navigate to Azure Portal → App Registrations → API Permissions
Verify all required permissions are listed (see Step 3 above)
Click Grant admin consent button
Verify all permissions show green checkmark (not gray)
Wait 5 minutes for permissions to propagate
Try sync again

”No Users Found” After Sync

Cause: Permissions issue or wrong tenant ID

Solution:

Verify Tenant ID is correct (Azure Portal → Azure AD → Overview)
Check API permission User.Read.All is granted
Ensure Admin Consent granted (not just “Granted” but “Granted for [Org]”)
Test with Microsoft Graph Explorer (https://developer.microsoft.com/graph/graph-explorer):
- Sign in with admin account
- Try query: GET https://graph.microsoft.com/v1.0/users
- Should return user list
If Graph Explorer works but LanternOps doesn’t, contact support

”Token Refresh Failed” Error

Cause: Client secret expired or app registration deleted

Solution:

Check Azure Portal → App Registrations → verify app still exists
Check Certificates & secrets → verify secret hasn’t expired
If expired, generate new secret and update in LanternOps
Click Re-authorize to refresh tokens

”Rate Limit Exceeded” Error

Cause: Too many API requests to Microsoft Graph (rare with delta queries)

Solution:

Automatic recovery: ETL system retries after 15 minutes
If persistent: Reduce sync frequency to every 2 hours (not recommended)
Best practice: Keep hourly sync but reduce scope (disable Teams/Exchange if not needed)

Verify Data Accuracy

After first sync, verify:

User Count Matches
- Azure AD: Count active users
- LanternOps: Navigate to Identity → Users
- Counts should match exactly
MFA Status Accurate
- Select several users in LanternOps
- Check their MFA status
- Verify matches Azure AD (Azure Portal → Users → MFA Status)
License Data Present
- Navigate to Licensing → Overview
- Should see all M365 subscriptions (E3, E5, etc.)
- License counts should match Microsoft 365 Admin Center
Groups Synced
- Navigate to Identity → Groups
- Verify groups appear
- Check group memberships are correct

Business Value

Security Value

MFA Enrollment Tracking:

Real-time visibility into MFA coverage
Identify users without MFA (security risk)
Track MFA adoption over time
Prove access control for compliance

Example Customer Value:

“94% of your users have MFA enabled, protecting against 99.9% of account compromise attacks. We’ve identified 3 users who still need MFA - we’ll enroll them this week to achieve 100% coverage and full CMMC compliance.”

Cost Optimization

License Utilization:

Find unused licenses (assigned but never used)
Identify over-licensed users (E5 when E3 would suffice)
Calculate cost savings opportunity

Example:

License Audit Results:
✅ Total Licenses: 50
❌ Unused Licenses: 7 (never signed in)
💰 Cost: 7 × $23/month = $161/month wasted
💰 Annual Savings: $1,932 if licenses removed

Recommendation: Remove 7 unused licenses

Compliance Value

Frameworks Covered:

CIS Controls (8 controls satisfied)
NIST CSF (5 controls satisfied)
CMMC Level 2 (5 controls satisfied)
HIPAA (4 controls satisfied)
SOC 2 (5 controls satisfied)
PCI DSS (4 controls satisfied)

Audit Package Includes:

User account inventory
MFA enrollment evidence
Access control policies
Email security configuration
Audit logging status
Evidence timestamps

Revenue Opportunities

Microsoft 365 data powers automatic opportunity detection:

MFA Gaps:

Find users without MFA
Upsell: “MFA enrollment service - $500 one-time”

License Optimization:

Unused licenses → Cost savings proposal
Under-licensed users → Upgrade recommendation
Missing features → Upsell E3 to E5

Security Gaps:

No Advanced Threat Protection → Upsell Defender for Office 365
No email encryption → Recommend compliance add-ons
Guest user sprawl → Identity governance service

Communication Intelligence:

Prove hidden work delivered (not in tickets)
Demonstrate value in QBRs
Find customers needing attention (low communication = churn risk)

Average Revenue Found: $2,000-$5,000 per customer

Best Practices

Setup

✅ Use Application permissions (not delegated) for background sync
✅ Grant all required permissions before first sync
✅ Use long-lived client secret (24 months) to avoid frequent rotation
✅ For MSPs: Use GDAP instead of legacy DAP

Ongoing Maintenance

✅ Review MFA Dashboard weekly
✅ Check license utilization monthly
✅ Monitor ETL Health Dashboard for sync issues
✅ Rotate client secret before expiration (set calendar reminder)

Security

✅ Credentials are encrypted at rest (AES-256)
✅ Never shared across MSP tenants
✅ Use read-only permissions (LanternOps never writes to M365)
✅ Enable conditional access for admin accounts in Azure AD

Performance

✅ Keep sync frequency at 1 hour for fresh data
✅ Use delta queries to minimize API calls (enabled by default)
✅ First sync during off-hours (takes 20-40 minutes)
✅ Monitor failure rate (should be <4%)

API Permissions Reference

Minimum Required Permissions

Core Identity & Access:

User.Read.All - Read all users
Group.Read.All - Read all groups
Directory.Read.All - Read directory data
Organization.Read.All - Read org settings

Security & Compliance:

AuditLog.Read.All - Read audit logs
Policy.Read.All - Read conditional access
UserAuthenticationMethod.Read.All - Read MFA status

Communication Intelligence (Optional):

Mail.Read - Read mailboxes
MailboxSettings.Read - Read mailbox settings
Calendars.Read - Read calendars
Team.ReadBasic.All - Read Teams metadata

Permission Type: Application (not Delegated)

Admin Consent Required: Yes (Global Administrator)

Next Steps

Verify User Data
- Check Identity → Users
- Confirm user counts and MFA status
- Review license assignments
Set Up MFA Monitoring
- Navigate to Security → MFA Dashboard
- Review coverage percentage
- Identify users needing MFA enrollment
Enable Communication Intelligence (Optional)
- Configure email/Teams harvesting
- Set target mailboxes to monitor
- Communication Intelligence Guide
Generate Compliance Evidence
- Navigate to Compliance → Audit Packages
- Select framework (e.g., CMMC, HIPAA)
- See M365 evidence for identity/access controls

Questions?

What if users aren’t syncing?
How does GDAP work with LanternOps?
Why is my sync failing?
How do I find license optimization opportunities?
What is Communication Intelligence?
Contact Support