Microsoft 365 is managed through two APIs depending on the operation. The Microsoft Graph API handles the majority of M365 management: users, groups, mail, calendar, SharePoint, Teams, devices, and security. Exchange Online delegation (Full Access, Send As, Send on Behalf) uses a separate Exchange Admin API because Microsoft Graph does not support these operations. See Exchange Online Delegation for that setup.
Prerequisites
A Microsoft 365 tenant with Global Administrator access
The tenant must have the required licenses for the features you want to use
Step 1: Connect via OAuth
In Junto, go to the company's Integrations page.
Find Microsoft 365 and click Connect.
Authenticate with Global Administrator credentials for the customer's tenant.
Review and accept the requested permissions.
After authorization, you are redirected back to Junto with an active connection.
What the AI Agent Can Do
User Management
Tool | Description | Risk Level | Approval |
List Users | Browse and search users in the tenant | Low | None |
Get User Details | View user profile, licenses, sign-in activity | Low | None |
Create User | Create a new user account | High | Always |
Update User | Modify user properties | High | Always |
Delete User | Soft-delete a user account | High | Always |
Restore Deleted User | Restore a recently deleted user | High | Always |
Reset Password | Reset a user's password | High | Always |
Assign License | Add a license to a user | High | Always |
Remove License | Remove a license from a user | High | Always |
Group Management
Tool | Description | Risk Level | Approval |
List Groups | Browse and search groups | Low | None |
Get Group Details | View group members, owners, licenses | Low | None |
Create Group | Create a new security or M365 group | High | Always |
Delete Group | Delete a group | High | Always |
Add/Remove Members | Manage group membership | High | Always |
Assign/Remove Group License | Manage licenses at the group level | High | Always |
Mail & Mailbox
Tool | Description | Risk Level | Approval |
Get Mailbox Settings | View mailbox configuration and out-of-office | Low | None |
Set Out-of-Office | Configure automatic replies | High | Always |
List Inbox Rules | View mail forwarding and inbox rules | Low | None |
Create Inbox Rule | Set up mail forwarding rules | High | Always |
Calendar
Tool | Description | Risk Level | Approval |
List Events | View calendar events and free/busy | Low | None |
Create Event | Schedule a calendar event | High | Always |
Delete Event | Remove a calendar event | High | Always |
SharePoint & OneDrive
Tool | Description | Risk Level | Approval |
List Sites | Browse SharePoint sites | Low | None |
List Files | Browse document libraries and folders | Low | None |
Search Files | Search across files and sites | Low | None |
Create Folder | Create a new folder | Medium | Always |
Delete Item | Delete a file or folder | High | Always |
Manage Sharing | Create or remove sharing links | High | Always |
Teams
Tool | Description | Risk Level | Approval |
List Teams | View teams a user belongs to | Low | None |
Create Team | Create a new team | High | Always |
Add/Remove Members | Manage team membership | High | Always |
Create Channel | Add a channel to a team | Medium | Always |
Send Channel Message | Post a message to a channel | Medium | Always |
Archive Team | Archive or restore a team | High | Always |
Devices
Tool | Description | Risk Level | Approval |
List Devices | View Azure AD and Intune devices | Low | None |
Enable/Disable Device | Change device status | High | Always |
Remote Wipe | Wipe a managed device | High | Always |
Sync Device | Trigger an Intune sync | Medium | Always |
Get BitLocker Key | Retrieve a recovery key | High | Always |
Security & Identity
Tool | Description | Risk Level | Approval |
List Security Alerts | View active security alerts | Low | None |
List Risky Users | View users flagged as risky | Low | None |
Dismiss Risk | Clear a user's risk status | High | Always |
View Secure Score | Check the tenant's security posture | Low | None |
Conditional Access | View or toggle CA policies | High | Always |
Audit & Reporting
Tool | Description | Risk Level |
Sign-in Logs | View recent sign-in activity (requires Azure AD P1/P2) | Low |
Audit Logs | View directory change history | Low |
Mailbox Usage | Generate usage reports | Low |
License Requirements
Some features require specific licenses in the customer's tenant:
Feature | Required License |
Sign-in logs, Audit logs | Azure AD Premium P1 or P2 |
Identity Protection (risky users) | Azure AD Premium P2 |
Conditional Access policies | Azure AD Premium P1 or P2 |
Intune device management | Microsoft Intune or M365 E3/E5 |
Teams features | Microsoft Teams license |
BitLocker recovery keys | Azure AD Premium P1 or P2 |
Message trace | Exchange Online |
Troubleshooting
OAuth connection fails: Ensure you are signing in as a Global Administrator of the customer's tenant, not your own.
Missing data: Some features require specific licenses. Check the license table above.
Token expired: The integration refreshes tokens automatically. If the connection shows "Token expired", disconnect and reconnect.
