Sign in
Get Help

Microsoft Integration


This integration enables the flow of data from Microsoft directly in to IT Glue. Tenants, Users and Mailbox information will sync automatically, staying accurate and up to date.

Benefits of this integration include:

  • Managing the options of your Microsoft asset including manual syncing and comparing data between IT Glue and Microsoft
  • Jump from IT Glue to a User List in the Tenant Portal when you click Manage on a synced Contact
  • Viewing logs related to your Microsoft integration in the Sync Logs

At any time, you can come back to the Active Integrations screen (Account > Integrations) to make changes to the integration.

The field mappings are set up automatically when you follow the instructions below. For more information, refer to our Microsoft Field Mapping KB article.


  • Manager or Administrator access to IT Glue
  • One available data source
  • Microsoft Cloud Partner certified to offer delegated administration
  • Delegated admin permissions to each of your clients' Microsoft tenants through your own Microsoft admin portal, rather than direct logins to their admin portals
    Note: We are aware of Microsoft's upcoming changes with granular delegated admin permissions (GDAP) and are working on a solution. Please continue to use Delegated admin permissions in each tenant to ensure that data will sync to IT Glue.

You will need to turn off a feature in Microsoft that conceals users, groups, and site names. If you do not turn off this feature then the integration will not be able to see mailbox usage. To prevent this issue, action the following steps in the Microsoft 365 Admin Center.

  1. In the Microsoft 365 Admin Center, navigate to Settings > Org Settings > Services.
  2. Select Reports.
  3. Clear Display concealed user, group, and site names in all reports, and click Save.

Please note that the Microsoft integration supports direct logins to client admin portals, but integrating in this way requires an additional data source and following the steps in this article for each client you wish to integrate.

 Before you start this integration, thoroughly review your existing contacts in IT Glue and ensure they follow the matching logic below. If existing contacts do not match exactly to this logic, the integration will create unwanted duplicates.

IT Glue Asset IT Glue Field Microsoft Field
 Contacts Email 
  1. Attempt match on any alias of the Microsoft user.
  2. Attempt match on the username value (e.g. the domain).
  3. Attempt match on combination of First Name + Last Name.


Configure Application

  1. Log in to your Microsoft Account.

  2. In the left-hand sidebar, click Admin centers > Azure Active Directory.


  3. In the new Dashboard window that opens, click Azure Active Directory > App registrations.


  4. Click + New registration.


  5. Complete the following actions in the Register an application screen.
    1. Name - Enter an application name that will be displayed to users of the app.
    2. Supported account types - Select the Accounts in any organizational directory and personal Microsoft accounts option to map to Azure AD only multi-tenant.

    3. Redirect URI (optional) - If desired, select Web in the drop-down menu and enter a URL for the app.


  6. Click the Register button at the bottom of the screen to access the newly created application.

Get Application ID and Tenant ID 

  1. In the left-hand column, click Azure Active Directory > App registrations and then All applications. Click on your newly configured application in the list.


  2. Click the Copy to clipboard icon beside the Application ID and Directory ID (Tenant ID) and paste them into IT Glue. Refer to the Integrating Microsoft with IT Glue section in this KB article.


Generate secret key

  1. In the left-hand column, click Certificate & secrets and then + New client secret. An Add a client secret screen will appear.


  2. Add a description for your client secret, select 24 months under Expires and then Add.


  3. In the Value column, click the Copy to clipboard icon beside the secret key and paste it in to IT Glue. Refer to the Integrating Microsoft with IT Glue section in this KB article.


    Note: After you save the configuration changes, the right-hand column will contain the client secret value. Be sure to copy the value for use in your client application code as it will not be accessible once you leave the page.

Add Permissions

You will need to add API access to complete the application. The APIs you need are Windows Azure Active Directory, which is automatically added when you create the application, and Microsoft Graph.

Important. On June 30th 2022, we will be deprecating support for the Azure Active Directory Graph API. Please update your API permissions using the "App Registrations" page in Azure to reflect the information provided here.
  1. Click API permissions in the left-hand menu.


    Important. You will see that Microsoft Graph has already assigned a default User.Read. permission. Click this permission and then Remove permission. Click Yes, remove to delete this permission.


  2. Once the default permission is removed, click the + Add a permission button.


  3. In the Request API permissions screen, click the Microsoft Graph button.


    • Click Application permissions and complete the following actions for each of the subsections:
      1. Directory - Check the box beside Directory.ReadWrite.All.
      2. Reports - Check the box beside Reports.Read.All
      3. User - Check the box beside User.Read.All




      Note: If you have configured this integration prior to May 25, 2022, review your API permissions to ensure they are up to date with this article.
      The following are the list of API permissions required for the integration:

      • AuditLog.Read.All
      • DeviceManagementManagedDevices.Read.All
      • Directory.Read.All
      • Directory.ReadWrite.All
      • Reports.Read.All
      • User.Read.All
        Important: ReadWrite access to directory data is required to add the created Azure application to the AdminAgents security group. Without this permission, this can only be done directly with Microsofts API or PowerShell. As of Sep 2018, the Microsoft 365 UI only supports adding new users to groups and not the applications.
  4. Save the changes by clicking Add permissions at the bottom of the screen.
  5. In the API permissions main screen, click the Grant admin consent for Company button.


  6. In the confirmation pop-up, click Yes.


Once consent is granted, you will see a confirmation banner at the top of the screen and that all permissions in the Status column reflect the same.

Important. To recap, please ensure that you select the Directory.ReadWrite.All permission for Microsoft Graph (step 4).

Integrating Microsoft with IT Glue

  1. In IT Glue, navigate to Account > Integration and click the + New button. Then, click on the Microsoft button.


  2. Enter the information you copied from the Get Application ID & Tenant ID and Generate secret key sections of this KB article and click Connect.


  3. After you enter your Microsoft login information in IT Glue, you'll be taken to the Sync your data Microsoft screen. Select the data you want to sync. By default, recommended options are listed first. Your options may look different than in the screenshot above.
    Note: As a best practice, we recommend that you only select the user subscriptions that you actively manage. If you would like to see licenses, ensure the Licenses checkbox under Other is selected.


  4. Select the Enhance Contacts with Azure Active Directory checkbox under Azure Active Directory Sync to further enhance your IT Glue contacts with Azure information. This feature pulls in fields for Status, Last Logon, and Last Password Change.
      • This is a Network Glue only field. Your account must have the Network Glue add-on in order to use.
      • In order to obtain all available Azure AD fields, the Microsoft Graph (Read all audit log data) permission must be enabled in the Azure Active Directory application.
      • The Last Logon field will only appear when the user has logged on in the past 30 days.
  5. Click the Save and continue button. The sync will be automatically queued in the Active Integrations main screen.
  6. By default, newly queued syncs are scheduled to take place one hour later. Use the manual sync option to prioritize the sync to start sooner. Click Actions and then Start Manual Sync.


  7. From the Active Integrations screen, you can see the overall sync status. When the sync is complete, the Status column changes from Syncing... to OK.
    Note: If you have a Microsoft Partner Network account with access to multiple tenants, disconnecting an Microsoft integration will not remove Admin privileges from your configured application. Remove these Admin privileges yourself or delete the configured application if no longer needed.

View synced contacts

IT Glue discovers tenants and users and tries to match them to your data in your account based on the following logic:

Rule Matches On
Organization Tenant name
Contact email address Username + "@" domain

If no organization can be matched automatically, suggestions will be made based on name similarity. If no suggestions can be made, you will have the option to create a new organization.

Tip! If you have two-way sync enabled in Kaseya BMS or Vorex PSA, all contacts created with your Microsoft integration can be automatically pushed to your PSA. For two-way sync instructions, review our Enable two-way sync KB article or one of the applicable KB articles below:

  1. From Account > Integrations, click on Actions and then Matching.


  2. Start with the Unmatched filter to review unmatched organizations.


  3. If you're happy with any suggested search, click Accept Suggestion to accept it, or, you can search for and choose a different organization using the Match To column. You can also choose to ignore organizations, which means they won't count as unmatched items in subsequent syncs.
    Warning. If you don't see an organization, click Actions > Create Organization to create (import) it. Make sure there is nothing to match first, so that you don't create a duplicate organization.


  4. Review all your unmatched organizations until they are all unmatched.
  5. If you change your mind about any of the matches, click Actions, choose Change Match, and then manually search for and choose a different organization.


    Note: Contact matching behaves slightly differently to standard matching logic. If no match can be made based on the criteria listed in the Prerequisites of this KB article, a new duplicate contact will be created without further user input.
  6. Once all organizations have been matched, you will need to start a new manual sync. Navigate to Account > Integration > Actions > Start Manual Sync. This second manual sync will sync all contacts and organizations in to IT Glue now that you've matched your organizations.
  7. When the sync is complete, click on any matched tenant to take you to the relevant organization. Then, click Contacts from the sidebar.


  8. Click on any contact that has corresponding data Microsoft and you will be able to see the additional data overlay as shown below.


  9. Continue onto the Office 365 License Integration KB article.

Have more questions?

Contact us

Was this article helpful?
2 out of 2 found this helpful

Provide feedback for the Documentation team!

Browse this section