Skip to content
Scopable logoScopable
IntegrationsLast updated: 2026-06-22

Microsoft 365 Integration Setup Guide

Connect Microsoft 365 to Scopable to discover your managed customer tenants and sync users, MFA status, and license assignments. No app registration required.

Scopable Team6 min read

Prerequisites

  • A Scopable account with admin permissions (the Manage Tenant Settings permission)
  • A Microsoft 365 Global Administrator to approve consent
  • GDAP (Granular Delegated Admin Privileges) relationships with the customers you manage
  • The Microsoft 365 tab enabled for your Scopable account

You do not need to register an Azure app. You do not need to copy client IDs or secrets. Connecting Microsoft 365 to Scopable is a one-click sign-in: a Global Administrator approves the connection once, and Scopable starts pulling your managed customers' user, MFA, and license data on your behalf.

This guide covers the tenant-level Microsoft 365 connection, the MSP-wide connection an admin sets up once. (There is a separate, personal "Connect Microsoft 365" option further down the same page that lets each individual user link their own mailbox for calendar and Teams meeting summaries. That is a different feature; this guide is about the tenant-level sync.)

What connecting Microsoft 365 does

Once connected, Scopable uses your Microsoft Partner Center relationships to:

  • Discover your managed customer tenants automatically.
  • Sync users for each customer, including multi-factor authentication (MFA) status.
  • Sync license assignments so you can see what each customer owns.
  • Match users to your existing contacts by email address.

This data powers user and MFA visibility, license inventory, and compliance (GRC) evidence collection. If you also run ConnectWise Manage, Microsoft 365 users link to the contacts you already synced from your PSA.

Two roles matter for this setup:

  • On the Scopable side: you need admin permissions, specifically the Manage Tenant Settings permission. Without it, the Connect M365 button is disabled.
  • On the Microsoft side: the person who approves the connection must be a Global Administrator of your Microsoft 365 tenant. A non-admin cannot grant the consent Scopable requests.

You also need GDAP (Granular Delegated Admin Privileges) relationships with the customers you want to sync. Scopable reads customer data through those delegated relationships. The roles that matter for this integration are:

  • Global Reader: read customer directory data
  • User Administrator: required to read MFA / authentication-method status
  • Reports Reader: a fallback path for MFA reporting

You do not create your own Azure AD app registration for this flow. Scopable uses a shared, Microsoft-verified multi-tenant application. The only Microsoft-side action you take is approving the consent screen in Step 3.

Step 2: Open the Microsoft 365 integration in Scopable

  1. Log in to Scopable as an Admin.
  2. Click Integrations in the left-side navigation under Administration.
  3. Open the Microsoft 365 tab.

On the Microsoft 365 Connection card you'll see the helper text: "Connect your Partner Center account to sync M365 user data, MFA status, and license info."

Don't see a Microsoft 365 tab? This integration is rolled out gradually. If the tab isn't visible under Integrations, it isn't enabled for your account yet. Contact Scopable to request access.

  1. Click Connect M365.
  2. Your browser is redirected to Microsoft's sign-in and consent screen.
  3. Sign in as a Global Administrator.
  4. Review the permissions Scopable requests (directory, users, licenses, reporting, and security read access) and click Accept.
  5. Microsoft redirects you back to Scopable, which securely stores the connection. The card now shows a sync status and a Connected Customers section.

There are no credentials to type anywhere in this flow. Choosing the right Microsoft account at the consent screen is the only input.

Step 4: Map customer tenants to your clients

So that each customer's users land under the right Scopable client, map your discovered Microsoft 365 tenants to clients.

  1. On the Microsoft 365 page, click Manage Tenant Mappings.
  2. The M365 Tenant Mapping page lists every discovered tenant with summary counts: Total Tenants, Mapped, and Unmapped.
  3. For each unmapped tenant, click Map. Scopable shows Suggested Matches (with a confidence score) and a Select Client search box.
  4. Choose the matching client and click Create Mapping.

To move faster, tick several unmapped tenants and use Map Selected to map them in bulk.

Unmapped tenants still sync users, but those users can't be linked to a client until you map the tenant. Mapping first keeps your data clean from the start.

Step 5: Run your first sync

Back on the Microsoft 365 page, click Trigger Sync to pull users, MFA status, and licenses. There's a short 30-second cooldown between manual syncs. You can re-check progress with Refresh Status at any time.

Troubleshooting

"You denied the authorization request" / access denied

The consent screen was cancelled, or the account used can't grant consent. Click Connect M365 again and Accept all requested permissions, signing in with a Global Administrator account.

A non-admin attempted to approve the connection. Have a Global Administrator complete the consent step.

"Your session has expired. Please try connecting again."

The one-time security token used during connect expired (it's valid for about 15 minutes) or was already used. Simply click Connect M365 again to restart.

"Microsoft did not provide a refresh token"

Microsoft didn't return the long-lived token Scopable needs, usually because not all requested permissions were approved. Reconnect and approve the full set.

A customer's MFA shows "unavailable"

Scopable couldn't read authentication methods for that tenant. Confirm your GDAP relationship includes User Administrator, and that the consent included authentication-method read access. Some MFA detail also depends on the customer holding Microsoft Entra ID P1 licensing.

A sync says it's already running

A sync lock is held while one is in progress (it clears itself automatically). Wait for the current run to finish, then trigger again.

"Your Microsoft authorization has expired or been revoked."

The stored authorization was revoked on the Microsoft side. Disconnect M365 and reconnect to re-establish consent.

Still stuck?

Email us at [email protected] with a screenshot of the error and we'll help you sort it out. A real person, not a chatbot.

Frequently Asked Questions

Do I need to create an Azure app registration?

No. Scopable uses a shared, Microsoft-verified multi-tenant app. The only Microsoft-side step is a Global Administrator approving the consent screen.

Who can set this up?

A Scopable admin with the Manage Tenant Settings permission starts the connection; a Microsoft 365 Global Administrator must approve the consent.

What data does Scopable pull?

Your managed customer tenants (via Partner Center), their users with MFA status, and license assignments. Users are matched to your existing Scopable contacts by email.

How do I make sure a customer's data shows under the right client?

Use Manage Tenant Mappings to map each Microsoft 365 tenant to a Scopable client. Suggested matches and bulk mapping make it quick.

What happens if I disconnect?

Disconnecting removes the synced Microsoft 365 data (user records, license records, and tenant-to-client mappings) along with the stored authorization. You'd reconnect and re-sync to restore it.

Why don't I see the Microsoft 365 tab?

The integration is enabled gradually. If you don't see it under Integrations, it isn't switched on for your account yet. Contact Scopable.

Related Resources