Overview
Torii integrates with Microsoft 365 and syncs users, licenses, usage, and external apps.
- You can connect multiple Microsoft 365 accounts to Torii.
- For up-to-date information on what this integration supports, open the Integrations page, click the Integration Capabilities button, and see the Integration Capabilities table.
This article covers connecting Microsoft 365 using an App Registration (app-only authentication): you provide a Tenant ID, Application (Client) ID, and Client Secret. Authentication is performed using the application's credentials (client credentials flow), so no interactive admin sign-in is required during setup or sync.
Prefer to connect with an administrator user instead? See Microsoft 365 (Admin user) Integration.
Requirements
To connect this integration, we require the following:
Accounts & Permissions
- An administrator who can register an application in Microsoft Entra ID and grant tenant-wide admin consent.
Scopes
Grant the following Microsoft Graph application permissions (with admin consent).
For data sync (required):
- User.Read.All - to read users.
- Directory.Read.All - to read groups, directory roles, and license (SKU) data.
- Reports.Read.All - to read Microsoft 365 usage and activity reports.
For workflow actions (only if you plan to run them):
- User.ReadWrite.All - to create, update, and delete users, assign/remove managers, change user type, and revoke sign-in sessions.
- Group.ReadWrite.All - to add and remove users from groups.
- User.EnableDisableAccount.All - to enable and disable user accounts.
- Mail.ReadWrite - to create email forwarding rules.
- MailboxSettings.ReadWrite - to enable and disable automatic replies (out-of-office).
- Calendars.ReadWrite - to delete calendars and calendar events, and remove calendar delegations.
- Files.ReadWrite.All - to migrate OneDrive user files.
Required keys
- Tenant ID (Directory ID)
- Application (Client) ID
- Client Secret
How to Generate the Required Values
Step 1: Register an application
- In the Microsoft Entra admin center, go to Entra ID > App registrations > New registration.
- Enter a name (for example, "Torii") and select Register.
- On the application's Overview page, copy the Directory (tenant) ID and the Application (client) ID.
Step 2: Create a client secret
- Open Certificates & secrets > New client secret.
- Add a description and select the longest available expiry (recommended, so the connection needs re-credentialing less often), then select Add.
- Copy the secret Value immediately.
Important
The client secret Value is shown only once, right after creation. Copy it before leaving the page; you cannot retrieve it later. When it expires, create a new secret and reconnect.
Step 3: Grant Microsoft Graph application permissions
- Open API permissions > Add a permission > Microsoft Graph > Application permissions.
- Add the permissions listed under Requirements > Scopes above — the read permissions for data sync, plus the write permissions if you plan to run workflow actions.
- Select Grant admin consent and confirm.
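An added example, not Torii's or Microsoft's code: a least-privilege check that compares the application permissions carried in an app-only token's `roles` claim with the lists under Requirements > Scopes. The function names and the sample token are constructed for illustration, and the token is decoded for inspection only, without signature verification.

```python
import base64
import json

# Application permission names copied from this page's Requirements > Scopes list.
READ_ROLES = {"User.Read.All", "Directory.Read.All", "Reports.Read.All"}
WRITE_ROLES = {
    "User.ReadWrite.All", "Group.ReadWrite.All", "User.EnableDisableAccount.All",
    "Mail.ReadWrite", "MailboxSettings.ReadWrite", "Calendars.ReadWrite",
    "Files.ReadWrite.All",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def token_roles(jwt: str) -> set:
    """Return the 'roles' claim of a compact JWT. Decodes only; no signature check."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("roles", []))


def audit_roles(granted: set, workflows_enabled: bool) -> dict:
    """Compare granted permissions with what the chosen connection mode needs."""
    expected = READ_ROLES | (WRITE_ROLES if workflows_enabled else set())
    return {
        "missing": sorted(expected - granted),     # listed on this page but not granted
        "unexpected": sorted(granted - expected),  # granted but not needed for this mode
    }


def make_sample_token(roles: list) -> str:
    """Build a constructed, unsigned token for offline demonstration (hypothetical helper)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url(json.dumps({"aud": "https://graph.microsoft.com", "roles": roles}).encode())
    return f"{header}.{body}.constructed"


if __name__ == "__main__":
    # Constructed case: a read-only connection whose app was also granted Mail.ReadWrite.
    sample = make_sample_token(sorted(READ_ROLES) + ["Mail.ReadWrite"])
    print(audit_roles(token_roles(sample), workflows_enabled=False))
```

To check a real registration, pass `token_roles` an access token issued to the app by the client credentials flow.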
How to Connect the Integration
- Go to the Integrations page in Torii.
- Search for Microsoft 365 and click Connect.
- Select the App registration connection method.
- Enter the Tenant ID, Application (Client) ID, and Client Secret.
- To use workflow actions, choose the read/write permission option.
- Click Connect.
Additional Notes
- Supported workflow actions with this method (connect as read/write and grant the write permissions above): create / update / delete user, enable / disable account, assign / remove manager, change user type, revoke sign-in sessions, add / remove users from groups, create email forwarding rule, enable / disable automatic replies, delete calendars / calendar events, remove calendar delegations, and migrate OneDrive user files.
- Password reset (change user password) is not available with the app-registration method. To use it, connect with the Admin user (OAuth) method instead.
For any further questions, please contact Torii Support.