
Connect Microsoft 365

Microsoft 365 is how Vectis shows customer emails and upcoming meetings inline on each customer page — so a tech sees “last email 1:47pm — VPN down” before opening the ticket. It also drives MFA coverage + privileged-account evidence for the security posture page and compliance packs. Setup takes about 15 minutes: register an Entra ID app, grant six application permissions, paste the credentials here.

What Vectis does with Microsoft 365

  • Syncs email metadata from the technician mailboxes you list — sender, recipients, subject, a short preview, and the timestamp. Message bodies are never stored in Vectis.
  • Syncs calendar events where a customer contact is an attendee — past week and upcoming 14 days.
  • Filters by customer domain — any message that doesn’t touch a known customer’s email domain is dropped before it ever reaches the database. Vectis does not scrape your whole mailbox.
  • Fetches full message bodies on-demand, only when a user clicks to expand one, and writes every fetch to the audit log.
  • Pulls MFA registration state per user + whether they sit in a privileged directory role. Used by the security posture page + compliance evidence packs. Only the method types a user registered (e.g. authenticator, FIDO2) are stored — never the devices themselves or any secrets.

What you'll need

  • Microsoft 365 / Entra ID admin access. Creating the app registration only needs Application Administrator, but granting tenant-wide admin consent to Microsoft Graph application permissions (step 2) needs Global Administrator or Privileged Role Administrator; Application Administrator alone cannot consent to Graph application permissions.
  • A list of technician mailbox UPNs to sync

1. Register an Entra ID app

  1. Sign in to entra.microsoft.com as a tenant admin.
  2. Open Identity → Applications → App registrations and click New registration.
  3. Name it “Vectis”, leave supported account types as “Single tenant”, and skip the redirect URI (not needed for app-only auth).
  4. On the new app’s Overview page, copy the Application (client) ID and Directory (tenant) ID — you’ll paste both into Vectis.

2. Grant the six application permissions

  1. On the app, open API permissions → Add a permission → Microsoft Graph → Application permissions (not Delegated).
  2. Communications (email + calendar context):
    • Mail.Read — read mail in all mailboxes (the mailbox allow-list on the Vectis side is what actually scopes which ones we query)
    • Calendars.Read — read calendars in all mailboxes
    • User.Read.All — resolve UPNs / display names
  3. Security posture (MFA + privileged roles):
    • Reports.Read.All — pull the user-registration-details report (MFA / passwordless capability per user)
    • UserAuthenticationMethod.Read.All — read which authentication methods a user has registered (method types only, no secrets)
    • Directory.Read.All — enumerate directory roles to flag privileged accounts
  4. Back on API permissions, click Grant admin consent for <tenant>. The status column must turn to “Granted for” on all six — without this step, every Graph call 403s.
Application permissions grant the app the ability to read mail across the tenant: the token Vectis holds is valid for every mailbox, and the Technician Mailboxes list you set below is the only thing that constrains which mailboxes Vectis queries. We never query mailboxes that aren’t on that list, so treat the list as the authoritative scope, not a convenience filter. If you would rather have Exchange enforce that boundary than trust the connector, an Exchange Online application access policy (New-ApplicationAccessPolicy, scoped to a mail-enabled security group containing only the technician mailboxes) makes Graph refuse the app’s mail and calendar calls for every other mailbox. MFA / role data is tenant-wide by design: the compliance evidence pack is about the entire tenant, not a mailbox subset.
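The following is an added example, not Vectis documentation or Vectis code, showing how to pin the tenant-wide Mail.Read / Calendars.Read grant to the technician mailboxes inside Exchange Online itself. It assumes the ExchangeOnlineManagement module, an Exchange administrator account, and placeholder values for the app ID, group address and mailboxes (none of these are real identifiers). Application access policies only constrain the Mail, Calendars, Contacts and MailboxSettings application permissions; the User, Reports, Directory and authentication-method permissions are tenant-wide regardless.

```powershell
# Added example (not Vectis code): enforce the Technician Mailboxes scope in Exchange Online
# with an application access policy, so the Vectis app ID can read only one group's mailboxes
# even though its Mail.Read / Calendars.Read grants are tenant-wide.
# Every GUID, group and mailbox below is a placeholder assumption.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@msp.com

$VectisAppId = '00000000-0000-0000-0000-000000000000'   # Application (client) ID from step 1
$ScopeGroup  = 'vectis-techs@msp.com'                    # mail-enabled security group = the allow-list
$Technicians = 'jane@msp.com', 'jack@msp.com'            # same UPNs you enter in Vectis (step 4)

# 1. Mail-enabled security group whose members are exactly the Technician Mailboxes list.
#    (-Type Security creates a mail-enabled security group rather than a plain distribution list.)
if (-not (Get-DistributionGroup -Identity $ScopeGroup -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name 'Vectis technician mailboxes' -Alias 'vectis-techs' `
        -PrimarySmtpAddress $ScopeGroup -Type Security | Out-Null
}
foreach ($upn in $Technicians) {
    # Idempotent: adding an existing member just errors, which we suppress.
    Add-DistributionGroupMember -Identity $ScopeGroup -Member $upn -ErrorAction SilentlyContinue
}

# 2. Restrict the app to that group. RestrictAccess denies every mailbox outside the group,
#    independently of what the Vectis side chooses to query.
if (-not (Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $VectisAppId })) {
    New-ApplicationAccessPolicy -AppId $VectisAppId -PolicyScopeGroupId $ScopeGroup `
        -AccessRight RestrictAccess -Description 'Vectis: technician mailboxes only' | Out-Null
}

# 3. Verify from Exchange's point of view: a technician mailbox should report Granted,
#    any other mailbox Denied. Policies can take up to ~30 minutes to propagate, so
#    re-run this step if the first result disagrees with the policy you just created.
foreach ($mbx in ($Technicians + 'ceo@msp.com')) {
    $result = Test-ApplicationAccessPolicy -Identity $mbx -AppId $VectisAppId
    '{0,-24} {1}' -f $mbx, $result.AccessCheckResult
}
```

Keep the group membership and the Technician Mailboxes list in Vectis in sync: if a mailbox is on the Vectis list but not in the group, its sync will fail with 403 (Exchange denies the call), which is the safe direction; if it is in the group but not on the list, Vectis simply never asks for it.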

3. Create a client secret

  1. On the app, open Certificates & secrets → Client secrets → New client secret.
  2. Description: “Vectis”. Expiry: pick a timeline you’ll remember to rotate against — 12 or 24 months is typical. Set a calendar reminder now for ~2 weeks before expiry.
  3. Click Add. Copy the Value (not the Secret ID) immediately — it is shown exactly once. If you miss it, delete the secret and create a new one.

4. Paste credentials into Vectis

  1. Go to Admin → Integrations and click Configure on Microsoft 365.
  2. Paste the Tenant ID, App Client ID, and Client Secret Value.
  3. In Technician Mailboxes, enter a comma-separated list of UPN-style emails (e.g. jane@msp.com, jack@msp.com). These are the MSP-staff mailboxes Vectis will sync context from.
  4. Click Test. You’ll see “Connected to <tenant> — N mailboxes configured” within a few seconds.
  5. Click Save, then trigger an initial sync.

What appears where

  • Customer hub → Communications section: recent emails (last 14 days) and upcoming calendar events, each expandable to a full body that’s fetched on-demand.
  • Customer hub → Security posture: MFA coverage %, privileged-account MFA %, and the list of privileged users (Global Admin, Exchange Admin, etc.) for that customer’s tenant. Customer match is by UPN domain.
  • /security cross-customer rollup: per-signal averages including MFA + privileged MFA across every customer the M365 connector observed.
  • Compliance evidence packs: MFA / privileged MFA populate the relevant CMMC / HIPAA / SOC 2 control rows with real numbers + evidence.
  • RBAC: admins see all matched communications. Members and viewers see only the ones where their own email is in the participant list. No elevation path — RBAC is enforced server-side before any body is fetched.
  • Audit log: every full-body fetch writes a row with the user ID + message ID.

Common errors

401 Unauthorized — Client secret is wrong, or it’s past its expiry date. Check Certificates & secrets for the expiry; rotate if needed.

403 Forbidden — Either one or more of the six API permissions are missing, OR tenant-wide admin consent wasn’t granted. Open Entra ID → App registrations → Vectis → API permissions and confirm all six show “Granted for <tenant>”. A 403 on a single technician mailbox while the others work usually means an Exchange application access policy excludes that mailbox.

404 on /organization — Tenant ID doesn’t resolve. Double-check you’re pasting the Directory (tenant) ID, not a subscription or user GUID.

“Enter at least one technician mailbox” — The mailbox allow-list is required. Vectis will not sync every mailbox in the tenant by design.
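The script below is an added example, not Vectis code, that reproduces from your own workstation what the Test button in step 4 exercises and maps each failure to the errors listed above. It requests an app-only token with the client-credentials grant, inspects the token’s roles claim for the six application permissions, then hits one Graph endpoint per permission group. The tenant ID, client ID and mailbox UPNs are placeholder assumptions; paste your own values from steps 1, 3 and 4.

```powershell
# Added example (not Vectis code): smoke-test the Entra app the same way the Vectis Test
# button does, so a bad secret, a missing consent and a wrong tenant ID can be told apart.
# Placeholder values below are assumptions; replace them with the ones from steps 1, 3 and 4.
$TenantId     = '00000000-0000-0000-0000-000000000000'   # Directory (tenant) ID
$ClientId     = '11111111-1111-1111-1111-111111111111'   # Application (client) ID
$ClientSecret = Read-Host -Prompt 'Client secret Value'  # prompt, so it never lands in shell history
$Mailboxes    = 'jane@msp.com', 'jack@msp.com'           # the Technician Mailboxes list
$Required     = 'Mail.Read', 'Calendars.Read', 'User.Read.All',
                'Reports.Read.All', 'UserAuthenticationMethod.Read.All', 'Directory.Read.All'

# 1. Client-credentials token. A failure here is the 401 case: invalid_client means the secret
#    value is wrong or expired; a tenant-not-found error means the tenant ID is not a directory ID.
try {
    $token = Invoke-RestMethod -Method Post `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Body @{
            client_id  = $ClientId; client_secret = $ClientSecret
            scope      = 'https://graph.microsoft.com/.default'; grant_type = 'client_credentials'
        }
} catch { throw "Token request failed (check secret and tenant ID): $($_.ErrorDetails.Message)" }

# 2. App-only tokens carry consented application permissions in the "roles" claim.
#    A permission visible in the portal but absent here means admin consent was not granted
#    (or has not propagated yet); every call needing it will 403.
$payload = $token.access_token.Split('.')[1].Replace('-', '+').Replace('_', '/')
$payload = $payload.PadRight($payload.Length + (4 - $payload.Length % 4) % 4, '=')
$claims  = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
$missing = $Required | Where-Object { $_ -notin $claims.roles }
if ($missing) { Write-Warning "Not in token roles (admin consent missing?): $($missing -join ', ')" }
else          { 'All six application permissions are present in the token.' }

# 3. One call per permission group; the HTTP status maps onto the Common errors list.
function Test-GraphCall($Label, $Uri) {
    try {
        $null = Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0$Uri" `
            -Headers @{ Authorization = "Bearer $($token.access_token)" }
        "OK   $Label"
    } catch {
        $code = [int]$_.Exception.Response.StatusCode
        $hint = switch ($code) {
            401     { 'token rejected: secret wrong or expired' }
            403     { 'permission missing, consent not granted, or mailbox blocked by an access policy' }
            404     { 'not found: wrong tenant ID or mailbox UPN' }
            default { "see response body: $($_.ErrorDetails.Message)" }
        }
        "FAIL $Label ($code): $hint"
    }
}
Test-GraphCall 'organization (tenant ID)'                   '/organization?$select=displayName'
Test-GraphCall 'directoryRoles (Directory.Read.All)'        '/directoryRoles?$select=displayName'
Test-GraphCall 'userRegistrationDetails (Reports.Read.All)' '/reports/authenticationMethods/userRegistrationDetails?$top=1'
foreach ($m in $Mailboxes) {
    Test-GraphCall "users/$m (User.Read.All)"        "/users/$m`?`$select=displayName"
    Test-GraphCall "messages $m (Mail.Read)"         "/users/$m/messages?`$top=1&`$select=subject,receivedDateTime"
    Test-GraphCall "events $m (Calendars.Read)"      "/users/$m/calendar/events?`$top=1&`$select=subject,start"
}
```

The mailbox loop is the part that matters for scope: it only ever asks for the UPNs on your list, which is exactly what Vectis does, and a 403 on one mailbox with the rest passing points at an Exchange application access policy rather than at consent.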

Still stuck?

Email support@mspvectis.com with the error message and we’ll unblock you.
