Office 365 Employee Groups Integration
Connect Office 365 Employee Groups to Sprinto to automatically sync group memberships from Microsoft Entra ID for access reviews and compliance checks.
The Office 365 Employee Groups integration enables Sprinto to read employee group and group membership data from Microsoft Entra ID (formerly Azure Active Directory). This data is used to automate access reviews and group-based compliance checks.
This integration works only after Office 365 is connected as an Identity Provider in Sprinto. Sprinto uses Microsoft Graph read-only permissions to fetch groups, memberships, and basic organisation metadata. No changes are made to Office 365 data.
Prerequisites
Office 365 must already be connected to Sprinto as an Identity Provider
Global Administrator access to the Microsoft Entra ID tenant
Admin access in Sprinto
Permissions required
Sprinto follows the principle of least privilege and requests only the minimum Microsoft Graph permissions required to read group and organisation data.
On Office 365 (Microsoft Entra ID)
The following permissions are requested during authentication:
Group.Read.All: Read all groups
GroupMember.Read.All: Read group memberships
Organization.Read.All: Read organisation name
Domain.Read.All: Read tenant domain information
Application.Read.All: Read application metadata
Important
All permissions are read-only.
Sprinto does not create, modify, or delete users, groups, or applications in Office 365.
Admin consent is required during authentication.
On Sprinto
Admin access is required to configure integrations.
How it works
Once enabled, Sprinto connects to Microsoft Entra ID using OAuth authentication and retrieves:
Security and Microsoft 365 groups
Group memberships
Basic organisation metadata
Sprinto uses this data to:
Perform group-based access reviews
Validate compliance requirements linked to group membership
Keep access evidence continuously up to date
Sprinto runs an initial validation after connection and continues to sync group data periodically.
Connect Office 365 Employee Groups to Sprinto
Steps in Sprinto
Sign in to the Sprinto dashboard.
Go to Settings → Integrations.
Search for Office 365.

Ensure Office 365 (Identity Provider) shows as Connected.
Under Office 365 – Employee Groups, select Connect.
Review the permissions and data usage details, then select Next.
Confirm that you have admin access to Office 365.
Select Connect O365.

Steps in Microsoft Entra ID
When redirected, sign in using a Global Administrator account.
Review the requested Microsoft Graph permissions.
Grant admin consent to allow Sprinto to read group and organisation data.
After authentication, you are redirected back to Sprinto.
Confirm successful connection
Once the connection is complete:
The integration status updates to Connected
Sprinto begins the initial group and membership sync
Automated controls and checks linked to employee groups are activated
Post-integration behaviour (PCF flow)
After the integration is enabled:
Sprinto syncs employee groups and group memberships from Office 365
Group-based access reviews become available
Updates to group memberships are reflected automatically in subsequent syncs
If required, you can manually trigger a refresh from the integration page
Initial syncing may take several minutes, depending on the number of groups and users.
Troubleshooting
Unable to connect Employee Groups
Cause: Office 365 Identity Provider is not connected.
Resolution: Connect Office 365 as an Identity Provider first, then retry the Employee Groups integration.
Admin consent prompt does not appear
Cause: The signed-in user does not have Global Administrator privileges.
Resolution: Sign in using a Global Administrator account and retry the connection.
Groups or memberships not syncing
Cause: Required Microsoft Graph permissions were not granted or were revoked.
Resolution: Reconnect the integration and grant admin consent for all requested permissions.
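To check the "Permissions required" list and the "Groups or memberships not syncing" cause against what the tenant actually granted, the following added example (not Sprinto's or Microsoft's code) audits an exported list of grants. It assumes the permissions were consented as delegated scopes and exported as JSON in the shape of Microsoft Graph oauth2PermissionGrant objects; the client IDs and sample data are constructed placeholders.

```python
import json

# The five read-only permissions listed on this page.
EXPECTED = {"Group.Read.All", "GroupMember.Read.All", "Organization.Read.All",
            "Domain.Read.All", "Application.Read.All"}
# Heuristic (assumption): a name segment like these means the scope can change data.
WRITE_MARKERS = {"ReadWrite", "Write", "Manage", "Create", "Delete"}


def granted_scopes(grants, client_id):
    """Union of scopes over every oauth2PermissionGrant held by one client."""
    scopes = set()
    for grant in grants:
        if grant.get("clientId") == client_id:
            # "scope" is one space-separated string; split() tolerates padding.
            scopes.update((grant.get("scope") or "").split())
    return scopes


def audit(grants, client_id):
    """Compare what the tenant granted against what the page says is requested."""
    scopes = granted_scopes(grants, client_id)
    return {
        "missing": sorted(EXPECTED - scopes),        # explains a failed sync
        "unexpected": sorted(scopes - EXPECTED),     # review before keeping
        "write_capable": sorted(s for s in scopes
                                if WRITE_MARKERS & set(s.split("."))),
    }


# Constructed sample export; both client IDs are placeholders.
CLIENT_ID = "sprinto-sp-object-id-placeholder"
SAMPLE = json.loads("""
{"value": [
  {"clientId": "sprinto-sp-object-id-placeholder", "consentType": "AllPrincipals",
   "scope": " Group.Read.All GroupMember.Read.All Organization.Read.All Application.Read.All"},
  {"clientId": "sprinto-sp-object-id-placeholder", "consentType": "AllPrincipals",
   "scope": "Group.ReadWrite.All"},
  {"clientId": "other-app-placeholder", "consentType": "Principal",
   "scope": "Mail.Send"}
]}
""")

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE["value"], CLIENT_ID), indent=2))
```

An empty "missing" list with nothing under "write_capable" matches what this page describes; any other result is a reason to review the consent before relying on the sync.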