# Office 365 Identity Provider and Access Review Integration

The Office 365 Identity Provider and Access Review integration enables Sprinto to securely sync user identity and access data from Microsoft Entra ID (formerly Azure Active Directory). This data powers people-related compliance checks and automated access reviews.

This integration is a **prerequisite** for enabling Office 365–based integrations such as **Employee Groups** and **Vendor Discovery**. Sprinto uses read-only Microsoft Graph permissions and does not modify any data in your Office 365 tenant.

**Prerequisites**

* Global Administrator access to the Microsoft Entra ID tenant
* Admin access in Sprinto

***

### Permissions required

Sprinto follows the principle of least privilege and requests only the permissions required to read identity, directory, and audit metadata.

#### On Office 365 (Microsoft Entra ID)

The following Microsoft Graph permissions are requested during authentication:

<table><thead><tr><th width="212.078125">Permission</th><th width="317.99609375">Purpose</th></tr></thead><tbody><tr><td><code>User.Read.All</code></td><td>Read user profiles</td></tr><tr><td><code>Organization.Read.All</code></td><td>Read organisation details</td></tr><tr><td><code>Reports.Read.All</code></td><td>Read sign-in and usage reports</td></tr><tr><td><code>Directory.Read.All</code></td><td>Read directory objects and relationships</td></tr><tr><td><code>AuditLog.Read.All</code></td><td>Read audit and sign-in logs</td></tr></tbody></table>

**Important**

* All permissions are **read-only**.
* Sprinto does not create, update, or delete users, roles, or groups.
* Admin consent is required during authentication.

#### On Sprinto

* Admin access is required to configure integrations.

***

### How it works

Once connected, Sprinto authenticates with Microsoft Entra ID using OAuth and retrieves:

* User identities and basic profile information
* Directory relationships and roles
* Sign-in and audit metadata

Sprinto uses this information to:

* Power identity-based compliance checks
* Enable access review workflows
* Act as a foundation for Office 365–based downstream integrations

Sprinto performs an initial validation after connection and continues to sync identity data automatically.

***

### Connect Office 365 Identity Provider and Access Review to Sprinto

#### Steps in Sprinto

1. Sign in to the Sprinto dashboard.
2. Go to **Settings → Integrations**.
3. Search for **Office 365**.

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2Fb9AetzG6PACyNoSNHN7k%2FScreenshot%202025-12-30%20at%2014.35.55.png?alt=media&#x26;token=c5b7bffe-af62-4f70-b729-4f23535c7cfa" alt="" width="563"><figcaption></figcaption></figure>

4. Under **Office 365 – Identity Provider and Access Review**, select **Connect**.
5. Review the permissions and data usage details, then select **Next**.

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2FccI8ZvPhCORmUOpGUbcw%2FScreenshot%202025-12-30%20at%2014.37.34.png?alt=media&#x26;token=6aafc249-9f1f-4890-b8ad-110d3f2bb05a" alt="" width="375"><figcaption></figcaption></figure>

6. Confirm that you have admin access to Office 365.
7. Select **Connect Office365** to start authentication.

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2Fb36JclfJJ4gJBAQAwmZT%2FScreenshot%202025-12-30%20at%2014.38.15.png?alt=media&#x26;token=ad134079-6c65-494c-95d8-f39784e0ad62" alt="" width="375"><figcaption></figcaption></figure>

***

#### Steps in Microsoft Entra ID

1. When redirected, sign in using a **Global Administrator** account.
2. Review the requested Microsoft Graph permissions.
3. Grant **admin consent** to allow Sprinto to read identity and audit data.

After authorisation, you are redirected back to Sprinto.

***

#### Confirm successful connection

Once the connection is complete:

* The integration status updates to **Connected**
* Identity data begins syncing into Sprinto
* Access review–related controls and checks are activated

***

### Post-integration behaviour (PCF flow)

After the integration is enabled:

* Sprinto syncs user identities and directory metadata from Office 365
* Access reviews become available across supported controls
* Changes to users, roles, or status are reflected automatically in subsequent syncs
* Downstream integrations such as **Employee Groups** and **Vendor Discovery** can now be enabled

Initial syncing may take several minutes, depending on tenant size.

***

### Troubleshooting

#### Unable to connect Office 365

**Cause:** The signed-in user does not have Global Administrator privileges.\
**Resolution:** Sign in using a Global Administrator account and retry the integration.

***

#### Admin consent prompt does not appear

**Cause:** Permissions were previously partially granted or blocked.\
**Resolution:** Reconnect the integration and explicitly grant admin consent for all requested permissions.

***

#### Identity data not syncing

**Cause:** One or more required Microsoft Graph permissions were revoked.\
**Resolution:** Reconnect the integration and reapprove all requested permissions.
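
To see which permission is missing before reconnecting, an Entra administrator can compare what is actually consented with the five permissions in the table above. This is an added example, not Sprinto's code. It assumes the permissions are delegated and were exported from Microsoft Graph's `oauth2PermissionGrants` listing for the integration's service principal; the sample JSON and its placeholder ids are constructed.

```python
import json

# Permissions listed in the table on this page.
DOCUMENTED = {"User.Read.All", "Organization.Read.All", "Reports.Read.All",
              "Directory.Read.All", "AuditLog.Read.All"}
# Standard OpenID Connect sign-in scopes, not data permissions; ignored here.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}

# Constructed sample: one tenant-wide (admin consent) grant that is missing
# two permissions, plus a per-user grant carrying a write-capable scope.
SAMPLE_GRANTS = json.dumps({"value": [
    {"clientId": "<service-principal-object-id>", "consentType": "AllPrincipals",
     "principalId": None,
     "scope": "openid User.Read.All Organization.Read.All Directory.Read.All"},
    {"clientId": "<service-principal-object-id>", "consentType": "Principal",
     "principalId": "<user-object-id>",
     "scope": "AuditLog.Read.All Directory.ReadWrite.All"},
]})


def is_read_only(scope):
    # Heuristic on Graph naming: read scopes have a bare "Read" segment;
    # ReadWrite, Write, Manage and similar do not.
    return "Read" in scope.split(".")


def audit_grants(raw_json, expected=DOCUMENTED):
    """Compare consented scopes with the documented read-only set."""
    tenant_wide, per_user = set(), set()
    for grant in json.loads(raw_json).get("value", []):
        scopes = set((grant.get("scope") or "").split()) - OIDC_SCOPES
        if grant.get("consentType") == "AllPrincipals":
            tenant_wide |= scopes      # granted through admin consent
        else:
            per_user |= scopes         # consented for a single user only
    granted = tenant_wide | per_user
    return {
        "missing": sorted(expected - tenant_wide),
        "user_only": sorted((expected & per_user) - tenant_wide),
        "unexpected": sorted(granted - expected),
        "not_read_only": sorted(s for s in granted if not is_read_only(s)),
    }


if __name__ == "__main__":
    for finding, scopes in audit_grants(SAMPLE_GRANTS).items():
        print(f"{finding}: {', '.join(scopes) or 'none'}")
```

Entries under `missing` or `user_only` correspond to the partially granted and revoked cases above; anything under `unexpected` or `not_read_only` is consent beyond what this page documents and should be reviewed.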

