Add Microsoft 365 to SaaS Agent

Task List

| Task # | Task | Performed by |
| --- | --- | --- |
| 1 | Prepare Microsoft 365 for use with CI Sync | Azure Admin |
| 2 | Add Microsoft 365 as a Source System using the CI Sync SaaS UI | CI Sync Admin |
| 3 | Check status of new Microsoft 365 Source System connection | CI Sync Admin |
| 4 | Perform Updates in ServiceNow (if required) | ServiceNow Admin |


Task 1: Prepare Microsoft 365 for use with CI Sync

  1. In the Azure Portal, navigate to Azure Active Directory -> App Registrations and click New Registration

  2. On the Register an application form complete as follows:

    1. Enter the Name (Note: Syncfish recommend using “CI Sync Agent Connector for Microsoft 365”)

    2. Under Supported account types select “Accounts in this organizational directory only ({Your Domain/Tenant Name} only - Single tenant)”

    3. Click Register

  3. Navigate to API permissions and click Add Permission

  4. Click on Microsoft Graph

  5. Click on Application permissions

  6. Use the Select permissions list to scroll down and select each of the following depending on which record types you will be synchronizing (see “Additional Information about required API Permissions” below):

    1. First, find and expand the Calendars set, then tick/select
      Calendars.Read.All

    2. Next, find and expand the Group set, then tick/select
      Group.Read.All

    3. Next, find and expand the GroupMember set, then tick/select
      GroupMember.Read.All

    4. Next, find and expand the Sites set, then tick/select
      Sites.Read.All

    5. Next, find and expand the User set, then tick/select
      User.Read.All

    6. Next, find and expand the Mailboxes set, then tick/select
      MailboxSettings.Read.All

    7. Next, find and expand the Calendars set, then tick/select
      Calendars.Read.All

    8. Finally, click the Add permission button


Additional Information about required API Permissions

The following record sets are available for selection when creating a synchronization job with Microsoft 365 as the source system and ServiceNow as the destination system. CI Sync requires access permissions to the related Microsoft 365 objects (via the Microsoft Graph API).

When selecting the API permissions you only need to select those resources/record sets you intend to synchronize via CI Sync. The table below shows which API permissions relate to each recordset.

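| API Permission | SharePoint Sites | M365 Groups, Members, Owners | DLs, Members, Owners | Shared Mailboxes | OOO Events |
| --- | --- | --- | --- | --- | --- |
| Group.Read.All | X | X | X | | |
| GroupMember.Read.All | X | X | X | | |
| Sites.Read.All | X | | | | |
| User.Read | X | X #1 | X #1 | | |
| User.Read.All | X | X #1 | X #1 | X | |
| MailboxSettings.Read | | | | X | |
| Calendars.Read | | | | X | X |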

#1 User.Read and User.Read.All are only required when syncing Members and/or Owners of M365 Groups or Distribution Lists.
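
As an added example (not part of the Syncfish documentation), the Python below turns the table and footnote #1 above into a least-privilege check: given the record sets you plan to sync, it reports permissions that are missing and permissions that were granted but are not needed. The permission names and column labels are transcribed from the table; the function names and the sample granted list are assumptions made for illustration.

```python
# Added example: MATRIX is transcribed from the table above; everything else is illustrative.
ALWAYS, IF_MEMBERS = "X", "X #1"   # "X #1": needed only when syncing Members/Owners

GROUP_LIKE = {
    "Group.Read.All": ALWAYS, "GroupMember.Read.All": ALWAYS,
    "User.Read": IF_MEMBERS, "User.Read.All": IF_MEMBERS,
}
MATRIX = {
    "SharePoint Sites": {
        "Group.Read.All": ALWAYS, "GroupMember.Read.All": ALWAYS,
        "Sites.Read.All": ALWAYS, "User.Read": ALWAYS, "User.Read.All": ALWAYS,
    },
    "M365 Groups, Members, Owners": GROUP_LIKE,
    "DLs, Members, Owners": GROUP_LIKE,
    "Shared Mailboxes": {
        "User.Read.All": ALWAYS, "MailboxSettings.Read": ALWAYS, "Calendars.Read": ALWAYS,
    },
    "OOO Events": {"Calendars.Read": ALWAYS},
}


def required_permissions(record_sets, sync_members_or_owners=False):
    """Union of the permissions the table marks for the chosen record sets."""
    needed = set()
    for record_set in record_sets:
        if record_set not in MATRIX:
            raise ValueError(f"unknown record set: {record_set!r}")
        for permission, marker in MATRIX[record_set].items():
            if marker == ALWAYS or sync_members_or_owners:
                needed.add(permission)
    return needed


def audit(granted, record_sets, sync_members_or_owners=False):
    """Compare what the App Registration holds with what the sync jobs need."""
    needed = required_permissions(record_sets, sync_members_or_owners)
    granted = set(granted)
    return {"missing": sorted(needed - granted), "excess": sorted(granted - needed)}


# Constructed sample: permissions as listed on the API permissions form.
GRANTED = ["Group.Read.All", "GroupMember.Read.All", "Sites.Read.All", "User.Read.All"]

if __name__ == "__main__":
    print(audit(GRANTED, ["M365 Groups, Members, Owners"], sync_members_or_owners=True))
```

Anything reported under "excess" is read access the connector holds but the selected sync jobs do not use, and is a candidate for removal from the App Registration.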

Here are the Azure Portal UI instructions for selecting the various API permissions.

  7. You should now be back on the API Permissions form showing the list of permissions you selected (see screen shot below to validate you have selected the required permissions).

    1. Now, click Grant admin consent for {Your Domain Name}

  8. Click Yes to confirm granting Admin Consent.  The resulting screen should look as shown below.

  9. Using the left-hand menu, navigate and select Certificates & secrets.  Select “Client secrets (0)” in the middle of the form and then click the “New client secret” button.

  10. Enter a unique Description for the secret associated with this CI Sync Agent Connector for M365 App Registration (e.g. “CI Sync Agent Connector for M365 Client Secret”).

  11. Then, select a suitable Expires duration based on your organisational policy.  Finally click the Add button.


Guidance Note

It is recommended you set a reminder prior to the expiry date of the Secret (i.e. a reminder to regenerate in Azure and then update the secret in the CI Sync Agent Config Utility).

  12. The form now displays the generated secret value (shown in the Value field)

    1. Use the copy option to make a copy of the value in the Value field.

Data Capture Note

  1. The Value is only available while you remain on this screen. You must make a copy of the Value before leaving this form.

  2. Make sure you copy the “Value” and NOT the “Secret ID”.

Make sure the secret is stored securely and in a way that can be shared with the CI Sync Admin so they can use it when they follow the instructions later on this page.

  13. Return to the Overview page for the App Registration.

    1. Use the copy option to make a copy of the “Application (client) ID” GUID value and the “Directory (tenant) ID” GUID value.

You have now granted the App Registration object (i.e. the CI Sync Agent Connector for M365) read permissions to Microsoft 365 which will allow you to use the CI Sync User Interface to schedule synchronization jobs using that same Microsoft 365 as a synchronization source.

Data Capture Summary

As a reminder, you should have captured the following information when completing the above steps.

  1. The Secret Value (from Step 12 above). This is the Client Secret value.

  2. The Application (client) ID (from Step 13 directly above).

  3. The Directory (tenant) ID (also from Step 13 directly above).

Make sure any secrets or sensitive information are stored securely and in a way that can be shared with the CI Sync Admin.

These values will be used later by the person following the instructions in Task 2 immediately below.
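
The expiry reminder recommended in the Guidance Note in Task 1 can be backed by a scheduled check. The Python below is an added example, not Syncfish or Microsoft code: it reads the passwordCredentials list of an application object (field names as in the Microsoft Graph application resource) and reports client secrets that have expired or fall inside a warning window. The sample JSON, the key IDs and the 30-day window are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like a Microsoft Graph application object (values are made up).
SAMPLE_APP = json.loads("""
{
  "displayName": "CI Sync Agent Connector for Microsoft 365",
  "passwordCredentials": [
    {"displayName": "CI Sync Agent Connector for M365 Client Secret",
     "keyId": "00000000-0000-0000-0000-000000000001", "endDateTime": "2026-03-01T00:00:00Z"},
    {"displayName": null,
     "keyId": "00000000-0000-0000-0000-000000000002", "endDateTime": "2026-01-10T00:00:00.0000000Z"},
    {"displayName": "Next secret",
     "keyId": "00000000-0000-0000-0000-000000000003", "endDateTime": "2027-01-01T00:00:00Z"}
  ]
}
""")


def parse_utc(value):
    """Parse a UTC timestamp, ignoring any fractional seconds after the first 19 characters."""
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def secrets_needing_attention(app, now, warn_days=30):
    """Return (label, status, days_left) for expired or soon-to-expire client secrets."""
    findings = []
    for cred in app.get("passwordCredentials", []):
        days_left = (parse_utc(cred["endDateTime"]) - now).days
        if days_left < 0:
            status = "expired"          # the connection will fail to authenticate
        elif days_left <= warn_days:
            status = "rotate"           # regenerate in Azure, then update the CI Sync connection
        else:
            continue
        # Secrets created without a description fall back to their key ID.
        findings.append((cred.get("displayName") or cred["keyId"], status, days_left))
    return sorted(findings, key=lambda item: item[2])


if __name__ == "__main__":
    for finding in secrets_needing_attention(SAMPLE_APP, datetime.now(timezone.utc)):
        print(finding)
```

Only the expiry metadata is read here; the secret Value itself is never returned after creation, which is why it must be captured in Step 12.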


Task 2: Add Microsoft 365 as a Source System using the CI Sync SaaS UI

  1. Login to your CI Sync SaaS instance at https://YourCo.syncfish.app

  2. In the CI Sync UI, navigate to Settings > Connections.

  3. Find the “SaaS Agent” sub-heading under the Source Connections section. If you don’t see “SaaS Agent” it means your CI Sync instance hasn’t been configured for this feature. Please contact your Sync representative to discuss.

  4. On the right hand side of the form, click the +Add button.

  5. The New Connection form now appears. Use the Connection Type drop down list to select the source system you wish to add (in this case Microsoft 365).

  6. Update the fields using these instructions

    1. Connection name

      1. This is a friendly name that represents the source system connection.

      2. The name you enter here will appear when you create a new sync job and are selecting from the available source system list.

      3. Note: Syncfish recommend using a textual suffix on the connection name if for any reason you have setup multiple CI Sync Connections to Microsoft 365.

    2. Alias: Please ignore this field (it is not used for the CI Sync Cloud Agent and is being deprecated).

    3. Environments

      1. Select from the available choices Production, Test, or Production/Test (the latter being both).

      2. The selection you make for this field affects which source systems appear when you create a new sync job (i.e. when you are selecting the source system list based on the “Environment” you have chosen for the sync job). See this page for more details on creating a CI Sync job: Run a Small Initial Sync Job (then run more).

      3. FYI: CI Sync allows a source system to be both Production/Test because CI Sync only reads from a source system (it doesn’t write to it). Destination systems can only be Test or Production (not both).

    4. Directory (tenant) ID

      1. Paste the Azure/Entra Directory (tenant) ID captured by your Azure Admin in Task 1 above.

    5. Application (client) ID

      1. Paste the App Registration Application (client) ID captured by your Azure Admin in Task 1 above.

    6. Client Secret Value

      1. Paste the Client Secret Value captured by your Azure Admin in Task 1 above.

    7. Then click the Consent to update fields checkbox.

    8. Finally click the Create connection button.

You will be returned to the main settings screen and your new source system connection will appear in the list as shown below.

Task 3: Check status of new Microsoft 365 Source System connection

  1. To check the status of the newly added Microsoft 365 Source System connection click the green Check Status link. This will test whether your CI Sync Microsoft 365 connection can successfully reach and authenticate to the Azure Entra ID defined in the connection itself.

  2. If the connection is successful, you will see a green dot next to the source connection name.

  3. To test again in the future, you can click the green Refresh Status button.

  4. If the test is unsuccessful, you will see a red dot next to the source connection name and an error message underneath. If you need assistance resolving an error, please contact Syncfish support.

Once the status check succeeds, you are ready to run a sync job using the new source connection by following these high-level instructions: Run a Small Initial Sync Job (then run more).


Task 4: Perform Updates in ServiceNow (if required)

Guidance Note

Syncfish recommend the person setting up the source system described in this guide discusses this particular task with their ServiceNow system administrator. 

A ServiceNow administrator will need to perform these steps.

Syncfish recommend following these instructions in your non-production ServiceNow environment for testing synchronization jobs.

Only once exhaustive testing in non-production is complete, repeat this process in your ServiceNow production environment.

In this section your ServiceNow SME will assess various updates to ServiceNow to support this CI Sync connector:

  • Task 4a: Assess if the CMDB CI Class Models plug-in is required

  • Task 4b: Assess if additional permissions are required

  • Task 4c: (Optional though recommended) Assess your ServiceNow CI forms and update to include additional Related Lists


Task 4a: Assess if the CMDB CI Class Models plug-in is required

The recordsets available to the CI Sync Microsoft 365 connector do not require the ServiceNow CMDB CI Class Models plug-in. Therefore you can ignore/skip this task.


Task 4b: Assess if additional permissions are required

Context

Depending on the options you choose when creating a sync job from Microsoft 365, CI Sync will create CI-to-CI relationships between objects such as Microsoft 365 Groups, the Group Members of those Groups, and the Group Owners of those Groups. Similar relationships are created for Distribution Lists and the members of those DLs.

CI Sync needs to define several allowed user relationship types (as distinct from the actual relationships themselves) within ServiceNow to support the CI-to-CI relationship examples noted above. The allowed user relationship types are stored in the cmdb_rel_user_type table.

The standard/out-of-the-box roles provided by ServiceNow (and recommended by Syncfish during S3 - Configure ServiceNow for CI Sync) do not provide access to the cmdb_rel_user_type table. Therefore, the CI Sync Integration User account created during S3 - Configure ServiceNow for CI Sync requires additional permissions to write to the cmdb_rel_user_type table.

Syncfish provides a ServiceNow updateset to prepare your ServiceNow instance for CI Sync. The updateset does the following:

  • Creates a read/write/create ACL on the cmdb_rel_user_type table.

  • Applies the ACL on the cmdb_rel_user_type table and assigns the ACL to the ServiceNow role called “Asset” (which is one of the roles granted to the CI Sync Integration Account created during S3 - Configure ServiceNow for CI Sync).

Instructions

Follow these steps to apply the updateset provided by Syncfish:

  1. Download the update set from Syncfish at the below URL:
    https://downloads.syncfish.app/servicenow/cisync-ms365-connector-permissions.xml

  2. Login to your ServiceNow instance with Admin permissions.

  3. Open a browser and navigate to your ServiceNow instance

  4. In the left nav menu search for “Retrieved Update Sets” and click to open

  5. Right click on the column heading row and select “Import XML”

  6. Select “Choose File”

  7. Select the downloaded file “cisync-cmdb-key-value.xml”

  8. Click to open the Update Set

  9. Click “Preview Update Set”

  10. If there are no preview errors, click “Close”.

  11. Click “Commit Update Set”.

  12. Your ServiceNow instance is now ready to receive Tag data from Azure via sync jobs from CI Sync.


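Task 4c: (Optional though recommended) Assess your ServiceNow CI forms and update to include additional Related Lists

This task is not applicable as there are no additional related lists needed in ServiceNow for the source system connector described on this page.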