Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.neoagent.io/llms.txt

Use this file to discover all available pages before exploring further.

Neo Agents manage the full Microsoft estate — cloud and on-prem — through a small set of API-backed tools. You don’t enable individual operations like “Create User” or “Reset Password” one at a time. Instead, you connect the Microsoft 365 integration, choose which permission groups the agent can use, and the matching tools turn on automatically.
These tools appear in your agent automatically once you configure Microsoft 365, Active Directory, or Exchange permissions on the workflow’s Integrations tab — there’s no separate toggle in the tool list. See Microsoft 365 integration for the permission model.

The Tools

ToolWhat It CoversEnvironment
Microsoft Graph APIUsers, groups, licenses, directory roles, devices, conditional access, domainsEntra ID (cloud)
Execute PowerShell (Exchange)Mailboxes, permissions, recipients, distribution groups, mail flow, transport rules, complianceExchange Online and Exchange Server
Execute PowerShell (Active Directory)On-prem users, computers, OUs, groups, infrastructure queries, Entra Connect syncOn-prem Active Directory (via RMM)
In hybrid environments Neo routes each operation to the right place — for example, it makes the password change on-prem and triggers an Azure AD Connect sync so it propagates to the cloud.

What Agents Can Do

Create, update, disable, enable, and delete users in Entra ID or on-prem Active Directory. Assign managers, set job titles and departments, and update user properties.
Reset passwords, unlock accounts, revoke sign-in sessions, reset MFA, and block or unblock sign-in. In hybrid environments, Neo makes the change on-prem and syncs it to the cloud automatically.
Assign and remove Microsoft 365 licenses, and look up friendly license names from SKU IDs. To buy or cancel licenses through a marketplace (Pax8, Partner Center, and others), see the dedicated Purchase License, Cancel License, and List License Subscriptions tools.
Add and remove users from security groups, Microsoft 365 groups, distribution lists, and mail-enabled security groups. Search and list groups across Entra ID and on-prem AD.
Assign and remove Entra ID directory roles (Global Admin, Exchange Admin, User Admin, and so on) and view a user’s current role assignments.
Convert mailboxes to shared, create and delete shared mailboxes, configure delegation (full access, send-as, send-on-behalf), and set up or remove email forwarding. Works with Exchange Online and on-prem Exchange Server.
List, view, create, update, and delete Conditional Access policies. Destructive changes always require technician approval, regardless of workflow settings.
View user devices in Intune; remote wipe and retire mobile devices. Device deletion is always blocked for safety.
Full AD and Exchange Server management via your RMM: user and computer accounts, organizational units, group operations, infrastructure queries, mailbox and recipient management, mail flow, and Entra Connect sync triggers.

Permissions & Safety

Each Microsoft integration is split into permission groups, and every group has an access level:
LevelWhat the agent can do
DisabledNo access to this category
Read OnlyQuery and list operations only
Read / WriteFull access including create, update, and delete
You can require technician approval on any permission group, and some destructive operations (deleting a user, wiping a device) always require approval even when the group doesn’t. A few operations (deleting a domain, deleting a device) are blocked entirely. Quick-start profiles — Read Only, Helpdesk, IT Admin, Full Automation — configure every permission group at once.

Configure Microsoft 365 permissions

Full details on Graph, Active Directory, and Exchange permission groups, access levels, and quick-start profiles.
Start with Read Only or Helpdesk and keep technician approval on for writes. Expand the permissions as you build confidence in the agent’s behavior.