These tools appear in your agent automatically once you configure Microsoft 365, Active Directory, or Exchange permissions on the workflow’s Integrations tab — there’s no separate toggle in the tool list. See Microsoft 365 integration for the permission model.
The Tools
| Tool | What It Covers | Environment |
|---|---|---|
| Microsoft Graph API | Users, groups, licenses, directory roles, devices, conditional access, domains, app registrations | Entra ID (cloud) |
| Execute PowerShell (Exchange) | Mailboxes, permissions, recipients, distribution groups, mail flow, transport rules, compliance | Exchange Online and Exchange Server |
| Execute PowerShell (Active Directory) | On-prem users, computers, OUs, groups, infrastructure queries, Entra Connect sync | On-prem Active Directory (via RMM) |
What Agents Can Do
User lifecycle
User lifecycle
Create, update, disable, enable, and delete users in Entra ID or on-prem Active Directory. Assign managers, set job titles and departments, and update user properties.
Passwords & security
Passwords & security
Reset passwords, unlock accounts, revoke sign-in sessions, reset MFA, and block or unblock sign-in. In hybrid environments, Neo makes the change on-prem and syncs it to the cloud automatically.
Licensing
Licensing
Assign and remove Microsoft 365 licenses, and look up friendly license names from SKU IDs. To buy or cancel licenses through a marketplace (Pax8, Partner Center, and others), see the dedicated Purchase License, Cancel License, and List License Subscriptions tools.
Groups
Groups
Add and remove users from security groups, Microsoft 365 groups, distribution lists, and mail-enabled security groups. Search and list groups across Entra ID and on-prem AD.
Directory roles
Directory roles
Assign and remove Entra ID directory roles (Global Admin, Exchange Admin, User Admin, and so on) and view a user’s current role assignments.
Mailboxes
Mailboxes
Convert mailboxes to shared, create and delete shared mailboxes, configure delegation (full access, send-as, send-on-behalf), and set up or remove email forwarding. Works with Exchange Online and on-prem Exchange Server.
Conditional Access
Conditional Access
List, view, create, update, and delete Conditional Access policies. Destructive changes always require technician approval, regardless of workflow settings.
Devices
Devices
View user devices in Intune; remote wipe and retire mobile devices. Device deletion is always blocked for safety.
App registrations & OAuth governance
App registrations & OAuth governance
Review app registrations, service principals, and OAuth consent grants — app inventory, third-party app audits, client secret expiry checks. Create dedicated app registrations (for example, a send-only Mail.Send app for a notifications mailbox) and client secrets. Every write requires technician approval, and Neo can only manage apps it created. Admin consent always stays with your technician — Neo prepares the consent link, a Global Admin clicks it. Client secret values are never exposed to the agent or written to ticket notes — when Neo creates a secret, the value is pushed to a one-time secure link (the same self-destructing link used for password resets) that the agent shares for retrieval.
On-prem Active Directory & Exchange Server
On-prem Active Directory & Exchange Server
Full AD and Exchange Server management via your RMM: user and computer accounts, organizational units, group operations, infrastructure queries, mailbox and recipient management, mail flow, and Entra Connect sync triggers.
Permissions & Safety
Each Microsoft integration is split into permission groups, and every group has an access level:| Level | What the agent can do |
|---|---|
| Disabled | No access to this category |
| Read Only | Query and list operations only |
| Read / Write | Full access including create, update, and delete |
Configure Microsoft 365 permissions
Full details on Graph, Active Directory, and Exchange permission groups, access levels, and quick-start profiles.