> ## Documentation Index
> Fetch the complete documentation index at: https://docs.neoagent.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Microsoft 365 Tools

> How Neo Agents manage Entra ID, Active Directory, Exchange, and Intune

Neo Agents manage the full Microsoft estate — cloud and on-prem — through a small set of API-backed tools. You don't enable individual operations like "Create User" or "Reset Password" one at a time. Instead, you connect the Microsoft 365 integration, choose which **permission groups** the agent can use, and the matching tools turn on automatically.

<Info>
  These tools appear in your agent automatically once you configure Microsoft 365, Active Directory, or Exchange permissions on the workflow's **Integrations** tab — there's no separate toggle in the tool list. See [Microsoft 365 integration](/integrations/m365/intro) for the permission model.
</Info>

## The Tools

| Tool                                      | What It Covers                                                                                    | Environment                         |
| ----------------------------------------- | ------------------------------------------------------------------------------------------------- | ----------------------------------- |
| **Microsoft Graph API**                   | Users, groups, licenses, directory roles, devices, conditional access, domains, app registrations | Entra ID (cloud)                    |
| **Execute PowerShell (Exchange)**         | Mailboxes, permissions, recipients, distribution groups, mail flow, transport rules, compliance   | Exchange Online and Exchange Server |
| **Execute PowerShell (Active Directory)** | On-prem users, computers, OUs, groups, infrastructure queries, Entra Connect sync                 | On-prem Active Directory (via RMM)  |

In hybrid environments Neo routes each operation to the directory that owns the object. For a password reset on a synced user, for example, it makes the change on-prem and then triggers an Entra Connect (formerly Azure AD Connect) sync cycle so the new password propagates to the cloud. For hybrid tenants without Entra Connect ("Hybrid (no AD Connect sync)" in Company Settings), Neo writes to both directories directly instead: the same change, with the same values, applied to on-prem AD and Entra ID independently.
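The routing decision above, written out as a PowerShell function. This is an added example, not Neo's own code: it assumes the ActiveDirectory and Microsoft.Graph modules are installed, that `Connect-MgGraph` has already been run with enough privilege to set passwords and revoke sessions, and that `$ConnectServer` is your Entra Connect host. The two `$HybridMode` values mirror the Company Settings labels quoted above; the hostname and identities are placeholders.

```powershell
# Added example (not Neo's own code). Assumes: ActiveDirectory + Microsoft.Graph
# modules, an existing Connect-MgGraph session, and membership in ADSyncAdmins on
# the Entra Connect server so Start-ADSyncSyncCycle can be invoked remotely.
function Reset-HybridUserPassword {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,        # on-prem identity
        [Parameter(Mandatory)] [string] $UserPrincipalName,     # cloud identity
        [Parameter(Mandatory)]
        [ValidateSet('Hybrid', 'Hybrid (no AD Connect sync)')]
        [string] $HybridMode,
        [string] $ConnectServer = 'aadconnect01.corp.example'   # assumed hostname
    )

    # Generate the password once so both directories receive identical values.
    $bytes = [byte[]]::new(24)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $plain  = [Convert]::ToBase64String($bytes)     # 32 chars, mixed case + digits + symbols
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force

    # On-prem first, in both modes: AD is the source of authority for a synced user.
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure
    Unlock-ADAccount -Identity $SamAccountName

    if ($HybridMode -eq 'Hybrid') {
        # Password hash sync will pick the change up on the next scheduled cycle;
        # kick a delta cycle now so the user is not left waiting.
        Invoke-Command -ComputerName $ConnectServer -ScriptBlock {
            Import-Module ADSync
            Start-ADSyncSyncCycle -PolicyType Delta
        } | Out-Null
    }
    else {
        # No sync path: apply the same value straight to Entra ID.
        Update-MgUser -UserId $UserPrincipalName -PasswordProfile @{
            Password                      = $plain
            ForceChangePasswordNextSignIn = $false
        }
    }

    # Either way, end existing cloud sessions so a stolen refresh token
    # does not outlive the old password.
    Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null

    # Return the secret only to the caller; never write it to a log or ticket.
    return $secure
}
```

The session revocation at the end is the step most helpdesk scripts forget: a password reset alone does not invalidate tokens already issued, so the old session keeps working until the refresh token expires.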

## What Agents Can Do

<AccordionGroup>
  <Accordion title="User lifecycle" icon="user-plus">
    Create, update, disable, enable, and delete users in Entra ID or on-prem Active Directory. Assign managers, set job titles and departments, and update user properties.
  </Accordion>

  <Accordion title="Passwords & security" icon="lock">
    Reset passwords, unlock accounts, revoke sign-in sessions, reset MFA, and block or unblock sign-in. In hybrid environments, Neo makes the change on-prem and syncs it to the cloud automatically.
  </Accordion>

  <Accordion title="Licensing" icon="id-card">
    Assign and remove Microsoft 365 licenses, and look up friendly license names from SKU IDs. To **buy or cancel** licenses through a marketplace (Pax8, Partner Center, and others), see the dedicated [Purchase License](/agents/tools/m365/purchase-license), [Cancel License](/agents/tools/m365/cancel-license), and [List License Subscriptions](/agents/tools/m365/list-license-subscriptions) tools.
  </Accordion>

  <Accordion title="Groups" icon="users">
    Add and remove users from security groups, Microsoft 365 groups, distribution lists, and mail-enabled security groups. Search and list groups across Entra ID and on-prem AD.
  </Accordion>

  <Accordion title="Directory roles" icon="shield-halved">
    Assign and remove Entra ID directory roles (Global Administrator, Exchange Administrator, User Administrator, and so on) and view a user's current role assignments.
  </Accordion>

  <Accordion title="Mailboxes" icon="envelope">
    Convert mailboxes to shared, create and delete shared mailboxes, configure delegation (full access, send-as, send-on-behalf), and set up or remove email forwarding. Works with Exchange Online and on-prem Exchange Server.
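    The Exchange cmdlets behind those mailbox operations, bundled into one offboarding helper. This is an added example, not Neo's own code: it assumes the ExchangeOnlineManagement module and an existing `Connect-ExchangeOnline` session, and the two addresses are placeholders.

  ```powershell
  # Added example (not Neo's own code). Assumes an active Connect-ExchangeOnline session.
  function Convert-MailboxForOffboarding {
      param(
          [Parameter(Mandatory)] [string] $Leaver,     # e.g. jdoe@contoso.example (placeholder)
          [Parameter(Mandatory)] [string] $Delegate,   # e.g. manager@contoso.example (placeholder)
          [switch] $SendAs,                            # grant Send-As instead of Send-on-Behalf
          [switch] $ForwardToDelegate                  # also forward new mail to the delegate
      )

      # 1. Convert to shared so the license can be released afterwards.
      #    (An unlicensed shared mailbox is capped at 50 GB; larger ones keep the license.)
      Set-Mailbox -Identity $Leaver -Type Shared

      # 2. Full access lets the delegate open the mailbox; AutoMapping adds it to Outlook.
      Add-MailboxPermission -Identity $Leaver -User $Delegate `
          -AccessRights FullAccess -InheritanceType All -AutoMapping $true | Out-Null

      # 3. Send-As is a separate recipient permission and leaves no trace of the
      #    delegate in sent mail, so grant it only when explicitly requested.
      if ($SendAs) {
          Add-RecipientPermission -Identity $Leaver -Trustee $Delegate `
              -AccessRights SendAs -Confirm:$false | Out-Null
      }
      else {
          # Send-on-Behalf keeps the delegate visible in the From line.
          Set-Mailbox -Identity $Leaver -GrantSendOnBehalfTo @{ Add = $Delegate }
      }

      # 4. Optional forwarding; keep a copy in the shared mailbox for later discovery.
      if ($ForwardToDelegate) {
          Set-Mailbox -Identity $Leaver -ForwardingSmtpAddress $Delegate `
              -DeliverToMailboxAndForward $true
      }

      # Return the resulting state so the caller can verify (and record) what changed.
      Get-Mailbox -Identity $Leaver |
          Select-Object UserPrincipalName, RecipientTypeDetails,
                        GrantSendOnBehalfTo, ForwardingSmtpAddress, DeliverToMailboxAndForward
  }
  ```

    Converting a mailbox to shared does not disable the underlying account; block sign-in or disable the user as a separate step. On Exchange Server the Send-As grant is done with `Add-ADPermission -ExtendedRights Send-As` rather than `Add-RecipientPermission`.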
  </Accordion>

  <Accordion title="Conditional Access" icon="filter">
    List, view, create, update, and delete Conditional Access policies. Destructive changes always require technician approval, regardless of workflow settings.
  </Accordion>

  <Accordion title="Devices" icon="mobile">
    View user devices in Intune; remote wipe and retire mobile devices. Device deletion is always blocked for safety.
  </Accordion>

  <Accordion title="App registrations & OAuth governance" icon="key">
    Review app registrations, service principals, and OAuth consent grants — app inventory, third-party app audits, client secret expiry checks. Create dedicated app registrations (for example, a send-only Mail.Send app for a notifications mailbox) and client secrets. Every write requires technician approval, and Neo can only manage apps it created. Admin consent always stays with your technician — Neo prepares the consent link, a Global Admin clicks it. **Client secret values are never exposed to the agent or written to ticket notes** — when Neo creates a secret, the value is pushed to a one-time secure link (the same self-destructing link used for password resets) that the agent shares for retrieval.
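    The Graph PowerShell behind two of those governance tasks: an expiring-secret audit, and creating a single-tenant send-only app whose admin consent is left to a human. This is an added example, not Neo's own code. It assumes a `Connect-MgGraph` session with `Application.ReadWrite.All` (the audit alone needs only `Application.Read.All`). The Microsoft Graph resource app ID and the Mail.Send application role ID are Microsoft's published constants; the display name, tenant ID and mailbox are placeholders.

  ```powershell
  # Added example (not Neo's own code). Assumes an active Connect-MgGraph session.
  $GraphResourceAppId = '00000003-0000-0000-c000-000000000000'   # Microsoft Graph
  $MailSendAppRoleId  = 'b633e1c5-b582-4048-a93e-9f11b44c7e96'   # Mail.Send (Application)

  # Client-secret expiry check: one row per credential that expires (or expired) soon.
  function Get-ExpiringAppSecrets {
      param([int] $WithinDays = 30)
      $now    = Get-Date
      $cutoff = $now.AddDays($WithinDays)
      Get-MgApplication -All -Property DisplayName, AppId, PasswordCredentials |
          ForEach-Object {
              foreach ($cred in $_.PasswordCredentials) {
                  if ($cred.EndDateTime -lt $cutoff) {
                      [pscustomobject]@{
                          DisplayName = $_.DisplayName
                          AppId       = $_.AppId
                          KeyId       = $cred.KeyId
                          Expires     = $cred.EndDateTime
                          Expired     = ($cred.EndDateTime -lt $now)
                      }
                  }
              }
          }
  }

  # Send-only app: one application permission, one short-lived secret, consent link returned.
  function New-SendOnlyMailApp {
      param(
          [Parameter(Mandatory)] [string] $DisplayName,   # e.g. 'notifications-sender' (placeholder)
          [Parameter(Mandatory)] [string] $TenantId       # placeholder
      )
      # Single-tenant registration requesting exactly Mail.Send as an app role.
      $app = New-MgApplication -DisplayName $DisplayName -SignInAudience 'AzureADMyOrg' `
          -RequiredResourceAccess @(@{
              ResourceAppId  = $GraphResourceAppId
              ResourceAccess = @(@{ Id = $MailSendAppRoleId; Type = 'Role' })
          })

      # The secret value exists only in $secret.SecretText at this moment. Hand it to a
      # one-time link; do not write it to a log, a ticket note, or a variable that persists.
      $secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
          DisplayName = 'initial'
          EndDateTime = (Get-Date).AddDays(90)
      }

      # Admin consent is deliberately not granted here; a Global Administrator clicks the link.
      [pscustomobject]@{
          AppId           = $app.AppId
          ObjectId        = $app.Id
          SecretKeyId     = $secret.KeyId
          SecretValue     = $secret.SecretText
          AdminConsentUrl = "https://login.microsoftonline.com/$TenantId/adminconsent?client_id=$($app.AppId)"
      }
  }
  ```

    `Mail.Send` as an application permission is tenant-wide: once consented, the app can send as any mailbox. Pin it to the notifications mailbox with an Exchange Online application access policy (`New-ApplicationAccessPolicy -AppId <appId> -PolicyScopeGroupId <mailbox> -AccessRight RestrictAccess`), and verify with `Test-ApplicationAccessPolicy`, so a leaked secret cannot be used to send as the CEO.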
  </Accordion>

  <Accordion title="On-prem Active Directory & Exchange Server" icon="server">
    Full AD and Exchange Server management via your RMM: user and computer accounts, organizational units, group operations, infrastructure queries, mailbox and recipient management, mail flow, and Entra Connect sync triggers.
  </Accordion>
</AccordionGroup>

## Permissions & Safety

Each Microsoft integration is split into permission groups, and every group has an access level:

| Level            | What the agent can do                            |
| ---------------- | ------------------------------------------------ |
| **Disabled**     | No access to this category                       |
| **Read Only**    | Query and list operations only                   |
| **Read / Write** | Full access including create, update, and delete |

You can require **technician approval** on any permission group, and some destructive operations (deleting a user, wiping a device) always require approval even when the group is not configured to. A few operations (deleting a domain, deleting a device) are blocked entirely, whatever the access level.

Quick-start profiles — **Read Only**, **Helpdesk**, **IT Admin**, **Full Automation** — configure every permission group at once.

<Card title="Configure Microsoft 365 permissions" icon="microsoft" href="/integrations/m365/intro">
  Full details on Graph, Active Directory, and Exchange permission groups, access levels, and quick-start profiles.
</Card>

<Tip>
  Start with **Read Only** or **Helpdesk** and keep technician approval on for writes. Expand the permissions as you build confidence in the agent's behavior.
</Tip>
