Skip to main content
Neo integrates with Microsoft 365, Active Directory, and Exchange to automate the full spectrum of identity, mailbox, and security operations — across cloud, on-prem, and hybrid environments. Connect once, and your AI agents can handle everything from password resets to full user onboarding and offboarding.

What Neo Can Do

Create, update, disable, enable, and delete users in Entra ID or on-prem Active Directory. Assign managers, update job titles and departments, and manage user properties — all from a single agent.
Reset passwords, unlock accounts, revoke sign-in sessions, reset MFA, and manage authentication methods. Block and unblock user sign-in. In hybrid environments, Neo makes changes on-prem and triggers Azure AD Connect sync automatically.
Assign and remove Microsoft 365 licenses. Look up friendly license names from SKU IDs. Works with direct Microsoft licensing, Pax8, and Partner Center.
Add and remove users from security groups, Microsoft 365 groups, distribution lists, and mail-enabled security groups. Search and list groups across Entra ID and on-prem AD. In hybrid environments, Neo automatically routes group operations to the correct directory.
Assign and remove Entra ID directory roles (Global Admin, Exchange Admin, User Admin, etc.). View a user’s current role assignments.
Convert mailboxes to shared, create new shared mailboxes, and delete shared mailboxes. Set up and remove email forwarding. Configure mailbox delegation (full access, send-as, send-on-behalf). Works with Exchange Online and on-prem Exchange Server.
Grant and revoke full access, send-as, and send-on-behalf permissions. Add and remove recipient permissions. View current mailbox permission assignments.
List, view, create, update, and delete Conditional Access policies. Destructive operations always require technician approval regardless of workflow settings.
View user devices in Intune. Remote wipe and retire mobile devices. Device deletion is always blocked for safety.
Full AD management via RMM: user and computer management, organizational units, group operations, infrastructure queries, and Entra Connect sync triggers.
All Exchange operations work on-prem too: mailbox management, permissions, recipients and contacts, distribution groups, mail flow and transport rules, address lists and policies, compliance and auditing.
Need an operation that’s not listed? Let us know — we add new capabilities regularly.

Granular Permission Controls

Every agent workflow has its own permission configuration. You control exactly what the agent can and cannot do — per integration, per operation category.

Microsoft Graph

8 permission groups covering users, groups, licensing, security, roles, devices, conditional access, and domains

Active Directory

6 permission groups covering users, groups, computers, OUs, infrastructure, and Entra Connect sync

Exchange

7 permission groups covering mailboxes, permissions, recipients, distribution groups, mail flow, address lists, and compliance
Each permission group has three access levels:
LevelWhat the agent can do
DisabledNo access to this category
Read OnlyQuery and list operations only
Read / WriteFull access including create, update, and delete
You can also require technician approval for any permission group — the agent will pause and wait for a technician to approve before executing write operations.
Built-in safety guardrails: Some destructive operations (like deleting a user or wiping a device) always require technician approval, even if the permission group doesn’t have it enabled. Other operations (like deleting a domain) are blocked entirely.
Quick-start profiles let you configure all permission groups at once:
ProfileBest for
Read OnlyMonitoring and reporting agents
HelpdeskTier 1 agents — password resets, group changes, basic user updates
IT AdminTier 2/3 agents — user lifecycle, licensing, mailbox management
Full AutomationFully autonomous agents — all operations, no approval required

Works Everywhere

Neo supports cloud, on-prem, and hybrid Microsoft environments — configured independently per client company.
EnvironmentIdentityMailbox
CloudEntra ID via Microsoft Graph APIExchange Online via Graph + PowerShell
On-premActive Directory via RMM + PowerShellExchange Server via RMM + PowerShell
HybridOn-prem AD with Azure AD Connect syncExchange Hybrid (on-prem cmdlets + cloud routing)
Identity provider and mailbox provider are configured separately — you can mix and match. For example, on-prem AD with Exchange Online, or Entra ID with on-prem Exchange Server.

Connect Cloud Tenants

Two ways to connect Neo to customer Microsoft 365 tenants:
GDAPDirect Consent
Who consentsMSP admin, using GDAP access — no customer involvementA tenant admin in each customer tenant
How Neo authenticatesStandard client_credentials (same for both)Standard client_credentials
CSP enrollment requiredYesNo
Best forMSPs managing many tenants — onboard without waiting for each customer’s adminIndividual tenants, or non-CSP scenarios

GDAP (coming soon)

CSP partners can consent to Neo on behalf of customers using existing GDAP access.

Direct Consent

A tenant admin in each customer tenant consents to the Neo app directly.

Connect On-Prem Environments

On-prem

Connect on-premises Active Directory and Exchange environments via RMM.
Hybrid environments: Configure as on-prem — Neo executes operations on your domain controller and Azure AD Connect syncs changes to the cloud.