Overview
Use this recipe when new users are created in on-prem Active Directory and then synced to Microsoft 365 through Azure AD Connect. In a hybrid identity environment, Neo creates or updates the user in Active Directory, then triggers an Azure AD Connect sync so the change appears in Entra ID and Microsoft 365.
If users are created directly in Entra ID, use the cloud Microsoft 365 setup. If users only exist in local Active Directory and never sync to Microsoft 365, use on-prem Active Directory setup without Hybrid.
When to use Hybrid
| Scenario | Company identity provider |
|---|---|
| Users are created in on-prem AD and synced to Microsoft 365 | Hybrid |
| Users are created only in Microsoft Entra ID | Entra ID |
| Users are created only in local Active Directory | On-prem AD |
Setup checklist
| Check | What the MSP needs to do |
|---|---|
| Company is configured as Hybrid | Set Identity Provider Type to Hybrid in Company Settings |
| Neo can run AD PowerShell | Set the AD runner hostname, upload the Neo wrapper script, and run an RMM sync |
| Neo can trigger AD Connect sync | Set the AD Connect server hostname and make sure the service account can trigger sync |
| Optional license buying is configured | If the agent should buy Microsoft licenses, connect a license marketplace integration and add the company’s marketplace ID |
Configure the company
Go to Companies in Neo and open the end-client company. Set:
- Identity Provider Type: Hybrid
- AD Runner Hostname: the RMM device Neo should use to run Active Directory commands
- AD Connect Server Hostname: the server running Azure AD Connect
- AD Service Account Username / Password: only if the runner needs a dedicated domain service account
Hostnames must match the device names discovered from your RMM. See the on-prem setup guide for field details.
Configure the RMM path
Neo runs on-prem Active Directory commands through your RMM. Before using a hybrid onboarding agent:
Upload the wrapper script
Follow the Neo wrapper script setup for your RMM.
Sync RMM devices and scripts
After uploading the script, run an RMM sync in Neo so the script and devices are discoverable.
Confirm the runner machine
If Neo should run AD commands from a runner instead of directly on the domain controller, follow the runner machine setup.
Verify connectivity
Run the checks in Verify Connectivity before running the agent live.
Configure the onboarding agent
Create or edit an Onboard/Offboard M365 User agent or workflow. On the agent’s Integrations tab, use a Microsoft 365 access profile that allows the onboarding work you want Neo to perform. For hybrid onboarding, the key requirement is that Neo can make the on-prem AD change and trigger Azure AD Connect sync. If the agent also needs to create or manage mailboxes through on-prem Exchange, see Exchange Hybrid setup.
Common errors
| Error | Meaning | Action |
|---|---|---|
| AD Connect sync is only available for hybrid environments | The agent tried to sync AD changes, but the company is configured as On-prem AD | Set the company Identity Provider Type to Hybrid, or remove AD Connect sync from the agent if the company is truly on-prem-only |
| Neo wrapper script not found in RMM | Neo cannot run PowerShell through the RMM | Upload the Neo wrapper script, then run an RMM sync |
| Target server not found in RMM | The configured runner hostname does not match an RMM device | Update the hostname in Company Settings or sync RMM devices |
| No license marketplace integration is configured | Neo cannot buy licenses automatically | Connect a license marketplace integration |
| Marketplace company ID is not set | Neo knows the marketplace, but not this company’s marketplace ID | Add the company’s marketplace company ID in Companies |
Before running live
Confirm company identity mode
The company should be set to Hybrid if Neo needs to trigger Azure AD Connect sync.
Confirm AD Connect access
The service account should be able to trigger sync on the AD Connect server.
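A preflight for the AD Connect access check above, as an added example that is not part of Neo's documentation or tooling. It assumes it is run on the AD Connect server in a session of the service account, it uses the ADSync module's `Get-ADSyncScheduler` and `Start-ADSyncSyncCycle`, and the `-TriggerSync` switch is this script's own.

```powershell
# Added example: preflight for "Confirm AD Connect access".
# Assumption: run on the AD Connect server, in a session of the service account.
# -TriggerSync is a switch of this example script, not a Neo setting.
param([switch]$TriggerSync)
$ErrorActionPreference = 'Stop'

# The ADSync module is installed with Azure AD Connect; failing here usually
# means the script is running on the wrong host.
try { Import-Module ADSync }
catch { throw "ADSync module not found on ${env:COMPUTERNAME}. $($_.Exception.Message)" }

# Reading scheduler state is the first call that needs rights on the sync service.
try { $sched = Get-ADSyncScheduler }
catch { throw "${env:USERDOMAIN}\${env:USERNAME} cannot query the scheduler. $($_.Exception.Message)" }

$findings = [System.Collections.Generic.List[string]]::new()
if ($sched.StagingModeEnabled) {
    $findings.Add('Staging mode is enabled: this server imports and syncs but does not export.')
}
if (-not $sched.SyncCycleEnabled) { $findings.Add('SyncCycleEnabled is False: scheduled cycles are turned off.') }
if ($sched.SchedulerSuspended)    { $findings.Add('Scheduler is suspended.') }
if ($sched.SyncCycleInProgress)   { $findings.Add('A sync cycle is already in progress; retry when it finishes.') }

$triggerResult = 'not attempted'
if ($TriggerSync -and -not $sched.SyncCycleInProgress -and -not $sched.StagingModeEnabled) {
    try {
        # Delta is the routine cycle; Initial would force a full import and sync.
        $triggerResult = (Start-ADSyncSyncCycle -PolicyType Delta).Result
    } catch {
        $triggerResult = 'failed'
        $findings.Add("Account could not start a delta sync. $($_.Exception.Message)")
    }
}

# One summary object so the result can be logged or returned through the RMM.
[pscustomobject]@{
    Server        = $env:COMPUTERNAME
    Account       = "${env:USERDOMAIN}\${env:USERNAME}"
    NextCycleUtc  = $sched.NextSyncCycleStartTimeInUTC
    TriggerResult = $triggerResult
    Findings      = $findings
    Ready         = ($findings.Count -eq 0)
}
```

Run it once without `-TriggerSync` to read state only, then with the switch to confirm the account can actually start a delta cycle.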
