Documentation
The world's first
autonomous IT engineer
Dex investigates, plans, and resolves IT issues before they ever become tickets — available to every employee, right inside Microsoft Teams.
90%+
Requests resolved autonomously
Minutes
Not hours, not days
Governed
Superintelligent, strictly policy-controlled
What is Dex?
Dex is an autonomous AI IT engineer that lives in Microsoft Teams. Employees describe any IT issue or service request in plain language, and Dex instantly understands the request, investigates the root cause, and resolves it — all within minutes, before a ticket is ever opened.
Superintelligent, yet strictly governed. Dex uses a deep multi-step reasoning agent to investigate and resolve complex issues. But every action it takes is bound by your organization's policies and permissions — it can only do what your rules allow.
How It Works
Dex follows a structured reasoning loop for every request. Here's what happens when an employee reaches out.
Employee sends a message in Teams
The user describes their issue or service request in plain language — no forms, no categories, no ticket system.
Dex investigates autonomously
Dex gathers context through read-only checks: querying user details, pulling sign-in logs, checking device health, reading configurations across connected systems.
Dex identifies the root cause and builds a plan
Based on investigation results, Dex determines the optimal sequence of actions needed to resolve the issue.
Policy check & approval (if required)
Every mutating action is checked against your organization’s policy engine. If the policy requires approval, Dex pauses and routes the request to the designated approver group. Actions that are pre-approved by policy execute immediately.
Dex resolves the issue
Approved actions are executed directly in your environment — resetting passwords, cleaning up disk space, granting access, fixing configurations, and more.
Employee sees results
A complete summary of what was found and fixed, with evidence and current system status. The issue is resolved — no ticket was ever created.
Capabilities
Dex handles a wide range of IT scenarios — from simple service requests to deep, multi-step troubleshooting.
Troubleshooting & Diagnostics
Investigate login failures, slow PC performance, memory issues, sync problems. Dex identifies root causes and applies fixes autonomously.
Access & Service Requests
SharePoint site access, Teams membership, group membership, email forwarding, calendar sharing — all handled through natural conversation.
Password & Identity
Self-service password resets, temporary access passes for MFA bootstrap, unblocking risky sign-ins — with appropriate policy controls.
Device Management
Remote diagnostics and repair on Windows devices via the Device Agent — process cleanup, disk recovery, scheduled task removal, and even visual remote control.
Security Response
Contain compromised accounts by revoking sessions, disabling access, and pulling evidence from audit logs. Respond to security incidents in minutes.
Ticket Integration
Create, update, and resolve tickets in ServiceNow, Jira, SysAid, and other ITSM platforms — or resolve issues before a ticket ever needs to exist.
Policy Engine
Dex is powerful — but every action it takes must be covered by an explicit policy. No policy means no action. This is how your organization stays in control.
Three layers of governance
User-scoped execution. The Resolver Agent operates with a “Current User Only” boundary. Employees can only trigger actions that affect their own account and resources, unless a policy explicitly allows broader scope.
Global policy engine. Every operation Dex performs must match an active policy. Each policy defines which users are eligible, what actions are allowed, and whether approval is required — and from whom.
Hardcoded safety rails. Some things are non-negotiable. The platform has built-in rules that will never bypass MFA, never grant admin roles directly, and never execute destructive operations without explicit policy coverage. The execution layer simply refuses, regardless of the prompt.
employee → "Reset my password"
│
├─ ✓ Policy password_reset exists
├─ ✓ Constraint: self_only = true
├─ ✓ Approval: not required
└─ → Execute immediatelyAnatomy of a policy
Every policy in Dex defines what can happen, who it applies to, and what guardrails are in place. Here's a real example:
Action scope — defines what operation this policy governs (email forwarding to internal recipients).
Constraints — users can only set up forwarding for their own mailbox (self_only), and only to internal recipients (internal_only).
Approval required — this action needs approval from the IT approver group before Dex will execute it.
No policy = no action. If a user asks Dex to forward emails externally, the execution layer will refuse because no policy covers that operation.
Policy types
| Type | What it governs | Examples |
|---|---|---|
| Action policies | Specific operations Dex can perform | Password reset, email forwarding, unblock sign-in, ticket creation |
| Resource policies | Access to specific resources within apps | SharePoint sites, Teams workspaces, security groups, enterprise apps |
| Service policies | Broader service categories | M365 licensing, Intune device management, Exchange operations |
Approval routing is flexible. Policies can require approval from specific groups (IT admins, Global Admins), resource owners (e.g., a SharePoint site owner), or be configured for auto-grant for low-risk operations like reading tickets or resetting your own password.
Security & Data Privacy
Dex is built for enterprise-grade security from the ground up.
Dex uses delegated permissions from the authenticated user session. It can only perform actions the user is authorized to perform. Every action is tied to a specific identity and appears in your audit trail.
Every mutating action is checked against the policy engine. No action executes without an explicit policy match. Read-only investigation happens autonomously; changes always require policy coverage — and often explicit approval.
If a task requires a permission scope that hasn’t been granted, Dex pauses and asks for explicit consent before proceeding. Permissions are never assumed.
All actions are logged in standard Microsoft 365 audit logs and in Dex’s own activity log. Full compliance and governance trail — the same as any manual admin action.
Zero data retention. Dex never stores your Microsoft 365 data. It reads only what's needed to complete a request, performs approved actions, and discards temporary data. You can revoke Dex's access at any time from your Microsoft 365 admin center.
Integrations
Dex connects to any SaaS product through its App Store. It ships with built-in integrations for the most common enterprise tools, and each app comes with its own connection configuration, skills, and policy templates.
Built-in apps
Microsoft Teams (User Channel)
Slack (User Channel)
Microsoft Entra ID
Okta
Google Workspace
SharePointMicrosoft TeamsSlack
Exchange Online
Zoom Workplace
Atlassian (Jira & Confluence)
ServiceNow
Freshdesk
Freshservice
Zendesk
SysAid
HaloPSA
Microsoft Intune
Action1
Level
N-able N-sight
Acronis Cyber Protect
Salesforce
Microsoft 365 Licenses
Windows Device AgentEach app integration includes three components: a connection (API credentials and authentication setup), skills (the operations Dex can perform with that app), and policy templates (pre-configured rules discovered from your environment). When connecting a new app, Dex may ask for API keys or OAuth credentials, which are stored in an encrypted secure key store.
Device Agent
Dex includes a special Device Agent that runs directly on employees' Windows machines, enabling deep diagnostics and repair that go far beyond API-level management.
PowerShell diagnostics
Run diagnostic scripts to investigate CPU/memory usage, rogue processes, disk space issues, scheduled task analysis, and system health checks — all remotely.
Autonomous repair
Stop rogue processes, remove malicious scheduled tasks, clean up disk space, fix configurations — Dex resolves device issues without requiring the user to do anything.
Computer Use (remote control)
For complex issues, Dex can visually interact with the device desktop as if a human admin were sitting at the machine — clicking, navigating, and applying fixes.
Intune deployment
The Device Agent is deployed by default through Intune, making rollout seamless across your managed Windows fleet — no manual installation needed.
Onboarding
Setting up Dex is a guided, largely autonomous process. The onboarding wizard walks you through seven steps — and Dex's autonomous agents handle most of the heavy lifting.
Step 1
M365 Discovery
Dex scans your Microsoft 365 tenant — tenant info, licensing, users, groups, Exchange, SharePoint, OneDrive, Teams, enterprise apps, security groups, and roles.
Step 2
Review & Approve
Review discovered resources across Entra ID, SharePoint, Teams, and other M365 services. Toggle which resources should be managed by Dex.
Step 3
Additional Apps
Connect external apps like ServiceNow, Jira, or Salesforce. Dex guides you through entering connection credentials (stored in an encrypted key store).
Step 4
Autonomous Setup
Dex automatically configures infrastructure: app registration, connection setup, security groups, access rules, bot channel registration, Teams app deployment, and Device Agent deployment.
Step 5
Playground Testing
Test Dex as an end user in a safe playground environment. Try resetting a password, requesting access, or asking any IT question to verify everything works.
Step 6
Invite Colleagues
Invite individual users by name or email. Selected users are added to the Dex Users group and receive the Teams app plus a welcome message from Dex.
Step 7
Invite Groups
Roll Dex out to entire groups — All Employees, Engineering, specific security groups — for broad or phased deployment across your organization.
How Discovery works
Each app in Dex has an autonomous discovery agent. When you connect an app, the discovery agent scans your environment and automatically generates the policies needed — for resources (e.g., each SharePoint site), actions (e.g., password reset), and services.
After discovery, you can review and customize every policy. You can give instructions to the discovery agent directly (e.g., “Add a policy for discount approval on Salesforce opportunities”) or edit policies manually through the UI. Each policy includes API templates that ensure the operation can only execute after the policy has been evaluated and, if required, approved.
No actions without policies. Even after discovery and setup, Dex will only execute operations that have an active, matching policy. If a user asks for something not covered by policy, Dex will inform them that the action isn't available.
Users & Policies
The Users & Policies screen is where you manage access, policies, and reference data. It has three tabs: Users & Roles, Policies, and Reference Data.
Users & Roles
Define who can access or manage your Dex environment by assigning roles to individual users or Entra ID groups.
| Role | Description |
|---|---|
| Dex User | Can interact with Dex as an end user in Microsoft Teams — submit IT requests, get resolutions. |
| CoAdmin User | Can use CoAdmin capabilities for direct M365 admin operations and troubleshooting. |
| Dex Admin | Can manage Dex settings, policies, integrations, and user access. Sees the full admin dashboard. |
| Dex Owner | Full control including billing, ownership transfer, and destructive operations. Typically the person who set up Dex. |
You can assign roles to entire Entra ID groups (e.g., “All Employees” as Dex Users) or to individual users. Use the + Add User/Group button to add new entries. Each user or group can hold multiple roles simultaneously.
Approver Groups
Approver groups define who can approve policy-gated actions. Each group maps to an Entra ID security group and shows the number of members and how many policies route approvals to it.
| Column | What it shows |
|---|---|
| Group Name | Display name of the approver group (e.g., Global Administrators, IT Approvers, Support). |
| Entra ID | The linked Entra ID security group identifier. |
| Members | Number of users in the group. |
| Policies | Number of policies that route approvals to this group. Click to view them. |
Use + Create Group to add new approver groups. When a policy requires approval, Dex routes the request to the approver group specified in that policy.
Policies
The Policies tab lists every policy in your Dex environment. Policies are auto-generated during discovery and can be searched, filtered, toggled on/off, and edited.
| Column | What it shows |
|---|---|
| Target Name | The resource or action the policy governs (e.g., "SharePoint: Communication site"). |
| Target Type | Resource, Action, or Service — the policy category. |
| Policy Rule | A summary of the policy definition including name, description, and key constraints. |
| Application | Which connected app this policy belongs to (e.g., SharePoint, Exchange, Intune). |
| Status | ON or OFF toggle. Only active policies are enforced by the execution layer. |
| Last Update | When the policy was last modified or re-discovered. |
Click any policy to open its full YAML-like definition in an editor. Each policy specifies the resource or action scope, constraints, access rules (auto-grant or require approval), the approver group, and eligibility criteria. Changes are saved immediately.
Example — Resource policy
name: 'SharePoint: Communication site' description: SharePoint site resource: type: m365.sharepoint_site site_url: https://tenant.sharepoint.com access_rules: default: require_approval approver_group: global_admins
Use Run Discovery to re-scan your connected apps and auto-generate new policies for any resources or actions that aren't covered yet.
Search and filter. Use the search bar to quickly find policies by name, application, or type. For example, searching “SharePoint” shows all SharePoint resource policies.
Reference Data
Reference data provides organizational context that policies can use for scoping and eligibility. This tab has two sections:
Departments
Lists all departments discovered from your Entra ID directory (Engineering, Finance, Marketing, Sales, HR, etc.). Each department maps to an Entra ID attribute and can have policy overrides.
Departments can be toggled ON/OFF to control whether they're available for policy scoping. When ON, policies can target users by department for eligibility rules.
Device Agent
Shows all connected Device Agent endpoints, including their Device ID, hostname, operating system, connection status (Online/Offline), and linked Entra Device ID.
This gives you visibility into which devices have the Device Agent installed and are available for remote diagnostics and repair.
Reference data is automatically populated during onboarding discovery. You can customize department mappings and policy overrides to match your organization's structure.
App Store
The App Store is where you connect apps to expand what Dex can resolve autonomously. Each app is a self-contained integration with its own connection, skills, and tools.
Available apps
Dex ships with built-in apps for common enterprise tools. Each app card shows its name, status (Active or inactive), a description, and its components.
Internal Docs
Upload internal documents so Dex can answer questions using your company knowledge.
Documents
Dex Essentials
Core tools for the resolver agent including question handling, skill loading, and documentation search.
Tools
M365 Base
Microsoft 365 base functionality including Graph API access, permission consent, and file operations.
Tools
Entra ID
Azure Active Directory / Entra ID identity management, user administration, and group management.
Skills, Actions
SharePoint
SharePoint site access management and administration.
Skills, Actions
Microsoft Teams
Microsoft Teams team and channel management.
Skills, Actions
Windows Device
Windows device management tools including diagnostics, PowerShell execution, and remote desktop control.
Tools, Skills
Google Workspace
Google Workspace administration including user management, group management, and device management.
Actions
Atlassian (Jira & Confluence)
Atlassian integration for Jira issue management, project tracking, and Confluence documentation via REST APIs.
Skills, Actions
What's inside an app
Each connected app can include one or more of these components:
| Component | Description |
|---|---|
| Tools | Low-level API operations the agent can call (e.g., Graph API calls, PowerShell commands). These power the agent’s execution layer. |
| Skills | Higher-level capabilities that combine multiple tools into meaningful workflows (e.g., "Computer Use Skill", "Device Performance Troubleshooting"). |
| Actions | Policy-governed operations that may require approval before executing (e.g., granting SharePoint access, resetting a password). |
| Documents | Internal knowledge files (Docs, PDFs, CSVs) that Dex can reference when answering questions. |
AI-assisted app setup
The App Store includes a built-in chatbot assistant that helps you configure new app connections. When you add a new app, the assistant walks you through the setup:
Start discovery
The assistant begins discovery for the new app, loading its definition and identifying required configuration.
Guided credential input
The assistant asks for connection details step-by-step (e.g., API tokens, OAuth credentials). Sensitive values are entered securely and never stored in the chat.
Connection test & policy generation
Once configured, the assistant tests the connection and auto-generates policies for the new app’s resources and actions.
Skills can be toggled individually. Each app's skills have their own ON/OFF switches, so you can selectively enable capabilities like “Computer Use Skill” or “Device Performance Troubleshooting” without disabling the entire app.
Activity Log
Track every task handled by Dex across your organization. The Activity Log records all actions from the Resolver agent, CoAdmin agent, and Onboarding agent in a single searchable view.
Task list
The main table shows every task with the following columns:
| Column | What it shows |
|---|---|
| Date | Timestamp of when the task was created. |
| Title | The user’s original request or a summary of the task (e.g., "Show me all the teams I have access to"). |
| Category | Task category if classified, or "No Category" for uncategorized requests. |
| Status | Current state: Resolved, Awaiting user, In Progress, or Unresolved. |
| User name | The employee who initiated the request. |
| Source | Which agent handled the task: Dex Resolver, CoAdmin, or Onboarding. |
Use the search bar to filter by title, user name, or date. The filter icon lets you narrow by status, source, or category. Results are paginated and can be exported.
Task Overview
Click any task to open its full Task Overview panel. This panel has three tabs that give you complete visibility into what happened:
Task Journey
The full conversation between the employee and Dex, including the original request, investigation findings, follow-up questions, approval requests, and final resolution. Shows exactly what the user experienced.
Steps
A breakdown of every step the agent took, including API calls (GET/PATCH requests), tool invocations, approval submissions, and execution results. Each step shows its duration and can be expanded to reveal the full tool call payload and response.
Quality
Quality metrics including Dex time (how long the agent took) vs. Human work time (estimated manual effort), plus task details like status, category, user, source agent, and description.
Understanding the Steps tab
The Steps tab provides full transparency into Dex's reasoning and execution. Each step is expandable and shows:
- The tool or API call that was executed (e.g., submit_approval_request, execute_salesforce_api_call)
- The full request payload including target ID, policy rule, approver group, and parameters
- The response including status, result data, notification counts, and next steps
- Duration of each step in seconds for performance visibility
The Activity Log provides a complete audit trail across all three Dex agents. Use it to review what Dex resolved, verify policy enforcement, investigate specific tasks, and measure the time savings Dex delivers compared to manual IT work.
CoAdmin for IT Admins
CoAdmin is Dex's direct admin interface — purpose-built for IT administrators who need to execute complex Microsoft 365 workflows. Investigate issues, run bulk operations, optimize licenses, and respond to security incidents, all through natural language.
View CoAdmin documentation