MSP Documentation
How to configure Microsoft 365
Create a Microsoft 365 app registration that Dex can use to manage a customer tenant. Takes about 5–10 minutes and requires Global Administrator on the customer's tenant.
Overview
This guide walks you through creating a Microsoft 365 app registration that Dex can use to manage a customer tenant. At the end you will have three values to paste into the Add tenant dialog:
- Directory (tenant) ID
- Application (client) ID
- Client secret value
The process takes about 5–10 minutes and must be performed by someone with Global Administrator (or Privileged Role Administrator + Cloud Application Administrator) on the customer's Microsoft 365 tenant.
App-only integration
Dex uses an application (app-only) integration — not a delegated user login. This means Dex can act on the tenant even when no user is signed in, which is required for autonomous remediation and scheduled discovery.
Before You Start
You will need:
- A user account with Global Administrator rights in the customer's Microsoft 365 tenant.
- Access to the Microsoft Entra admin center (or the Azure portal).
- About 10 minutes.
Create the app registration
- Sign in to https://entra.microsoft.com as a Global Administrator of the customer tenant.
- In the left menu, go to Identity → Applications → App registrations.
- Click + New registration.
- Fill in:
- Name: Dex (or any name — only shown to admins inside Entra).
- Supported account types: Accounts in this organizational directory only (Single tenant).
- Redirect URI: leave blank.
- Click Register.
You are now on the app's Overview page. Keep this tab open — you will copy two values from it shortly.
Copy the Tenant ID and Client ID
On the app's Overview page, copy these two values:
| Field in Entra | Paste into Dex as |
|---|---|
| Directory (tenant) ID | Tenant ID (first field) |
| Application (client) ID | Client ID (second field) |
Create a client secret
- In the left menu of the app, click Certificates & secrets.
- Under the Client secrets tab, click + New client secret.
- Fill in:
- Description: Dex integration
- Expires: choose the longest option your security policy allows (24 months recommended). You will need to rotate the secret before it expires.
- Click Add.
- Immediately copy the Value column (not the Secret ID). This is shown only once — if you navigate away you will need to create a new secret.
Paste this value into the Client secret field (third field) in the Dex Add tenant dialog.
Important
Copy the Value, not the Secret ID. The Value is a long string that starts with characters like 6CR8Q~…. The Secret ID is a GUID and will not work.
Grant API permissions
This is the most important step. Dex needs a specific set of Microsoft Graph application permissions. If any are missing, the Add tenant validation will fail and tell you exactly which roles still need consent.
4a. Add the permissions
- In the left menu of the app, click API permissions.
- Click + Add a permission.
- Choose Microsoft Graph.
- Choose Application permissions (not Delegated).
- Search for and add each permission listed below. You can add them in batches — search, tick the checkboxes, and click Add permissions, then repeat.
4b. Grant admin consent
After all permissions are added:
- Back on the API permissions page, click Grant admin consent for <tenant name>.
- Confirm. The Status column should turn into a green check (Granted for <tenant>) for every row.
Required Microsoft Graph application permissions
All permissions below are Application type, on the Microsoft Graph API. Dex's validator checks for every one of these — if any are missing, you will get a MISSING_PERMISSIONS error listing exactly which roles still need consent.
Core identity & directory
| Permission | Why Dex needs it |
|---|---|
| User.ReadWrite.All | Create, update, disable, and delete users; reset passwords; manage licenses. |
| Directory.ReadWrite.All | Read and write directory objects (users, groups, devices) for org-wide operations. |
| Group.ReadWrite.All | Create and manage Microsoft 365 groups, security groups, and distribution lists. |
| GroupMember.ReadWrite.All | Add and remove members from groups. |
| UserAuthenticationMethod.ReadWrite.All | Manage MFA methods, register/reset authentication methods. |
Audit & security
| Permission | Why Dex needs it |
|---|---|
| AuditLog.Read.All | Read sign-in and audit logs for incident investigation. |
| Application.Read.All | Read app registrations and service principals during discovery. |
| RoleManagement.Read.Directory | Read directory role assignments to evaluate privilege. |
| BitlockerKey.Read.All | Retrieve BitLocker recovery keys for device recovery workflows. |
Intune / device management
| Permission | Why Dex needs it |
|---|---|
| DeviceManagementApps.ReadWrite.All | Manage Intune app deployments. |
| DeviceManagementConfiguration.Read.All | Read Intune configuration and compliance policies. |
| DeviceManagementManagedDevices.PrivilegedOperations.All | Wipe, retire, remote lock, and reset managed devices. |
| DeviceManagementManagedDevices.ReadWrite.All | Read and update managed device records. |
Exchange / mail
| Permission | Why Dex needs it |
|---|---|
| Mail.Send | Send notification and remediation emails from user mailboxes. |
| Mail.ReadWrite | Read and modify mailbox contents during investigation and cleanup. |
| Calendars.ReadWrite | Manage calendar events during onboarding/offboarding. |
| MailboxSettings.ReadWrite | Configure mailbox settings (forwarding, OOO, delegates). |
SharePoint / files
| Permission | Why Dex needs it |
|---|---|
| Sites.Read.All | Read SharePoint site metadata for discovery. |
| Sites.ReadWrite.All | Manage SharePoint sites and lists. |
| Sites.FullControl.All | Required for site provisioning and permission management. |
| Files.Read.All | Read OneDrive / SharePoint files for investigation. |
| Files.ReadWrite.All | Manage files during offboarding and content cleanup. |
Reports & organization
| Permission | Why Dex needs it |
|---|---|
| Organization.Read.All | Read tenant info (display name, verified domains, licenses). |
| Reports.Read.All | Pull usage and activity reports for posture analysis. |
| ReportSettings.ReadWrite.All | Enable de-anonymized reports so user-level usage data is available. |
Teams
| Permission | Why Dex needs it |
|---|---|
| TeamsAppInstallation.ReadWriteForUser.All | Install the Dex Teams app for end users. |
| AppCatalog.ReadWrite.All | Upload and update the Dex Teams app in the tenant app catalog. |
Add the tenant in Dex
- Return to the Dex Add tenant dialog.
- Enter an Organization name (this is the label that will show in your MSP dashboard — it does not need to match the M365 tenant name).
- Select Microsoft 365.
- Paste the three values you collected:
- Tenant ID → from the app's Overview page
- Client ID → from the app's Overview page
- Client Secret → the Value you copied in Step 3
- Click Add Tenant.
Dex will:
- Acquire an app-only token to verify the credentials are valid.
- Call /organization on Microsoft Graph to confirm the tenant matches.
- Look up the service principal and list its granted app roles.
- Compare granted roles against the required list above and report any missing ones.
If everything succeeds, the tenant appears in your MSP dashboard and Dex automatically starts a discovery scan.
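The four validation steps above, reproduced as an added example so you can run the same checks yourself before (or after) clicking Add Tenant. This is not Dex's own code: it is a standard-library Python 3 script that performs the client-credentials grant, calls /organization, resolves the service principal's appRoleAssignments to permission names via the Microsoft Graph service principal's appRoles list, and diffs them against the tables above. The function names, the REQUIRED_PERMISSIONS set (copied from the tables) and the sample data in the offline demo are this example's own; the Microsoft Graph appId 00000003-0000-0000-c000-000000000000 is the well-known value. Reading the service principal and its assignments only needs Application.Read.All and /organization only needs Organization.Read.All, both of which are in the required list, so the script works with the same app registration.

```python
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Well-known appId of the Microsoft Graph service principal (identical in every tenant).
# Its appRoles list is what maps permission GUIDs to names such as "User.ReadWrite.All".
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# The Application permissions from the tables above (27 rows), keyed by their Graph "value".
REQUIRED_PERMISSIONS = frozenset({
    "User.ReadWrite.All", "Directory.ReadWrite.All", "Group.ReadWrite.All",
    "GroupMember.ReadWrite.All", "UserAuthenticationMethod.ReadWrite.All",
    "AuditLog.Read.All", "Application.Read.All", "RoleManagement.Read.Directory",
    "BitlockerKey.Read.All",
    "DeviceManagementApps.ReadWrite.All", "DeviceManagementConfiguration.Read.All",
    "DeviceManagementManagedDevices.PrivilegedOperations.All",
    "DeviceManagementManagedDevices.ReadWrite.All",
    "Mail.Send", "Mail.ReadWrite", "Calendars.ReadWrite", "MailboxSettings.ReadWrite",
    "Sites.Read.All", "Sites.ReadWrite.All", "Sites.FullControl.All",
    "Files.Read.All", "Files.ReadWrite.All",
    "Organization.Read.All", "Reports.Read.All", "ReportSettings.ReadWrite.All",
    "TeamsAppInstallation.ReadWriteForUser.All", "AppCatalog.ReadWrite.All",
})


def acquire_app_only_token(tenant_id, client_id, client_secret):
    """Step 1: client-credentials grant against the tenant's v2.0 token endpoint."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,        # the secret Value, never the Secret ID
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def graph_get(token, path, query=None):
    """GET a Graph resource; OData options such as $filter go in `query`."""
    url = GRAPH + path
    if query:
        url += "?" + urllib.parse.urlencode(query, quote_via=urllib.parse.quote)
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def tenant_matches(organization_response, expected_tenant_id):
    """Step 2: /organization returns the tenant's own organization object, whose id is the
    Directory (tenant) ID, so a mismatch means the values came from different tenants."""
    return any(org.get("id", "").lower() == expected_tenant_id.lower()
               for org in organization_response.get("value", []))


def granted_permission_names(graph_app_roles, app_role_assignments):
    """Step 3: appRoleAssignments carry only appRoleId GUIDs; resolve them to names."""
    id_to_value = {role["id"]: role["value"] for role in graph_app_roles}
    return {id_to_value[a["appRoleId"]] for a in app_role_assignments
            if a.get("appRoleId") in id_to_value}


def missing_permissions(granted, required=REQUIRED_PERMISSIONS):
    """Step 4: the rows that still need 'Grant admin consent' in Entra, sorted for display."""
    return sorted(set(required) - set(granted))


def validate_tenant(tenant_id, client_id, client_secret):
    """Run all four checks; returns the missing-permission list (empty when fully consented).
    Error names mirror the troubleshooting section of this guide."""
    try:
        token = acquire_app_only_token(tenant_id, client_id, client_secret)
    except urllib.error.HTTPError as exc:
        raise RuntimeError(f"INVALID_CREDENTIALS (HTTP {exc.code})") from exc
    if not tenant_matches(graph_get(token, "/organization"), tenant_id):
        raise RuntimeError("tenant id in /organization does not match the supplied Tenant ID")
    sps = graph_get(token, "/servicePrincipals",
                    {"$filter": f"appId eq '{client_id}'", "$select": "id"})["value"]
    if not sps:
        raise RuntimeError("SERVICE_PRINCIPAL_NOT_FOUND")  # admin consent never granted
    # 27 assignments fit in one page, so @odata.nextLink paging is not handled here.
    assignments = graph_get(token, f"/servicePrincipals/{sps[0]['id']}/appRoleAssignments")["value"]
    graph_sp = graph_get(token, "/servicePrincipals",
                         {"$filter": f"appId eq '{GRAPH_APP_ID}'", "$select": "appRoles"})["value"][0]
    return missing_permissions(granted_permission_names(graph_sp["appRoles"], assignments))


if __name__ == "__main__":
    if len(sys.argv) == 4:
        print(validate_tenant(*sys.argv[1:]))  # python check.py <tenant-id> <client-id> <secret>
    else:
        # Offline demo on constructed sample data: two roles consented, one unknown GUID ignored.
        sample_roles = [{"id": "role-1", "value": "User.ReadWrite.All"},
                        {"id": "role-2", "value": "Organization.Read.All"}]
        sample_assignments = [{"appRoleId": "role-1"}, {"appRoleId": "role-2"},
                              {"appRoleId": "role-unknown"}]
        granted = granted_permission_names(sample_roles, sample_assignments)
        print(f"granted={sorted(granted)} missing={len(missing_permissions(granted))}")
```

Run it with the three values from the Add tenant dialog; an empty list means every row has consent, and a non-empty list is the same set the MISSING_PERMISSIONS error would report. Because the script reads consent from appRoleAssignments rather than from the API permissions page, a permission that was added but never consented correctly shows as missing.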
Troubleshooting
INVALID_CREDENTIALS
- Double-check you pasted the Tenant ID (not the tenant domain like contoso.onmicrosoft.com).
- Confirm the Client Secret is the Value, not the Secret ID.
- Confirm the secret has not expired. Go to Certificates & secrets in Entra and check the Expires column.
MISSING_PERMISSIONS
- The error response includes the exact list of missing permissions. Go back to API permissions in the app registration, add the missing ones, and click Grant admin consent again. Then retry Add Tenant.
SERVICE_PRINCIPAL_NOT_FOUND
- The app registration exists but no service principal (Enterprise Application) has been created in the tenant yet. This usually means admin consent has never been granted. Click Grant admin consent for <tenant> under API permissions — that step creates the service principal as a side effect.
TENANT_ALREADY_BOUND
- This M365 tenant is already linked to another Dex organization. Contact your Dex administrator.
Rotating the secret later
Client secrets expire. To rotate without downtime:
- In the app's Certificates & secrets page, create a new client secret.
- In the Dex MSP dashboard, open the tenant and update its credentials with the new secret Value.
- Once Dex confirms the new secret works, delete the old secret in Entra.
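The rotation steps above only work if you notice the expiry in time, and the INVALID_CREDENTIALS entry in Troubleshooting is what an expired secret looks like from Dex's side. As an added example (not Dex's own tooling), the script below reads the app registration's passwordCredentials through Microsoft Graph, which needs only Application.Read.All from the required list and returns expiry metadata but never secret values, and reports any secret that expires within a chosen window. The function names, the daysLeft field and the sample credentials in the demo are this example's own.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

GRAPH = "https://graph.microsoft.com/v1.0"


def parse_graph_datetime(value):
    """Graph returns UTC timestamps such as 2026-03-01T12:34:56.7890123Z; fromisoformat
    needs the trailing 'Z' removed and the fraction cut to microseconds."""
    value = value.rstrip("Z")
    if "." in value:
        head, frac = value.split(".", 1)
        value = f"{head}.{frac[:6]}"
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def expiring_secrets(password_credentials, within_days=30, now=None):
    """Return secrets expiring within `within_days` (or already expired), soonest first.
    `now` may be a Graph-style timestamp string for reproducible checks; default is UTC now."""
    now_dt = parse_graph_datetime(now) if now else datetime.now(timezone.utc)
    flagged = []
    for cred in password_credentials:
        days_left = (parse_graph_datetime(cred["endDateTime"]) - now_dt).days  # negative = expired
        if days_left <= within_days:
            flagged.append({"keyId": cred.get("keyId"),
                            "displayName": cred.get("displayName"),
                            "endDateTime": cred["endDateTime"],
                            "daysLeft": days_left})
    return sorted(flagged, key=lambda c: c["daysLeft"])


def fetch_password_credentials(token, client_id):
    """Read the registration's secret metadata (keyId, displayName, endDateTime; no values)."""
    query = urllib.parse.urlencode({"$filter": f"appId eq '{client_id}'",
                                    "$select": "passwordCredentials"},
                                   quote_via=urllib.parse.quote)
    req = urllib.request.Request(f"{GRAPH}/applications?{query}",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        apps = json.load(resp)["value"]
    return apps[0]["passwordCredentials"] if apps else []


if __name__ == "__main__":
    # Constructed sample: the old "Dex integration" secret is nine days from expiry,
    # the replacement created during rotation is not.
    sample = [
        {"keyId": "k1", "displayName": "Dex integration", "endDateTime": "2025-01-10T00:00:00Z"},
        {"keyId": "k2", "displayName": "Dex integration (rotated)",
         "endDateTime": "2026-12-31T00:00:00.1234567Z"},
    ]
    for hit in expiring_secrets(sample, within_days=30, now="2025-01-01T00:00:00Z"):
        print(f"{hit['displayName']}: {hit['daysLeft']} days left (keyId {hit['keyId']})")
```

Pair `fetch_password_credentials` with the app-only token from your own tooling and schedule the check ahead of the 24-month expiry; once the new secret is in the Dex dashboard and the old one has been deleted in Entra, the old keyId simply disappears from the list.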
Summary checklist
- Registered a new app in Entra → App registrations (Single tenant).
- Copied Directory (tenant) ID and Application (client) ID.
- Created a Client secret and copied its Value.
- Added all required Microsoft Graph application permissions listed above.
- Clicked Grant admin consent for the tenant — every row shows a green check.
- Pasted the three values into Dex Add tenant and clicked Add Tenant.