Skip to Content
Msp PortalTenantsConnect Tenant

Connect Tenant

Onboard a new Microsoft 365 tenant into OpsPilot365. This wizard guides you through the consent process and initial synchronization.

Note: Prerequisites:

  • You need Global Administrator credentials for the target tenant
  • The tenant must have at least one active Microsoft 365 subscription
  • Multi-factor authentication must be completed during consent

Connection Process

Step 1: Select Customer

Choose an existing customer from your customer list or create a new customer record. The tenant will be associated with this customer for billing and reporting purposes. If integrated with a PSA (ConnectWise, Autotask, HaloPSA), customers sync automatically.

Step 2: Enter Tenant Domain

Enter the primary domain or tenant ID of the Microsoft 365 tenant. Examples:

  • contoso.onmicrosoft.com
  • contoso.com (if verified as primary domain)
  • xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (tenant GUID)

Click “Authorize” to open the Microsoft consent dialog. A Global Administrator of the target tenant must sign in and grant permissions. The consent includes:

Requested Permissions:

  • User.Read.All — Read all user profiles
  • Group.Read.All — Read all groups
  • Directory.Read.All — Read directory data
  • DeviceManagementManagedDevices.Read.All — Read Intune devices
  • SecurityEvents.Read.All — Read security data
  • Mail.Read — Read mailbox settings (delegated)
  • Reports.Read.All — Read usage reports

Write permissions are requested separately when needed for specific operations.

Step 4: Initial Sync

After consent is granted, OpsPilot365 performs an initial synchronization:

  • Tenant organization details
  • User and group inventory
  • License subscriptions and assignments
  • Secure Score baseline
  • Device inventory (if Intune is configured)
  • Mailbox inventory (Exchange Online)

Initial sync typically takes 2-5 minutes depending on tenant size.

Step 5: Confirmation

Once sync completes, you’ll see a summary of discovered resources. You can optionally configure tenant-specific settings like tags, notification preferences, or connect additional services.

GDAP vs DAP

OpsPilot365 supports both Granular Delegated Admin Privileges (GDAP) and legacy Delegated Admin Privileges (DAP):

Time-limited, role-based access. You select specific admin roles needed. Microsoft requires GDAP for new partner relationships. Supports zero standing access.

DAP (Legacy)

Full Global Administrator access. Being deprecated by Microsoft. Existing DAP relationships continue to work but cannot be created new.

Troubleshooting

The user declined consent or doesn’t have permission to consent. Ensure a Global Administrator is signing in, or have one pre-approve the enterprise application.

Redirect URI mismatch. Contact support — this indicates a configuration issue with the OpsPilot365 app registration.

Sync Timeout

Large tenants (10,000+ users) may timeout on initial sync. The sync continues in the background. Refresh the page after a few minutes to see updated status.

Tenant Already Connected

Each tenant can only be connected once. If the tenant shows as already connected but you don’t see it, check if it’s associated with a different customer or contact support to transfer ownership.

API Reference

  • POST /api/msp-portal/tenants/connect — Initiate tenant connection (returns auth URL)
  • POST /api/msp-portal/tenants/callback — Handle OAuth callback after consent
  • GET /api/msp-portal/tenants/:tenantId/sync-status — Check initial sync progress
Last updated on
All TenantsHealth Matrix