The Microsoft Graph Admin integration gives Cotool agents read-only, organization-wide visibility into Microsoft Entra ID and Microsoft 365 activity. It is designed for security investigations, access reviews, user offboarding, and incident response workflows where an agent needs to answer questions like:
  • What groups, directory roles, and enterprise applications does this user have access to?
  • Which applications have delegated OAuth grants that can act as this user?
  • What sign-in, directory audit, or provisioning activity happened in the tenant?
  • Which users or groups match a specific investigation lead?

Integration model

Microsoft Graph does not use Google Workspace-style domain-wide delegation (DWD). The Microsoft equivalent for this integration is tenant-wide admin consent to a Microsoft Entra application, followed by application-only Microsoft Graph access.
After an administrator grants consent, Cotool uses the OAuth 2.0 client credentials flow to request Microsoft Graph tokens for the customer’s tenant. The admin integration does not require Cotool to handle an end-user Microsoft password, and it does not depend on an individual user’s mailbox or session token.
At a high level:
  1. A Cotool admin starts setup from Settings > Integrations and selects Microsoft Graph (Admin).
  2. Cotool asks for the Microsoft tenant domain, such as contoso.com or contoso.onmicrosoft.com.
  3. Cotool redirects the administrator to Microsoft’s admin consent endpoint for that tenant:
    https://login.microsoftonline.com/{tenant}/adminconsent
    
  4. The Microsoft administrator reviews the permissions configured on Cotool’s Entra application and grants tenant-wide consent.
  5. Microsoft redirects back to Cotool with the consent result.
  6. Cotool stores the tenant identifier for the organization and uses app-only Graph tokens scoped to that tenant when agents run Microsoft Graph Admin tools.
Cotool uses two Microsoft identity platform flows:
| Stage | Microsoft flow | Purpose |
|---|---|---|
| Initial setup | Tenant-wide admin consent | Grants the Cotool application permission to read approved Microsoft Graph resources for the tenant. |
| Tool execution | OAuth 2.0 client credentials | Retrieves a short-lived app-only access token for Microsoft Graph. |
During execution, the token request uses:
grant_type=client_credentials
scope=https://graph.microsoft.com/.default
The .default scope tells Microsoft to issue a token containing the application permissions that were already configured on the Cotool app registration and consented by the tenant administrator. Cotool does not dynamically request additional Microsoft Graph permissions at runtime. Because this is app-only access, Graph calls are not limited to the Microsoft account of the administrator who completed setup. They are limited by the Graph application permissions consented in the customer’s tenant.
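The consent URL, the client credentials request, and a check on the token that comes back, as an added example in Python (not Cotool's own code). The client ID, redirect URI, state value, tenant ID and the token claims are constructed for the example; the credential is assumed to be a client secret, although a certificate assertion is the other option for this flow. The token check decodes the payload without verifying the signature (Microsoft Graph verifies it on every call) and confirms that the token is app-only, is issued for Graph and the expected tenant, and carries no application permission beyond the four this page documents.

```python
import base64
import json
from urllib.parse import urlencode

GRAPH_RESOURCE = "https://graph.microsoft.com"
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # well-known Microsoft Graph app ID

# Application permissions this page documents for the Cotool app registration.
EXPECTED_APP_ROLES = {
    "AuditLog.Read.All",
    "Directory.Read.All",
    "Application.Read.All",
    "RoleManagement.Read.Directory",
}


def admin_consent_url(tenant: str, client_id: str, redirect_uri: str, state: str) -> str:
    """Setup step 3: the admin consent endpoint for the customer's tenant.
    `state` is an opaque value bound to the session that started setup, so the
    redirect back in step 5 can be matched to it (anti-CSRF)."""
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri, "state": state})
    return f"https://login.microsoftonline.com/{tenant}/adminconsent?{query}"


def token_request(tenant_id: str, client_id: str, client_secret: str) -> tuple:
    """Tool-execution step: the client credentials request for an app-only token.
    Returns the token endpoint and the form body; nothing is sent from here."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # assumption: secret credential (a certificate assertion also works)
        "scope": f"{GRAPH_RESOURCE}/.default",  # only already-consented app permissions are issued
    }
    return url, form


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_app_token(token: str, expected_tenant: str) -> dict:
    """Decode the token payload (no signature verification, that is Graph's job)
    and check it is app-only, for Microsoft Graph, for the expected tenant, and
    within the documented permission set. Findings are returned, not raised,
    so a caller can log them alongside the tool invocation."""
    _header, payload, _signature = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    problems = []
    if claims.get("aud") not in (GRAPH_RESOURCE, GRAPH_APP_ID):
        problems.append("audience is not Microsoft Graph")
    if claims.get("tid") != expected_tenant:
        problems.append("token was issued for a different tenant")
    if "scp" in claims:
        problems.append("token carries delegated scopes (scp); expected app-only roles")
    roles = set(claims.get("roles", []))
    unexpected = sorted(roles - EXPECTED_APP_ROLES)
    if unexpected:
        problems.append(f"unexpected application permissions: {unexpected}")
    return {
        "app_only": "scp" not in claims and bool(roles),
        "roles": sorted(roles),
        "problems": problems,
    }


def constructed_token(claims: dict) -> str:
    """Build an UNSIGNED token from constructed claims so the check can run
    offline. Real tokens are signed by Microsoft; never accept alg=none in production."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), ""])


if __name__ == "__main__":
    # Constructed claims, not a token from a real tenant.
    tok = constructed_token({"aud": GRAPH_RESOURCE, "tid": "tenant-a",
                             "roles": ["Directory.Read.All", "AuditLog.Read.All"]})
    print(inspect_app_token(tok, "tenant-a"))
```

The useful property of the `roles` claim is that it is the tenant's consent made visible at runtime: if a token ever arrives with a role outside `EXPECTED_APP_ROLES`, either the app registration or the tenant's consent has drifted, and that is worth alerting on before the token is used.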

Required Microsoft Graph permissions

The admin integration uses Microsoft Graph application permissions. In Microsoft terminology, these are app roles granted to the Cotool enterprise application; they are not delegated user scopes. These permissions require Microsoft administrator consent.
| Permission | Type | Used for |
|---|---|---|
| AuditLog.Read.All | Application | Read Entra directory audit logs, sign-in logs, and provisioning events from /auditLogs/* endpoints. |
| Directory.Read.All | Application | Read users, groups, directory roles, direct and transitive memberships, app role assignments, and broad Entra ID directory metadata needed to explain access paths. |
| Application.Read.All | Application | Read service principal and enterprise application metadata used to enrich app assignment and consent findings with application names, app IDs, roles, and scopes. |
| RoleManagement.Read.Directory | Application | Read Entra role management data, including role definitions and active or eligible Privileged Identity Management (PIM) role schedules. |
Some Microsoft Graph endpoints list narrower least-privilege alternatives. Cotool relies on the permissions above so agents can answer tenant-wide access and audit questions consistently without write access. Note that the permissions overlap by design: Microsoft Graph's sign-in log endpoints, for example, require Directory.Read.All alongside AuditLog.Read.All.

What agents can read

The integration exposes read-only tools to agents. These tools do not create, update, or delete users, groups, roles, app assignments, grants, or logs.
| Tool | What it does |
|---|---|
| msft_graph_admin_getUser | Resolves a user by object ID, user principal name, email address, or display name. |
| msft_graph_admin_listUsers | Lists and searches organization users. |
| msft_graph_admin_listGroups | Lists and searches organization groups. |
| msft_graph_admin_listUserGroupMemberships | Reads direct and transitive Entra group memberships for a user. |
| msft_graph_admin_listUserDirectoryRoles | Reads direct and group-inherited Entra directory roles for a user. |
| msft_graph_admin_listUserAppRoleAssignments | Reads enterprise application assignments for a user and enriches them with service principal details. |
| msft_graph_admin_listUserOAuth2PermissionGrants | Reads delegated OAuth2 grants associated with a user and enriches them with app/API scope metadata. |
| msft_graph_admin_listUserPimRoleSchedules | Reads active and eligible PIM role schedules for a user. |
| msft_graph_admin_searchOrgAuditLogs | Searches organization-wide directory audit, sign-in, and provisioning logs. |
Common questions agents can answer include:
  • “What groups and nested groups give this user access?”
  • “Which Entra roles does this user have directly or through a group?”
  • “Which enterprise applications can this user access?”
  • “Which apps have delegated consent to act as this user?”
  • “Show sign-ins, directory changes, or provisioning events for this user over the last 30 days.”

Microsoft Graph endpoints used

| Capability | Microsoft Graph data used |
|---|---|
| Resolve and list users | /users and /users/{id} with selected identity fields. |
| List groups | /groups with optional search, OData filters, and group-type filters. |
| Enumerate group membership | /users/{id}/memberOf/graph.group and /users/{id}/transitiveMemberOf/graph.group. |
| Enumerate directory roles | /users/{id}/memberOf/graph.directoryRole and /users/{id}/transitiveMemberOf/graph.directoryRole. |
| Review enterprise app assignments | /users/{id}/appRoleAssignments, enriched with /servicePrincipals/{id} metadata. |
| Review delegated OAuth grants | /users/{id}/oauth2PermissionGrants, enriched with service principal and OAuth permission scope metadata. |
| Review PIM access | /roleManagement/directory/roleAssignmentScheduleInstances, /roleManagement/directory/roleEligibilityScheduleInstances, and role definition details. |
| Search tenant activity | /auditLogs/directoryAudits, /auditLogs/signIns, and /auditLogs/provisioning. |
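How the memberOf and transitiveMemberOf calls in the table above combine into an "access path" answer, as an added example in Python (not Cotool's tool code). It reads the uncast collections once each and discriminates groups from directory roles by `@odata.type`, rather than issuing the four cast requests the table lists; the result is the same. The tenant, user, group and role objects are constructed, as is the paged response with an `@odata.nextLink`, which is the detail most hand-written Graph clients get wrong: a user's direct memberships can span several pages, and reading only the first page would misreport an inherited role as direct, or miss it entirely.

```python
from typing import Callable, Dict, List

GRAPH = "https://graph.microsoft.com/v1.0"
OBJECT_BUCKETS = {
    "#microsoft.graph.group": "groups",
    "#microsoft.graph.directoryRole": "directoryRoles",
}


def collect(get: Callable[[str], dict], url: str) -> List[dict]:
    """Follow @odata.nextLink until the collection is exhausted. Graph pages
    memberOf and transitiveMemberOf, so stopping after one page drops access paths."""
    items: List[dict] = []
    while url:
        page = get(url)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


def access_paths(get: Callable[[str], dict], user_id: str) -> Dict[str, Dict[str, str]]:
    """Classify every group and directory role the user reaches as direct or
    inherited. memberOf lists only direct parents; transitiveMemberOf also lists
    objects reached through nested groups, including directory roles held by a
    role-assignable group. Other object types (administrative units) are skipped."""
    direct_ids = {o["id"] for o in collect(get, f"{GRAPH}/users/{user_id}/memberOf")}
    result: Dict[str, Dict[str, str]] = {"groups": {}, "directoryRoles": {}}
    for obj in collect(get, f"{GRAPH}/users/{user_id}/transitiveMemberOf"):
        bucket = OBJECT_BUCKETS.get(obj.get("@odata.type"))
        if bucket is None:
            continue
        result[bucket][obj["displayName"]] = "direct" if obj["id"] in direct_ids else "inherited"
    return result


# Constructed sample tenant (not real data): alice is a direct member of
# "Helpdesk", which is nested in "IT-Admins"; IT-Admins holds the Helpdesk
# Administrator role. Alice also holds Global Reader directly. The memberOf
# response is split across two pages to exercise the nextLink handling.
_PAGES = {
    f"{GRAPH}/users/alice/memberOf": {
        "value": [
            {"@odata.type": "#microsoft.graph.group", "id": "g-helpdesk", "displayName": "Helpdesk"},
        ],
        "@odata.nextLink": f"{GRAPH}/users/alice/memberOf?$skiptoken=page2",
    },
    f"{GRAPH}/users/alice/memberOf?$skiptoken=page2": {
        "value": [
            {"@odata.type": "#microsoft.graph.directoryRole", "id": "r-globalreader", "displayName": "Global Reader"},
        ],
    },
    f"{GRAPH}/users/alice/transitiveMemberOf": {
        "value": [
            {"@odata.type": "#microsoft.graph.group", "id": "g-helpdesk", "displayName": "Helpdesk"},
            {"@odata.type": "#microsoft.graph.group", "id": "g-itadmins", "displayName": "IT-Admins"},
            {"@odata.type": "#microsoft.graph.directoryRole", "id": "r-globalreader", "displayName": "Global Reader"},
            {"@odata.type": "#microsoft.graph.directoryRole", "id": "r-helpdeskadmin", "displayName": "Helpdesk Administrator"},
        ],
    },
}


def sample_get(url: str) -> dict:
    """Stand-in for an HTTP GET carrying the app-only bearer token."""
    return _PAGES[url]


if __name__ == "__main__":
    print(access_paths(sample_get, "alice"))
```

The "inherited" label is what turns a flat role listing into an explanation: Helpdesk Administrator is reported because alice sits in Helpdesk, which is nested in IT-Admins, and removing her from Helpdesk is the fix, not editing the role assignment.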

Data access and storage

Cotool stores the connected tenant identifier and integration credential metadata for the customer’s organization. For the admin integration, Cotool does not store an end-user Microsoft access token or refresh token. Graph data is fetched when agents call the integration tools and is used to produce the agent response, reports, and normal Cotool audit/history records for the workspace.

Security and revocation

Administrators can revoke access from Microsoft Entra ID by removing the tenant-wide admin consent (the application permission grants on the Cotool service principal) or by deleting the Cotool enterprise application/service principal from the tenant. After revocation, Microsoft stops issuing app-only Graph tokens for Cotool, and Microsoft Graph Admin tools in Cotool will fail authentication. Revocation takes effect at the next token request: an app-only access token issued before revocation remains usable until it expires. The integration can also be disconnected from Cotool. Recommended controls for customers:
  • Review the requested Microsoft Graph application permissions during admin consent.
  • Limit who in Cotool can configure integrations and run agents with sensitive tools.
  • Monitor Cotool agent activity and workspace audit logs for investigations that use Microsoft Graph Admin data.
  • Periodically review enterprise applications and admin consent grants in Microsoft Entra ID.
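A periodic review of what the Cotool service principal actually holds in the tenant, as an added example in Python (not Cotool's code and not an official Microsoft script). It resolves the service principal's app role assignments (`GET /servicePrincipals/{id}/appRoleAssignments`) to permission names through the Microsoft Graph service principal's `appRoles` catalog, compares the result with the four permissions this page documents, and flags write-capable names and any tenant-wide delegated grants (`oauth2PermissionGrant` objects with `consentType` of `AllPrincipals`), which an app-only integration should not have. All object IDs, role IDs and responses below are constructed; in a real tenant the role catalog comes from the Graph service principal (appId 00000003-0000-0000-c000-000000000000) and the IDs are Microsoft's fixed GUIDs.

```python
from typing import Dict, List, Set

DOCUMENTED_PERMISSIONS = {
    "AuditLog.Read.All",
    "Directory.Read.All",
    "Application.Read.All",
    "RoleManagement.Read.Directory",
}

# Constructed placeholder role catalog, shaped like the `appRoles` property of
# the Microsoft Graph service principal. Real IDs are GUIDs fixed by Microsoft.
GRAPH_SP_ID = "sp-graph"
GRAPH_APP_ROLES = [
    {"id": "role-auditlog-read", "value": "AuditLog.Read.All"},
    {"id": "role-directory-read", "value": "Directory.Read.All"},
    {"id": "role-application-read", "value": "Application.Read.All"},
    {"id": "role-rolemgmt-read", "value": "RoleManagement.Read.Directory"},
    {"id": "role-user-readwrite", "value": "User.ReadWrite.All"},
]


def granted_graph_permissions(assignments: List[dict], graph_sp_id: str, graph_app_roles: List[dict]) -> List[str]:
    """Map appRoleAssignments on the Cotool service principal to permission names.
    Only assignments whose resourceId is the Microsoft Graph service principal are
    Graph permissions; assignments against other APIs are ignored here."""
    by_id = {r["id"]: r["value"] for r in graph_app_roles}
    return sorted(
        by_id.get(a["appRoleId"], f"unknown:{a['appRoleId']}")
        for a in assignments
        if a.get("resourceId") == graph_sp_id
    )


def review_consent(granted: List[str], documented: Set[str], delegated_grants: List[dict]) -> Dict[str, object]:
    """Compare the granted application permissions with the documented set.
    The write-capable check is a heuristic on the permission name; the
    delegated-grant check flags tenant-wide delegated consent (AllPrincipals),
    which is a different authorization path from app-only access."""
    granted_set = set(granted)
    return {
        "unexpected": sorted(granted_set - documented),
        "missing": sorted(documented - granted_set),
        "write_capable": sorted(p for p in granted if "ReadWrite" in p or ".Write" in p),
        "tenant_wide_delegated": sorted(
            g.get("scope", "") for g in delegated_grants if g.get("consentType") == "AllPrincipals"
        ),
        "ok": granted_set == documented and not delegated_grants,
    }


# Constructed review inputs: the healthy state, and a drifted state where an
# extra write permission and a tenant-wide delegated grant have appeared.
HEALTHY_ASSIGNMENTS = [
    {"appRoleId": "role-auditlog-read", "resourceId": GRAPH_SP_ID, "principalId": "sp-cotool"},
    {"appRoleId": "role-directory-read", "resourceId": GRAPH_SP_ID, "principalId": "sp-cotool"},
    {"appRoleId": "role-application-read", "resourceId": GRAPH_SP_ID, "principalId": "sp-cotool"},
    {"appRoleId": "role-rolemgmt-read", "resourceId": GRAPH_SP_ID, "principalId": "sp-cotool"},
    {"appRoleId": "role-other-api", "resourceId": "sp-some-other-api", "principalId": "sp-cotool"},
]
DRIFTED_ASSIGNMENTS = HEALTHY_ASSIGNMENTS + [
    {"appRoleId": "role-user-readwrite", "resourceId": GRAPH_SP_ID, "principalId": "sp-cotool"},
]
DRIFTED_DELEGATED_GRANTS = [
    {"clientId": "sp-cotool", "resourceId": GRAPH_SP_ID, "consentType": "AllPrincipals", "scope": "Mail.Read User.Read"},
]


def run_review(assignments: List[dict], delegated_grants: List[dict]) -> Dict[str, object]:
    granted = granted_graph_permissions(assignments, GRAPH_SP_ID, GRAPH_APP_ROLES)
    return review_consent(granted, DOCUMENTED_PERMISSIONS, delegated_grants)


if __name__ == "__main__":
    print(run_review(HEALTHY_ASSIGNMENTS, []))
    print(run_review(DRIFTED_ASSIGNMENTS, DRIFTED_DELEGATED_GRANTS))
```

Reading the assignments from the service principal rather than trusting the consent screen catches the case that matters for this page: permissions added to the app registration after the original consent, or granted by a second administrator, show up here and nowhere else.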

Operational notes

  • Sign-in log availability depends on the customer’s Microsoft Entra licensing and log retention settings.
  • Microsoft Graph can return partial results or endpoint-specific errors if a tenant policy, license, or permission prevents access to a specific log or object type.
  • The admin integration is separate from Cotool’s user-delegated Microsoft Graph integration, which is used for user-scoped Teams, OneDrive, mail, and delegated workflows.

Common prospect questions

Is this Google Workspace DWD?

No. Google Workspace uses domain-wide delegation for service accounts. Microsoft uses tenant-wide admin consent to an Entra application plus application permissions. The security outcome is similar: after administrator approval, Cotool can query tenant-wide data for approved permissions without requiring each end user to sign in.

Does Cotool need a Global Administrator account password?

No. The Microsoft administrator authenticates directly with Microsoft during the consent flow. Cotool receives the consent result and later uses app-only Microsoft Graph tokens issued by Microsoft.

Are the tools read-only?

Yes. The current Microsoft Graph Admin tools are read-only. They resolve identities, list users and groups, enumerate access paths, inspect role and app assignments, inspect delegated grants, inspect PIM schedules, and search audit logs.

Why are broad directory permissions required?

Access investigations need to correlate users, groups, directory roles, service principals, app role assignments, delegated grants, and audit logs. Microsoft Graph splits those records across directory, application, role management, and audit-log APIs, so several application permissions are required to build a complete answer.