Bumblebee

Microsoft 365

Overview

The Microsoft 365 integration enables you to automate user lifecycle management, license provisioning, and group membership through Bumblebee workflows. Streamline employee onboarding, manage access to enterprise applications, and maintain organizational structures in Azure Active Directory.

Prerequisites & Setup

Before setting up the Microsoft 365 integration, you need:

  • An Azure Active Directory tenant
  • An Azure AD application with appropriate Microsoft Graph API permissions
  • Application (client) credentials (client ID and client secret)
  • Admin consent granted in each client tenant for this new Azure AD application

Register an Application in Azure AD

  1. Sign in to the Azure Portal
  2. Navigate to Azure Active Directory > App registrations
  3. Click New registration
  4. Configure the application:
    • Name: "Bumblebee Integration"
    • Supported account types: Select based on your multi-tenant needs
  5. Click Register
  6. Note the Application (client) ID and Directory (tenant) ID

Configure API Permissions

  1. In your app registration, go to API permissions
  2. Click Add a permission > Microsoft Graph > Application permissions
  3. Add the following permissions:
    • User.ReadWrite.All - Read and write all users' full profiles
    • UserAuthenticationMethod.ReadWrite.All - Read and write all users' authentication methods (required for MFA reset)
    • User-PasswordProfile.ReadWrite.All - Read and write users' password profiles (required for password resets)
    • GroupMember.ReadWrite.All - Read and write all groups
    • Directory.ReadWrite.All - Read and write directory data
    • Application.ReadWrite.All - Read and write applications
    • AppRoleAssignment.ReadWrite.All - Manage app role assignments
    • SecurityAlert.Read.All - Read security alerts for threat detection
    • AuditLogsQuery.Read.All - Query unified audit log for compliance monitoring
    • Files.Read.All - Read OneDrive usage information and file metadata
    • Organization.Read.All - Read organizations
  4. Click Grant admin consent for your client organization
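
An added check, not part of Bumblebee's documentation or code: app-only access tokens issued by the Microsoft identity platform carry the granted application permissions in the `roles` claim, so decoding a token obtained with the client credentials shows whether the consent in a tenant matches the list above. The sample token is constructed and unsigned, and `audit_roles` and `make_sample_token` are hypothetical helper names.

```python
import base64
import json

# Application permissions listed in the steps above.
EXPECTED_ROLES = {
    "User.ReadWrite.All", "UserAuthenticationMethod.ReadWrite.All",
    "User-PasswordProfile.ReadWrite.All", "GroupMember.ReadWrite.All",
    "Directory.ReadWrite.All", "Application.ReadWrite.All",
    "AppRoleAssignment.ReadWrite.All", "SecurityAlert.Read.All",
    "AuditLogsQuery.Read.All", "Files.Read.All", "Organization.Read.All",
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(access_token: str) -> dict:
    """Decode the JWT payload for inspection only (signature is NOT verified)."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def audit_roles(access_token: str, expected=EXPECTED_ROLES) -> dict:
    """Compare the token's application permissions with the expected set."""
    claims = token_claims(access_token)
    granted = set(claims.get("roles", []))
    return {
        "tenant": claims.get("tid"),
        "missing": sorted(expected - granted),     # consent not granted yet
        "unexpected": sorted(granted - expected),  # more privilege than documented
    }


def make_sample_token(roles, tid="00000000-0000-0000-0000-000000000000") -> str:
    """Constructed, unsigned sample token so the example runs offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc({"tid": tid, "roles": roles}), "sig"])


if __name__ == "__main__":
    sample = make_sample_token(sorted(EXPECTED_ROLES - {"Files.Read.All"}) + ["Mail.ReadWrite"])
    print(audit_roles(sample))
```

Run it per client tenant after granting consent; a non-empty "unexpected" list means the app registration holds permissions beyond those documented here.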

Create a Client Secret

  1. Go to Certificates & secrets
  2. Click New client secret
  3. Add a description: "Bumblebee Integration"
  4. Select an expiration period
  5. Click Add
  6. Copy the Value immediately (shown only once - save it securely)

Configure in Bumblebee

  1. Go to the Integrations page in Bumblebee
  2. Select Microsoft 365
  3. Enter your credentials:
    • Tenant ID
    • Client ID
    • Client Secret
  4. Click Test Connection
  5. Save the configuration

Available Tools

Users

  • get_user_by_email - Find a user by email address. Returns user details including object ID needed for other operations. Required: tenant_id (str), email (str)
  • list_users - List users with optional filtering. Required: tenant_id (str). Optional: filter (str, OData filter expression), top (int, max results)
  • create_user - Create a new user account. Idempotent - returns the existing user if one already exists. Required: tenant_id (str), user_name (str), user_email (str). Optional: password, given_name, surname, job_title, department, office_location, mobile_phone, street_address, city, state, postal_code, country, usage_location, company_name, employee_id
  • update_user - Update user properties. Required: tenant_id (str), user_id (str). Optional: display_name, given_name, surname, job_title, department, office_location, mobile_phone, street_address, city, state, postal_code, country, usage_location, company_name, employee_id, account_enabled (bool)
  • delete_user - Delete a user account. User can be restored within 30 days. Required: tenant_id (str), user_id (str)
  • reset_user_password - Reset a Microsoft 365 user's password. Essential for account re-assignment scenarios where a new employee needs to take over an existing account. Password can be explicitly set or system-generated. Required: tenant_id (str), user_id (str). Optional: new_password (str, must meet Azure AD complexity requirements), force_change_on_next_sign_in (bool, default: True)
  • reset_user_mfa - Reset MFA (Multi-Factor Authentication) for a Microsoft 365 user. Deletes all registered authentication methods (phone, authenticator app, FIDO2 keys, etc.), forcing re-registration on next sign-in. Essential for account re-assignment scenarios. Required: tenant_id (str), user_id (str). Note: Requires UserAuthenticationMethod.ReadWrite.All permission.

Manager

  • get_user_manager - Get the manager of a user. Required: tenant_id (str), user_id (str)
  • assign_manager_to_user - Set the manager relationship for a user. Required: tenant_id (str), user_id (str), manager_id (str)

Groups

  • get_group_by_name - Find a group by display name. Returns group ID needed for membership operations. Required: tenant_id (str), group_name (str)
  • list_users_in_group - List all members of a group. Required: tenant_id (str), group_id (str)
  • add_user_to_group - Add a user to a group. Idempotent - succeeds if the user is already a member. Required: tenant_id (str), user_id (str), group_id (str)

Licenses

  • list_subscribed_skus - List all available licenses (SKUs) in the tenant. Returns SKU IDs needed for license assignment. Required: tenant_id (str)
  • list_assigned_licenses_for_user - List all licenses assigned to a user. Required: tenant_id (str), user_id (str)
  • assign_license_to_user - Assign a license to a user. User must have usageLocation set. Required: tenant_id (str), user_id (str), sku_id (str)

Enterprise Applications

  • get_service_principal_by_name - Find an enterprise application by display name. Returns app roles available for assignment. Required: tenant_id (str), app_name (str)
  • list_app_role_assignments_for_user - List all enterprise applications and roles assigned to a user. Required: tenant_id (str), user_id (str)
  • assign_app_to_user - Grant a user access to an enterprise application. Idempotent - succeeds if already assigned. Required: tenant_id (str), user_id (str), service_principal_id (str), app_role_id (str)