DaemonLayer Logo
Microsoft 365

Give technicians full Microsoft 365 context before they open a ticket

DaemonLayer checks user data, permissions, and service health automatically, and can safely perform actions like password resets when allowed.

See it in action
step
Get Ticket Information
step
Get M365 User
agent
Triage Ticket
Search PSA Tickets
Get M365 Service Health
Check M365 Group Membership
step
Create Ticket in PSA

Microsoft 365 Capabilities

Microsoft 365 is used during triage to validate facts, gather context, and, where allowed, execute controlled actions. Technicians start with answers, not questions.

Password Reset

Automate password resets - with control

Verify user identity and reset passwords automatically, or require approval before execution. Eliminate repetitive tickets without sacrificing security.

Password-related tickets are typically the largest volume category.

DaemonLayer Automated Resolution
EN
Emma Northbridge
Nordic Systems
Identity Verified Passed
MFA Confirmed Passed
Low Sign In Risk Passed
Action Taken
Password reset via Microsoft 365 Graph API
New temporary password sent to alternate email
Resolved in 12s | No technician required
Onboarding & Offboarding

Automate Microsoft 365 user onboarding and offboarding

A single ticket — "Anneleen starts Monday" or "Tom's last day is Friday" — is enough. DaemonLayer builds the username, infers the right groups, assigns a licence, and emails the temp password straight to the requester. On the way out, it disables the account, revokes sessions, converts the mailbox to shared, and strips delegate access tenant-wide. Nothing is ever hard-deleted.

  • Role-assignable groups are always stripped before creation — even with HITL approval
  • Admin-role holders are never automatically offboarded — routed to the service desk instead
  • ~20 min saved per onboarding, ~25 min per offboarding — billable at a fixed rate
How Microsoft 365 onboarding and offboarding automation works
DaemonLayer Lifecycle Automation
Onboarding — Anneleen Verkerk
UPN generated · [email protected]
Groups inferred from peer titles · privileged groups stripped
Temp password emailed to requester
Offboarding — Tom Baker
Account disabled · sessions revoked
Mailbox converted to shared · licence removed (12 GB)
Delegate access stripped tenant-wide · soft-deleted
Nothing permanently deleted | Admin accounts never automated
User & Group Verification

Identify access issues before investigation starts

Automatically verify group memberships, license assignments, and permissions when tickets arrive. Identify instantly whether "I can't access this file" is a membership issue, a licensing problem, or something else entirely.

Microsoft 365: User Profile
JR
James Ritter
Active · Last sign-in: 2 hours ago
Licenses
Microsoft 365 Business Premium
Microsoft Teams Phone
Group Memberships
All Company
Finance Team
SharePoint-Finance-ReadWrite
Missing group: SharePoint-Finance-ReadWrite
This likely explains the file access issue.
Service Health

Stop troubleshooting Microsoft's outages

Service health is checked during triage and attached to the ticket. If Microsoft is the issue, you know immediately, before any time is wasted.

M365 Service Health
Updated 2 min ago
Exchange Online Operational
Microsoft Teams Degraded
SharePoint Online Operational
OneDrive for Business Operational
Microsoft Entra ID Operational
DaemonLayer matched this incident
3 open tickets reference Teams issues
#260312.0004, #260312.0007, #260312.0009
Automatically linked to this incident
Automated actions

The tickets that fill your afternoon — handled before you open them

Routine M365 requests — mailbox access, group changes, out-of-office, profile updates — are resolved automatically the moment they arrive. Your team gets the ticket already closed, with a full audit note attached.

  • Reads the ticket in plain language — no special phrasing required
  • Checks existing state before making any change
  • Routes to a technician when anything is ambiguous or high-risk
Resolved automatically
All clients
Can't log in — password stopped working ✓ Resolved
#4821Tom ErikssonNordic Systems18s
SSPR link sent · reset confirmed via Microsoft portal
Add Jane to the info@ shared mailbox ✓ Resolved
#4822Jane WilsonBrightpath Ltd31s
Existing permissions checked · full access granted
Please add me to the Marketing team in Teams ✓ Resolved
#4823Alex MüllerContoso GmbH24s
UPN resolved · added to "Marketing" M365 group
Set up my out of office, I'm on holiday 12–19 May ✓ Resolved
#4824Sarah LindqvistNordic Systems22s
Auto-reply scheduled 12 May → 19 May
Let Sara send on behalf of support@ In progress
#4825David ParkApex Finance
Control & Safety

You decide what DaemonLayer is allowed to do.

Every Microsoft 365 action runs within the boundaries you define. Start with full visibility and expand automation on your own terms.

Read-only mode
Full visibility into users, groups, and service health. Zero actions taken.
Granular action controls
Enable specific workflows like password resets independently of each other.
Approval gates
Require human sign-off before any action executes, per workflow.
Complete audit trail
Every action logged with timestamp, user context, and outcome.

No hidden automation. No loss of control.

Microsoft 365: Permissions Nordic Systems
Connection Mode

Write access enabled. Actions are approval-gated per workflow.

Workflow Permissions
Password Reset Approval required
Resets via Microsoft Graph API
Modify Group Membership Approval required
Add or remove users from M365 groups
All actions logged and exportable

Frequently Asked Questions

Common questions about this integration

How does DaemonLayer access Microsoft 365 data?

DaemonLayer uses Microsoft Graph API with OAuth 2.0 and Azure AD app registration. You control exactly which M365 services and data DaemonLayer can access through granular permission scopes. All connections are encrypted and comply with Microsoft security best practices.

Can DaemonLayer really reset passwords autonomously?

Yes. When properly configured, DaemonLayer can autonomously reset user passwords through Microsoft Graph API after verifying user identity through your configured authentication methods. This eliminates one of the most common L1 ticket types while maintaining security.

Can DaemonLayer automate Microsoft 365 user onboarding?

Yes. From a plain-English new-hire ticket in your PSA, DaemonLayer creates the Microsoft 365 account using the client's own naming convention, checks for duplicates, infers group membership from the existing directory, assigns a licence, and creates the matching PSA contact. Role-assignable (privileged) groups are always stripped before the account is created — that gate runs in code and cannot be approved past.

Is automated offboarding safe? Does it delete the account?

Nothing is ever permanently deleted. Offboarding disables the account, revokes active sessions, converts the mailbox to a shared mailbox, removes licences and group memberships, strips delegate access across the whole tenant, and soft-deletes the account — restorable for 30 days. Accounts holding a privileged directory role such as Global Admin are never automated at all; they route straight to the service desk.

What mailbox permissions does DaemonLayer need?

For email automation, DaemonLayer needs read access to your designated support mailbox (typically [email protected]). We can optionally request send permissions if you want DaemonLayer to respond to emails. You can revoke these permissions at any time.

Does DaemonLayer store our Microsoft 365 data?

DaemonLayer only caches minimal metadata needed for ticket resolution (e.g., recent sign-in logs for a specific user being investigated). We don't store email content, passwords, or sensitive M365 data. All data queries are made in real-time when needed.

How does service health monitoring work?

DaemonLayer monitors Microsoft 365 Service Health API for incidents affecting your tenant. When Microsoft reports an outage or degradation, DaemonLayer proactively updates related tickets, informs end users, and prevents duplicate support requests.

Automate your first ticket in under 30 minutes

Connect your PSA, and DaemonLayer starts triaging, resolving, and routing, no scripting, no setup calls. Cancel anytime.

Prefer a walkthrough? Book a demo →