About Microsoft Graph
Microsoft Graph connects Serval to Microsoft 365 and Entra ID through the Microsoft Graph API, giving your workflows and ingestion access to Entra ID users and groups, enterprise applications, Microsoft Intune device management, license and subscription management, mail and calendar, and SharePoint/OneDrive content for the Serval knowledge base. Anything in the Microsoft Graph API surface can be reached through Serval’s proxied request layer, subject to the permissions you grant. Authentication: Sign in with Microsoft (OAuth 2.0 with delegated permissions - recommended), or a Custom Application (OAuth 2.0 client credentials with application permissions) for advanced setups. Data sync: Background sync of Entra ID users, Entra Security Groups (full sync every 16 hours, delta every 4), Entra Microsoft 365 Groups (full sync every 8 hours, delta every 4), and enterprise applications with their app role assignments - plus continuous indexing of SharePoint and OneDrive content as a knowledge source.What the Microsoft Graph integration enables
| Capability | Description |
|---|---|
| Entra ID user directory sync | Ingests all Entra ID (Azure AD) users on a recurring schedule so they are available throughout Serval. |
| Entra group sync and membership provisioning | Syncs Entra Security Groups (access control - full sync every 16 hours, delta every 4) and Entra Microsoft 365 Groups (collaboration - full sync every 8 hours, delta every 4) as separate resource types, each with a Member entitlement. Serval can add or remove users from either group type for access requests and provisioning workflows. |
| Enterprise application sync | Ingests Entra enterprise applications and their app role assignments, mapping who has access to which app. |
| Microsoft Intune device management | Read Intune managed devices, configuration policies, apps, RBAC, and service settings. With the read/write preset, manage Intune and perform privileged device actions such as wipe and retire. |
| SharePoint and OneDrive knowledge base | Indexes SharePoint sites and OneDrive document libraries as a Serval knowledge source for AI answers. |
| License and subscription management | Read directory and subscription data, and read or update license assignments from workflows. |
| Mail and calendar automation | Read, write, and send mail and manage calendars from workflows. |
| Groups, Teams, and guest access actions | Create teams, manage groups, and invite or manage external guests in Microsoft Teams teams and channels from workflows. |
| Full Microsoft Graph API access | Any Microsoft Graph API endpoint can be called from workflows through Serval’s authenticated proxied requests, subject to the permissions granted to the connection. |
Looking for Microsoft Teams help desk and channel automation, or Exchange Online management? Those are separate integrations with their own pages: Microsoft Teams and Exchange Online.
Get your credentials
- Sign in with Microsoft (recommended)
- Custom Application
There is nothing to create in Azure for this method. You connect using a Microsoft work or school account through Serval’s official multi-tenant Entra application - personal Microsoft accounts are not supported.
Pick the right account
Use a work or school account that is allowed to consent to applications in your organization.
Connect in Serval
- Sign in with Microsoft (recommended)
- Custom Application
Choose Sign in with Microsoft
In the Microsoft Graph connect modal, choose to connect with your Microsoft work or school account.
Select permission presets
Every connection requests a base set of read permissions (your profile and basic details of other users, directory data, groups and group memberships, Teams team and channel details, channel messages, SharePoint and OneDrive content, plus offline access so Serval can refresh tokens automatically). On top of that, check the presets you need:
Need something not in a preset? Use the All permissions search to add individual permissions from the full catalog.
| Preset | What it enables |
|---|---|
| OneDrive and SharePoint (checked by default) | Gather knowledge from OneDrive and SharePoint (Files.Read, Files.Read.All) |
| Manage Licenses and Subscriptions | Directory.Read.All, LicenseAssignment.Read.All, LicenseAssignment.ReadWrite.All, Subscription.Read.All |
| Mail and Calendar | Mail.Read, Mail.ReadWrite, Mail.Send, Calendars.Read, Calendars.ReadWrite |
| Groups and Collaboration | Group.Read.All, Group.ReadWrite.All, Team.Create, Team.ReadBasic.All |
| Teams Guest Access | User.Invite.All, User.Read.All, Team.ReadBasic.All, TeamMember.ReadWrite.All, ChannelMember.ReadWrite.All, Channel.ReadBasic.All, GroupMember.ReadWrite.All |
| Microsoft Intune (Read-only) | DeviceManagementManagedDevices.Read.All, DeviceManagementConfiguration.Read.All, DeviceManagementApps.Read.All, DeviceManagementServiceConfig.Read.All, DeviceManagementRBAC.Read.All |
| Microsoft Intune (Read/write) | The read/write equivalents of the above, plus DeviceManagementManagedDevices.PrivilegedOperations.All for privileged actions like wipe and retire |
Sign in and consent
Sign in with your work or school account. Serval always asks Microsoft to re-confirm permissions, so you’ll see the full list on Microsoft’s “Permissions requested” screen. For org-wide use, check Consent on behalf of your organization, then accept.
Verifying the connection
Serval runs five health checks against your Microsoft Graph connection. Test Microsoft Graph Connection - Verifies Serval can authenticate by deliberately requesting a Graph resource that doesn’t exist: a “resource not found” reply proves the token is valid. This check tests only authentication, never permissions.- Success: “Microsoft Graph authentication token is valid and working”
- Failure: “Could not get a valid authentication token for Microsoft Graph. Please check your Client ID, Client Secret, and Tenant ID configuration.”
- Success: “Successfully listed [number] users from Microsoft Azure AD”
- Failure: “Unable to list users from Microsoft Azure AD.” followed by a status-specific hint - for a permissions (403) failure: “The Microsoft Graph app may not have the required permissions. Check the app’s permission configuration in Azure AD.”
- Success: “Successfully listed [number] groups from Microsoft Azure AD”
- Failure: “Unable to list groups from Microsoft Azure AD.” followed by the same status-specific hints as the users check.
DeviceManagementManagedDevices.Read.All permission.
- Success: “Successfully listed [number] managed devices from Microsoft Intune”
- Failure: “Unable to list managed devices from Microsoft Intune. This health check requires the DeviceManagementManagedDevices.Read.All permission.”
- Success: “SharePoint Online is licensed and the root site is accessible”
- Failure (no license): “This Microsoft 365 tenant does not have a SharePoint Online license. SharePoint knowledge base ingestion requires an active SPO license. Please assign a SharePoint Online license to the tenant, or remove the SharePoint knowledge source to stop sync failures.”
- Failure (permissions): “The Microsoft Graph app does not have permission to access SharePoint sites. Ensure the Sites.Read.All or Sites.ReadWrite.All permission is granted.”
Gotchas and troubleshooting
Connection fails with a consent error (AADSTS65001 or unauthorized_client)
Connection fails with a consent error (AADSTS65001 or unauthorized_client)
Client secret rejected or expired
Client secret rejected or expired
The form field is literally labeled Client secret value - paste the secret’s Value, not the Secret ID. The value is only visible in Azure immediately after creation. Expired secrets are surfaced explicitly (AADSTS700082):
The client secret for application ‘<client ID>’ has expired. Please generate a new client secret in the Azure Portal and update it in Serval.Other authentication failures you may see (invalid_client, then the generic fallback):
Client authentication failed for application ‘<client ID>’. Please verify the Client ID and Client Secret are correct.
Failed to authenticate with Microsoft Graph for tenant ‘<instance name>’. Please verify your Client ID, Client Secret, and Tenant ID in the Azure Portal.Fix: create a new client secret in Certificates & secrets, copy its Value immediately, and update it in Serval.
Custom Application ignores the permission presets
Custom Application ignores the permission presets
The scope presets in the connect modal only apply to the Sign in with Microsoft (delegated) flow. A Custom Application uses application permissions: its effective access is exactly the application permissions granted on the app registration. To get the equivalent of a preset, add the matching permissions under API permissions → Microsoft Graph → Application permissions and grant admin consent.
Sign in with Microsoft rejects a personal Microsoft account
Sign in with Microsoft rejects a personal Microsoft account
The OAuth flow uses Microsoft’s multi-tenant “organizations” sign-in endpoint, which accepts work or school accounts only - the connect modal explicitly says “Connect using your Microsoft work or school account.” Personal Microsoft accounts cannot be used. (Details: Microsoft identity platform endpoints.)
The Intune health check fails even though the connection is green
The Intune health check fails even though the connection is green
The List Intune Managed Devices check fails without the
DeviceManagementManagedDevices.Read.All permission. Check the Microsoft Intune (Read-only) preset during OAuth connect, or grant the DeviceManagement* application permissions on a custom app. The Read/write preset additionally enables privileged device actions (wipe, retire) via DeviceManagementManagedDevices.PrivilegedOperations.All.SharePoint knowledge sync keeps failing
SharePoint knowledge sync keeps failing
Security Groups and Microsoft 365 Groups appear as two separate resources
Security Groups and Microsoft 365 Groups appear as two separate resources
This is intentional. Serval ingests Entra Security Groups (access control; members can include users, devices, service principals, and nested groups; full sync every 16 hours) and Entra Microsoft 365 Groups (collaboration; user members only; full sync every 8 hours, since collaboration groups change more often) as distinct resource types with different sync schedules and approval semantics. Don’t expect them to be merged.
Need more permissions after connecting
Need more permissions after connecting
For Sign in with Microsoft: just reconnect. Serval pre-selects your currently granted permissions as checked presets plus individual extras, and Microsoft re-confirms the full set on every connect - so check the new preset, re-consent, done. For a Custom Application: add the application permissions on the app registration and re-grant admin consent; no change is needed in Serval.
Teams help desk or Exchange Online features seem missing
Teams help desk or Exchange Online features seem missing
They live elsewhere. Microsoft Teams help desk and channel automation is the dedicated Microsoft Teams integration, and Exchange Online (PowerShell) management is the Exchange Online integration - each has its own docs page.
Need help? Contact support@serval.com for assistance with your Microsoft Graph integration.