
Connect Microsoft 365

OpsMerge connects to client Microsoft 365 tenants through CIPP — a widely-used, open-source M365 management layer that you run yourself. OpsMerge talks to your CIPP instance, which in turn talks to each client tenant via a single multi-tenant Azure app registration.

You'll need an existing CIPP deployment before this article applies. If you don't have one, the CIPP project has a deployment guide — typically a 30-minute Azure Static Web App setup.

Why through CIPP

We don't run our own M365 OAuth dance. There are two reasons:

  1. CIPP already does the complicated multi-tenant onboarding work better than we would, including the Secure App Model and the "tenant onboarding wizard" for new clients.
  2. Most MSPs we talked to during the OpsMerge build were already using CIPP. Replicating it would have meant either reinventing the wheel or asking MSPs to consent to a second multi-tenant app.

OpsMerge therefore acts as a CIPP client, calling its API for data and (selectively) actions.

Step 1 — Configure the CIPP connection

You do this once per OpsMerge tenant, regardless of how many client M365 tenants you have.

First, in CIPP, create an API client for OpsMerge: Settings → CIPP API → Actions → Add CIPP-API Client. Name it something like OpsMerge, set the role to readonly, and submit. This creates an Azure app registration in your CIPP tenant and gives you the credentials below.

Then, in OpsMerge:

  1. Settings → Integrations → CIPP Sync.
  2. Fill in all four fields:
    • CIPP URL — your CIPP instance's API URL, e.g. https://yourname.azurewebsites.net. Found under Function Authentication at the top of the CIPP API page. Must start with https://.
    • Tenant ID — the Azure AD tenant ID of your CIPP instance, also shown under Function Authentication.
    • Client ID — the Client ID of the API client you just created (a UUID), copied from the CIPP-API Clients table.
    • Client Secret — generate this by clicking the three dots on your API client's row and choosing Reset Secret. Copy it immediately; CIPP only shows it once.
  3. Click Connect. OpsMerge requests an Azure AD token using these credentials and stores them (the secret is encrypted at rest).
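
A pre-flight check for the four fields and the token request that Connect implies, written as an added example (not OpsMerge or CIPP code). It assumes the standard Microsoft identity platform client-credentials flow, a scope of the form api://<client id>/.default, and an /api/ListTenants path on the CIPP URL; the function names are hypothetical.

```python
import json
import re
import urllib.parse
import urllib.request

UUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def check_fields(cipp_url, tenant_id, client_id, client_secret):
    """Return a list of problems with the four CIPP Sync fields (empty = OK)."""
    problems = []
    url = urllib.parse.urlsplit(cipp_url)
    if url.scheme != "https" or not url.hostname:
        problems.append("CIPP URL must start with https://")
    if url.username or url.password or url.query or url.fragment:
        problems.append("CIPP URL must not carry credentials, a query or a fragment")
    if not UUID_RE.match(tenant_id):
        problems.append("Tenant ID is not a UUID")
    if not UUID_RE.match(client_id):
        problems.append("Client ID is not a UUID")
    if not client_secret or client_secret != client_secret.strip():
        problems.append("Client Secret is empty or has stray whitespace")
    return problems


def token_request(tenant_id, client_id, client_secret):
    """Build, without sending, the client-credentials token request."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"api://{client_id}/.default",  # assumption: CIPP-API scope
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    return urllib.request.Request(url, data=body, method="POST")


def list_tenants(cipp_url, tenant_id, client_id, client_secret):
    """Live check (needs network): get a token, then ask CIPP for its tenants."""
    problems = check_fields(cipp_url, tenant_id, client_id, client_secret)
    if problems:
        raise ValueError("; ".join(problems))
    req = token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(req, timeout=15) as resp:
        token = json.load(resp)["access_token"]
    api = urllib.request.Request(
        cipp_url.rstrip("/") + "/api/ListTenants",  # assumption: endpoint path
        headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(api, timeout=30) as resp:
        return json.load(resp)  # an empty result: see "No tenants visible"
```

Run `check_fields` on the values before pasting them into OpsMerge; `list_tenants` exercises the same credentials end to end from a workstation that can reach both Azure AD and your CIPP instance.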

One CIPP, many OpsMerge tenants?

If you're an MSP-of-MSPs (you sell OpsMerge sub-tenancies to other MSPs), each sub-MSP needs their own CIPP instance and configures it here independently. CIPP isn't designed to be partitioned by a third party.

Step 2 — Map CIPP tenants to OpsMerge clients

CIPP knows about M365 tenants by tenant ID. OpsMerge knows about clients by your records. The mapping is one-to-one.

  1. Open a client in OpsMerge (the one you want to link).
  2. Click the M365 tab.
  3. Click Link CIPP tenant.
  4. Pick the matching tenant from the dropdown. OpsMerge pulls the list from CIPP's listTenants response.
  5. Save.

OpsMerge immediately starts an initial sync. You'll see:

  • Users — every M365 user, mapped against existing OpsMerge contacts where possible.
  • Mailboxes — size, type (regular, shared, resource), and licence info.
  • Devices — Intune-managed devices appear under the client's assets (annotated as M365-managed).
  • Domains — the client's primary and accepted domains.
  • Licences — current subscription state.

Initial sync usually completes in 30–90 seconds for a tenant under 200 users. Larger tenants take proportionally longer.

Step 3 — Verify

On the client's M365 tab you should now see:

  • A green Connected indicator.
  • The tenant's primary domain.
  • Counts for users, mailboxes, devices, and licences.
  • Last-sync timestamp.

If anything is zero where you expected non-zero, see the troubleshooting section below.

What ongoing sync does

After the initial sync, OpsMerge polls CIPP on a schedule:

  • Hourly when there's no recent activity on the client.
  • Every 10 minutes if the client has open tickets, recently-installed agents, or any signs of active engagement.
  • On demand via the Sync now button in the M365 tab.

There are no webhooks — Microsoft 365's change-notification surface via CIPP isn't reliable enough for what we use it for, so we poll.

Sync writes nothing back by default

The default config is read-only: OpsMerge consumes data from CIPP and never writes back. To enable actions (suspend user, reset password, etc.) you need to turn on Allow CIPP writes in Settings → Integrations → CIPP Sync. The setting is off by default so that the out-of-the-box configuration stays safe.

Common issues

"No tenants visible" after a successful connection. Your CIPP API client has the wrong role or no tenant access. In CIPP, check that the client under Settings → CIPP API has the readonly role and can see your tenants. If in doubt, reset the secret and reconnect in OpsMerge.

Tenant list shows the tenant but linking fails with "tenant not found". Stale CIPP cache. In CIPP, hit Settings → Refresh tenant list, then retry from OpsMerge.

User import created duplicate contacts. OpsMerge dedupes by email. If a CIPP-imported user has a different primary email than your manually-entered contact, you'll get duplicates. Merge from the contact list. Once merged, OpsMerge remembers the mapping for future syncs.

Devices appear under the client as separate assets but also as RMM agents. Expected. An Intune-managed device that also has the OpsMerge agent installed shows up twice in the underlying data — but the asset deduplication layer should hide one in normal views. If both still appear, file a bug — that's a regression.

CIPP base URL is behind Cloudflare Access / IP allowlist. OpsMerge's outbound IP needs to be allowed. The current outbound IP is the EU-app cell address — contact support for the current value if you need it for an allowlist.

Disconnecting

To unlink a client from CIPP:

  1. Client → M365 tab → Disconnect.
  2. Confirm.

OpsMerge stops syncing. Existing imported data stays in place but is marked as "no longer syncing". You can re-link to the same or a different tenant at any time.

Next

  • Install the agent on Windows — even with M365 connected, you still want the OpsMerge agent on managed endpoints for RMM features beyond what Intune surfaces.
  • Email gateway — route inbound mail to tickets, ideally from a domain that's also in CIPP.

OpsMerge is a product of Brindleford Technologies Ltd, company number 16871436, registered in England and Wales.