Microsoft Cloud Integration Bundle
Rewst's previous setup for Microsoft used a separate integration for each Microsoft app. If you are an older Rewst customer and have not yet migrated from the individual integrations to the bundle configuration, see the section below on how to migrate to the Microsoft Cloud Integration Bundle.
What is the Microsoft Cloud Integration Bundle?
The Microsoft Cloud Bundle is Rewst’s solution for integrating your most common Microsoft tools. It’s a little different from our other integrations in that we group multiple integrations together, by brand, to allow for easier and more custom integration options during setup.
Why use the Microsoft Cloud Integration Bundle?
Customize permissions tailored to your organization’s needs.
Centralize the management of all Microsoft integrations through the Rewst platform.
Protect your data with enhanced security measures.
Keep your integrations current with continuous updates and enhancements.
What integrations are in the Microsoft Cloud Integration Bundle?
You'll be prompted to check off any or all of the following integrations to be included in your setup process. The Microsoft Cloud Integration Bundle contains integrations for:

Microsoft Graph: A unified API that provides a single endpoint for accessing and managing data and intelligence across Microsoft 365, Windows, and Enterprise Mobility and Security. 👉 You should check this box to install the integration to allow Rewst to make API calls. This is necessary for the bundle to work.
Microsoft Exchange Online: The cloud-hosted version of the traditional Microsoft Exchange Server, offering similar functionalities but without the need for on-premises server infrastructure. 👉 You should check this box to install the integration to allow you to send Exchange Online PowerShell commands.
Microsoft Cloud Solution Provider (CSP): This allows for the resale of Microsoft cloud services like Azure, Microsoft 365, and Dynamics 365 to businesses, often with added value services. It's a subscription-based model where MSPs can bill customers. 👉 You should check this box if you use the Microsoft Partner Center and want to run Rewst actions against your customer tenants.
Microsoft Azure: A cloud computing platform, Azure offers a range of cloud infrastructure services, including computing, analytics, storage, networking, and AI. Note that Microsoft formerly called a different tool Azure, and renamed that tool Microsoft Entra. 👉 You should check this box to install the integration if you are already an Azure user and have an existing Azure key vault set up with Microsoft.
What is GDAP and why is it important to the setup process?
In 2024, Microsoft moved away from regular user-based access, where users logged into Microsoft Entra with an individually permissioned account. Instead, they now operate via delegated admin permissions, where permissions are assigned from the top level down, for more secure access management. This is known as Granulated Delegated Admin Permissions, or GDAP.
As part of the bundle setup process, you’ll be asked to create a dedicated user to act as your Microsoft service account. The way this is done and the roles you adopt are important, as GDAP dictates that this will now have a direct effect on how Rewst interacts with Microsoft.
For example, let’s say that 12 roles map to 177 permissions.
Rewst will try to make an API call.
The enterprise app will look for permissions.
The enterprise app will ask if it is making the call at customer level, and if there are roles at the customer level.
To ensure that your GDAP is properly set to allow Rewst automation, you’ll need to unpack our Configure New GDAP Relationship Crate during a step later on in this document as part of the Microsoft Cloud Bundle setup process. Read more about Crates here if you’re new to them as a concept in Rewst.
Migrate legacy Microsoft integrations to the new Microsoft Cloud Integration Bundle
Navigate to Configuration > Integrations in the left side menu of your Rewst platform.
Search for the Microsoft Cloud Bundle.
Click on the integration tile.
Select the Microsoft services you wish to integrate.
Enter the necessary details to establish a connection.
Modify permissions as needed for enhanced control.
Complete the setup by authorizing the selected integrations.
Post-transition configuration
After migrating, you'll configure each integration according to your needs, including setting up OAuth configurations and mapping CSP customers to Rewst organizations.
Use CSP Delegated Admin permissions: Manage permissions for Cloud Solution Provider integrations, ensuring they align with delegated admin roles.
Microsoft Graph OAuth configuration: Set up OAuth configurations for Microsoft Graph to ensure seamless integration and data access.
CSP Customer to Rewst organization mapping: Map CSP customers to Rewst organizations for streamlined management and reporting.
Microsoft Exchange Online OAuth configuration: Configure OAuth for Exchange Online, enabling advanced email and calendar integration functionalities.
Set up the Microsoft Cloud Integration Bundle
Step 1: Create a Microsoft service account in Microsoft Entra
Create a user in Microsoft Entra to use as your Rewst service account.
Navigate to Overview > +Add > User > Create new user in Microsoft Entra.
Name the user Rewst.
Check the box derive from user principal name.
Enter a display name of Rewst Service Account.
Auto generate a password.
Document all the user's information within your documentation platform. Be sure to note the user principal name.
Click the Properties tab. Leave all the options on this screen as default.
Click Assignments > Add Role.
Search for Global Administrator in the role selection. Select the role.
Click Select. Verify that the role is now listed in the main pane.
Click Review and Create, then Create.
Turn on MFA requirement for the user
Log in to the Microsoft 365 Admin Center.
Navigate to Users > Active Users > Multifactor Authentication.
Locate and select your Rewst service account user in the list that appears.
Click Enable under the Quick Steps menu.
Select the Rewst service account user again.
Click Enforce under the Quick Steps menu.
Click Enforce multi-factor.
Only Microsoft authentication is permissible. Providers like Duo are incompatible. For more information, see Microsoft's page on Supported MFA options.
Modify conditional access policy in Microsoft Azure: Set up your MSP's policies
Navigate to the Conditional Access Policies blade in Azure.
Remove the Rewst service account from any existing policies which may have been inherited at the time of its creation. If there are no existing policies, move on to the next step.
Create a New Policy.
Include Rewst User: Add the Rewst user to the policy
Enforce MFA: Mandate Azure Multi-factor Authentication for each login and application if you have not done so already
Policy Name: Save this policy under the name Rewst Conditional Access Policy.
Modify conditional access policy in Microsoft Azure: Set up your Client's policies
Granular access is influenced by your clients' conditional access policies. To ensure seamless access to your clients using your Rewst integration user, follow these steps:
Navigate to your client's Conditional Access Policies blade in Azure.
For each policy listed, add an exclusion to Users and Groups with these settings:
Guest or external users
Service Provider Users
Tenant ID: Enter your tenant ID. If unknown, find it at What Is My Tenant ID.
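One way to verify the exclusion above across a client's policies, as an added example that is not part of Rewst's documentation or tooling. It assumes the policies were exported in the shape of the Microsoft Graph conditionalAccessPolicy resource; the tenant ID, policy names and the 'ok' / 'missing' / 'overbroad' labels are constructed for illustration, and treating any tenant other than your own in the exclusion as "overbroad" is this example's choice.

```python
# Added example: audit Conditional Access policies (as returned by Microsoft Graph
# GET /identity/conditionalAccess/policies) for the service-provider exclusion.
MSP_TENANT_ID = "00000000-0000-0000-0000-000000000001"  # placeholder, not a real tenant

def audit_policy(policy, msp_tenant_id):
    """Classify one policy dict as 'ok', 'missing' or 'overbroad'."""
    users = (policy.get("conditions") or {}).get("users") or {}
    excl = users.get("excludeGuestsOrExternalUsers") or {}
    # guestOrExternalUserTypes is a comma-separated flags string.
    types = {t.strip() for t in (excl.get("guestOrExternalUserTypes") or "").split(",")}
    if "serviceProvider" not in types:
        return "missing"
    tenants = excl.get("externalTenants") or {}
    if tenants.get("membershipKind") != "enumerated":
        return "overbroad"  # service providers from every tenant are excluded
    members = {m.lower() for m in tenants.get("members") or []}
    if msp_tenant_id.lower() not in members:
        return "missing"
    # Any tenant listed besides the MSP's widens the exclusion beyond the guide.
    return "ok" if members == {msp_tenant_id.lower()} else "overbroad"

def audit(policies, msp_tenant_id=MSP_TENANT_ID):
    """Map each policy's displayName to its classification."""
    return {p["displayName"]: audit_policy(p, msp_tenant_id) for p in policies}

def _policy(name, excl=None):
    """Build a constructed sample policy with an optional exclusion block."""
    return {"displayName": name, "state": "enabled",
            "conditions": {"users": {"includeUsers": ["All"],
                                     "excludeGuestsOrExternalUsers": excl}}}

# Constructed sample data: names and IDs are illustrative only.
SAMPLE_POLICIES = [
    _policy("Require MFA for all users", {
        "guestOrExternalUserTypes": "serviceProvider",
        "externalTenants": {"membershipKind": "enumerated",
                            "members": [MSP_TENANT_ID]}}),
    _policy("Block legacy authentication"),  # no exclusion configured
    _policy("Require compliant device", {
        "guestOrExternalUserTypes": "b2bCollaborationGuest,serviceProvider",
        "externalTenants": {"membershipKind": "all"}}),
]

if __name__ == "__main__":
    for name, status in audit(SAMPLE_POLICIES).items():
        print(f"{status:9}  {name}")
```

Policies reported as missing still need the exclusion added; policies reported as overbroad exempt service-provider users from tenants other than yours and are worth narrowing to your tenant ID.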
Step 2: Register the enterprise app and authorize the Rewst integration
Choose how to register the app.
Most users should select the Rewst-created enterprise app. It simplifies setup, includes the required permissions, and is secure. Unless you’re absolutely sure you need your own, choose the default option.
If you are absolutely certain that you must bring your own app rather than using the Rewst-created one, choose this registration option. Owned app registration instructions can be found here: https://docs.rewst.help/documentation/configuration/integrations/integration-guides/microsoft-cloud-integration-bundle/owned-app-registration
Click Next.
Set permissions for Microsoft Graph.
You can pick and choose from a set of pre-selected Graph permissions, or edit based on your org’s security preferences.
These permissions are carefully chosen to support Crates without authentication issues.
If you modify permissions from the stock ones suggested by Rewst, it’s your responsibility to verify that your custom permissions don’t interfere with Rewst’s functionality.
For more detail, consult Microsoft Graph’s official permissions documentation.
Grant additional access for other Microsoft integrations
Exchange, CSP, and Azure, if needed, are simpler and allow you to toggle access as desired.
Microsoft Graph includes ~177 APIs, and gives you broad access to users, groups, and licensing from one endpoint.
Click Next.
Review your configuration decisions in the Authorize Integrations screen. Click Back if you wish to make updates. Click Authorize when satisfied with your choices.
After authorizing, you’ll see:
What authorized successfully
Which user was used
The tenant ID
A corresponding Enterprise App created in Entra
Step 3: Set up GDAP relationships
Step 4: Link customers and validate GDAP access
Return to your Rewst platform.
Use the drop-down organization selector to choose your relevant child organization for your customer.
Complete the authorization process as prompted on the screen.
Check off all boxes in the Select Integrations screen.
Choose Rewst Microsoft Cloud Connector.
Click Next.
Choose your tenant permissions. Click the Microsoft Graph Permissions accordion menu to expand and view the total permission list. Unless you have specific, verified reasons for unchecking any of these boxes, we recommend leaving our stock settings checked.
Click Next.
Double check your choices and click Authorize.
Once Rewst has received the successful authorization callback from Microsoft, a background process will be initiated to authorize each of the integrations you installed for the bundle. Once that is complete, the permissions that you previously selected will be assigned to the Enterprise App installed in your tenant for the Rewst MS Cloud Connector.
This process may take a few moments to complete. Don't navigate away from this page until the process is finished.
Repeat these delegated admin permission consent steps for each customer organization where you wish to set up the Microsoft Cloud Integration Bundle.
Check on the integration's page for each of your organizations to ensure that the consent process was successful.
A green shield to the right of the integration name means the GDAP relationship is working and API access is valid.
A blue shield or error means setup failed, and permissions are missing or incorrectly configured.
Troubleshoot the Microsoft Cloud Integration Bundle
Common installation errors
Authorization issues
If you encounter problems during the authorization step, ensure that you are using the correct account, and that all permissions are properly set.
Permission configuration errors
Double-check the permissions if there are issues with accessing certain functionalities. Ensure that the appropriate permissions are enabled and correctly configured.
Additional errors