From m365
Manages Microsoft 365 (Entra ID) users: lists, searches, creates, disables accounts; checks status, MFA enrollment, licenses, groups, manager hierarchy via Graph API.
```bash
npx claudepluginhub wyre-technology/msp-claude-plugins --plugin m365
```

This skill uses the workspace's default tool permissions.
Users in Microsoft 365 (Entra ID) are the central identity object for your tenant. Every licensed service — Exchange, Teams, OneDrive, SharePoint — flows through the user object. For MSPs, user management spans onboarding new staff, offboarding leavers, license optimization, and security posture checks across customer tenants.
| Property | Description | MSP Relevance |
|---|---|---|
| id | Entra object GUID | Use in API calls |
| userPrincipalName | Login email (UPN) | Primary identifier |
| displayName | Full name | Display in tickets |
| accountEnabled | Active/disabled | Offboarding, lockout |
| assignedLicenses | License SKU GUIDs | License audits |
| strongAuthenticationMethods | MFA methods | Security posture |
| signInActivity.lastSignInDateTime | Last login | Inactive user detection |
| jobTitle / department | Org structure | Access grouping |
| manager | Reporting manager | Approval workflows |
| usageLocation | 2-letter country | Required before license assignment |

| State | accountEnabled | Meaning |
|---|---|---|
| Active | true | Normal working account |
| Disabled | false | Blocked sign-in; retains data |
| Deleted (soft) | N/A | 30-day recoverable window |
| Deleted (hard) | N/A | Permanent — data gone |
M365 licenses are assigned as SKU objects. Users need a usageLocation set before any license can be assigned.
| SKU Part Number | Friendly Name |
|---|---|
| O365_BUSINESS_PREMIUM | Microsoft 365 Business Premium |
| SPE_E3 | Microsoft 365 E3 |
| SPE_E5 | Microsoft 365 E5 |
| ENTERPRISEPACK | Office 365 E3 |
| EMS | Enterprise Mobility + Security E3 |
| AAD_PREMIUM | Entra ID P1 |
| AAD_PREMIUM_P2 | Entra ID P2 |

```http
GET /v1.0/users?$select=id,displayName,userPrincipalName,accountEnabled,assignedLicenses,signInActivity&$top=100
```

Note: `signInActivity` requires Entra ID P1 or P2.

```http
GET /v1.0/users/{id or userPrincipalName}?$select=id,displayName,userPrincipalName,accountEnabled,jobTitle,department,assignedLicenses,usageLocation
```

```http
GET /v1.0/users?$filter=startswith(displayName,'John')&$select=id,displayName,userPrincipalName,accountEnabled
```

```http
PATCH /v1.0/users/{id}
Content-Type: application/json

{
  "accountEnabled": false
}
```

```http
POST /v1.0/users
Content-Type: application/json

{
  "accountEnabled": true,
  "displayName": "Jane Smith",
  "mailNickname": "jsmith",
  "userPrincipalName": "jsmith@contoso.com",
  "usageLocation": "US",
  "passwordProfile": {
    "forceChangePasswordNextSignIn": true,
    "password": "TempP@ss123!"
  }
}
```

```http
POST /v1.0/users/{id}/assignLicense
Content-Type: application/json

{
  "addLicenses": [
    { "skuId": "<sku-guid>", "disabledPlans": [] }
  ],
  "removeLicenses": []
}
```

```http
GET /v1.0/users/{id}/memberOf?$select=id,displayName,groupTypes
```

```http
POST /v1.0/users/{id}/revokeSignInSessions
```

The Softeria MCP server wraps Graph API calls. To check MFA status:
```http
GET /v1.0/users/{id}/authentication/methods
```

Response includes registered methods:

- `#microsoft.graph.microsoftAuthenticatorAuthenticationMethod` — Authenticator app
- `#microsoft.graph.phoneAuthenticationMethod` — SMS/phone
- `#microsoft.graph.fido2AuthenticationMethod` — Hardware key
- `#microsoft.graph.windowsHelloForBusinessAuthenticationMethod` — WHfB
- `#microsoft.graph.passwordAuthenticationMethod` — Password only (no MFA!)

Users with only `passwordAuthenticationMethod` have NO MFA enrolled.
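The check described above, as an added example (not code from the plugin): it classifies an `authentication/methods` response by matching `@odata.type` against the four MFA types listed on this page, rather than counting "anything that is not a password" as MFA. The function name, the result keys and the sample responses are assumptions constructed for illustration; the email method in the third sample is a Graph type that is not in this page's list.

```python
# MFA-capable method types, exactly the four listed on this page.
MFA_TYPES = {
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod": "Authenticator app",
    "#microsoft.graph.phoneAuthenticationMethod": "SMS/phone",
    "#microsoft.graph.fido2AuthenticationMethod": "Hardware key",
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod": "WHfB",
}
PASSWORD_TYPE = "#microsoft.graph.passwordAuthenticationMethod"

def mfa_status(methods_response):
    """Classify one user's GET /users/{id}/authentication/methods response."""
    mfa, unrecognized = set(), []
    for method in methods_response.get("value", []):
        odata_type = method.get("@odata.type", "")
        if odata_type in MFA_TYPES:
            mfa.add(MFA_TYPES[odata_type])
        elif odata_type != PASSWORD_TYPE:
            # Not on the allowlist: report it for review, do not count it as MFA.
            unrecognized.append(odata_type)
    return {
        "mfa_enrolled": bool(mfa),
        "mfa_methods": sorted(mfa),
        "unrecognized": unrecognized,
    }

# Constructed sample responses (hypothetical users, not real tenant data).
PASSWORD_ONLY = {"value": [{"@odata.type": PASSWORD_TYPE}]}
APP_AND_PHONE = {"value": [
    {"@odata.type": PASSWORD_TYPE},
    {"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"},
    {"@odata.type": "#microsoft.graph.phoneAuthenticationMethod"},
]}
PASSWORD_AND_EMAIL = {"value": [
    {"@odata.type": PASSWORD_TYPE},
    {"@odata.type": "#microsoft.graph.emailAuthenticationMethod"},
]}

if __name__ == "__main__":
    for name, resp in [("password only", PASSWORD_ONLY),
                       ("app + phone", APP_AND_PHONE),
                       ("password + email", PASSWORD_AND_EMAIL)]:
        print(name, mfa_status(resp))
```

A user whose result has `mfa_enrolled` false but a non-empty `unrecognized` list has more than one registered method and would pass a naive "more than just a password" test.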
forceChangePasswordNextSignIn: true)
usageLocation
accountEnabled: false)

Users with no sign-in for 90+ days are candidates for license reclamation:

```http
GET /v1.0/users?$filter=accountEnabled eq true&$select=id,displayName,userPrincipalName,signInActivity&$top=999
```

Filter results where signInActivity.lastSignInDateTime is older than 90 days, or null (never logged in).
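The client-side filter described above, as an added example (not code from the plugin). Graph returns user lists in pages linked by `@odata.nextLink`, so the sketch walks every page before applying the 90-day cutoff and treats a missing or null `signInActivity` as "never logged in". The function names, the `fetch` callable and the sample pages are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def iter_users(fetch, first_url):
    """Yield users from every result page by following @odata.nextLink."""
    url = first_url
    while url:
        page = fetch(url)  # fetch(url) -> parsed JSON dict (assumed helper)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")  # absent on the last page

def inactive_users(users, now, days=90):
    """Return (UPN, last sign-in or None) for users inactive for `days`+ days."""
    cutoff = now - timedelta(days=days)
    stale = []
    for user in users:
        # signInActivity can be missing or null for accounts that never signed in
        last = (user.get("signInActivity") or {}).get("lastSignInDateTime")
        if last is None:
            stale.append((user["userPrincipalName"], None))
        elif datetime.fromisoformat(last.replace("Z", "+00:00")) < cutoff:
            stale.append((user["userPrincipalName"], last))
    return stale

# Constructed sample pages standing in for Graph responses (not real tenant data).
PAGES = {
    "page-1": {
        "value": [
            {"userPrincipalName": "alice@contoso.com",
             "signInActivity": {"lastSignInDateTime": "2025-05-20T09:00:00Z"}},
            {"userPrincipalName": "bob@contoso.com",
             "signInActivity": {"lastSignInDateTime": "2025-01-15T08:30:00Z"}},
        ],
        "@odata.nextLink": "page-2",
    },
    "page-2": {
        "value": [
            {"userPrincipalName": "carol@contoso.com", "signInActivity": None},
            {"userPrincipalName": "dave@contoso.com",
             "signInActivity": {"lastSignInDateTime": "2025-02-01T12:00:00Z"}},
        ],
    },
}

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock for a repeatable result
REPORT = inactive_users(iter_users(PAGES.__getitem__, "page-1"), NOW)
print(REPORT)
```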
| Error | Cause | Resolution |
|---|---|---|
| Request_ResourceNotFound | User GUID/UPN doesn't exist | Verify UPN spelling |
| Authorization_RequestDenied | Missing Graph permission | Check app registration scopes |
| LicenseAssignmentError | No usageLocation set | Set location first |
| Directory_QuotaExceeded | Tenant user limit reached | Contact Microsoft |
| InvalidPasswordComplexity | Password too weak | Use 12+ char with symbols |

| Task | Microsoft Graph Permission |
|---|---|
| Read users | User.Read.All |
| Create/update users | User.ReadWrite.All |
| Assign licenses | Directory.ReadWrite.All |
| Check auth methods | UserAuthenticationMethod.Read.All |
| Revoke sessions | Directory.ReadWrite.All |