What you’ll need
- Microsoft 365 Global Administrator role (or Privileged Role Admin who can grant tenant-wide consent).
- Two minutes.
Set it up
Open the Microsoft 365 integration in Layer
In Layer, go to Integrations, find Microsoft 365, and click Connect.
Sign in with your Global Admin account
You’ll be redirected to Microsoft’s sign-in. Use the Global Admin account for the tenant you want to connect.
Grant tenant-wide admin consent
Microsoft will show the requested scopes. Tick Consent on behalf of your organization and click Accept.Scopes requested:
User.Read.All— list usersGroup.Read.All— list groups and membershipDirectory.Read.All— read directory metadataAuditLog.Read.All— read sign-in and audit logsApplication.Read.All— list registered apps and service principals
What gets synced
| Object | Fields | Refresh cadence |
|---|---|---|
| Users | UPN, display name, account enabled, last sign-in | Every 6 hours |
| Groups | name, type, member UPNs | Every 6 hours |
| Devices | name, OS, compliance state, owner | Every 6 hours |
| App registrations | name, scopes granted, sign-ins last 30 days | Daily |
Token refresh
Microsoft delegated access tokens expire approximately one hour after they are issued. Layer automatically refreshes tokens in the background each time a sync runs, so your connection stays active without any manual re-authorization. If a refresh fails — for example, because an admin revoked consent in the Azure portal — the connection status changes to needs re-auth and you can reconnect with one click.Troubleshooting
Microsoft says only an admin can consent
Microsoft says only an admin can consent
Only Global Admins can grant tenant-wide consent. Sign in with a Global Admin account, or have one approve the consent request from the Azure portal.
Connection shows needs re-auth
Connection shows needs re-auth
This means Layer could not refresh the access token automatically. The most common cause is revoked consent or a changed conditional-access policy. Go to Integrations → Microsoft 365 and click Reconnect to re-authorize.
I want to disconnect
I want to disconnect
Go to Integrations → Microsoft 365 → Disconnect in Layer. To fully revoke, also remove the Axiom app from Enterprise Applications in the Azure portal.