Connect Microsoft 365
Wisteria’s AI ambient watcher reads documents from your team’s OneDrive and SharePoint to propose training courses automatically. Connection takes about three minutes for a Global Administrator on your Microsoft 365 tenant.
What gets accessed
Wisteria requests the following Microsoft Graph permissions, applied at the tenant level (no per-employee setup required):
| Permission | Why we need it |
|---|---|
Files.Read.All | Read documents across OneDrive + SharePoint to evaluate which are training-relevant |
Sites.Read.All | Discover SharePoint sites containing team content |
User.Read.All | List domain users for the AI evaluator to understand who content is for |
Group.Read.All | Resolve group membership for department-aware course suggestions |
All permissions are read-only. Wisteria never modifies, uploads, or deletes files in your tenant.
Who can do this
You need to be a Global Administrator in your Microsoft 365 tenant. Other admin roles (Application Administrator, Cloud Application Administrator) cannot grant the consent required.
If you’re not sure who your Global Admin is, ask in admin.microsoft.com → Users → filter by Role = Global Administrator.
Setup steps
1. Open the magic link
A colleague who set up your Wisteria workspace will have sent you a one-time setup link by email. Open it.
If you don’t have the link, ask your colleague to send a fresh one from Settings → Integrations → Microsoft 365 → Set up via Global Admin inside Wisteria.
2. Click “Connect Microsoft 365”
The landing page shows a single Connect button. Clicking it redirects you to Microsoft’s admin consent screen.
3. Sign in as Global Administrator
Microsoft hosts the consent page itself — your credentials never touch Wisteria’s servers. You’ll sign in with your Microsoft 365 Global Admin account.
4. Review and approve
Microsoft shows the exact permissions Wisteria is requesting. Review them, then click Accept.
5. Done
Microsoft redirects you back to Wisteria. The landing page confirms the setup succeeded and your colleague gets an email letting them know.
The AI ambient watcher will start surfacing training-ready content within an hour.
What if it fails?
”Need admin approval”
You’re signed in as a regular user, not a Global Administrator. Sign out, sign back in with the Global Admin account, retry.
”Application requires permissions which can’t be granted at user level”
Same root cause as above — switch to the Global Admin account.
”AADSTS50020: User not found in tenant”
The account you signed in with belongs to a different Microsoft 365 tenant than the one you’re trying to connect. Sign out, sign back in with an account in the right tenant.
Other Microsoft error codes
Microsoft surfaces a structured error code (e.g. AADSTS65001) on the consent page. Copy it into a Google search — Microsoft’s docs explain each code precisely. The most common ones map to admin-role mismatches.
Disconnecting
The connection can be revoked at any time from two places:
- Inside Wisteria — your super_admin goes to Settings → Integrations → Microsoft 365 and clicks Disconnect. The local row is removed; the AI watcher stops scanning. This is the soft option.
- Inside Microsoft Entra —
admin.microsoft.com→ Enterprise applications → Wisteria → Remove. This revokes the underlying admin consent. Use this if you want the consent gone at Microsoft’s end too.
Wisteria’s behaviour after disconnect: the ambient watcher stops finding new content. Existing courses in Wisteria are untouched.
Security notes
- Wisteria stores your tenant ID locally. No tokens or credentials are stored — Wisteria mints fresh tokens on each Graph API call via the admin consent grant.
- All API calls happen server-side from Wisteria’s infrastructure.
- The connection can be audited from Microsoft Entra’s sign-in logs (search for the Wisteria service principal).
Coming back to verify
If the client secret on Wisteria’s side is rotated, or admin consent is revoked and re-granted at Microsoft, the super_admin can re-verify the connection from Settings → Integrations → Microsoft 365 → Re-verify inside Wisteria. No new admin consent is needed.