Perfcopilot
Get started

Microsoft 365

The Microsoft 365 integration (via Microsoft Graph) handles directory sync — pulling your employee list, manager relationships, and start dates from Azure Active Directory / Entra ID into PerfCopilot. This is distinct from the per-employee email integration: this one is org-wide and powers the manager-invite flow.

Two separate integrations. If you want both directory sync (this article) and per-employee Outlook email signals, you need both configured. Directory sync is org-wide; email signals are per-employee OAuth. See Email (Gmail / Outlook) for the email side.

What we pull

From Microsoft Graph's /users and /users/{id}/manager endpoints:

  • Employee display name, job title, department, and email address
  • Manager relationship (the manager navigation property)
  • Account-enabled status — used to mark employees as inactive when they leave
  • createdDateTime — used as the hire/start date when BambooHR or another HRIS isn't connected

Directory sync does not pull calendar events, mail, files, or Teams messages. Scope is User.Read.All and Directory.Read.All.

Connecting

Microsoft 365 is an org-wide install requiring admin consent.

  1. Go to /admin?tab=integrations, find the Microsoft 365 card under "Org-wide".
  2. Click Connect. You're redirected to Microsoft's admin consent screen.
  3. Sign in as a Global Administrator or User Administrator for your Azure AD tenant. Non-admin accounts cannot grant the required scopes.
  4. Grant the User.Read.All and Directory.Read.All application permissions.
  5. After consent, PerfCopilot imports your employee list immediately. Existing PerfCopilot employees are matched by email address; new ones are created.

Manager-invite flow. Once connected, the PerfCopilot admin panel can trigger manager-invite emails to everyone in a manager's reporting chain — it reads the chain from the Graph manager property rather than requiring manual entry.

What hits a review

Directory data doesn't directly appear in review prompts. It's used to:

  • Populate the employee list and org chart in the dashboard
  • Determine manager relationships for review routing
  • Fill start_date when no HRIS is connected (affects tenure-based context in the AI prompt's [EMPLOYEE] block)

Troubleshooting

"Directory sync returns no employees"

  1. Non-admin account used during consent. The consent screen may appear to succeed even if the consenting user lacks the right role, but the token won't have User.Read.All. Re-connect using a Global Administrator account.
  2. Guest accounts not synced. Microsoft Graph only returns member accounts by default. Guest accounts (those with #EXT# in their UPN) are excluded. This is intentional — guests typically don't need performance reviews.
  3. Large tenant taking too long. Tenants with thousands of users may take a few minutes for the initial sync. The integration card shows a "syncing" state; refresh after a minute.

"Manager relationships are wrong / missing"

  1. Managers not set in Azure AD. The manager property is optional in Azure AD. If your IT team hasn't populated it, all employees will show without a manager. Set managers in Azure AD or map them manually in PerfCopilot.
  2. Circular manager chain. A rare misconfiguration where A manages B and B manages A will break traversal. Azure AD usually prevents this; if you see odd behavior, check with your IT admin.

"Employees show wrong start dates"

The createdDateTime field in Azure AD reflects when the Azure AD account was created, not when the employee joined the company. If your AD accounts are provisioned weeks before employees start (or migrated from a previous system), the date will be off. Connect BambooHR or your HRIS to get authoritative start dates.

Privacy notes

  • Directory sync reads only the fields listed above — no calendars, mail, files, or Teams content.
  • Employee email addresses and manager relationships are stored and visible to PerfCopilot admins.
  • PerfCopilot uses app-only (daemon) permissions, not delegated user permissions. No individual user needs to consent; only an admin grants access once.