AIRM Knowledge Base
Complete documentation for the AI Identity Risk Monitor platform — setup guides, feature references, integration instructions, and troubleshooting for MSPs and direct customers.
Overview
AIRM (AI Identity Risk Monitor) monitors AI agents and non-human identities in your Microsoft 365 environment. It detects risk, scores identities, fires alerts, and gives you the tools to respond.
First Steps
1. Connect Your Tenant
Navigate to Tenants in the sidebar and click Add Tenant. A Microsoft 365 Global Administrator must approve the consent screen — this grants AIRM read access to service principals, audit logs, and directory data.
2. Run the Baseline Scan
Once connected, AIRM triggers a baseline scan automatically. The first scan inventories everything it finds but fires no alerts. You will receive a baseline summary email when it completes.
3. Review the Dashboard
After the baseline scan, the dashboard shows:
- Tenant Health Score — Overall, Risk, and Governance components
- AI Agent Risk Overview — total agents, critical findings, alert count
- Non-Human Identity Risk — Non-Human Identity count, unowned identities
- Top 5 Attack Path Risks — highest risk identities by attack potential
4. Configure Alerts
Navigate to Alerting and set your alert delivery email, notification frequency, and thresholds. Default settings send a daily digest for High and Critical findings only.
5. Connect Your Integrations
Navigate to Integrations and configure your PSA or notification channels. AIRM has native connectors for ConnectWise Manage, HaloPSA, and Autotask, plus generic webhooks for Slack, Teams, PagerDuty, and others.
Key Concepts
| Term | Definition |
|---|---|
| Service Principal | Any non-human identity in Microsoft 365 — OAuth apps, automation accounts, enterprise applications, and managed identities. |
| AI Agent | A service principal AIRM has classified as an AI-powered tool based on its permissions, publisher, and behaviour signals. |
| Non-Human Identity | A service principal that is not an AI agent and not a Microsoft first-party app. Includes legacy integrations, service accounts, and automation tools. |
| Behaviour Risk Band | AIRM's score for observed activity — Critical, High, Medium, or Low. Reflects how suspicious the identity's behaviour is. |
| Blast Radius Band | A separate band rating the potential damage if the identity were compromised, based on permissions held — not observed behaviour. |
| Baseline | The initial inventory on first scan. Alerts only fire for changes from the baseline going forward. |
Scan Schedule
Scans run automatically every Monday at 2am. You can trigger a manual scan at any time from the Tenants page. The audit log poller runs every 30 minutes and detects new AI agents within 30 minutes of admin consent.
Overview
This guide walks you through setting up AIRM for your first client tenant. Complete each step in order — the steps build on each other.
Step 1 — Connect Your First Client Tenant
Navigate to Tenants in the sidebar and click Add Tenant. The client's Microsoft 365 Global Administrator must complete the consent screen. This grants AIRM read access to the tenant's service principals, audit logs, and directory data. No write permissions are granted at this stage.
Once consent is approved, AIRM begins the baseline scan automatically. This first scan takes 2-5 minutes depending on tenant size.
What to tell your client: "I need you to approve a Microsoft consent screen. It will ask for permission to read your application registrations and audit logs. This is how AIRM monitors your environment."
Step 2 — Understand the Baseline Scan
The first scan is a baseline — AIRM inventories everything it finds but fires no alerts. You will receive a baseline summary email when it completes. The baseline summary includes total service principals found, number classified as AI agents, critical and high risk findings, identities with anomaly signals, and known risk applications detected.
Step 3 — Review the Dashboard
After the baseline scan, navigate to the Dashboard. The AI Agents and Non-Human Identity list pages show two band columns for each identity: Behaviour Risk Band (how suspicious the activity is) and Blast Radius Band (how much damage a compromise could cause). Pay special attention to identities with low behaviour risk but high blast radius — these are sleeping threats.
Step 4 — Configure Alert Delivery
Navigate to Alerting and enter the alert delivery email address. Set notification frequency — Daily digest is recommended to avoid email overload. Set thresholds — High and Critical agents only is the default and appropriate for most tenants.
Step 5 — Connect Your PSA
Navigate to Integrations and select your PSA platform. AIRM has native integrations for ConnectWise Manage, HaloPSA, and Autotask — no middleware required. After entering credentials, click Create Test Ticket to verify the integration works before relying on it for live alerts.
Step 6 — Generate the First Report
Navigate to Compliance & Reporting and download the Executive Summary — the free flagship report available to all users including trial accounts. With a paid subscription, you can also generate AI Agent Risk Reports, Non-Human Identity Risk Reports, and per-framework Compliance Reports. Use the Report Branding panel to add your MSP logo and company name to all PDF reports.
What Happens Next
AIRM scans automatically every Monday at 2am. The 30-minute audit log poller runs continuously — new AI agents appear within 30 minutes of admin consent in the client's tenant.
Overview
This guide walks you through connecting your Microsoft 365 environment to AIRM and understanding your first security findings.
Step 1 — Connect Your Microsoft 365 Tenant
Navigate to Tenants in the sidebar and click Add Tenant. You will need to be a Microsoft 365 Global Administrator to complete this step. AIRM will show a Microsoft consent screen listing the permissions it needs. Review them and click Accept.
AIRM does not request any write permissions at this stage. It reads and monitors — it cannot make changes.
Step 2 — Your First Scan
After connecting, AIRM runs its first scan automatically. This takes 2-5 minutes and is completely silent — no alerts will fire during this initial scan. The first scan establishes a baseline — going forward, alerts only fire for changes from this baseline. You will receive a summary email when it completes.
Step 3 — Explore the Dashboard
Navigate to the Dashboard to see your results. Each identity shows two separate risk indicators: Behaviour Risk Band (how suspicious the app's activity is) and Blast Radius Band (how much damage could be done if compromised).
Step 4 — Configure Alerts
Navigate to Alerting and enter your email address. AIRM will notify you when new risks are detected. The default setting is a daily email digest — one email per day summarising new findings.
Step 5 — Download Your Security Report
Navigate to Compliance & Reporting and download the Executive Summary report — a free, premium security posture report written in clear non-technical language. It includes a plain-English explanation of what was found, what it means for your organisation, and what to do about it.
Prerequisites
- AIRM account with an available tenant slot
- Client's Microsoft 365 Global Administrator available to approve the consent screen
- The client's Azure tenant ID (optional but helpful)
- Client's Microsoft 365 licence tier (E3, E5, or Business)
The Consent Flow
- In AIRM, navigate to Tenants and click Add Tenant
- Enter the client's organisation name and click Connect
- AIRM redirects to Microsoft's OAuth consent screen
- The client's Global Administrator logs in with their Microsoft credentials
- Microsoft shows the permissions AIRM is requesting
- The administrator clicks Accept
- Microsoft redirects back to AIRM with an authorisation code
- AIRM exchanges the code for an access token and refresh token
- AIRM stores the tokens securely and begins the baseline scan
Permissions Requested
| Permission | Type | Purpose |
|---|---|---|
| Directory.Read.All | Application | Read service principals and app registrations |
| AuditLog.Read.All | Application | Read audit logs for behavioural analysis |
| Organization.Read.All | Application | Read tenant and licence information |
| Policy.Read.All | Application | Read conditional access policies |
| PrivilegedAccess.Read.AzureAD | Application | Read privileged identity data |
All permissions are read-only. AIRM cannot modify, create, or delete any resources in the client's tenant.
Troubleshooting Failed Connections
AADSTS65001 — User or administrator has not consented
The consent screen was cancelled or the administrator does not have sufficient permissions. Ensure the person approving is a Global Administrator, not just an Application Administrator.
AADSTS50034 — User account does not exist
The administrator is attempting to log in with credentials from the wrong tenant. Ensure they are logging in with their client's Microsoft account.
AADSTS700016 — Application not found
The AIRM application registration is not visible to this tenant. Contact Sabiki Security support with your tenant IDs.
Tenant connects but shows 0 service principals
The Global Administrator who approved consent may not have sufficient permissions to read all directory objects. Try reconnecting with a different Global Administrator account.
The 30-Minute Audit Log Poller
After the baseline scan, AIRM starts polling the Office 365 Management Activity API every 30 minutes for new audit events. This is how AIRM detects new AI agents within 30 minutes of consent. If you see [O365] Failed to start errors in server logs, trigger a manual scan to reinitialise the subscriptions.
What You Need
- Microsoft 365 Global Administrator access
- An AIRM account
Only a Global Administrator can complete the connection. If you are not a Global Administrator, ask your IT administrator to complete this step.
What AIRM Reads
- Application registrations — apps and integrations connected to your environment
- Audit logs — a record of what those applications have been doing
- Directory information — basic information about your organisation
AIRM cannot make changes to your Microsoft 365 environment. It reads and monitors only.
The Connection Process
- Navigate to Tenants and click Add Tenant
- Click Connect Microsoft 365
- You will be redirected to a Microsoft sign-in page
- Sign in with your Global Administrator credentials
- Review the permissions AIRM is requesting and click Accept
- You will be redirected back to AIRM
- AIRM will begin scanning your environment automatically (2-5 minutes)
If Something Goes Wrong
The consent screen says my account does not have permission — You need Global Administrator access. Contact your IT administrator.
I accepted but AIRM shows no data — The initial scan may still be running. Wait 5 minutes and refresh the page.
Disconnecting AIRM
Go to your Microsoft 365 Admin Centre, navigate to Enterprise Applications, find the AIRM application, and delete it. This removes all permissions AIRM had and stops monitoring immediately.
Overview
The Tenant Health Score is a number from 0 to 100 measuring both the current security risk in the tenant and how well that risk is being managed.
Final Score = (Risk Component × 50%) + (Governance Component × 50%)
Risk Component (0–100)
Reflects the current security risk present in the tenant. Starts at 100 and deducts points for active risk findings.
| Finding | Deduction | Cap |
|---|---|---|
| Each critical risk identity | -15 | -45 max |
| Each high risk identity | -8 | -24 max |
| Each active anomaly signal type | -5 | -20 max |
| Each known rogue application | -20 | -20 max |
| Critical agent unreviewed >24 hours | -10 | -20 max |
Governance Component (0–100)
| Action | Points | Maximum |
|---|---|---|
| AI agents reviewed or approved | Proportional | 40 |
| Non-Human Identities with owner assigned | Proportional | 20 |
| Alerts reviewed or dismissed | Proportional | 20 |
| All critical agents reviewed within 24h (bonus) | +5 | 5 |
| No active anomaly signals (bonus) | +5 | 5 |
| Critical agent unreviewed >7 days (penalty) | -10 each | — |
Score Bands
| Score | Band |
|---|---|
| 90–100 | Well Managed |
| 75–89 | Good Standing |
| 50–74 | Needs Attention |
| 25–49 | At Risk |
| 0–24 | Critical Exposure |
Dual Band System — Behaviour Risk Band and Blast Radius Band
AIRM uses two separate band metrics for every identity, shown on both list pages and the identity detail header:
Behaviour Risk Band — derived from the composite score (Static + Behavioural + Anomaly). Answers: "How suspicious is this app's activity?"
Blast Radius Band — derived from the blast radius score (permissions granted). Answers: "How much damage could an attacker do with this app's credentials?"
Both use the same thresholds: 0–24 = Low, 25–49 = Medium, 50–74 = High, 75–100 = Critical.
Why two bands? A common and important pattern is LOW Behaviour Risk with CRITICAL Blast Radius — a quiet app with dangerous permissions. Traditional tools miss this because the app "isn't doing anything wrong." AIRM surfaces it because the permissions alone represent a severe risk if the credential is compromised.
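A worked calculation of the Tenant Health Score and the two identity bands above, as an added example rather than AIRM's own code. It assumes that a "critical" or "high" risk identity is one whose Behaviour Risk Band is Critical or High, that "Proportional" governance points are the reviewed or owned share multiplied by the row maximum, and that both components are clamped to 0 to 100; the identities are constructed sample data, and the example also flags the Low behaviour / Critical blast radius pattern.

```python
from dataclasses import dataclass

# Shared thresholds for Behaviour Risk Band and Blast Radius Band (from the page).
RISK_BANDS = ((75, "Critical"), (50, "High"), (25, "Medium"), (0, "Low"))
# Tenant Health Score bands (from the page).
HEALTH_BANDS = ((90, "Well Managed"), (75, "Good Standing"), (50, "Needs Attention"),
                (25, "At Risk"), (0, "Critical Exposure"))


def band(score: float, table=RISK_BANDS) -> str:
    """Map a 0-100 score to its band label using the first threshold it meets."""
    for floor, label in table:
        if score >= floor:
            return label
    return table[-1][1]


@dataclass
class Identity:
    name: str
    composite: int                 # Static + Behavioural + Anomaly score, 0-100
    blast_radius: int              # permissions-derived score, 0-100
    is_ai_agent: bool = False
    reviewed: bool = False         # approved or reviewed via Response Actions
    hours_unreviewed: float = 0.0  # time spent critical without review
    has_owner: bool = False
    anomaly_signals: tuple = ()    # active anomaly signal types, e.g. "velocity_spike"
    rogue: bool = False            # matched a known rogue application


def sleeping_threats(ids):
    """Quiet apps with dangerous permissions: Low behaviour band, Critical blast radius band."""
    return [i.name for i in ids
            if band(i.composite) == "Low" and band(i.blast_radius) == "Critical"]


def risk_component(ids) -> int:
    """Start at 100 and apply each capped deduction from the Risk Component table."""
    critical = [i for i in ids if band(i.composite) == "Critical"]
    high = [i for i in ids if band(i.composite) == "High"]
    signal_types = {s for i in ids for s in i.anomaly_signals}
    rogue = [i for i in ids if i.rogue]
    stale = [i for i in critical if not i.reviewed and i.hours_unreviewed > 24]
    score = 100
    score -= min(15 * len(critical), 45)
    score -= min(8 * len(high), 24)
    score -= min(5 * len(signal_types), 20)
    score -= min(20 * len(rogue), 20)
    score -= min(10 * len(stale), 20)
    return max(score, 0)


def governance_component(ids, alerts_handled_share: float) -> float:
    """Proportional credit for review, ownership and alert handling, plus bonuses and penalties.
    alerts_handled_share is the fraction of alerts reviewed or dismissed (0.0 to 1.0)."""
    agents = [i for i in ids if i.is_ai_agent]
    nhis = [i for i in ids if not i.is_ai_agent]
    critical = [i for i in ids if band(i.composite) == "Critical"]
    score = 0.0
    if agents:
        score += 40 * sum(a.reviewed for a in agents) / len(agents)
    if nhis:
        score += 20 * sum(n.has_owner for n in nhis) / len(nhis)
    score += 20 * alerts_handled_share
    if all(c.reviewed or c.hours_unreviewed <= 24 for c in critical):
        score += 5   # bonus: all critical agents reviewed within 24h
    if not any(i.anomaly_signals for i in ids):
        score += 5   # bonus: no active anomaly signals
    score -= 10 * sum(1 for c in critical if not c.reviewed and c.hours_unreviewed > 7 * 24)
    return min(max(score, 0.0), 100.0)


def tenant_health(ids, alerts_handled_share: float):
    """Final Score = (Risk x 50%) + (Governance x 50%), rounded, with its band."""
    final = round(0.5 * risk_component(ids) + 0.5 * governance_component(ids, alerts_handled_share))
    return final, band(final, HEALTH_BANDS)


# Constructed sample tenant (not real data).
IDENTITIES = [
    Identity("copilot-connector", 80, 90, is_ai_agent=True, reviewed=True,
             anomaly_signals=("velocity_spike",)),
    Identity("legacy-sync", 10, 85),                               # quiet but over-privileged
    Identity("rogue-mailer", 78, 40, hours_unreviewed=30, rogue=True,
             anomaly_signals=("mail_volume_spike", "velocity_spike")),
    Identity("backup-agent", 55, 30, has_owner=True),
]

if __name__ == "__main__":
    print("Risk component:", risk_component(IDENTITIES))        # 22
    print("Health:", tenant_health(IDENTITIES, 0.5))            # (39, 'At Risk')
    print("Sleeping threats:", sleeping_threats(IDENTITIES))    # ['legacy-sync']
```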
Overview
Response Actions allow you to take action on service principals directly from the AIRM identity detail page. All actions are human-initiated and logged in the Action History audit trail. Access Response Actions from the dropdown button in the identity detail page header.
Available Actions
Classification
- Mark as AI Agent — overrides AIRM's automatic classifier.
- Mark as Non-Human Identity — overrides the classifier in the other direction.
Manual reclassification is logged and does not affect the underlying risk score.
Approval
- Approve — marks the identity as reviewed and approved. Improves the Governance score. Requires a note.
- Flag for Review — marks for further investigation.
- Remove Approval — returns to unreviewed status.
Access Control (Requires Response Actions enabled)
Disable Identity — calls the Microsoft Graph API to set accountEnabled: false. The identity immediately stops being able to authenticate. Any application using this identity will stop working. AIRM requires a written reason and confirmation checkbox. This is a break-glass action.
Re-enable Identity — reverses a disable action.
Enabling Response Actions
Response Actions that modify Entra ID require additional Microsoft Graph permissions. Go to Settings → Tenant tab → Response Actions and click Enable Response Actions. A Microsoft admin consent screen will appear requesting Application.ReadWrite.All and AppRoleAssignment.ReadWrite.All.
Action History
Every action taken on an identity is logged in the Action History section at the bottom of the Risk Summary tab, including the action type, reason provided, who performed it, and when.
Your Tenant Health Score
The Health Score is a single number from 0 to 100 representing the overall security state of your Microsoft 365 environment. It is made up of two equally weighted components: Risk Score (what is currently in your environment) and Governance Score (how actively your environment is being managed).
| Score | What It Means |
|---|---|
| 90–100 Well Managed | Low risk, actively governed. Ideal state. |
| 75–89 Good Standing | Minor findings present, well managed. |
| 50–74 Needs Attention | Active findings that should be reviewed. |
| 25–49 At Risk | Significant risk present. Action required. |
| 0–24 Critical Exposure | Serious risk present. Urgent action needed. |
Understanding Alerts
P1 and P2 alerts require prompt attention — typically same day. P3 and P4 alerts are lower urgency and can be addressed during your regular security review cycle. P5 alerts are informational — no action required but worth awareness.
Your Reports
- Executive Summary (included for all users) — premium security posture report in plain English for board-level stakeholders.
- AI Agent Risk Report — weekly operational summary with risk scores and anomaly flags
- Non-Human Identity Risk Report — complete risk profile with blast radius bands and credential details
- Compliance Framework Report — detailed per-framework report with control findings
- Agent Inventory Export — CSV export of all identities
What Should I Do When I See A Warning?
If your Health Score drops suddenly, it typically means a new application was connected, an existing application started behaving differently, or a security finding was detected. Your security team will be notified automatically. If you connected a new application recently, let your security team know so they can review and approve it in AIRM.
Alert Types
| Alert Type | Trigger | Suppressible |
|---|---|---|
| New Agent Detected | New identity appears post-baseline | Yes |
| Anomaly Escalation | Identity develops new anomaly signals | No |
| Credential Expiry Warning | Credential within 14 days of expiry | Yes |
| Non-Human Identity Risk Escalation | Risk band worsens | Yes |
| SP Credential Manipulation | One identity adds credentials to another | Never |
| Group Member Manipulation | Identity adds members to groups | Never |
| Rogue App Detected | Known malicious OAuth app found | Never |
Alert Lifecycle
Alerts move through: Active → Acknowledged → Dismissed or Snoozed → Resolved (auto-closed by AIRM when condition clears).
Baseline Grace Period
The first scan establishes a baseline silently — no alerts fire for existing service principals. This prevents a flood of alerts about things that existed before AIRM was connected. After the baseline, alerts only fire for genuinely new findings and new anomaly behaviours. Critical signals (credential manipulation, rogue apps) always fire immediately.
Alert Deduplication
One alert per condition. If an anomaly flag persists across multiple scans, the existing alert is updated — not duplicated. A new alert only fires when a condition resolves and then reappears.
Auto-Resolution
After every scan, AIRM checks all active alerts. If the condition that triggered an alert has cleared, the alert automatically moves to Resolved.
Managing Alerts
- Bulk actions — select multiple alerts and acknowledge, dismiss, or snooze in one operation.
- Snooze — hide an alert for 1 hour to 2 weeks.
- Suppression rules — prevent specific publishers or app name patterns from generating new agent alerts.
- Email digest — default is Daily digest. Critical anomaly escalations always send immediately regardless of digest setting.
| Tier | Label | Response Time |
|---|---|---|
| P1 | Act Now | Same hour, any time of day or night |
| P2 | Act Today | Within business hours |
| P3 | Act This Week | Within 5 business days |
| P4 | Review When Able | Next review cycle |
| P5 | Informational | Batch process |
P1 — Act Now
These represent active threat indicators. Configure P1 alerts to fire to on-call channels.
- SP Credential Manipulation — always P1, no exceptions
- Group Member Manipulation — always P1, no exceptions
- Known Rogue App that has authenticated
- Access Sequence Anomaly on high-privilege identity
- Dormant Revival on high-privilege identity (inactive >90 days)
- Coordinated Anomaly — 3 or more identities with new anomaly flags in one scan
- Rapid Privilege Escalation — new identity granted admin permissions within 24 hours
P2 — Act Today
- Known Rogue App present but not yet authenticated
- Critical behaviour risk band identity unreviewed for more than 24 hours
- Low behaviour risk but Critical blast radius band — a quiet app with devastating permissions
- Baseline Critical finding unactioned after 7 days
P3 — Act This Week
- High risk identity without anomaly flags
- Credential expiry within 14 days
- Baseline High finding unactioned after 7 days
The 3am Test
Before assigning P1 to any condition, AIRM applies this test: Would a reasonable person want to be woken up at 3am on a Saturday for this? If yes — P1. If no — P2 or lower.
AIRM detects 11 anomaly patterns by analysing how service principals behave over time compared to their established baseline. Each anomaly contributes points to the Anomaly Risk component of the overall risk score.
Signal 1 — Off-Hours Access
What it detects: Activity outside normal operating hours.
What triggers it: Consistent after-hours activity over multiple days — a single late-night event does not trigger this.
Investigate: Is this part of a scheduled job? If no business reason exists, investigate whether credentials have been compromised.
Signal 2 — Velocity Spike
What it detects: A sudden significant increase in API calls compared to historical baseline.
What triggers it: Activity volume more than 3x the rolling average over a 24-hour window.
Investigate: A velocity spike combined with bulk file access is a strong indicator of data exfiltration.
Signal 3 — Scope Drift
What it detects: An identity previously accessing only certain resource types begins accessing new ones.
Investigate: Has the application been updated? Scope drift without a known update is a significant warning sign.
Signal 4 — Dormant Revival
What it detects: A service principal inactive for 90+ days that suddenly becomes active.
What triggers it: Zero activity for 90+ days followed by any authenticated API call.
Investigate: Dormant revival without a business explanation is strongly associated with credential theft. Auto-escalates to P1 on high-privilege identities.
Signal 5 — Unusual Geo Access
What it detects: Authentication from geographic locations inconsistent with historical access pattern. Most significant when combined with velocity spikes or scope drift.
Signal 6 — Sensitivity Label Access
What it detects: A service principal accessing files tagged with Microsoft Information Protection sensitivity labels. Available on E5 tenants only.
Signal 7 — Mail Volume Spike
What it detects: Email send volume more than 5x the historical baseline in a 24-hour period. A strong indicator of spam or phishing campaigns through a compromised identity.
Signal 8 — External Share Anomaly
What it detects: A service principal sharing content externally at a rate significantly above its baseline. In combination with scope drift or velocity spike may indicate data exfiltration.
Signal 9 — Access Sequence Anomaly
What it detects: A pattern of API calls consistent with reconnaissance — systematic probing in the sequence: Directory, Mail, Files, Calendar. Auto-escalates to P1 on high-privilege identities.
Signal 10 — SP Credential Manipulation
What it detects: This service principal has added credentials to a different service principal. Always P1. Immediate investigation required. An attacker who has compromised one identity adds credentials to a higher-privileged one. Identify which identity had credentials added and revoke them immediately.
Signal 11 — Group Member Manipulation
What it detects: This service principal has added a user or object to a Microsoft 365 group. Auto-escalates to P1 if the target group is privileged. Identify which group was modified, what permissions it has, and remove unauthorised members immediately.
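Detection logic for four of the signals above (velocity spike, mail volume spike, dormant revival, SP credential manipulation) run over constructed audit events; this is an added example, not AIRM's detector. The 3x, 5x and 90-day thresholds are from the page; the 7-day baseline window, the event field names and the operation name for adding credentials are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed reference time and windows. The 7-day baseline window and the operation
# name are assumptions; the 3x, 5x and 90-day thresholds come from the page.
NOW = datetime(2026, 3, 30, 2, 0, tzinfo=timezone.utc)
BASELINE_DAYS = 7
DORMANT_DAYS = 90
CRED_OP = "Add service principal credentials"


def ev(days_ago, actor, op, target=None, hours=0):
    """Build one constructed audit event."""
    return {"ts": NOW - timedelta(days=days_ago, hours=hours),
            "actor": actor, "op": op, "target": target}


# Constructed sample audit events (not real tenant data).
EVENTS = []
for d in range(1, BASELINE_DAYS + 1):
    EVENTS += [ev(d, "etl-bot", "FileAccessed", hours=h) for h in (3, 15)]       # 2 per day
    EVENTS += [ev(d, "newsletter-app", "Send", hours=h) for h in range(1, 11)]   # 10 per day
EVENTS += [ev(0, "etl-bot", "FileAccessed", hours=h) for h in range(20)]         # 20 in 24h
EVENTS += [ev(0, "newsletter-app", "Send", hours=h / 4) for h in range(80)]      # 80 in 24h
EVENTS += [ev(120, "old-reporter", "FileAccessed"),                               # silent 120 days
           ev(0, "old-reporter", "FileAccessed", hours=1)]                        # then active again
EVENTS += [ev(0, "helper-app", CRED_OP, target="finance-admin-app", hours=2)]


def _counts(evs, now, op=None):
    """(events in the last 24h, average events per day over the preceding baseline window)."""
    window_start = now - timedelta(hours=24)
    base_start = window_start - timedelta(days=BASELINE_DAYS)
    recent = base = 0
    for e in evs:
        if op is not None and e["op"] != op:
            continue
        if e["ts"] >= window_start:
            recent += 1
        elif e["ts"] >= base_start:
            base += 1
    return recent, base / BASELINE_DAYS


def velocity_spike(evs, now=NOW):
    """Signal 2: more than 3x the rolling average in a 24-hour window."""
    recent, avg = _counts(evs, now)
    return avg > 0 and recent > 3 * avg


def mail_volume_spike(evs, now=NOW):
    """Signal 7: send volume more than 5x the baseline in a 24-hour period."""
    recent, avg = _counts(evs, now, op="Send")
    return avg > 0 and recent > 5 * avg


def dormant_revival(evs, now=NOW):
    """Signal 4: no activity for 90+ days, then any authenticated call."""
    window_start = now - timedelta(hours=24)
    recent = [e for e in evs if e["ts"] >= window_start]
    older = [e["ts"] for e in evs if e["ts"] < window_start]
    return bool(recent and older) and (window_start - max(older)) >= timedelta(days=DORMANT_DAYS)


def credential_manipulation(evs):
    """Signal 10: this principal added credentials to a different principal."""
    return [e["target"] for e in evs
            if e["op"] == CRED_OP and e["target"] and e["target"] != e["actor"]]


def analyse(events, now=NOW):
    """Return {actor: [signal names]} for every principal with at least one signal."""
    groups = defaultdict(list)
    for e in events:
        groups[e["actor"]].append(e)
    findings = {}
    for actor, evs in groups.items():
        hits = []
        if velocity_spike(evs, now):
            hits.append("velocity_spike")
        if mail_volume_spike(evs, now):
            hits.append("mail_volume_spike")
        if dormant_revival(evs, now):
            hits.append("dormant_revival")
        for target in credential_manipulation(evs):
            hits.append(f"sp_credential_manipulation -> {target} (P1)")
        if hits:
            findings[actor] = hits
    return findings


if __name__ == "__main__":
    for actor, hits in analyse(EVENTS).items():
        print(actor, hits)
```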
Classification Types
AI Agent
A service principal AIRM has determined is an AI-powered tool. AIRM identifies AI agents using known AI application catalogue matching, publisher verification, permission pattern analysis, and behavioural signals.
Non-Human Identity
A service principal that is not an AI agent and not a Microsoft first-party application. Includes legacy integrations, automation accounts, third-party SaaS connectors, custom applications, and unclassified identities.
Microsoft First-Party
Applications published and owned by Microsoft Corporation. These are known-safe and well-documented. AIRM identifies them by matching against Microsoft's published application catalogue of 4,000+ apps.
Managed Identity
Service principals backed by Azure Managed Identities — where Microsoft manages the credentials automatically. These are inherently more secure than secret-based identities.
Confidence Levels
| Confidence | Meaning |
|---|---|
| Definitive | Matched by application ID against known AI app catalogue |
| High | Strong permission and publisher signals |
| Possible | Behavioural signals only — warrants review |
| Manual | Manually reclassified by an operator |
When Classification Is Wrong
Open the identity detail page, click Response Actions and select Mark as AI Agent or Mark as Non-Human Identity. Enter a reason. Manual classifications take precedence over the automatic classifier and do not affect the risk score.
Credential Types
| Type | Exposure Risk | Rotation Required | Usable Outside Azure |
|---|---|---|---|
| Client Secret | High | Yes | Yes |
| Certificate | Medium | Yes | Yes |
| Managed Identity | None | No | No |
How Credentials Go Wrong
Leakage — secret committed to GitHub, logged in a log file, included in a backup. An attacker who obtains the secret can authenticate as that identity from anywhere, at any time, until revoked.
Aged credentials — a secret unchanged for 2 years has had 2 years of exposure window.
Orphaned credentials — active credentials on an identity with no assigned owner. Nobody is responsible for rotating or revoking them.
SP Credential Manipulation — one identity adding credentials to another. AIRM detects this as anomaly signal 10 and escalates to P1 immediately.
Rotation Best Practice
- High-privilege identities: rotate every 30 days
- Standard identities: rotate every 90 days
- Certificates: rotate every 6 months
- Orphaned credentials: revoke immediately
What AIRM Detects
- Credential age on orphaned identities (Medium risk signal)
- Credentials expiring within 14 days (alert fired)
- SP Credential Manipulation — one identity adding credentials to another (P1 alert)
- Excessive credential count — multiple active secrets on one identity
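A rotation-policy check over service principal credential records, as an added example rather than AIRM's own logic. The records are constructed to match the Microsoft Graph passwordCredentials and keyCredentials fields (keyId, startDateTime, endDateTime); the owner and high_privilege fields and the "two or more active secrets" threshold are assumptions.

```python
from datetime import datetime, timezone

NOW = datetime(2026, 3, 30, tzinfo=timezone.utc)   # constructed reference time

# Rotation policy from the page, in days; the "multiple active secrets" threshold is assumed.
MAX_AGE_DAYS = {"high_privilege": 30, "standard": 90, "certificate": 182}
EXPIRY_WARNING_DAYS = 14
EXCESSIVE_SECRET_COUNT = 2


def _dt(iso: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps Graph returns (trailing Z)."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def _active(creds, now):
    """Credentials whose endDateTime is still in the future."""
    return [c for c in creds if _dt(c["endDateTime"]) > now]


def check_identity(sp: dict, now: datetime = NOW) -> list:
    """Findings for one service principal record with Graph-shaped credential lists."""
    findings = []
    secrets = _active(sp.get("passwordCredentials", []), now)
    certs = _active(sp.get("keyCredentials", []), now)
    secret_policy = "high_privilege" if sp.get("high_privilege") else "standard"
    for cred, policy in [(c, secret_policy) for c in secrets] + [(c, "certificate") for c in certs]:
        age = (now - _dt(cred["startDateTime"])).days
        left = (_dt(cred["endDateTime"]) - now).days
        if left <= EXPIRY_WARNING_DAYS:
            findings.append(f"{cred['keyId']}: expires in {left} days (Credential Expiry Warning)")
        if age > MAX_AGE_DAYS[policy]:
            findings.append(f"{cred['keyId']}: {age} days old, past the {MAX_AGE_DAYS[policy]}-day rotation policy")
    if (secrets or certs) and not sp.get("owner"):
        findings.append("orphaned: active credentials with no assigned owner; revoke immediately")
    if len(secrets) >= EXCESSIVE_SECRET_COUNT:
        findings.append(f"excessive credential count: {len(secrets)} active client secrets")
    return findings


def scan(sps, now: datetime = NOW) -> dict:
    """Map displayName to findings for every identity that has at least one."""
    return {sp["displayName"]: f for sp in sps if (f := check_identity(sp, now))}


# Constructed sample records (not real tenant data).
SERVICE_PRINCIPALS = [
    {"displayName": "payroll-sync", "owner": "it-ops", "high_privilege": True,
     "passwordCredentials": [{"keyId": "ps-1", "startDateTime": "2025-12-01T00:00:00Z",
                              "endDateTime": "2027-01-01T00:00:00Z"}]},
    {"displayName": "legacy-connector", "owner": None,
     "passwordCredentials": [
         {"keyId": "lc-1", "startDateTime": "2024-01-15T00:00:00Z", "endDateTime": "2026-04-10T00:00:00Z"},
         {"keyId": "lc-2", "startDateTime": "2026-03-01T00:00:00Z", "endDateTime": "2027-03-01T00:00:00Z"}]},
    {"displayName": "cert-app", "owner": "platform",
     "keyCredentials": [{"keyId": "ca-1", "type": "AsymmetricX509Cert",
                         "startDateTime": "2025-06-01T00:00:00Z", "endDateTime": "2027-06-01T00:00:00Z"}]},
    {"displayName": "managed-id-app", "owner": "platform"},   # managed identity: nothing to rotate
]

if __name__ == "__main__":
    for name, findings in scan(SERVICE_PRINCIPALS).items():
        print(name)
        for f in findings:
            print("  -", f)
```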
Tier 1 — Direct Mappings
NIST AI Risk Management Framework (AI RMF)
Developed by the US National Institute of Standards and Technology specifically for AI systems. The most directly relevant framework for AI agent governance. AIRM maps to GOVERN (1.1, 1.2, 1.6, 1.7), MAP (1.1, 2.1, 5.1), MEASURE (2.1, 2.3, 2.5), MANAGE (1.3, 2.2, 3.1).
EU Artificial Intelligence Act
In force from February 2025. Applies to providers and deployers of AI systems in the EU market. AIRM maps AI agent findings to Articles 6 (high-risk classification), 9 (risk management), 13 (transparency and logging), 14 (human oversight), and 28 (deployer obligations). AI frameworks show AI agents only.
ISO/IEC 42001 — AI Management System
The international standard for establishing and maintaining an AI management system. AIRM maps findings to Clauses 4 (organisational context), 6.1 (risk assessment), 8.1 (operational control), 8.4 (impact assessment), and 9.1 (monitoring). AI frameworks show AI agents only.
MAS Technology Risk Management (TRM)
Legally binding for financial institutions in Singapore. AIRM maps to TRM 9.1 (Access Controls), TRM 9.2 (Privileged Access), TRM 10 (Third-Party Risk).
UK Cyber Assessment Framework (CAF)
AIRM maps to B2a (Identity and Access Control), B2b (Identity Verification), D1 (Response and Recovery).
Tier 2 — Advisory Mappings
DORA — Digital Operational Resilience Act
EU regulation on digital operational resilience for the financial sector, effective January 2025. AIRM maps findings to Articles 5, 8, 9, 10, and 28.
ASD Essential Eight
Australia's eight mitigation strategies. AIRM findings are relevant to Restrict Administrative Privileges and Application Control strategies.
ISO 27001, BSI IT-Grundschutz, UK Cyber Essentials, India CERT-In
Broader security frameworks where AIRM findings are advisorily relevant to access control, asset management, and monitoring controls.
Generating Compliance Reports
Navigate to Compliance & Reporting. The Compliance Framework Report dropdown groups frameworks by tier — orange dot indicates frameworks with active findings. All paid PDF reports can be branded with your MSP logo and company name via the Report Branding panel.
| Report | Availability | Description |
|---|---|---|
| Executive Summary | Free (all users) | Premium security posture report in plain English |
| AI Agent Risk Report | Paid | Weekly operational summary |
| Non-Human Identity Risk Report | Paid | Complete identity risk profile |
| Compliance Framework Report | Paid | Per-framework with control findings |
| Agent Inventory Export | Paid | Full CSV export |
Native PSA Connectors
ConnectWise Manage, HaloPSA, and Autotask have native integrations — AIRM creates tickets directly in the PSA without middleware.
ConnectWise Manage Setup
- Go to System → Members → API Members — create an API member named "AIRM"
- Assign a security role with Service Desk → Service Ticket → Add: All
- Click API Keys → + to generate a public and private key pair
- Get your Client ID from developer.connectwise.com
- Enter credentials in AIRM → Integrations → ConnectWise
- Run a test ticket to confirm
Required: Instance URL, Company ID, Public Key, Private Key, Client ID, Service Board name
HaloPSA Setup
- Go to Configuration → Teams & Agents → Agents — create an API-only agent
- Go to Configuration → Integrations → HaloPSA API → View Applications
- Create new application — select "Client ID and Secret (Services)"
- In Permissions tab: enable edit:tickets, read:tickets, read:customers
- Copy Client ID and Client Secret (shown once only)
- Enter credentials in AIRM → Integrations → HaloPSA
Required: Instance URL, Tenant (cloud only), Client ID, Client Secret, Ticket Type ID
Autotask Setup
- Go to Admin → Resources/Users → New API User
- Set security level to API User (API-only)
- Save and copy the API Integration Code, Username, and Secret
- Use the Auto-detect Zone button in AIRM to find your correct API zone
- Enter credentials in AIRM → Integrations → Autotask
Required: API Zone, API Integration Code, Username, Secret, Queue ID
Generic Webhook Integrations
Slack, Microsoft Teams, PagerDuty, OpsGenie, Splunk, Sentinel, and any platform accepting HTTP POST all use the generic webhook flow.
Example alert.created payload:
```json
{
  "event": "alert.created",
  "timestamp": "2026-03-30T02:15:00Z",
  "tenant": { "name": "Acme Corp", "health_score": 63 },
  "alert": {
    "priority_tier": "P1",
    "priority_label": "Act Now",
    "alert_type": "sp_credential_manipulation",
    "sp_name": "SharePoint Online Web Client"
  }
}
```
Signature verification: If you configure a secret key, AIRM signs every payload using HMAC-SHA256. The signature is in the X-AIRM-Signature header: sha256={hex_digest}.
Event Filters
| Platform | Recommended Filter |
|---|---|
| PagerDuty / OpsGenie | P1 only |
| Slack security channel | P1 + P2 |
| ConnectWise / HaloPSA | P1 + P2 + P3 |
| Splunk / Sentinel | All tiers |
Rogue app detections always fire to all enabled integrations regardless of filter settings.
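A receiver for the generic webhook, as an added example that is not part of AIRM: it verifies the X-AIRM-Signature header in constant time, then applies the Event Filters table with the rogue-app override. It assumes the HMAC is computed over the raw request body bytes and uses an assumed alert_type value for rogue app detections (the page names only sp_credential_manipulation).

```python
import hashlib
import hmac
import json
from typing import Optional

# Routing policy from the Event Filters table; rogue app detections bypass it.
ALL_TIERS = {"P1", "P2", "P3", "P4", "P5"}
FILTERS = {
    "pagerduty": {"P1"},
    "slack-security": {"P1", "P2"},
    "connectwise": {"P1", "P2", "P3"},
    "splunk": ALL_TIERS,
}
ROGUE_ALERT_TYPE = "rogue_app_detected"   # assumed value; the page only shows sp_credential_manipulation


def sign(secret: bytes, body: bytes) -> str:
    """Header value in the documented form sha256={hex_digest}.
    Assumption: the MAC is computed over the raw request body bytes exactly as sent."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Constant-time check of X-AIRM-Signature against the raw body; never parse before this."""
    if not header or not header.startswith("sha256="):
        return False
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, header[len("sha256="):])


def route(payload: dict) -> list:
    """Destinations whose filter admits this alert's priority tier."""
    alert = payload.get("alert", {})
    if alert.get("alert_type") == ROGUE_ALERT_TYPE:
        return sorted(FILTERS)                      # rogue apps fire to every integration
    tier = alert.get("priority_tier")
    return sorted(name for name, tiers in FILTERS.items() if tier in tiers)


def handle(secret: bytes, body: bytes, header: Optional[str]):
    """Receiver entry point: reject unsigned or tampered bodies, then route.
    Returns None when the signature check fails."""
    if not verify(secret, body, header):
        return None
    payload = json.loads(body)
    if payload.get("event") != "alert.created":
        return []
    return route(payload)


# Constructed shared secret; payload reproduces the page's example. Not live data.
SECRET = b"constructed-shared-secret"
PAYLOAD = {
    "event": "alert.created",
    "timestamp": "2026-03-30T02:15:00Z",
    "tenant": {"name": "Acme Corp", "health_score": 63},
    "alert": {"priority_tier": "P1", "priority_label": "Act Now",
              "alert_type": "sp_credential_manipulation",
              "sp_name": "SharePoint Online Web Client"},
}
BODY = json.dumps(PAYLOAD, separators=(",", ":")).encode()

if __name__ == "__main__":
    header = sign(SECRET, BODY)
    print(handle(SECRET, BODY, header))                            # all four destinations
    print(handle(SECRET, BODY.replace(b'"P1"', b'"P5"'), header))  # None: body was tampered
```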
Managing Multiple Tenants
The Tenants page is your MSP control centre. From here you can see all connected client tenants with health scores, trigger manual scans, view last scan times, add new tenants, and remove tenants.
Scan Schedule
Automated scans run every Monday at 2am server time. Manual scans can be triggered at any time from the Tenants page (2-10 minutes depending on tenant size). The 30-minute audit log poller runs continuously for all connected tenants.
Data Retention
| Data Type | Retention Period |
|---|---|
| Audit events | 90 days |
| Behavioural snapshots | 12 months |
| Scan run records | 12 months |
| Alert records | 12 months |
| Identity risk history | 12 months |
Removing a Client Tenant
Navigate to Tenants → click the tenant → Settings → Tenant tab → Remove Tenant. This deletes all AIRM data immediately and stops scanning. It does NOT revoke the Microsoft consent — the client must do this in their Microsoft 365 Admin Centre.
When Microsoft Tokens Expire
AIRM uses refresh tokens that last up to 90 days. If expired, the tenant shows as disconnected. To reconnect: navigate to Tenants, click the disconnected tenant, and click Reconnect. The client's Global Administrator must re-approve the consent screen.
Server Health Indicators
Healthy: [DB] MongoDB connected, [Cron] Auto-scan scheduled, [Poller] Scheduled — polling every 30 minutes
Problems: [O365] Failed to start Audit, [Scan] Scan failed for tenant, [Email] Failed to send
Scan Schedule
AIRM scans your environment automatically every Monday at 2am. You can trigger a manual scan at any time from the Tenants page. Between scans, AIRM monitors in real time and can detect new applications within 30 minutes.
Your Data in AIRM
AIRM stores application registrations and risk scores, audit log summaries (not the content of emails or files), behavioural patterns derived from audit logs, alert history, and health score history. AIRM does not store the content of your emails, documents, or files — only metadata about which applications accessed them. Data is automatically deleted after 12 months.
Disconnecting AIRM
- Go to Tenants in AIRM, click on your tenant, click Remove Tenant
- Log into Microsoft 365 Admin Centre → Enterprise Applications → find AIRM → delete it
Privacy and Data Security
All data is encrypted in transit and at rest. AIRM does not share your data with third parties. For questions about data handling, contact support@sabikisupport.com.
Roles Overview
Viewer — Can browse all data, view risk scores, compliance mappings, and download reports — but cannot take any actions or modify any settings. Ideal for executives, clients, or auditors.
Analyst — Full Viewer access plus the ability to acknowledge and manage alerts, execute response actions, and create suppression rules. Ideal for MSP technicians and internal security team members.
Admin — Full access to everything. Can manage tenant connections, invite and remove users, configure integrations, enable response actions, and change account settings. The first user to create an account is always Admin.
Permissions Matrix
| Feature | Viewer | Analyst | Admin |
|---|---|---|---|
| View AI Agents and Non-Human Identities | ✓ | ✓ | ✓ |
| View risk scores and blast radius | ✓ | ✓ | ✓ |
| View compliance page and frameworks | ✓ | ✓ | ✓ |
| Download reports (all types) | ✓ | ✓ | ✓ |
| View alerts | ✓ | ✓ | ✓ |
| Acknowledge / snooze / dismiss alerts | ✗ | ✓ | ✓ |
| Create and manage suppression rules | ✗ | ✓ | ✓ |
| Execute response actions on identities | ✗ | ✓ | ✓ |
| Mark identities as reviewed / classify | ✗ | ✓ | ✓ |
| Manage tenant connections | ✗ | ✗ | ✓ |
| Invite and remove users | ✗ | ✗ | ✓ |
| Configure PSA integrations | ✗ | ✗ | ✓ |
| Manage webhooks | ✗ | ✗ | ✓ |
| Enable / disable response actions | ✗ | ✗ | ✓ |
| Change account type (MSP vs Direct) | ✗ | ✗ | ✓ |
Inviting Users
Go to Tenants → Invite User. When selecting a role, a description of what that role can do will appear automatically. Click "View full permissions matrix" to see the complete breakdown before confirming.
Two-Factor Authentication
All users are strongly encouraged to enable 2FA, especially Admins. Go to Settings → Profile → Security and click Enable Two-Factor Authentication. Scan the QR code with your authenticator app, enter a verification code to confirm, and save your 8 recovery codes. Your MFA status is shown in the top-right user dropdown.
The Onboarding Conversation
"We have just completed our first scan of your Microsoft 365 environment. Your current Tenant Health Score is [X]. AIRM has found [Y] AI agents and [Z] non-human identities that have not been reviewed or governed. The good news is that most of this is fixable through our management process. Let me walk you through what we found."
The low initial score is your proof-of-value opportunity — not a problem.
The 30-Day Score Progression
| Day | Score | Band | Key Driver |
|---|---|---|---|
| Day 1 | ~32 | At Risk | Nothing reviewed |
| Day 7 | ~51 | Needs Attention | Critical agents reviewed |
| Day 14 | ~64 | Needs Attention | High agents + ownership |
| Day 21 | ~74 | Needs Attention | Medium agents covered |
| Day 30 | ~81 | Good Standing | Full review complete |
Dual Band Insight — The MSP Differentiator
"We found 3 apps in your tenant that appear completely quiet — no suspicious behaviour at all. But their permissions would give an attacker access to every email and file in your organisation if compromised. Traditional monitoring tools miss these entirely because they only look at behaviour. AIRM surfaces them because the permissions alone represent a critical risk."
Score Improvement Playbook
| Week | Actions | Expected Governance Gain |
|---|---|---|
| Week 1 | Review Critical agents, acknowledge all alerts | +20–30 points |
| Week 2 | Assign owners to high-risk identities, review High agents | +15–20 points |
| Week 3 | Work through Medium agents, assign remaining owners | +10–15 points |
| Week 4 | All agents reviewed, all identities owned | Final: 75–90 |
The MSP Tenants Overview
The Tenants page shows all connected client tenants as cards with Overall Health Score, Risk Component, Governance Component, risk pill counts (Critical/High/Medium/Low), last scan time, and a Scan Now button.
Switching Between Client Tenants
Click on any tenant card to view that client's dashboard. The entire AIRM interface updates to show data for the selected tenant. The header shows the currently active tenant name at all times. To return to the MSP overview, click Tenants in the sidebar.
Health Score Comparison
- Sort tenants by Overall Health Score (lowest first)
- Clients with At Risk or Critical Exposure scores need immediate attention
- Clients with Well Managed scores can be reviewed on a monthly cadence
- Focus your team's effort on P1 and P2 alerts across all tenants first
Per-Tenant Alert Configuration
Each client tenant has its own alert configuration. Navigate to Alerting while viewing a specific tenant to configure alert delivery email, digest frequency, thresholds, and suppression rules. Consider setting the alert email to your team's shared security mailbox so all team members see alerts for all clients.
When You Might Have Multiple Tenants
- Your organisation has subsidiaries with their own Microsoft 365 tenants
- You operate in multiple regions with separate tenant environments
- Your organisation has acquired another company with its own tenant
- You have a dedicated tenant for development or test environments
Connecting Additional Tenants
Navigate to Tenants and click Add Tenant for each additional environment. Each tenant requires its own Global Administrator to approve consent. A Global Administrator of Tenant A cannot approve consent for Tenant B.
Viewing Multiple Tenants
The Tenants page shows all connected tenants as cards. Each tenant is monitored independently — findings, alerts, and health scores are separate per tenant.
Licence Implications
Each connected tenant counts toward your plan's tenant allowance. Contact support@sabikisupport.com to discuss options for multi-tenant monitoring.
Scan Not Completing
Microsoft Graph API authentication error: The tenant's access token has expired. Go to Tenants, click the affected tenant, and click Reconnect.
Scan times out on large tenant: Tenants with 500+ service principals may take longer than expected. Wait 15 minutes before assuming the scan has failed.
MongoDB write error: Check Atlas connection string and network access rules. The AIRM server IP must be in the Atlas IP allowlist.
No Audit Events Collecting
Check server logs for [Poller] entries. You should see: [Poller] N events — running behavioural aggregation for N SPs
Office 365 audit log subscription not active: Trigger a manual scan — this reinitialises the subscriptions.
Licence tier not supported: Confirm the tenant's licence tier is E3, E5, or Business.
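A check that reads AIRM server log lines and reports the Server Health Indicators and the [Poller] activity line described above, as an added Python example that is not AIRM's code. It assumes each line may carry a leading timestamp before the [Component] tag (the page shows only the tags and messages), and the sample lines are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Healthy and problem markers from the Server Health Indicators list, keyed by
# the bracketed component tag each line starts with.
HEALTHY_MARKERS = {
    "DB": "MongoDB connected",
    "Cron": "Auto-scan scheduled",
    "Poller": "Scheduled",
}
PROBLEM_MARKERS = {
    "O365": "Failed to start Audit",
    "Scan": "Scan failed for tenant",
    "Email": "Failed to send",
}

# Optional timestamp (or other) prefix, then "[Component] message".
TAG_RE = re.compile(r"^(?:\S+\s+)*?\[(?P<component>\w+)\]\s*(?P<message>.*)$")
# "[Poller] N events — running behavioural aggregation for N SPs"
POLLER_EVENTS_RE = re.compile(
    r"^(?P<events>\d+) events\b.*aggregation for (?P<sps>\d+) SPs")

# Constructed sample log; the timestamps and the text after each marker are
# made up for this example.
SAMPLE_LOG = """\
2026-03-30T02:00:01Z [DB] MongoDB connected
2026-03-30T02:00:01Z [Cron] Auto-scan scheduled
2026-03-30T02:00:02Z [Poller] Scheduled — polling every 30 minutes
2026-03-30T02:30:00Z [Poller] 42 events — running behavioural aggregation for 7 SPs
2026-03-30T03:00:00Z [Poller] 0 events — running behavioural aggregation for 0 SPs
2026-03-30T03:05:10Z [O365] Failed to start Audit subscription for tenant Acme Corp
2026-03-30T03:06:00Z [Email] Failed to send digest to soc@example.com
"""


def classify_line(line: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (status, component, message); status is healthy, problem or other."""
    m = TAG_RE.match(line.strip())
    if not m:
        return ("other", None, None)
    comp, msg = m.group("component"), m.group("message")
    if comp in PROBLEM_MARKERS and msg.startswith(PROBLEM_MARKERS[comp]):
        return ("problem", comp, msg)
    if comp in HEALTHY_MARKERS and msg.startswith(HEALTHY_MARKERS[comp]):
        return ("healthy", comp, msg)
    return ("other", comp, msg)


def poller_activity(line: str) -> Optional[Tuple[int, int]]:
    """Parse a poller batch line into (events, service principals), else None."""
    m = TAG_RE.match(line.strip())
    if not m or m.group("component") != "Poller":
        return None
    pm = POLLER_EVENTS_RE.match(m.group("message"))
    if not pm:
        return None
    return (int(pm.group("events")), int(pm.group("sps")))


def summarize(lines: List[str]) -> Dict[str, object]:
    """Aggregate healthy components, problem lines and poller batches."""
    summary: Dict[str, object] = {
        "healthy": [], "problems": [], "poller_batches": 0, "poller_events": 0}
    for line in lines:
        status, comp, msg = classify_line(line)
        if status == "problem":
            summary["problems"].append(f"[{comp}] {msg}")
        elif status == "healthy":
            summary["healthy"].append(comp)
        activity = poller_activity(line)
        if activity is not None:
            summary["poller_batches"] += 1
            summary["poller_events"] += activity[0]
    # No batch lines at all means audit events are not being collected.
    summary["audit_collection_ok"] = summary["poller_batches"] > 0
    return summary


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG.splitlines())
    for key, value in result.items():
        print(f"{key}: {value}")
```

A zero-event batch still counts as poller activity, because the page's troubleshooting point is whether the [Poller] line appears at all, not how many events it carries.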
PSA Integration Not Creating Tickets
- Go to Integrations — check the Last Status column
- If it shows Failed, click the integration to see the error message
- Use Create Test Ticket to test the connection with live credentials
Authentication error (401): Credentials have changed or expired. Re-enter and test.
Permission denied (403): API user does not have ticket creation permissions.
Board/queue not found (400/422): Service board or queue name is incorrect.
Alert Emails Not Arriving
- Check spam/junk folder
- Verify email address in Alerting
- Check digest mode setting — daily digest only sends once per day
Note: Critical anomaly escalations always bypass digest mode.
Health Score Not Updating
The health score recalculates after each scan. Trigger a manual scan from the Tenants page to see the updated score immediately.
Support Escalation
If the above steps do not resolve the issue, contact support@sabikisupport.com and include: which tenant is affected, when the problem started, and any error messages visible in the UI.