Xito Documentation
Complete reference for MCP tools, resources, data model, configuration, and deployment of Xito — AI-powered user lifecycle automation for Office 365.
Overview
Xito is an AI-powered service that autonomously syncs EmployWise HRMS with Azure AD / Microsoft 365. It uses an agentic pipeline of 8 sequential AI tools that perceive, reason, decide, and act on your identity data.
The application exposes its capabilities as MCP (Model Context Protocol) tools and resources, enabling any AI assistant — Copilot, ChatGPT, Claude, Cursor — to query your identity data and trigger lifecycle actions.
ad_users (from Azure AD) and hr_ms_employees (from EmployWise) — and compares them to detect drift, then applies corrections to Azure AD.Architecture
Xito follows a snapshot → compare → act → log cycle:
┌─────────────────┐ ┌──────────────────┐
│ EmployWise │────────▶│ │
│ HRMS API │ │ Xito │
└─────────────────┘ │ AI Agents │
│ │──────▶ Audit Logs
┌─────────────────┐ │ (8 Tools) │──────▶ Teams Alerts
│ Microsoft │◀───────▶│ │
│ Graph API │ └──────────────────┘
└─────────────────┘
│
▼
┌─────────────────┐
│ Azure AD │
│ Microsoft 365 │
└─────────────────┘Configuration
Environment Variables
| Variable | Required | Description | Default |
|---|---|---|---|
ms_graph_tenant_id | Yes | Azure AD tenant (directory) ID | — |
ms_graph_client_id | Yes | App registration client ID | — |
ms_graph_client_secret | Yes | App registration client secret | — |
EMPLOYWISE_API_KEY | Yes | EmployWise API key | — |
EMPLOYWISE_API_URL | Yes | EmployWise employee export endpoint | — |
AD_DISABLE_AFTER_EXIT_DAYS | No | Grace period (days) after exit date before leaver cleanup | 7 |
TEAMS_WEBHOOK_URL | No | Microsoft Teams incoming webhook URL for failure alerts | — |
Customer Filters
Per-tenant filtering is configured in the Xito configuration panel:
{
"customer-filters": {
"YOUR-TENANT-ID-GUID": {
"include_domains": ["yourcompany.com"],
"exclude_employment_statuses": ["Alumni"],
"exclude_emp_codes": ["51530"]
}
}
}| Filter | Type | Behavior |
|---|---|---|
include_domains | array | Only import employees whose email domain is in this list |
exclude_employment_statuses | array | Skip employees with these employment statuses |
exclude_emp_codes | array | Skip specific employee codes |
Quick Start
# 1. Deploy Xito to your environment
xito:install
# 2. Configure credentials
xito:configure --setup
# Provide Azure AD and EmployWise credentials
# 3. Initialize the data store
xito:init
# 4. Run the full AI pipeline
xito:run_pipeline
# 5. Or trigger individual AI agents
xito:sync_ad_users
xito:sync_hrms
xito:update_fieldsMCP Tools
Xito exposes 8 tools via the Model Context Protocol. Each tool can be invoked by any MCP-compatible client (Cursor, Claude Desktop, Copilot Studio, or custom agents).
sync_ad_users
AvailableFetches all users from Azure AD via Microsoft Graph API and stores them in the local AD snapshot, creating or updating each record as needed.
MCP Invocation
xito:sync_ad_usersGraph API Call
| Method | Endpoint |
|---|---|
| GET | /v1.0/users?$select=id,displayName,givenName,surname,mail,userPrincipalName,accountEnabled,department,jobTitle,mobilePhone,officeLocation,city,employeeId,employeeHireDate,employeeLeaveDateTime&$expand=manager($select=displayName,userPrincipalName,mail)&$top=500 |
Fields Captured
| Graph Field | Local Column | Description |
|---|---|---|
id | user_id | Azure AD object ID (primary key) |
employeeId | emp_code | Employee code from HR |
accountEnabled | account_enabled | Whether account is active |
givenName | first_name | First name |
surname | last_name | Last name |
displayName | display_name | Full display name |
userPrincipalName | email | UPN / email |
department | department | Department |
jobTitle | designation | Job title |
officeLocation | base_location | Office location |
mobilePhone | mobile_number | Mobile number |
manager.displayName | reporting_manager | Manager name |
manager.userPrincipalName | reporting_manager_email | Manager email |
employeeHireDate | date_of_joining | Hire date |
employeeLeaveDateTime | date_of_exit | Leave/exit date |
sync_hrms_employees
AvailableFetches all employees from EmployWise API, applies customer-specific filters, stores in the HRMS snapshot, and auto-links to AD accounts by email match.
MCP Invocation
xito:sync_hrmsAPI Call
| Method | Endpoint |
|---|---|
| GET | {EMPLOYWISE_API_URL}?api_key={key}&data_type=0 |
Fields Captured
| EmployWise Field | Local Column | Description |
|---|---|---|
emp_code | emp_code | Employee code (primary key) |
fname | first_name | First name |
lname | last_name | Last name |
user_name | display_name | Display name |
email | email | Email address |
bu | department | Business unit |
design | designation | Designation |
location | base_location | Base location |
mobile_no | mobile_number | Mobile number |
sup_name | reporting_manager | Supervisor name |
supervisor_email | reporting_manager_email | Supervisor email |
status | employment_status | Employment status |
doj | date_of_joining | Date of joining |
last_working_date | date_of_exit | Last working date |
Post-Sync: AD Linking
After import, the agent identifies unlinked HRMS employees, matches them to AD users by email, and populates the link automatically.
update_user_fields
AvailableCompares 10 fields between HRMS and AD for every linked employee. Only updates fields that actually differ — one operation per user.
MCP Invocation
xito:update_fieldsGraph API Call
| Method | Endpoint | Payload |
|---|---|---|
| PATCH | /v1.0/users/{userId} | Only changed fields |
Field Mapping (10 Fields)
| Graph API Field | HRMS Source | AD Source |
|---|---|---|
employeeId | emp_code | emp_code |
givenName | first_name | first_name |
surname | last_name | last_name |
displayName | display_name | display_name |
department | department | department |
jobTitle | designation | designation |
officeLocation | base_location | base_location |
mobilePhone | mobile_number | mobile_number |
employeeHireDate | date_of_joining | date_of_joining |
employeeLeaveDateTime | date_of_exit | date_of_exit |
update_managers
AvailableCompares reporting manager emails between HRMS and AD. Sets, changes, or removes the manager reference in Azure AD.
MCP Invocation
xito:update_managersGraph API Calls
| Scenario | Method | Endpoint |
|---|---|---|
| Get current manager | GET | /v1.0/users/{userId}/manager?$select=userPrincipalName |
| Set / change manager | PUT | /v1.0/users/{userId}/manager/$ref |
| Remove manager | DELETE | /v1.0/users/{userId}/manager/$ref |
Decision Logic
| HRMS Manager | AD Manager | Action |
|---|---|---|
boss@co.com | (none) | PUT — set manager |
newboss@co.com | oldboss@co.com | PUT — change manager |
| (empty) | boss@co.com | DELETE — remove manager |
boss@co.com | boss@co.com | Skip — no change |
disable_leaver_accounts
AvailableFinds HRMS employees whose exit date falls within the configured grace window and disables their Azure AD account.
MCP Invocation
xito:disable_accountsLeaver Detection Logic
cutoff = today - grace_period_days
criteria: exit_date within grace window AND linked to AD accountGraph API Call
| Method | Endpoint | Payload |
|---|---|---|
| PATCH | /v1.0/users/{userId} | {"accountEnabled": false} |
cancel_licenses
AvailableRetrieves all M365 license SKUs for each leaver and removes them, freeing up license seats.
MCP Invocation
xito:cancel_licensesGraph API Calls
| Step | Method | Endpoint |
|---|---|---|
| Get licenses | GET | /v1.0/users/{userId}/licenseDetails |
| Remove license | POST | /v1.0/users/{userId}/assignLicense |
Remove License Payload
{
"addLicenses": [],
"removeLicenses": ["<skuId>"]
}remove_from_groups
AvailableRemoves leavers from all manually-assigned Azure AD groups. Dynamic groups are automatically detected and skipped.
MCP Invocation
xito:remove_groupsGraph API Calls
| Step | Method | Endpoint |
|---|---|---|
| Get memberships | GET | /v1.0/users/{userId}/memberOf/microsoft.graph.group?$select=id,displayName,membershipRuleProcessingState |
| Remove from group | DELETE | /v1.0/groups/{groupId}/members/{userId}/$ref |
run_full_pipeline
AvailableOrchestrates all 8 AI agents in sequence. If one agent fails, the pipeline continues to the next (resilient by design).
MCP Invocation
xito:run_pipelineExecution Order
| Order | Tool | Phase |
|---|---|---|
| 1 | sync_ad_users | Sync |
| 2 | sync_hrms_employees | Sync |
| 3 | update_user_fields | Update |
| 4 | update_managers | Update |
| 5 | disable_leaver_accounts | Cleanup |
| 6 | cancel_licenses | Cleanup |
| 7 | remove_from_groups | Cleanup |
| 8 | sync_ad_users | Refresh |
MCP Resources
Resources are read-only data endpoints that MCP clients can query to inspect the current state of Xito's data.
xito://ad_users
Coming SoonExposes the local Azure AD user snapshot. Query by email, department, account status, or date range.
xito://hr_ms_employees
Coming SoonExposes the local HRMS employee snapshot. Filter by emp_code, department, employment status, or exit date.
xito://execution_logs
Coming SoonExposes command execution logs — one record per pipeline run with start/end times, status, and summary.
xito://command_logs
Coming SoonExposes per-user operation logs with full JSON payloads — every field change, license cancellation, and group removal.
Data Model
Xito uses 4 data stores. Two for data snapshots and two for audit logging.
hr_ms_employees
ad_users
command_execution_logs
command_logs
Operation Types in command_logs
| Operation | Generated By | Description |
|---|---|---|
UPDATE_USER_FIELDS | update_user_fields | AD attribute patched from HRMS data |
UPDATE_USER_MANAGER | update_managers | Manager set, changed, or removed |
DISABLE_USER | disable_leaver_accounts | AD account disabled |
CANCEL_LICENSE | cancel_licenses | M365 license SKU removed |
REMOVE_FROM_GROUP | remove_from_groups | User removed from AD group |
Microsoft Graph API Endpoints
Complete list of every Microsoft Graph endpoint Xito calls:
Authentication
| Method | Endpoint | Purpose |
|---|---|---|
| POST | https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token | Obtain OAuth2 access token |
User Operations
| Method | Endpoint | Used By |
|---|---|---|
| GET | /v1.0/users?$select=...&$expand=manager&$top=500 | sync_ad_users |
| PATCH | /v1.0/users/{userId} | update_user_fields, disable_leaver_accounts |
Manager Operations
| Method | Endpoint | Used By |
|---|---|---|
| GET | /v1.0/users/{userId}/manager?$select=userPrincipalName | update_managers |
| PUT | /v1.0/users/{userId}/manager/$ref | update_managers |
| DELETE | /v1.0/users/{userId}/manager/$ref | update_managers |
License Operations
| Method | Endpoint | Used By |
|---|---|---|
| GET | /v1.0/users/{userId}/licenseDetails | cancel_licenses |
| POST | /v1.0/users/{userId}/assignLicense | cancel_licenses |
Group Operations
| Method | Endpoint | Used By |
|---|---|---|
| GET | /v1.0/users/{userId}/memberOf/microsoft.graph.group?$select=... | remove_from_groups |
| DELETE | /v1.0/groups/{groupId}/members/{userId}/$ref | remove_from_groups |
Required Permissions
The following Microsoft Graph Application permissions are required on the Azure AD app registration:
| Permission | Type | Used For |
|---|---|---|
User.ReadWrite.All | Application | Read users, update profiles, disable accounts |
Directory.ReadWrite.All | Application | Manage manager relationships |
Group.ReadWrite.All | Application | Read group memberships, remove members |
Organization.Read.All | Application | Read license assignment details |
Authentication
Xito uses the OAuth2 Client Credentials flow — no user interaction required.
POST https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
client_id={ms_graph_client_id}
&scope=https://graph.microsoft.com/.default
&client_secret={ms_graph_client_secret}
&grant_type=client_credentialsThe returned access_token is used as a Bearer token for all subsequent Graph API calls. Tokens are short-lived and never persisted to disk or database.
Error Handling
| Level | Behavior |
|---|---|
| Pipeline | run_pipeline isolates each agent. One failure doesn't block the rest — the pipeline continues. |
| Agent | Each AI agent processes users in batches. Per-user errors are caught and logged; processing continues. |
| API | HTTP errors and response parsing errors are caught and surfaced in the operation audit logs. |
| Notification | On agent-level failure, a formatted alert is sent to the Teams webhook with agent name, error, and timestamp. |
Status Values
| Status | Meaning |
|---|---|
running | AI agent is currently executing |
success | Completed with zero errors |
partial_success | Completed but some per-user operations failed |
failed | Agent-level failure |
skipped | Agent skipped due to invalid configuration |
Teams Notifications
When an AI agent fails, Xito sends a formatted message to the configured Microsoft Teams incoming webhook:
┌───────────────────────────────────────┐
│ Agent │ disable_accounts │
│ Status │ Failed │
│ Message │ HTTP Error: 403 │
│ Executed at │ Feb 7, 2026 │
└───────────────────────────────────────┘Configure the Teams webhook URL in the Xito settings to enable alerts. If not configured, notifications are silently skipped.
Scheduling
Configure Xito to run the AI pipeline on a regular interval using the built-in scheduler:
# Enable automated pipeline every 30 minutes
xito:schedule --interval=30m
# Or trigger manually at any time
xito:run_pipelineYou can also trigger individual AI agents for troubleshooting:
xito:sync_ad_users # Just sync AD
xito:sync_hrms # Just sync HRMS
xito:update_fields # Just update fields
xito:disable_accounts # Just disable leavers