Meridian Cloud Documentation

Everything you need to deploy, configure, and get the most out of Meridian Cloud — the unified IT management platform by TwelveSides Technologies.

Portal URL
Access Meridian Cloud at portal.meridiancloud.tech. Sign in with your Microsoft 365 account.

Get Started

What is Meridian Cloud

Platform overview, architecture, and who it is for.

Quick Start Guide

Sign up, connect Microsoft 365, and explore your dashboard in minutes.

Onboarding Flow

Step-by-step guide to connecting your Microsoft 365 environment.

User Roles & Access

Understand the 7 roles and what each can see and do.

Modules

Identity

Users, MFA, Conditional Access, licences, risky sign-ins, certificates.

Endpoint

Devices, compliance, vulnerabilities, BitLocker, scripts.

Voice

Teams Phone users, call queues, auto attendants, call quality.

Secure

Secure Score, incidents, threats, authentication events.

Desktop

Azure Virtual Desktop host pools, session hosts, scaling.

Protect

Backup jobs, protected assets, restore history.

Monitor

Health checks, alert rules, status pages, cost management.

Intelligence

Health score, correlations, risk, compliance, AI Copilot.

More Resources

Developer API

Authenticate, paginate, and integrate with the public REST API.

Integrations

Connect Microsoft 365, backup, security, PSA, and monitoring tools.

Troubleshooting

Fix common login, sync, and data issues.

FAQ

Answers to frequently asked questions about the platform.

What is Meridian Cloud

Meridian Cloud is a unified IT management portal built by TwelveSides Technologies. It connects your existing tools and brings their data together into a single, consistent interface.

Platform Overview

Instead of switching between the Teams Admin Center, Intune portal, Entra ID, Veeam console, and your PSA tool throughout the day, your team works from one place. Meridian Cloud connects to your existing tools — Microsoft 365, Intune, Teams, backup platforms, security products, and ticketing systems — and presents their data through purpose-built modules.

Meridian Cloud is not a replacement for your existing tools. It is a unified layer that reads data from them, correlates it, and presents it in a way that gives you faster insight without context-switching. When you need to take action, Meridian links you directly to the relevant admin portal, or in some cases (like Teams Phone management) lets you take action directly within the platform.

Screenshot: Meridian Cloud dashboard showing unified view across all modules

Who Is It For

Direct IT Teams

In-house IT departments or IT managers who manage their own Microsoft 365 environment. You sign in with your Microsoft 365 account, grant Meridian permission to read your environment, connect any additional tools you use, and get a full picture of your infrastructure from a single dashboard. Whether you are a one-person IT team or a department of fifty, Meridian Cloud gives you the unified visibility you need without building custom dashboards or switching between a dozen admin portals.

Managed Service Providers

IT service providers who manage multiple customer tenants. The MSP view gives you a tenant switcher that lets you move between customers without logging out, and lets you manage integrations and settings on behalf of customers. The multi-tenant dashboard provides a bird's-eye view of all your managed customers with health indicators showing backup status, open security incidents, compliance scores, and agent health.

What Does It Connect To

Category | Integrations
Microsoft 365 | Entra ID, Intune, Microsoft Teams, Microsoft Defender, Secure Score, Purview via the Microsoft Graph API
On-premises AD | Via the Meridian DC Agent, a lightweight Windows Service installed on your Domain Controllers
Backup | Veeam Backup & Replication, Veeam Backup for M365, Datto BCDR, Acronis, native M365 Backup
Security | Tenable.io, SentinelOne, CrowdStrike Falcon, Microsoft Sentinel
PSA / ITSM | ConnectWise Manage, Datto Autotask, Halo PSA, ServiceDesk Plus, FreshService, ServiceNow
Monitoring | Checkmk, PRTG, Grafana, Azure Monitor
Communications | Zoom Phone, Webex Calling, Twilio
HR | BambooHR, Okta

Modules

Data from your integrations is surfaced through purpose-built modules. Each module focuses on a specific area of IT management and presents data from all relevant integrations in a unified view.

Module | What You See
Identity | Entra ID users, MFA status, Conditional Access policies, licence usage, on-premises AD changes, sign-ins, risky sign-ins, certificate authority data
Endpoint | Intune device inventory, compliance state, compliance policies, vulnerability findings
Voice | Microsoft Teams Phone users, call queues, auto attendants, phone numbers, policies, call records, Teams devices
Secure | Security incidents, active threats, Secure Score, authentication analytics
Desktop | Azure Virtual Desktop host pools, session hosts, scaling plans
Protect | Backup job status, protected asset inventory, restore history
Monitor | Infrastructure health checks, alert rules, status pages
Intelligence | Cross-module health scoring, risk correlation, compliance frameworks, AI-powered insights

How Data Gets In

Cloud data (Microsoft 365 and third-party SaaS) is synced on a schedule by Meridian's background sync service. After you connect an integration, the first sync runs immediately. Subsequent syncs run automatically — typically every 15 minutes to 4 hours depending on the data type and integration.

On-premises data (Active Directory, Certificate Authority) is pushed by the Meridian DC Agent. The agent runs as a Windows Service on your Domain Controllers and forwards Security Event Log data and CA health information to Meridian in near real time. No inbound firewall rules or VPN are required — the agent connects outbound over HTTPS.

What Meridian Does Not Do

  • Meridian never modifies your Microsoft 365 configuration without you initiating an action — except for Teams voice management actions (creating call queues, assigning numbers) which are explicitly triggered by an administrator.
  • Meridian does not read email, calendar, files, or chat messages — only metadata and configuration data.
  • Meridian does not store your credentials — API keys and secrets are stored in Azure Key Vault and are never retrievable after entry.

Architecture Overview

Meridian Cloud runs on Microsoft Azure with a split-region topology. The data tier (SQL Server, Key Vault, Storage) runs in UK West, while the application tier (API, Functions, Frontend) runs in UK South. All data is encrypted at rest using AES-256 and in transit using TLS 1.2 or later.

The platform consists of a .NET API backend, Azure Functions for background sync processing, a PowerShell Function App for Teams management operations, and a React single-page application frontend. Authentication uses Microsoft Entra ID with PKCE for users and certificate-based client credentials for background sync.

Quick Start Guide

Get from zero to a working Meridian Cloud dashboard in under 30 minutes. This guide walks you through signing up, connecting Microsoft 365, and exploring your first data.

Before You Begin

You will need the following to complete this quick start:

  • A Microsoft 365 account with a valid subscription (any tier: Business Basic, Business Premium, E3, E5, etc.)
  • A Global Administrator account in your Microsoft tenant (for granting consent)
  • A modern web browser (Edge, Chrome, Firefox, or Safari)

Step 1: Sign Up

  1. Navigate to https://portal.meridiancloud.tech/signup
  2. Select your account type: Direct Customer (managing your own environment) or MSP (managing multiple customer tenants)
  3. Enter your organisation name and primary contact details
  4. Click Sign in with Microsoft and authenticate with your Microsoft 365 account
  5. At the Microsoft consent prompt, click Accept to allow Meridian to read your basic profile (User.Read)

Screenshot: Sign-up page with account type selection

Step 2: Grant Microsoft 365 Consent

After signing in, you will see the onboarding wizard. The first step is to grant Meridian permission to read your Microsoft 365 environment.

  1. Click Grant Microsoft Access on the onboarding screen
  2. Microsoft's admin consent page opens in a new window listing all requested permissions
  3. Review the permissions. They are all read-only; Meridian cannot modify your environment through these permissions.
  4. Click Accept (you must be signed in as a Global Administrator)
  5. You are redirected back to Meridian. The initial sync begins automatically.

Info
The initial sync typically takes 5 to 30 minutes depending on the size of your environment. You can watch progress on the onboarding screen. Smaller tenants (under 500 users) usually complete within 5 minutes.

Step 3: Explore Your Dashboard

Once the initial sync completes, you land on your home dashboard. Here is what you will see:

  • Total users — the number of user accounts in your Entra ID tenant
  • MFA coverage — the percentage of users with at least one MFA method registered
  • Device compliance — if Intune is in use, the percentage of devices meeting compliance policies
  • Open tickets — if a PSA is connected, your current open ticket count
  • Secure Score — your Microsoft Secure Score
  • Recent alerts — any alerts raised in the last 24 hours

Screenshot: Home dashboard with metric cards

Step 4: Connect Additional Integrations

Navigate to Settings → Integrations to see all available integrations. Connected integrations show a green status indicator. To connect a new integration:

  1. Click the integration tile (e.g., Veeam, ConnectWise, Tenable)
  2. Enter the required credentials (API keys, URLs, etc.)
  3. Click Save. The first sync runs immediately.

Step 5: Invite Your Team

Go to Settings → Users → Invite User. Enter a colleague's Microsoft 365 email address and assign them a role. They will receive an invitation email and can sign in immediately.

System Requirements

Meridian Cloud is a web-based application accessible from any modern browser. Here are the requirements for the best experience.

Supported Browsers

Browser | Minimum Version | Notes
Microsoft Edge | 90+ | Recommended for best experience
Google Chrome | 90+ | Fully supported
Mozilla Firefox | 90+ | Fully supported
Safari | 15+ | Fully supported on macOS and iOS

Warning
Internet Explorer is not supported. If you are using IE, please upgrade to Microsoft Edge.

Network Requirements

Meridian Cloud is accessed over HTTPS. The following domains must be accessible from your network:

Domain | Purpose | Port
portal.meridiancloud.tech | Web application | 443
api.meridiancloud.tech | API endpoint | 443
login.microsoftonline.com | Microsoft authentication | 443
graph.microsoft.com | Microsoft Graph API (server-side) | 443

DC Agent Requirements

If you plan to use the Meridian DC Agent for on-premises Active Directory monitoring:

Requirement | Detail
Operating System | Windows Server 2016 or later
.NET Runtime | .NET 10 (installed automatically by the installer)
Domain Membership | Server must be domain-joined
Network | Outbound HTTPS (port 443) to api.meridiancloud.tech
Service Account | gMSA (recommended) or standard domain account in Event Log Readers group

Display Requirements

Meridian Cloud is fully responsive and works on screens from 320px wide (mobile phones) to ultra-wide desktop monitors. For the best experience with the sidebar, table of contents, and data tables visible simultaneously, a minimum resolution of 1280x720 is recommended.

Microsoft 365 Requirements

Meridian Cloud works with any Microsoft 365 subscription. Some features require specific licences:

Feature | Required Licence
User and group management | Any Microsoft 365 subscription
Device compliance (Endpoint module) | Microsoft Intune (included in M365 Business Premium, E3, E5)
Risky sign-ins | Entra ID P2 (included in M365 E5 or as add-on)
Security incidents | Microsoft Sentinel or Defender XDR
Teams Phone (Voice module) | Teams Phone licence
Azure Virtual Desktop (Desktop module) | Azure subscription with AVD configured

Glossary

Key terms used throughout the Meridian Cloud documentation and portal.

Terms

Term | Definition
Tenant | An organisation within Meridian Cloud. Each tenant has its own data, users, integrations, and settings. In most cases, one tenant corresponds to one Microsoft 365 tenant.
Module | A functional area of the platform (Identity, Endpoint, Voice, Secure, Desktop, Protect, Monitor, Intelligence). Modules are enabled individually and each requires specific integrations.
Sync App (Meridian Sync) | The background application that reads data from Microsoft 365 using the Microsoft Graph API. It authenticates with a certificate and runs on a schedule without user interaction.
DC Agent | The Meridian DC Agent is a lightweight Windows Service installed on Domain Controllers that forwards Active Directory security events and Certificate Authority health data to Meridian.
Admin Consent | A one-time approval by a Global Administrator in your Microsoft tenant that grants Meridian's Sync App permission to read data from your Microsoft 365 environment.
Integration | A connection between Meridian and an external system (Microsoft 365, Veeam, ConnectWise, etc.). Each integration has its own sync schedule and credential requirements.
MSP (Managed Service Provider) | An IT service provider that manages multiple customer tenants through Meridian's multi-tenant management console.
RBAC (Role-Based Access Control) | The system that controls what each user can see and do within Meridian, based on their assigned role.
Graph API | Microsoft Graph is the unified API for accessing Microsoft 365 data. Meridian uses application-level permissions to read user, device, policy, and call data.
Incremental Consent | The process of adding additional Graph API permissions after the initial consent, without revoking existing permissions.
Health Score | A composite metric in the Intelligence module that aggregates data from all modules to produce an overall health rating for a tenant.
Webhook | An HTTP callback that Meridian sends to your specified URL when certain events occur (backup failure, security incident, etc.).
SLA (Service Level Agreement) | A contractual commitment defining response and resolution time targets for tickets, tracked in the Service module.
Secure Score | Microsoft's measurement of your organisation's security posture across Microsoft 365 services.
Host Pool | An Azure Virtual Desktop resource that groups session host virtual machines together for user connections.
gMSA (Group Managed Service Account) | An Active Directory account type where the password is managed automatically by AD. Recommended for the DC Agent service account.
CRL (Certificate Revocation List) | A file published by a Certificate Authority listing all revoked certificates. Monitored by the DC Agent's CA module.
PWA (Progressive Web App) | A web application that can be installed on a device and runs like a native app. Meridian Cloud can be installed as a PWA on mobile and desktop.

Microsoft 365 Connection

Understand how Meridian Cloud connects to your Microsoft 365 environment, the Sync App architecture, and what data is accessed.

How the Connection Works

Meridian uses two separate Microsoft Entra ID application registrations to interact with your Microsoft 365 environment:

Meridian Portal is the application your users sign in through. It uses the Authorization Code flow with PKCE (delegated permissions) and only requests User.Read — enough to display the signed-in user's name and profile photo. No admin consent is required; each user approves this individually at their first sign-in.

Meridian Sync is the background service that reads your tenant's data on a schedule. It authenticates using a certificate held in TwelveSides' Azure Key Vault — not a username and password. Because it reads data beyond the signed-in user's profile, a Global Administrator must grant admin consent once on behalf of the entire organisation.

Certificate Authentication

The Sync App uses certificate-based authentication (client credentials flow). This is the most secure method for service-to-service authentication in Microsoft Entra ID because:

  • No password or client secret is used — eliminating the risk of credential exposure
  • The private key never leaves TwelveSides' Azure Key Vault
  • Certificates are automatically rotated before expiry via an Event Grid trigger
  • Your tenant holds no private keys — only the public key registered on the app

What Data is Accessed

All permissions are read-only application permissions. Meridian cannot modify, create, or delete any data in your Microsoft 365 environment through these permissions.

Data Category | What Meridian Reads | Module
Users | Display name, UPN, email, department, job title, account status, user type, sign-in timestamps, assigned licences | Identity
Groups & Roles | Group memberships, directory roles, organisational structure | Identity
MFA Methods | Which authentication methods are registered per user (does not expose secrets or PINs) | Identity
Conditional Access | Policy names, states, conditions, and grant controls | Identity
Devices | Intune-managed device records: name, OS, compliance state, last check-in, serial number | Endpoint
Compliance Policies | Policy definitions and device compliance per policy | Endpoint
Call Records | Teams call metadata: duration, participants, quality indicators, timestamps | Voice
Sign-in Reports | Authentication activity summaries and usage reports | Identity
Security Events | Secure Score, Defender threats, security alerts (optional) | Secure
Risky Users/Sign-ins | Entra ID Protection risk detections (optional, requires P2) | Identity

What is NOT Accessed

Tip
Meridian explicitly does not request permissions for: email content, calendar events, file contents, SharePoint data, Teams chat messages, or any write/modify permissions. It is technically impossible for Meridian to access these data types.

Sync Schedule

Data Type | Sync Interval
User accounts and profiles | Every 4 hours
MFA registration status | Every 4 hours
Conditional Access policies | Every 4 hours
Device inventory and compliance | Every 2 hours
Call records | Every 1 hour
Licence subscriptions | Every 24 hours
Secure Score | Every 24 hours

The first sync after consent runs immediately. You can trigger a manual sync from Settings → Integrations → Microsoft Graph → Sync Now.

Onboarding Flow

A step-by-step walkthrough of the complete Meridian Cloud onboarding process, from sign-up through first data sync.

Who Can Complete Onboarding

The onboarding process requires someone who holds one of the following roles in your Microsoft Entra ID tenant:

  • Global Administrator
  • Privileged Role Administrator
  • Cloud Application Administrator (if your organisation has granted this role consent permissions)

Step 1: Create Your Account

Navigate to https://portal.meridiancloud.tech/signup and select Direct Customer. Enter your organisation details and sign in with your Microsoft 365 account. If your organisation has already been created in Meridian (for example, by your MSP), sign in directly at https://portal.meridiancloud.tech.

Step 2: Start the Consent Flow

After signing in, you will see the onboarding wizard if Microsoft consent has not yet been granted. Click Grant Microsoft Access. This opens Microsoft's standard admin consent page in a new browser window.

Screenshot: Onboarding wizard with "Grant Microsoft Access" button

Step 3: Review and Accept Permissions

The Microsoft consent page lists every permission Meridian is requesting, with a description of each. Review them carefully — they are all read-only application permissions. Meridian cannot modify your environment through these permissions.

Click Accept to grant consent. You will be redirected back to Meridian.

Warning
Only a Global Administrator (or equivalent) can accept this consent. If you sign in as a regular user, the consent page will show a "Need admin approval" error.

Step 4: Initial Sync

After consent is granted, Meridian immediately begins synchronising your environment. The onboarding screen shows real-time progress:

  • Users and groups — syncing user accounts and group memberships
  • MFA methods — reading authentication method registrations
  • Devices — importing Intune-managed device inventory
  • Policies — reading Conditional Access and compliance policies
  • Licences — importing licence subscription data

The initial sync typically completes within 5 to 30 minutes depending on the size of your environment. Large enterprises with over 10,000 users may take longer.

Step 5: Dashboard Ready

Once the sync completes, the onboarding wizard redirects you to your home dashboard. You can now explore your Identity, Endpoint, and other modules populated with real data from your Microsoft 365 environment.

Verifying Consent in Your Tenant

To verify that Meridian's consent is active:

  1. Sign in to the Azure portal (portal.azure.com) as a Global Administrator
  2. Go to Microsoft Entra ID → Enterprise Applications
  3. Search for Meridian Sync
  4. Click on the application and go to Permissions
  5. You should see the permissions with Admin consent granted status

Revoking Consent

To revoke Meridian's access to your Microsoft 365 environment, go to Microsoft Entra ID → Enterprise Applications in the Azure portal, find Meridian Sync, and click Delete. After revocation, Meridian's background sync stops immediately. Existing data remains viewable until your account is cancelled. To restore access, re-run the consent flow from Settings → Integrations → Microsoft Graph → Reconnect.

Module Enablement

Meridian Cloud uses a guided flow to enable modules. You choose the module, select the features you need, grant incremental consent for any additional permissions, and the module activates.

How It Works

Rather than enabling all modules at once, Meridian uses a progressive approach to module enablement. This ensures you only grant the permissions you need and only see the features that are relevant to your organisation.

The enablement flow has four stages:

  1. Choose a module — select which module you want to enable from the Modules page
  2. Select features — within that module, choose which features you want to activate (you can add more later)
  3. Grant incremental consent — if the selected features require additional Graph API permissions beyond what you have already consented to, you will be prompted to grant those additional permissions
  4. Module enabled — the module activates and data begins syncing for the selected features

Incremental Consent

Meridian supports incremental consent, meaning you can add permissions over time without revoking and re-granting the entire consent. For example:

  • When you first onboard, you grant the base set of 9 required permissions
  • When you enable the Secure module, you are prompted to grant SecurityEvents.Read.All and SecurityIncident.Read.All
  • When you enable Risky Sign-Ins in the Identity module, you are prompted to grant IdentityRiskEvent.Read.All and IdentityRiskyUser.Read.All

Each incremental consent only adds the new permissions. Previously granted permissions remain in place.

Info
Re-running the consent flow does not revoke or restart previous consents. It is purely additive. Your existing data and sync schedules are unaffected.

Managing Enabled Modules

Navigate to Settings → Modules to see which modules are currently enabled, which features are active within each module, and which permissions have been granted. From this page you can enable additional features within an already-active module, or disable modules you no longer need.

Disabling a Module

Disabling a module stops data syncing for that module. Existing data is retained per your data retention policy. The module's sidebar navigation items are hidden from all users. To re-enable, simply go through the enablement flow again. You will not be asked to re-consent for permissions that are already granted.

Graph API Permissions Reference

Complete reference of all 37 Microsoft Graph API permissions used by Meridian Cloud, what each does, and which module requires it.

Two App Registrations

Meridian uses two Entra ID app registrations. Both are registered by TwelveSides Technologies as multi-tenant applications. You do not create them — you only grant consent.

App | Purpose | Auth Flow | Admin Consent
Meridian Portal | User sign-in and authentication | Authorization Code with PKCE (delegated) | No
Meridian Sync | Background data collection | Client credentials with certificate (application) | Yes

Portal App Permissions (Delegated)

Permission | Type | Purpose
User.Read | Delegated | Read the signed-in user's name, email, and photo for the portal header
openid | Delegated | OpenID Connect authentication
profile | Delegated | Include name and preferred_username in the ID token
offline_access | Delegated | Maintain the session across browser restarts without re-prompting

Required Application Permissions (Sync App)

Permission | Module | What Meridian Reads
User.Read.All | Identity, Voice | All user accounts: display name, UPN, email, department, job title, account status, user type, created date, last sign-in, assigned licences
Directory.Read.All | Identity | Group memberships, directory roles, organisational unit structure, tenant settings
Organization.Read.All | All | Organisation display name and verified domains
UserAuthenticationMethod.Read.All | Identity | MFA methods registered per user (authenticator app, phone, FIDO2 key); does not expose secrets
Policy.Read.All | Identity | Conditional Access policy names, states, and condition summaries
DeviceManagementManagedDevices.Read.All | Endpoint | Intune managed device records: name, OS, compliance state, last check-in, model, serial number
DeviceManagementConfiguration.Read.All | Endpoint | Intune compliance policy definitions and their assignment
CallRecords.Read.All | Voice | Teams call records: duration, participants, quality indicators, timestamps
Reports.Read.All | Identity | Sign-in activity and authentication method usage reports

Optional Application Permissions

Permission | Feature Unlocked | Licence Requirement
SecurityEvents.Read.All | Secure Score, Defender threats, security alerts | Defender for Endpoint
IdentityRiskyUser.Read.All | Risky users list (Identity module) | Entra ID P2 / M365 E5
IdentityRiskEvent.Read.All | Risky sign-ins (Identity module) | Entra ID P2 / M365 E5
SecurityIncident.Read.All | Security incidents (Secure module) | Sentinel or Defender XDR
ThreatAssessment.Read.All | Threat assessments | Defender for Office 365 P2

Permissions NOT Requested

The following permissions are explicitly not requested and Meridian has no access to:

Permission | Why Not Requested
Mail.Read / Mail.ReadWrite | Meridian does not process email
Calendars.Read | Never needed
Files.Read.All | Meridian does not access file contents
Sites.Read.All | Never needed
ChannelMessage.Read.All | Only call records are read, not messages
Chat.Read.All | Never needed
Any *.ReadWrite.* | Meridian is read-only for all Graph data
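
The check in "Verifying Consent in Your Tenant" can also be run against exported data. The following is an added example, not Meridian or TwelveSides code: it compares the app roles granted to the Meridian Sync service principal with the Required and Optional tables above and flags anything else. It assumes input shaped like Microsoft Graph's servicePrincipal appRoles and appRoleAssignments objects; the GUIDs and sample grants are constructed.

```python
# Added example (not Meridian/TwelveSides code): audit the Microsoft Graph app
# roles granted to the "Meridian Sync" service principal against this page.

# Permission names copied from the Required and Optional tables above.
REQUIRED = {
    "User.Read.All", "Directory.Read.All", "Organization.Read.All",
    "UserAuthenticationMethod.Read.All", "Policy.Read.All",
    "DeviceManagementManagedDevices.Read.All",
    "DeviceManagementConfiguration.Read.All",
    "CallRecords.Read.All", "Reports.Read.All",
}
OPTIONAL = {
    "SecurityEvents.Read.All", "IdentityRiskyUser.Read.All",
    "IdentityRiskEvent.Read.All", "SecurityIncident.Read.All",
    "ThreatAssessment.Read.All",
}
# Rows of the "Permissions NOT Requested" table that name a concrete permission.
NOT_REQUESTED = {
    "Mail.Read", "Mail.ReadWrite", "Calendars.Read", "Files.Read.All",
    "Sites.Read.All", "ChannelMessage.Read.All", "Chat.Read.All",
}


def is_write_scope(name):
    """Match the 'Any *.ReadWrite.*' row: a ReadWrite segment in the name."""
    return "ReadWrite" in name.split(".")


def audit(graph_sp, assignments):
    """graph_sp: the Microsoft Graph servicePrincipal object (id, appRoles).
    assignments: appRoleAssignments of the Meridian Sync service principal."""
    names_by_id = {role["id"]: role["value"] for role in graph_sp["appRoles"]}
    granted, other_apis = set(), set()
    for a in assignments:
        if a["resourceId"] != graph_sp["id"]:
            other_apis.add(a["resourceDisplayName"])  # API this page does not cover
            continue
        # Unknown GUIDs stay visible instead of being dropped silently.
        granted.add(names_by_id.get(a["appRoleId"], "unresolved:" + a["appRoleId"]))
    undocumented = granted - REQUIRED - OPTIONAL
    return {
        "missing_required": sorted(REQUIRED - granted),
        "optional_granted": sorted(granted & OPTIONAL),
        "undocumented": sorted(undocumented),
        "contradicts_page": sorted(
            n for n in granted if n in NOT_REQUESTED or is_write_scope(n)),
        "other_apis": sorted(other_apis),
        "matches_documentation": not undocumented and not other_apis,
    }


# --- Constructed sample data: placeholder GUIDs, not real Graph role IDs ---
SAMPLE_NAMES = sorted(REQUIRED | OPTIONAL | {"Mail.ReadWrite"})
SAMPLE_GRAPH_SP = {
    "id": "11111111-1111-1111-1111-111111111111",
    "appRoles": [
        {"id": f"00000000-0000-0000-0000-{i:012d}", "value": name}
        for i, name in enumerate(SAMPLE_NAMES)
    ],
}


def sample_assignments(names):
    """Build appRoleAssignment-shaped records for the given permission names."""
    ids = {r["value"]: r["id"] for r in SAMPLE_GRAPH_SP["appRoles"]}
    return [
        {"appRoleId": ids[n], "resourceId": SAMPLE_GRAPH_SP["id"],
         "resourceDisplayName": "Microsoft Graph"}
        for n in names
    ]


# Base consent plus the two permissions the page lists for the Secure module.
BASELINE = sample_assignments(
    sorted(REQUIRED) + ["SecurityEvents.Read.All", "SecurityIncident.Read.All"])
# Same tenant with one grant the page says is never requested.
DRIFTED = BASELINE + sample_assignments(["Mail.ReadWrite"])

if __name__ == "__main__":
    import json
    for label, data in (("baseline", BASELINE), ("drifted", DRIFTED)):
        print(label, json.dumps(audit(SAMPLE_GRAPH_SP, data), indent=2))
```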

User Roles & Access Control

Meridian Cloud uses role-based access control (RBAC). Every user is assigned one role per tenant. Roles are cumulative — higher roles include all permissions of lower roles.

Role Overview

Role | Intended For | Access Level
TenantAdmin | IT manager, account owner | Full access including settings, integrations, and user management
ITManager | Senior IT staff | Full module access, cannot manage users or billing
Engineer | IT engineers and technicians | Full read access + operational actions
Helpdesk | Helpdesk staff | Read access to most modules, limited to helpdesk-relevant data
ReadOnly | Auditors, observers | View-only access across all modules, no actions
Billing | Finance contacts | Billing and subscription pages only
SelfServiceUser | End users | Restricted to their own data only (their own device, tickets)

Identity Module Permissions

Permission | TenantAdmin | ITManager | Engineer | Helpdesk | ReadOnly
View identity dashboard | Yes | Yes | Yes | Yes | Yes
View user list and details | Yes | Yes | Yes | Yes | Yes
View Conditional Access policies | Yes | Yes | Yes | Yes | Yes
View licence subscriptions | Yes | Yes | Yes | Yes | Yes
View risky sign-ins | Yes | Yes | Yes | Yes | Yes
View AD changes and sign-ins | Yes | Yes | Yes | Yes | Yes
View certificates and CA health | Yes | Yes | Yes | Yes | Yes
Run bulk identity operations | Yes | Yes | Yes | -- | --

Voice Module Permissions

Permission | TenantAdmin | ITManager | Engineer | Helpdesk | ReadOnly
View voice dashboard | Yes | Yes | Yes | Yes | Yes
View users and phone numbers | Yes | Yes | Yes | Yes | Yes
View call queues and auto attendants | Yes | Yes | Yes | Yes | Yes
Create/edit call queues and AAs | Yes | Yes | Yes | -- | --
Assign/unassign phone numbers | Yes | Yes | Yes | -- | --
Manage alert rules | Yes | Yes | -- | -- | --

Settings & Admin Permissions

Permission | TenantAdmin | ITManager | Engineer | Helpdesk | ReadOnly | Billing
View and edit integrations | Yes | -- | -- | -- | -- | --
Manage users and roles | Yes | -- | -- | -- | -- | --
Generate DC Agent invite tokens | Yes | -- | -- | -- | -- | --
View audit log | Yes | Yes | -- | -- | -- | --
Configure webhooks | Yes | Yes | -- | -- | -- | --
View billing and subscription | Yes | -- | -- | -- | -- | Yes
Edit branding (MSP only) | Yes | -- | -- | -- | -- | --

Inviting Users

Only TenantAdmin can invite new users. Go to Settings → Users → Invite User, enter the user's Microsoft 365 email address, select their role, and click Send Invitation. The user receives an email and must sign in with the Microsoft account matching that email.

Changing & Removing Roles

To change a role, go to Settings → Users, find the user, and click the role dropdown. Changes take effect immediately with no re-login required. To remove a user, click the menu next to their name and select Remove. Their audit log entries are preserved.

Identity Module

Comprehensive view of your Microsoft 365 identity environment and on-premises Active Directory. Users, MFA, Conditional Access, licences, risky sign-ins, AD changes, and certificate authority data.

Data Sources
Microsoft Entra ID (via Graph API), DC Agent (Security Event Log), DC Agent CA module (Certificate Authority). Minimum role: Helpdesk.

Dashboard

Navigation: Identity → Dashboard

The Identity dashboard shows key identity metrics at a glance: total users in Entra ID, MFA registration percentage (users without MFA are highlighted as a risk), guest account count, consumed versus total licence seats across your top SKUs, and recent identity-related alerts from the last 24 hours.

Screenshot: Identity dashboard with metric cards

Users

Navigation: Identity → Users

Displays all Entra ID user accounts synced from Microsoft Graph. The table includes display name, UPN, department, MFA status (Registered / Not registered), account enabled state, user type (Member / Guest), last sign-in date, and assigned licences.

Use the search bar to find users by name or UPN. Filter by MFA status, account type, or enabled state. Click any user to open a detail panel showing full profile information, all assigned licences, registered MFA methods, recent sign-in history, and group memberships.

Conditional Access

Navigation: Identity → Conditional Access

Lists all Conditional Access policies in your Entra ID tenant. Policies are shown with their state (Enabled, Report-only, or Disabled), conditions summary, grant controls, creation date, and last modification date. Click any policy to see its full condition and grant control configuration.

Licences

Navigation: Identity → Licences

Shows all Microsoft 365 licence subscriptions: product name, SKU/part number, total seats, assigned count, and available seats. Licences with fewer than 10% remaining seats are highlighted so you can purchase more before running out.

Risky Sign-Ins

Navigation: Identity → Risky Sign-Ins

Requires Entra ID P2 (included in M365 E5) and the IdentityRiskEvent.Read.All permission. Lists sign-in events flagged by Microsoft Entra ID Protection. Metric cards show total risky sign-ins, high/medium risk counts, at-risk account count, and confirmed compromised accounts.

Risk levels: High (password spray, impossible travel, malware-linked IP), Medium (atypical travel, unfamiliar sign-in properties), Low (minor anomaly). Risk states include At Risk, Confirmed Safe, Confirmed Compromised, Dismissed, and Remediated.

AD Changes

Navigation: Identity → AD Changes (requires DC Agent)

Displays Active Directory changes captured from your DC Security Event Logs. Categories include Account Management (user accounts created, deleted, modified, locked, unlocked), Group Changes (users added/removed from security groups), and Policy Changes (audit policy changes, AD object CRUD).

Each row shows the event time, human-readable description, source DC, the account that performed the action, the target account, and additional details. Filter by category, source DC, target account, or date range.

On-Prem Sign-Ins

Navigation: Identity → On-Prem Sign-Ins (requires DC Agent)

Authentication events from your Domain Controllers: successful logons, failed attempts, lockouts, and privileged logons. Metric cards show total logons, failed attempts, lockouts, privileged logons, and Kerberos failures. Failed logon rows are highlighted in red with the failure reason displayed.

Certificates & CA Health

Navigation: Identity → Certificates / CA Health / Cert Templates (requires DC Agent with CA module)

The Certificates page shows a full inventory of all certificates issued by your enterprise CA, filterable by disposition (Issued, Revoked, Pending, Denied), template, and expiry window. Expired certificates show in red, those expiring within 7 days in orange, within 30 days in yellow.

The CA Health page monitors each Certificate Authority: online/offline status, CA certificate expiry, CRL next update, and OCSP status. Critical alerts appear when the CRL expires within 7 days or the CA certificate expires within 30 days.

The Cert Templates page lists all Active Directory certificate templates with their display name, internal name, schema version, validity period, auto-enrolment status, and manager approval requirement.


Endpoint Module

Visibility into your managed device fleet through Microsoft Intune, with optional vulnerability data from Tenable.io. Devices, compliance, vulnerabilities, BitLocker recovery, and scripts.

Data Sources
Microsoft Intune (via Graph API), Tenable.io (optional). Minimum role: Helpdesk.

Dashboard

Navigation: Endpoint → Dashboard

High-level device fleet health: total enrolled devices, compliant percentage, non-compliant count, unknown compliance count, compliance trend over 30 days, OS distribution (Windows / macOS / iOS / Android), and a list of recently non-compliant devices.

Screenshot: Endpoint dashboard with compliance donut chart

Devices

Navigation: Endpoint → Devices

Full inventory of Intune-enrolled devices with columns for device name, primary user, operating system, OS version, compliance state, last check-in, enrolment date, model, and encryption status (BitLocker / FileVault). Search by device name or username. Filter by compliance state or OS.

Click any device for the full detail panel: hardware information (model, manufacturer, serial number), applied compliance policies with individual results, configuration profiles, installed applications (if reported), and check-in history.

Compliance

Navigation: Endpoint → Compliance

Lists all Intune compliance policies as cards showing policy name, target platform, total devices in scope, and a compliance percentage bar. Click a policy to drill down into specific compliance settings (e.g., minimum OS version, BitLocker required, password required) and see which devices fail which settings.

Vulnerabilities

Navigation: Endpoint → Vulnerabilities (requires Tenable.io)

Surfaces CVE findings from Tenable.io scans. Metric cards show total findings, critical (CVSS 9.0-10.0), high (7.0-8.9), medium (4.0-6.9), and low/informational. The table includes CVE identifier, Tenable plugin, severity, CVSS score, affected asset, and first/last seen dates. Filter by severity, affected asset, and date range.

BitLocker Recovery

Navigation: Endpoint → BitLocker

When a user's device triggers a BitLocker recovery screen, helpdesk staff can look up the recovery key directly within Meridian. Search by device name to retrieve the recovery key stored in Entra ID. This saves time compared to navigating to the Entra ID portal separately and is available to the Helpdesk role and above.

Scripts

Navigation: Endpoint → Scripts

View Intune device management scripts deployed in your environment. See script name, target platform, assignment status, and execution results across devices. This page provides visibility into PowerShell and shell scripts pushed through Intune, helping you track which remediation or configuration scripts have been deployed and their success rate.

Agent Management

Navigation: Endpoint → Agents (minimum role: Engineer)

Lists monitoring and management agents deployed across your environment. Shows agent version, last check-in, status, and host. This is separate from the Meridian DC Agent (which appears under Settings → Integrations).


Voice Module

Complete management and visibility for Microsoft Teams Phone. Users, phone numbers, call queues, auto attendants, policies, call quality, SBC management, and Teams devices.

Data Sources
Microsoft Teams (via Graph API and Teams Admin API). Minimum role: Helpdesk (view), Engineer (manage).

Dashboard

Navigation: Voice → Dashboard

Real-time summary: licensed voice users, assigned and available phone numbers, active call queues, call volume over 7 days, average call duration, queue wait times, abandon rates, and recent alert activity.

Screenshot: Voice dashboard with call volume chart

Users

Navigation: Voice → Users

All Teams users with voice configuration: display name, UPN, phone number, voice routing policy, dial plan, enterprise voice status, hosted voicemail. Click a user for full voice config: policies, call forwarding, simultaneous ring settings, group call pickup, and call history.

To assign a phone number: click a user, click Assign Number, select an available number, and confirm. The assignment is written to Teams immediately via the Teams Admin API.

Phone Numbers

Navigation: Voice → Phone Numbers

Full inventory of all acquired numbers. States: Assigned to user, Assigned to service (queue/AA), or Unassigned. Columns: E.164 number, type (Geographic / Toll-free / Direct routing), assignment, city, capability (User / Voice app).

Call Queues

Navigation: Voice → Call Queues

All configured call queues showing name, resource account number, agent count, routing method (Attendant / Serial / Round robin / Longest idle), overflow action, and agent availability. Click for full config: general settings, agent pool, routing, overflow/timeout behaviour, hold music.

To create: click New Call Queue, configure using the visual builder, and click Save. Changes apply to Teams immediately.

Auto Attendants

Navigation: Voice → Auto Attendants

All IVR menus: name, resource account, greeting, menu options, business hours routing, after-hours routing, holiday schedules. Create new auto attendants with the visual flow builder to design greetings, menu key mappings, and routing rules.

Policies

Navigation: Voice → Policies

All Teams voice policies: voice routing policies, calling policies, dial plans, online voice routing policies, and IP phone policies. Click any policy to see its configuration and assigned users.

Call Quality & Reports

Navigation: Voice → Reports

Call analytics showing volume over time (by day, week, month), average duration, calls by type (internal, PSTN inbound, PSTN outbound), queue statistics (wait time, abandon rate, handled calls per queue), and top callers. Call records sync from the Graph callRecords API with a 1-2 hour delay.

SBC Configuration

Navigation: Voice → Configuration

For Direct Routing environments: view PSTN gateway and SBC configuration, voice routing tables, emergency location assignments, and tenant dial plan settings. This gives you a single view of your routing infrastructure alongside user and queue data.

Teams Devices

Navigation: Voice → Devices

Teams-certified devices: IP phones, Teams Rooms, Teams displays, collaboration bars. Shows device name, type, signed-in user, online/offline status, firmware version, and last activity timestamp.


Secure Module

Security incidents, active threats, Microsoft Secure Score, improvement actions, and authentication analytics from across your integrated security tools.

Data Sources
Microsoft Defender, Microsoft Sentinel, Entra ID Protection, SentinelOne, CrowdStrike, DC Agent. Minimum role: Helpdesk.

Dashboard

Navigation: Secure → Dashboard

Real-time security posture: open incidents, active threats, current Secure Score, risky sign-ins in the last 24 hours, threat trend over 7 days, and top affected assets.

Incidents

Navigation: Secure → Incidents (requires Sentinel or Defender XDR)

Security incidents from your SIEM and XDR platforms. Severities: High (red, immediate attention), Medium (orange), Low (yellow), Informational (blue). Each incident shows title, severity, status (New / Active / Resolved), source platform, assigned analyst, alert count, and timestamps.

Click an incident for full description, recommended actions, underlying alerts, affected entities (users, devices, IPs), event timeline, and a direct link to the source platform for deeper investigation.

Threats

Navigation: Secure → Threats (requires Defender, SentinelOne, or CrowdStrike)

Active endpoint threat detections across managed devices. Shows threat name, severity, category (Malware / Ransomware / PUA / Exploit / Suspicious activity), affected device and user, status (Active / Remediated / In progress), first detected date, and source product.

Secure Score

Navigation: Secure → Secure Score

Your Microsoft Secure Score: current score vs maximum achievable, score trend over 90 days, and category breakdown (Identity, Devices, Apps, Infrastructure).

Improvement Actions

Below the score overview, a prioritised list of actions you can take to increase your score. Each action shows what needs to be done, which category it falls under, how many points it is worth, its current status, and estimated implementation difficulty. Click any action for guidance and a direct link to the relevant Microsoft admin portal.

Authentication Events

Navigation: Secure → Authentication Events (requires DC Agent)

Aggregated analytics on on-premises authentication activity. Cards show total authentications, failed attempts, failure rate, lockout count, and unique locked accounts. Includes ranked lists of top failing accounts and top source IPs generating failures, a chronological lockout timeline, and a failure reason breakdown chart.
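The aggregates described above can be reproduced from raw Domain Controller Security events. The following is an added example, not Meridian's own code: it assumes events have already been parsed into tuples, uses the standard Windows event IDs (4624, 4625, 4740, 4771) and failure codes, and runs over a constructed sample.

```python
from collections import Counter

# Windows Security event IDs written by a Domain Controller.
LOGON_OK, LOGON_FAILED, LOCKOUT, KRB_PREAUTH_FAILED = 4624, 4625, 4740, 4771

# Failure codes: NTSTATUS sub-status on 4625, Kerberos result code on 4771.
FAILURE_REASONS = {
    "0xc000006a": "Bad password",
    "0xc0000064": "Unknown user name",
    "0xc0000072": "Account disabled",
    "0xc0000234": "Account locked out",
    "0x18": "Kerberos pre-authentication failed",
}

# Constructed sample: (time, event ID, account, source IP, failure code).
EVENTS = [
    ("08:00:01", 4624, "alice", "10.0.0.21", None),
    ("08:01:10", 4625, "bob", "10.0.0.50", "0xC000006A"),
    ("08:01:12", 4625, "bob", "10.0.0.50", "0xC000006A"),
    ("08:01:14", 4625, "Bob", "10.0.0.50", "0xC000006A"),
    ("08:01:14", 4740, "bob", None, None),
    ("08:01:20", 4625, "bob", "10.0.0.50", "0xC0000234"),
    ("08:03:00", 4625, "ghost", "10.0.0.77", "0xC0000064"),
    ("08:05:30", 4771, "carol", "10.0.0.33", "0x18"),
    ("08:05:45", 4624, "carol", "10.0.0.33", None),
    ("08:40:00", 4624, "dave", "10.0.0.21", None),
    ("09:10:01", 4625, "bob", "10.0.0.50", "0xC000006A"),
    ("09:10:03", 4625, "bob", "10.0.0.50", "0xC000006A"),
    ("09:10:05", 4625, "bob", "10.0.0.50", "0xC000006A"),
    ("09:10:05", 4740, "bob", None, None),
]


def summarise(events, top_n=3):
    """Build the card values, ranked lists and breakdowns from parsed events."""
    successes = kerberos_failures = 0
    accounts, sources, reasons = Counter(), Counter(), Counter()
    lockout_timeline = []
    for when, event_id, account, ip, code in events:
        account = account.lower()  # AD account names are case-insensitive
        if event_id == LOGON_OK:
            successes += 1
        elif event_id in (LOGON_FAILED, KRB_PREAUTH_FAILED):
            accounts[account] += 1
            if ip:  # some events carry no usable source address
                sources[ip] += 1
            key = (code or "").lower()
            reasons[FAILURE_REASONS.get(key, f"Other ({code})")] += 1
            if event_id == KRB_PREAUTH_FAILED:
                kerberos_failures += 1
        elif event_id == LOCKOUT:
            lockout_timeline.append((when, account))
    failed = sum(accounts.values())
    # Assumption: lockout events (4740) are state changes, not authentications.
    total = successes + failed
    return {
        "total_authentications": total,
        "failed_attempts": failed,
        "failure_rate": round(failed / total, 3) if total else 0.0,
        "kerberos_failures": kerberos_failures,
        "lockout_count": len(lockout_timeline),
        "unique_locked_accounts": len({acct for _, acct in lockout_timeline}),
        "top_failing_accounts": accounts.most_common(top_n),
        "top_source_ips": sources.most_common(top_n),
        "failure_reasons": dict(reasons),
        "lockout_timeline": sorted(lockout_timeline),
    }


if __name__ == "__main__":
    for name, value in summarise(EVENTS).items():
        print(f"{name}: {value}")
```

In the sample, one account is locked out twice, so the lockout count and the unique locked account count differ; a single source IP producing most failures against one account is the pattern the ranked lists are meant to expose.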


Desktop Module

Visibility and management for Azure Virtual Desktop (AVD) environments — host pools, session hosts, and scaling plans.

Data Sources
Microsoft Azure (via Graph API and Azure Resource Manager). Minimum role: Helpdesk.

Dashboard

Navigation: Desktop → Dashboard

AVD environment health: total host pools, session host count, active sessions, available hosts, unavailable hosts, and session capacity percentage.

Host Pools

Navigation: Desktop → Host Pools

All AVD host pools: name, type (Pooled / Personal), load balancing method, max session limit, total hosts, available hosts, active sessions, and assignment type. Click for full detail: all session hosts with individual status, session counts per host, associated workspace and application groups, and scaling plan assignment.

Session Hosts

Navigation: Desktop → Session Hosts

All session host VMs across all pools: VM name, host pool, status (Available / Unavailable / Shutdown / Upgrading / Draining), active sessions, agent version, OS version, last heartbeat, and whether new sessions are accepted. During off-peak hours, Shutdown is expected for scaling-managed hosts — only Unavailable during active hours requires investigation.

Scaling Plans

Navigation: Desktop → Scaling Plans

Scaling plans that automatically manage host capacity: plan name, timezone, assigned host pools, enabled/disabled status. Click for schedule detail: peak hours (more hosts), off-peak hours (hosts powered down), ramp-up period (pre-peak provisioning), and ramp-down period (graceful shutdown as sessions end).


Protect Module

Backup job status, protected asset inventory, and restore history from all connected backup platforms.

Data Sources
Veeam Backup & Replication, Veeam Backup for M365, Datto BCDR, Acronis Cyber Protect, Microsoft 365 Backup. Minimum role: Helpdesk.

Dashboard

Navigation: Protect → Dashboard

Backup health overview: protected asset count, successful/warning/failed jobs in the last 24 hours, 7-day success rate, last successful backup time, and assets at risk (no successful backup in 24 hours). Traffic-light indicator: green (all healthy), amber (some warnings), red (failures detected).

Backup Jobs

Navigation: Protect → Backup Jobs

All backup jobs from all platforms. Columns: job name, source platform, type (VM / File / M365 / Agent), status, start time, duration, data processed, data transferred, and object count. Filter by status, platform, or date range. Click a job for full log messages, per-object results, storage details, and a link to the source platform.

Protected Assets

Navigation: Protect → Protected Assets

Inventory of all backed-up assets: VMs, physical servers, endpoints, M365 mailboxes, SharePoint sites, OneDrive, and Teams. Shows asset name, type, platform, last backup date, status, oldest recovery point, and retention period. Assets with no backup in 24+ hours are flagged as At Risk and sorted to the top.

Restore History

Navigation: Protect → Restore History

Log of all restore operations: job name, type (full / granular / instant recovery), who initiated it, what was restored, start/complete times, status, and target location. Only restores performed through connected platforms are tracked.

Backup Providers

Meridian aggregates backup data from multiple providers into a single view. Each provider has its own setup process (see the Third-Party Integrations page). When multiple providers are connected, all jobs and assets appear in the unified Protect view with a Source column indicating which platform ran each job.


Monitor Module

Infrastructure health checks, alert rules, status pages, and cost management from connected monitoring platforms.

Data Sources
Checkmk, PRTG, Grafana, Azure Monitor. Minimum role: Helpdesk.

Dashboard

Navigation: Monitor → Dashboard

Real-time infrastructure overview: total monitored checks, OK/Warning/Critical/Unknown counts, 30-day uptime percentage, active alerts, and recent state changes (what just broke or recovered).

Health Checks

Navigation: Monitor → Health Checks

All monitored hosts and services. Columns: name, host, platform (Checkmk / PRTG / Grafana / Azure Monitor), state, duration in current state, output message, and last checked time. Filter by state, platform, or host. Click for full output, performance data, 7-day state history, and a link to the source platform.

Alert Rules

Navigation: Monitor → Alert Rules

Create Meridian-native alert rules that work across all connected platforms. Available conditions include: state changes to Critical/Warning, check in Critical state for X minutes, host goes offline, or output matches a text pattern. Set notification recipients (email or webhook) and configure suppression schedules for maintenance windows.

Status Pages

Navigation: Monitor → Status Pages (minimum role: Engineer)

Create public or internal-facing status pages. Add components mapped to monitored services. Component states: Operational, Degraded, Partial Outage, Major Outage, Maintenance. Associate alerts with status page incidents to communicate impact to stakeholders with a timeline of updates.

Cost Management

Navigation: Monitor → Cost Management

When Azure Monitor is connected, Meridian can surface Azure cost data alongside infrastructure health. Track resource spending trends, identify cost anomalies, and correlate infrastructure events with billing impacts. This helps IT teams understand not just the health of their infrastructure, but the financial implications of scaling decisions and incidents.


Intelligence Module

Cross-module analytics, health scoring, risk correlation, compliance frameworks, licence optimisation, executive reports, and the AI Copilot. Intelligence is the analytical brain of Meridian Cloud.

Note
Intelligence is a module within Meridian Cloud, not a separate product. It aggregates and correlates data from all other modules to produce insights that individual modules cannot provide on their own.

Health Score

Navigation: Intelligence → Health Score

The Health Score is a composite metric (0-100) that aggregates data from all connected modules into a single measure of tenant health. It considers factors from every active module:

  • Identity — MFA adoption rate, Conditional Access coverage, risky sign-in volume
  • Endpoint — device compliance percentage, unpatched vulnerability count
  • Secure — Secure Score, open incident count, active threats
  • Protect — backup success rate, assets at risk
  • Monitor — infrastructure uptime, critical alert count
  • Voice — call quality metrics, queue abandon rates
  • Service — SLA compliance, ticket backlog trend

The score updates daily and includes a trend graph showing how health has changed over the past 90 days. Score bands: 90-100 (Excellent), 70-89 (Good), 50-69 (Needs Attention), below 50 (Critical).

Correlations

Navigation: Intelligence → Correlations

Intelligence identifies relationships between data from different modules that would be invisible when viewing each module in isolation. Examples:

  • Matching Intune device records against Tenable vulnerability findings to show which specific devices carry which CVEs
  • Correlating risky sign-in events with backup job failures to identify potential compromise indicators
  • Linking authentication failures from the DC Agent with Entra ID risk detections for the same user
  • Connecting device non-compliance with security incident timelines
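To illustrate the third correlation in the list (on-premises authentication failures linked to Entra ID risk detections for the same user), here is an added sketch that is not Meridian's correlation engine. The one-hour window, the account-to-UPN map and all sample records are assumptions constructed for the example; the detection field names follow the Microsoft Graph riskDetection resource.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)  # assumption: how close in time the two signals must be
RISK_ORDER = {"high": 0, "medium": 1, "low": 2}

# Constructed map from sAMAccountName to UPN (in practice, the synced user inventory).
SAM_TO_UPN = {
    "bob": "bob@contoso.example",
    "carol": "carol@contoso.example",
}

# Constructed DC failures: (UTC time, account exactly as the DC logged it).
DC_FAILURES = [
    ("2024-05-01T08:01:10", r"CONTOSO\bob"),
    ("2024-05-01T08:01:12", r"CONTOSO\bob"),
    ("2024-05-01T08:01:14", r"contoso\Bob"),
    ("2024-05-01T08:03:00", r"CONTOSO\ghost"),        # no matching directory user
    ("2024-05-01T08:05:30", "carol"),
    ("2024-05-01T09:00:00", "erin@contoso.example"),  # logged in UPN form
    ("2024-05-01T13:00:00", r"CONTOSO\bob"),          # hours after the detection
]

# Constructed Entra ID Protection detections (UTC).
RISK_DETECTIONS = [
    {"userPrincipalName": "erin@contoso.example", "riskLevel": "medium",
     "riskEventType": "unfamiliarFeatures", "activityDateTime": "2024-05-01T09:30:00"},
    {"userPrincipalName": "Bob@contoso.example", "riskLevel": "high",
     "riskEventType": "passwordSpray", "activityDateTime": "2024-05-01T08:20:00"},
    {"userPrincipalName": "carol@contoso.example", "riskLevel": "medium",
     "riskEventType": "unfamiliarFeatures", "activityDateTime": "2024-05-01T15:00:00"},
    {"userPrincipalName": "dave@contoso.example", "riskLevel": "low",
     "riskEventType": "unfamiliarFeatures", "activityDateTime": "2024-05-01T08:10:00"},
]


def to_upn(account):
    """Normalise DOMAIN\\user, bare user, or UPN to a lower-case UPN (None if unknown)."""
    name = account.rsplit("\\", 1)[-1].lower()
    return name if "@" in name else SAM_TO_UPN.get(name)


def correlate(failures, detections, window=WINDOW):
    """Return (findings, unmapped): detections with DC failures nearby in time."""
    by_user, unmapped = {}, set()
    for ts, account in failures:
        upn = to_upn(account)
        if upn is None:
            unmapped.add(account.rsplit("\\", 1)[-1].lower())
            continue
        by_user.setdefault(upn, []).append(datetime.fromisoformat(ts))

    findings = []
    for det in detections:
        upn = det["userPrincipalName"].lower()
        when = datetime.fromisoformat(det["activityDateTime"])
        nearby = [t for t in by_user.get(upn, []) if abs(t - when) <= window]
        if nearby:
            findings.append({
                "user": upn,
                "risk_level": det["riskLevel"],
                "risk_event": det["riskEventType"],
                "dc_failures": len(nearby),
                "first_failure": min(nearby).isoformat(),
            })
    # Highest cloud risk first, then the most on-premises failures.
    findings.sort(key=lambda f: (RISK_ORDER.get(f["risk_level"], 3), -f["dc_failures"]))
    return findings, unmapped


if __name__ == "__main__":
    results, unknown = correlate(DC_FAILURES, RISK_DETECTIONS)
    for finding in results:
        print(finding)
    print("accounts with no directory match:", sorted(unknown))
```

Failures against accounts that map to no directory user are returned separately rather than dropped, since attempts against non-existent names are a signal in their own right.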

Asset Risk

Navigation: Intelligence → Asset Risk

Every asset (device, server, VM) receives a risk score based on aggregated data: compliance state, vulnerability findings, backup status, security detections, and patch level. Assets are ranked from highest to lowest risk, making it easy to prioritise remediation efforts.

User Risk

Navigation: Intelligence → User Risk

User-level risk scoring combining Entra ID Protection risk signals, MFA registration status, authentication failure patterns, and assigned device compliance. Users with high risk scores should be prioritised for security review.

Exposure Analysis

Navigation: Intelligence → Exposure

Calculates your organisation's overall security exposure by combining data from Secure Score, vulnerability findings, unprotected assets, and Conditional Access gaps. Provides a clear view of where your attack surface is largest and which actions will have the most impact on reducing it.

Compliance Frameworks

Navigation: Intelligence → Compliance

Map your current posture against industry compliance frameworks such as Cyber Essentials, ISO 27001, NIST CSF, and CIS Controls. Intelligence automatically evaluates which controls are satisfied based on your current configuration and data, and highlights gaps that need attention.

Benchmarking

Navigation: Intelligence → Benchmarking

Compare your Health Score and individual module metrics against anonymised aggregates from similar organisations. See whether your MFA adoption, compliance percentage, or backup success rate is above or below the median for organisations of your size and industry.

Licence Optimisation

Navigation: Intelligence → Licence Optimisation

Analyses your Microsoft 365 licence assignments to identify waste and opportunity: users with expensive licences who do not use the premium features, unassigned licences that could be reclaimed, and opportunities to downgrade or right-size SKUs. Provides estimated monthly savings and recommended actions.

Executive Reports

Navigation: Intelligence → Executive Reports

Polished, PDF-format reports designed for leadership review. Include your Health Score, module summaries, key metrics, trend charts, compliance status, and recommended actions. Can be scheduled for automatic generation and email delivery on a weekly, monthly, or quarterly cadence.

AI Copilot

Navigation: Intelligence → Copilot

The AI Copilot is a natural-language interface to your Meridian data. Ask questions in plain English and receive answers drawn from your tenant's data. Examples:

  • "Which users have no MFA registered and signed in from outside the UK this week?"
  • "Show me devices that are non-compliant and have critical vulnerabilities"
  • "What is our backup success rate for the last 30 days?"
  • "Summarise the security incidents from the past week"

Copilot generates responses using your data and can produce charts, tables, and follow-up recommendations. All queries are processed against your tenant's data only — no data is shared between tenants.


Tickets

Manage service desk tickets sourced from your PSA or ITSM platform. Create, track, and resolve tickets with SLA tracking and automatic alert-driven creation.

Data Sources
ConnectWise Manage, Datto Autotask, Halo PSA, ManageEngine ServiceDesk Plus, FreshService, ServiceNow. Minimum role: Helpdesk.

Dashboard

Navigation: Service → Dashboard

Open tickets count, tickets opened/closed today, SLA breach risk count, breached ticket count, average response time (7 days), average resolution time (7 days), and a 30-day ticket backlog trend graph.

Ticket List

Navigation: Service → Tickets

All tickets from connected PSA/ITSM platforms. Columns: ticket ID, subject, status (Open / In Progress / Pending / Resolved / Closed), priority (Critical / High / Medium / Low), customer, contact, assigned technician, created date, last updated, and SLA status (On Track / At Risk / Breached).

Filter by status, priority, SLA state, assigned technician, or date range. Search by ticket ID, subject, or customer name.

Ticket Detail

Click a ticket to see: full description and notes, activity timeline with all updates and responses, SLA countdown timers for response and resolution targets, time entries logged against the ticket, and a link to view/update the ticket in the source PSA platform.

Status Lifecycle

Tickets follow a standard lifecycle: Open (newly created) → In Progress (being worked on) → Pending (awaiting customer response or external action) → Resolved (fix applied, awaiting confirmation) → Closed (complete). The SLA clock pauses when a ticket is in Pending status.

Auto-Creation from Alerts

Meridian can automatically create tickets in your PSA when certain alerts fire. Configure this in Settings → Notifications by mapping notification categories (backup failures, security incidents, monitoring alerts) to ticket creation rules. When the alert fires, a ticket is created in your PSA with the alert details pre-populated.

Tip
Tickets in Meridian are read-only reflections of your PSA data. All updates, replies, and status changes must be made in your PSA platform. Changes sync to Meridian within 15-30 minutes.

Knowledge Base

Create and manage internal knowledge base articles for your team and end users. Categorise, search, and track article helpfulness.

Overview

The Knowledge Base in Meridian Cloud allows you to build an internal library of articles that your team and end users can search and browse. Articles are organised into categories and can be set to internal-only (visible to IT staff) or public (visible to self-service users).

Creating Articles

Navigation: Service → Knowledge Base → New Article

  1. Click New Article in the top-right corner
  2. Enter a title and select a category (or create a new one)
  3. Write the article content using the rich text editor — supports headings, lists, code blocks, images, and tables
  4. Set visibility: Internal (IT staff only) or Public (visible to self-service users)
  5. Optionally add tags for improved searchability
  6. Click Publish (or Save Draft to continue editing later)

Categories

Organise articles into categories such as "Getting Started", "Password Reset", "VPN", "Printers", etc. Categories appear in the sidebar of the Knowledge Base view and can be reordered. Each category can have a description and icon.

The Knowledge Base has its own search that indexes article titles, body content, and tags. Results are ranked by relevance. When users search the global search bar, Knowledge Base articles also appear in results alongside users, devices, and tickets.

Helpful Ratings

Each article has a "Was this helpful?" prompt at the bottom with Yes/No options. Ratings are tracked per article and displayed in the article list so you can identify articles that need improvement. Articles with low helpfulness ratings should be reviewed and updated.


SLA Policies

Configure and track response and resolution time targets per ticket priority. Monitor compliance and identify breaches before they escalate.

How SLAs Work

Service Level Agreements define the maximum time allowed for a first response and for full resolution, based on ticket priority. Meridian reads SLA policies from your connected PSA platform and tracks compliance in real time.

Default SLA Targets

| Priority | Response Time | Resolution Time |
|---|---|---|
| Critical | 15 minutes | 4 hours |
| High | 1 hour | 8 hours |
| Medium | 4 hours | 24 hours |
| Low | 8 hours | 72 hours |

These are example defaults. Actual targets are configured in your PSA platform and may vary by customer or contract.

SLA Tracking

Navigation: Service → SLA

The SLA page shows: overall compliance percentage for the selected period, compliance broken down by priority and by customer, a 90-day trend chart, and lists of at-risk and breached tickets.

At-risk tickets are those within 25% of their SLA deadline. Breached tickets show how far past the deadline they are and which target was missed (response, resolution, or both).

Configuration

SLA policies are managed in your source PSA platform (ConnectWise, Autotask, Halo, etc.) and synced to Meridian. Meridian does not allow direct editing of SLA policies to avoid conflicts with your PSA configuration. To change SLA targets, update them in your PSA and they will sync within 30 minutes.


Report Builder

Build custom reports by choosing templates, selecting data sections, and scheduling delivery to stakeholders.

Overview

The Report Builder lets you create professional reports from your Meridian data. Choose from pre-built templates or start from scratch, select which data sections to include, customise the layout and branding, then schedule the report for one-time or recurring generation.

Templates

Meridian provides several report templates out of the box:

  • Executive Summary — high-level health metrics, trends, and key findings
  • Security Posture — Secure Score, incidents, threats, risky sign-ins, recommendations
  • Compliance Report — device compliance, policy adherence, outstanding actions
  • Backup Status — success rates, failed jobs, assets at risk, restore history
  • Identity Overview — user counts, MFA adoption, licence utilisation, sign-in analytics
  • Voice Operations — call volumes, queue performance, quality metrics
  • Service Desk Performance — ticket volumes, SLA compliance, response times

Selecting Sections

Each template contains sections that can be individually toggled on or off. For example, the Executive Summary template includes sections for Health Score, Identity Overview, Endpoint Compliance, Backup Status, and Security Posture. You can remove any section that is not relevant and reorder the remaining sections.

Scheduling

Reports can be generated on demand or scheduled for recurring delivery:

  • One-time — generate immediately and download
  • Weekly — generated every Monday at 06:00 UTC and emailed to recipients
  • Monthly — generated on the 1st of each month
  • Quarterly — generated on the 1st of January, April, July, and October

Recipients

Add email addresses for report delivery. Recipients do not need a Meridian account — the report is sent as a PDF attachment. You can add internal team members, executives, and external stakeholders (e.g., customers for MSPs).


Scheduled Reports

Automatically generate and deliver reports on a weekly, monthly, or quarterly cadence to keep stakeholders informed without manual effort.

How It Works

Scheduled reports are generated by Meridian's background processing service. At the scheduled time, the system compiles data for the reporting period, renders the report using the selected template and sections, converts it to PDF, and sends it to all configured recipients via email through the SMTP2GO service.

Managing Schedules

Navigation: Reports → Scheduled Reports

View all active report schedules. Each entry shows the report name, template, cadence (weekly/monthly/quarterly), next scheduled generation date, recipient count, and status (Active / Paused). Click to edit the schedule, update recipients, or pause/resume generation.

Generation History

Each scheduled report maintains a history of past generations. View the date, recipient list, delivery status, and download a copy of any previously generated report as PDF.

Email Delivery

Reports are delivered from alerts@meridiancloud.tech with the subject line matching the report name. The email body contains a brief summary with key metrics and the full report is attached as a PDF. MSPs can customise the sender display name and logo through the Branding settings.


Executive Reports

Professional, branded PDF reports designed for leadership review. Health scores, module summaries, trend charts, compliance status, and recommended actions.

What is Included

Executive reports are curated summaries designed for non-technical stakeholders. They include:

  • Health Score — the composite score with trend over the reporting period
  • Module Summaries — one-paragraph status for each active module with key metrics
  • Key Metrics — total users, device compliance, backup success rate, Secure Score, SLA compliance
  • Trend Charts — visual charts showing metric movement over time
  • Compliance Status — framework compliance percentage (Cyber Essentials, ISO 27001, etc.)
  • Top Recommendations — the three highest-impact actions to improve health
  • Incident Summary — notable security incidents and resolutions

PDF Format & Branding

Reports are generated as multi-page PDF documents. MSPs can apply their own branding: logo in the header, custom accent colour, company name, and contact information. Each customer's report is branded consistently with the MSP's settings.

The PDF includes a cover page with the report title and date range, a table of contents, and section pages with metric cards, charts, and commentary. Charts are rendered server-side as high-resolution images for print quality.

Scheduling Executive Reports

Executive reports can be generated on demand or scheduled. Most organisations schedule them monthly for board meetings or quarterly for business reviews. Configure in Intelligence → Executive Reports → Schedule.


Integration Catalogue

All available integrations, categories, connection methods, and which modules they power.

Overview

Navigation: Settings → Integrations

The Integration Catalogue is the central place to connect, disconnect, and manage all data sources. Each integration is shown as a tile with its current status: Connected (green), Warning (amber), Error (red), or Not Connected (grey).

Categories

Category | Integrations | Modules Powered
Microsoft 365 | Entra ID, Intune, Teams, Defender, Secure Score, Purview | Identity, Endpoint, Voice, Secure
On-premises | DC Agent (Active Directory, Certificate Authority) | Identity, Secure
Backup | Veeam B&R, Veeam M365, Datto BCDR, Acronis, M365 Backup | Protect
Security | Microsoft Sentinel, Tenable.io, SentinelOne, CrowdStrike | Secure, Endpoint
PSA / ITSM | ConnectWise, Autotask, Halo, ServiceDesk Plus, FreshService, ServiceNow | Service
Monitoring | Checkmk, PRTG, Grafana, Azure Monitor | Monitor
Communications | Zoom Phone, Webex Calling, Twilio | Voice
HR | BambooHR, Okta | Identity

Connection Methods

Integrations connect in three ways:

  • Consent-based (Microsoft 365) — automatic via Microsoft admin consent; no credentials to enter
  • Credential-based — provide API keys, OAuth credentials, or username/password through the tile setup wizard
  • Agent-based (DC Agent) — generate an invite token in Meridian and install the agent on your servers

All credentials are encrypted in Azure Key Vault and never shown after initial entry.

Microsoft Graph Integration

The core connection that powers Identity, Endpoint, Voice, and Secure modules. Consent flow, permissions, and sync behaviour.

The Core Connection

Microsoft Graph is the foundation of all Microsoft 365 data in Meridian Cloud. Virtually all data from Microsoft cloud services flows through the Graph API. This integration is activated automatically when admin consent is granted during onboarding — you do not enter any credentials.

Consent is a one-time action performed by a Global Administrator. It authorises the Meridian Sync application to read your Microsoft 365 data using application-level permissions. Optional permissions can be added later through incremental consent without revoking the original grant.

For detailed consent steps, see Onboarding Flow.

Permissions

For a complete permission reference, see Graph API Permissions Reference.

Summary: 9 required read-only permissions for core functionality, plus 5 optional permissions for security and risk features.

Sync Behaviour

Data is refreshed on a schedule: users and policies every 4 hours, devices every 2 hours, call records every hour, licences and Secure Score every 24 hours. The first sync runs immediately after consent. Manual sync can be triggered from Settings → Integrations → Microsoft Graph → Sync Now.

Conditional Access Compatibility

Meridian Sync is a service principal and does not interact with user-targeted Conditional Access policies. However, policies that apply to "All service principals" can block the sync service. If you see authentication errors after applying new CA policies, check whether they apply to service principals and exclude Meridian Sync if necessary.

Third-Party Integrations

Setup guides for all API-based integrations. Credentials are stored encrypted in Azure Key Vault and never shown after entry.

Credential Security

All credentials entered in Meridian are encrypted at rest using Azure Key Vault, never logged, never shown after initial entry, and isolated per tenant. If you believe credentials have been compromised, rotate them in the third-party system first, then update in Meridian via the Update Credentials option.

Microsoft Sentinel

Category: Security / SIEM | Modules: Secure → Incidents

Create an Azure App Registration with Microsoft Sentinel Reader role on your workspace. Provide: Azure Client ID, Client Secret, Tenant ID, Subscription ID, and Workspace Resource ID.

Veeam Backup & Replication

Category: Backup | Modules: Protect

Requires Veeam 12.x or later with REST API on port 9419. Create a Veeam Backup Viewer account. Provide: server URL (including port), username, and password.

Veeam Backup for Microsoft 365

Category: Backup | Modules: Protect

Requires Veeam for M365 v7 or later. Generate an API token in the console. Provide: server URL and API token.

Datto BCDR

Category: Backup | Modules: Protect

Generate API keys in the Datto partner portal. Provide: URL, Public Key, Private Key.

Acronis Cyber Protect

Category: Backup | Modules: Protect

Create a service account with Read-Only Administrator role. Provide: Acronis URL, Username, Password.

Tenable.io

Category: Security | Modules: Endpoint → Vulnerabilities

Generate Access Key and Secret Key in Tenable.io settings. Provide: Base URL, Access Key, Secret Key. Standard user role is sufficient.

SentinelOne

Category: Security / EDR | Modules: Secure, Endpoint

Create a service user with Viewer role. Provide: management console URL and API Token.

CrowdStrike Falcon

Category: Security / EDR | Modules: Secure, Endpoint

Create an API client with read-only scopes for Detections, Hosts, Incidents, and Device Control Policies. Provide: Base URL, Client ID, Client Secret.

PSA / ITSM Integrations

ConnectWise Manage, Datto Autotask, Halo PSA, ManageEngine ServiceDesk Plus, FreshService, and ServiceNow each have specific setup steps. Generally: create a dedicated API user with read access, generate API credentials, and enter them in Meridian. See the tiles in Settings → Integrations for platform-specific instructions.

Monitoring Integrations

Supported platforms and the credential each one needs: Checkmk (automation token), PRTG (API token), Grafana (service account token), and Azure Monitor (app registration with Monitoring Reader role). Multiple monitoring platforms can be connected simultaneously — data merges into the unified Monitor view.

Webhooks

Create webhook subscriptions to send real-time event data to external systems — ticketing, chat, automation, or custom applications.

Overview

Navigation: Settings → Webhooks (minimum role: ITManager)

Webhooks allow Meridian to POST JSON event payloads to your specified URL when certain events occur. Use them to integrate with Teams channels, Slack, Power Automate, Zapier, or custom applications.

Creating a Webhook

  1. Click New Webhook
  2. Enter a descriptive name and the destination URL
  3. Select which event types should trigger the webhook (e.g., backup failures, security incidents)
  4. Optionally add a shared secret for payload signature verification
  5. Click Save

Payload Format

Meridian sends a JSON POST for each triggered event:

{
  "event": "backup.job.failed",
  "timestamp": "2026-03-19T14:32:00Z",
  "tenantId": "abc123",
  "data": {
    "jobName": "Daily VM Backup",
    "platform": "Veeam",
    "error": "Cannot connect to target repository"
  }
}

Signature Verification

If you set a shared secret when creating the webhook, Meridian signs each payload with HMAC-SHA256 and includes the signature in the X-Meridian-Signature header. Verify this signature in your receiving application to confirm payloads are genuine.
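
A receiver-side check for the signature described above, as an added example rather than Meridian's own code. It assumes the header carries the hex-encoded HMAC-SHA256 of the raw request body and applies a five-minute freshness window to the payload timestamp; neither detail is stated on this page, and the secret and sample delivery are constructed.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

SIGNATURE_HEADER = "X-Meridian-Signature"  # header name from the page
# ASSUMPTIONS (not stated on the page): the header value is the lowercase hex
# HMAC-SHA256 of the raw request body, and five minutes is an acceptable
# freshness window. Confirm the encoding with a Test delivery.
MAX_AGE = timedelta(minutes=5)

# Constructed sample input: the payload shown under Payload Format and a
# made-up secret. Neither is a real delivery.
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_BODY = (
    b'{"event":"backup.job.failed","timestamp":"2026-03-19T14:32:00Z",'
    b'"tenantId":"abc123","data":{"jobName":"Daily VM Backup",'
    b'"platform":"Veeam","error":"Cannot connect to target repository"}}'
)
SAMPLE_NOW = datetime(2026, 3, 19, 14, 33, tzinfo=timezone.utc)


class WebhookRejected(Exception):
    """The delivery failed verification and must not be processed."""


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 over the exact bytes received, before any JSON parsing."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_delivery(secret, headers, raw_body, now=None, allowed_events=None):
    """Return the parsed payload, or raise WebhookRejected."""
    lowered = {name.lower(): value for name, value in headers.items()}
    supplied = lowered.get(SIGNATURE_HEADER.lower(), "").strip().lower()
    if not supplied:
        raise WebhookRejected("missing signature header")

    expected = compute_signature(secret, raw_body)
    # Constant-time comparison; bytes on both sides so a non-ASCII header
    # value is rejected instead of raising TypeError.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        raise WebhookRejected("signature mismatch")

    # Only parse the body once it is known to come from the secret holder.
    try:
        payload = json.loads(raw_body)
        sent_at = datetime.strptime(
            payload["timestamp"], "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
        event = payload["event"]
    except (ValueError, KeyError, TypeError) as exc:
        raise WebhookRejected(f"malformed payload: {exc}") from exc

    # A valid signature does not expire on its own, so bound the age of the
    # signed timestamp to limit replay of a captured delivery.
    now = now or datetime.now(timezone.utc)
    if abs(now - sent_at) > MAX_AGE:
        raise WebhookRejected("timestamp outside freshness window")

    if allowed_events is not None and event not in allowed_events:
        raise WebhookRejected(f"unsubscribed event type: {event}")
    return payload


if __name__ == "__main__":
    good = {SIGNATURE_HEADER: compute_signature(SAMPLE_SECRET, SAMPLE_BODY)}
    print(verify_delivery(SAMPLE_SECRET, good, SAMPLE_BODY, now=SAMPLE_NOW)["event"])
    try:
        verify_delivery(SAMPLE_SECRET, good, SAMPLE_BODY + b" ", now=SAMPLE_NOW)
    except WebhookRejected as exc:
        print("rejected:", exc)
```

Pass the request body exactly as received; re-serialising the parsed JSON changes the bytes and the signature will no longer match.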

Testing

Use the Test button on any webhook to send a sample payload and verify it is received. The webhook log shows the last 50 deliveries with HTTP response codes.

Event Types

Event | Description
backup.job.failed | A backup job completed with failure status
backup.asset.atrisk | An asset has not been backed up within the threshold
security.incident.created | A new security incident was detected
security.threat.detected | A new endpoint threat was found
identity.risky.signin | A risky sign-in was flagged
monitor.check.critical | A health check entered Critical state
monitor.host.offline | A monitored host went offline
agent.offline | A DC Agent stopped sending heartbeats
ca.crl.expiring | CRL is approaching expiry
integration.sync.failed | An integration failed its sync

Public API Overview

Authenticate, paginate, and integrate with the Meridian Cloud REST API. Build custom integrations and automate workflows.

Base URL

https://api.meridiancloud.tech/v1

Authentication

All API requests require an API key passed in the Authorization header:

Authorization: Bearer mk_live_abc123...

API keys are created in Settings → Developer → API Keys. Each key can be scoped to specific modules and operations.

Rate Limits

Plan | Requests/minute | Requests/day
Standard | 60 | 10,000
Professional | 120 | 50,000
Enterprise | 300 | 200,000

When rate limited, the API returns HTTP 429 with a Retry-After header indicating how many seconds to wait.

Pagination

List endpoints return paginated results. Use page and pageSize query parameters:

GET /v1/identity/users?page=1&pageSize=50

The response includes totalCount, page, pageSize, and totalPages in the response body.

Error Handling

Errors return standard HTTP status codes with a JSON body:

{
  "error": {
    "code": "RESOURCE_NOT_FOUND",
    "message": "User with ID 'abc123' was not found",
    "status": 404
  }
}

Code | Meaning
400 | Bad request — check your parameters
401 | Unauthorised — invalid or missing API key
403 | Forbidden — API key does not have permission for this operation
404 | Resource not found
429 | Rate limited — wait and retry
500 | Internal server error — contact support

Filtering & Sorting

Most list endpoints support filtering via query parameters and sorting via the orderBy parameter:

GET /v1/endpoint/devices?complianceState=nonCompliant&orderBy=lastCheckIn desc
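
A client loop covering the rate-limit, pagination, and error-body behaviour described above, as an added example rather than an official Meridian SDK. The `items` field name, the `MERIDIAN_API_KEY` variable name, and the fake transport that lets the demo run offline are assumptions; the page does not name the array that holds list results.

```python
import json
import os
import time
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://api.meridiancloud.tech/v1"  # from the page
ITEMS_FIELD = "items"  # ASSUMPTION: the page does not name the result array
MAX_RETRIES = 5        # local choice, not a Meridian value


class ApiError(Exception):
    def __init__(self, status, code, message):
        super().__init__(f"{status} {code}: {message}")
        self.status, self.code = status, code


def urllib_transport(url, headers):
    """Real HTTPS GET returning (status, headers, body bytes)."""
    request = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(request, timeout=30) as response:
            return response.status, dict(response.headers), response.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()


def get_json(url, api_key, transport, sleep):
    """GET one URL, honouring Retry-After on HTTP 429."""
    headers = {"Authorization": f"Bearer {api_key}"}
    for _ in range(MAX_RETRIES + 1):
        status, response_headers, body = transport(url, headers)
        if status == 429:
            lowered = {k.lower(): v for k, v in response_headers.items()}
            try:
                wait = max(1, int(lowered.get("retry-after", "1")))
            except ValueError:
                wait = 1  # unparseable header: back off briefly anyway
            sleep(wait)
            continue
        if status >= 400:
            try:
                error = json.loads(body)["error"]
                code, message = error["code"], error["message"]
            except (ValueError, KeyError, TypeError):
                code, message = "UNKNOWN", "unparseable error body"
            raise ApiError(status, code, message)
        return json.loads(body)
    # Local code, not one the API returns.
    raise ApiError(429, "CLIENT_RETRIES_EXHAUSTED", "still rate limited")


def list_all(path, api_key, transport=urllib_transport, page_size=50,
             filters=None, sleep=time.sleep):
    """Collect every item from a paginated list endpoint."""
    items, page = [], 1
    while True:
        query = dict(filters or {}, page=page, pageSize=page_size)
        url = f"{BASE_URL}{path}?{urllib.parse.urlencode(query)}"
        body = get_json(url, api_key, transport, sleep)
        items.extend(body[ITEMS_FIELD])
        if page >= body["totalPages"]:
            return items
        page += 1


def make_fake_transport(total=120):
    """Constructed stand-in for the API: `total` users, one 429 on page 2."""
    state = {"throttled": False, "auth": []}

    def transport(url, headers):
        state["auth"].append(headers.get("Authorization"))
        query = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
        page, size = int(query["page"][0]), int(query["pageSize"][0])
        if page == 2 and not state["throttled"]:
            state["throttled"] = True
            return 429, {"Retry-After": "2"}, b""
        start = (page - 1) * size
        users = [{"id": f"user_{n}"} for n in range(start, min(start + size, total))]
        body = {ITEMS_FIELD: users, "totalCount": total, "page": page,
                "pageSize": size, "totalPages": -(-total // size)}
        return 200, {}, json.dumps(body).encode()

    return transport, state


if __name__ == "__main__":
    # MERIDIAN_API_KEY is a hypothetical variable name; the fallback is constructed.
    key = os.environ.get("MERIDIAN_API_KEY", "mk_test_constructed")
    fake, _ = make_fake_transport()
    waits = []
    users = list_all("/identity/users", key, fake, sleep=waits.append)
    print(len(users), "users; waited", waits)
```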

API Key Management

Create, scope, and revoke API keys for programmatic access to Meridian Cloud.

Creating an API Key

Navigation: Settings → Developer → API Keys

  1. Click Create API Key
  2. Enter a descriptive name (e.g., "Reporting Integration", "Monitoring Script")
  3. Select the scope — choose which modules and operations the key can access
  4. Click Generate
  5. Copy the key immediately — it is only shown once and cannot be retrieved later

Important
The API key is shown only once at creation. Store it securely. If you lose it, you must revoke it and create a new one.

Key Scoping

Each API key can be scoped to specific modules:

  • Identity — read users, groups, MFA status, licences
  • Endpoint — read devices, compliance, vulnerabilities
  • Voice — read voice users, numbers, queues, call records
  • Tickets — read tickets, SLA data, time entries
  • All — access all modules (use with caution)

Revoking a Key

Click the menu next to any key and select Revoke. Revocation is immediate — all requests using that key will receive a 401 error. Revoked keys cannot be reinstated; create a new one if needed.

Best Practices

  • Create separate keys for each integration or script
  • Use the narrowest scope possible
  • Rotate keys periodically (revoke old, create new)
  • Never commit API keys to source control
  • Use environment variables or secret managers to store keys

API Reference

All public REST API endpoints for Voice, Identity, Endpoint, and Tickets.

Identity Endpoints

Method | Endpoint | Description
GET | /v1/identity/users | List all users (paginated)
GET | /v1/identity/users/{id} | Get a specific user by ID
GET | /v1/identity/users/{id}/mfa | Get MFA methods for a user
GET | /v1/identity/licences | List all licence subscriptions
GET | /v1/identity/conditional-access | List Conditional Access policies
GET | /v1/identity/risky-signins | List risky sign-in events

Endpoint Endpoints

Method | Endpoint | Description
GET | /v1/endpoint/devices | List all devices (paginated)
GET | /v1/endpoint/devices/{id} | Get a specific device
GET | /v1/endpoint/compliance | List compliance policies with device counts
GET | /v1/endpoint/vulnerabilities | List vulnerability findings

Voice Endpoints

Method | Endpoint | Description
GET | /v1/voice/users | List voice-enabled users
GET | /v1/voice/numbers | List phone numbers
GET | /v1/voice/queues | List call queues
GET | /v1/voice/auto-attendants | List auto attendants
GET | /v1/voice/call-records | List call records

Ticket Endpoints

Method | Endpoint | Description
GET | /v1/tickets | List all tickets (paginated)
GET | /v1/tickets/{id} | Get a specific ticket
GET | /v1/tickets/sla | Get SLA compliance summary

Webhook Events

Complete reference of all webhook event types with payload examples.

Common Payload Structure

All webhook payloads share a common envelope:

{
  "id": "evt_abc123",
  "event": "event.type.name",
  "timestamp": "2026-03-28T10:30:00Z",
  "tenantId": "tenant_xyz",
  "data": { ... }
}

Backup Events

backup.job.failed

Fired when a backup job completes with a failure status.

{
  "event": "backup.job.failed",
  "data": {
    "jobId": "job_123",
    "jobName": "Daily VM Backup",
    "platform": "Veeam",
    "startedAt": "2026-03-28T02:00:00Z",
    "error": "Cannot connect to target repository",
    "objectsFailed": 3,
    "objectsTotal": 15
  }
}

Security Events

security.incident.created

{
  "event": "security.incident.created",
  "data": {
    "incidentId": "inc_456",
    "title": "Suspicious sign-in from Tor exit node",
    "severity": "high",
    "source": "Sentinel",
    "alertCount": 3,
    "affectedEntities": ["user@company.com", "10.0.0.5"]
  }
}

security.threat.detected

{
  "event": "security.threat.detected",
  "data": {
    "threatName": "Trojan:Win32/Emotet",
    "severity": "critical",
    "deviceName": "DESKTOP-ABC123",
    "userName": "jsmith@company.com",
    "source": "Defender"
  }
}

Identity Events

identity.risky.signin

{
  "event": "identity.risky.signin",
  "data": {
    "userId": "user_789",
    "userPrincipalName": "admin@company.com",
    "riskLevel": "high",
    "riskDetail": "Impossible travel",
    "ipAddress": "192.168.1.1",
    "location": "Lagos, Nigeria"
  }
}

Monitor Events

monitor.check.critical

{
  "event": "monitor.check.critical",
  "data": {
    "checkName": "CPU Usage",
    "hostName": "web-server-01",
    "platform": "Checkmk",
    "output": "CPU usage 97% for 15 minutes",
    "previousState": "warning"
  }
}

General Settings

Notification preferences, timezone, language, and other organisation-wide settings.

Notification Preferences

Navigation: Settings → Notifications

Configure which events send notifications and through which channels (email or webhook). Categories include: backup failures, security alerts, identity alerts, monitoring alerts, integration errors, DC Agent offline, and CA health warnings. Each category can have independent channels.

Timezone

Set your organisation's timezone in Settings → General. This affects how dates and times are displayed throughout the portal, when scheduled reports are generated, and when SLA timers are evaluated. Default: UTC.

Language

Meridian Cloud is available in English (UK). The interface language can be set per organisation. Additional languages will be added in future releases.

Data Retention

Configure how long different data types are retained before automatic deletion:

Data Type | Default | Range
Security event log entries | 90 days | 30-365 days
Backup job history | 90 days | 30-365 days
Call records | 180 days | 30-365 days
Audit log | 365 days | Not configurable
CA health snapshots | 30 days | 7-90 days

Branding

Customise the Meridian portal with your logo, colours, domain, and email branding. Available to MSP accounts.

Overview

Navigation: Settings → Branding (MSP accounts only)

MSPs can white-label the Meridian portal so customers see the MSP's brand instead of the default Meridian branding. Branding applies to the customer portal view only — the MSP management console always uses Meridian's default branding.

Upload your company logo (recommended size: 200x50px, PNG or SVG). It appears in the portal sidebar header and the login page. A square icon variant (50x50px) is also recommended for the browser favicon and PWA icon.

Custom Colours

Set your primary accent colour. This replaces the default indigo (#6366f1) throughout the portal for buttons, links, active states, and highlights. Provide a hex colour code.

Company Name

Your company name appears in the browser tab title, portal header, login page, and generated reports.

Email Branding

Transactional emails (alerts, reports, invitations) can display your company name and logo in the email header and footer. The sender address remains alerts@meridiancloud.tech but the display name shows your company name.

Support Contact

Set a support email address and phone number that appear on the help page within the customer portal, replacing Meridian's default support contact information.

Connection Settings

View Microsoft 365 connection status, consented permissions, and manage integration health.

Connection Status

Navigation: Settings → Connection

This page shows the current status of your Microsoft 365 connection: whether admin consent has been granted, which permissions are active, when the last successful sync occurred, and whether there are any errors.

Consented Permissions

View a list of all permissions that have been granted through admin consent. Each permission shows the scope name, description, which module uses it, and when it was consented. If optional permissions have not been granted, they appear as "Not Consented" with a button to initiate incremental consent.

Integration Health

Each connected integration shows its current health: last successful sync time, sync duration, any error messages, and a history of recent sync attempts. If an integration shows persistent errors, check the error message for guidance (common issues include expired credentials, network connectivity, and insufficient permissions).

Reconnecting

If the Microsoft 365 connection is lost (consent revoked, certificate expired, etc.), click Reconnect to re-initiate the consent flow. This grants fresh consent without affecting existing data in Meridian.

Security Settings

Data deletion (GDPR), session management, IP allowlists, and account security configuration.

Session Timeout

Configure how long inactive sessions remain valid before requiring re-authentication. Default: 8 hours. Range: 1-24 hours. Users who exceed the timeout are redirected to the Microsoft sign-in page.

IP Allowlist

Optionally restrict portal access to specific IP addresses or CIDR ranges. When enabled, sign-in attempts from non-allowlisted IPs are blocked. This is useful for organisations that want to ensure portal access only from their corporate network or VPN.

Warning
Before enabling the IP allowlist, ensure your current IP is included. Locking yourself out requires contacting support to remove the restriction.

MFA Enforcement

Meridian can require that all portal users have MFA registered in Microsoft Entra ID. This is enforced at sign-in — users without MFA are directed to register before accessing the portal. Note that this is enforced through your tenant's Conditional Access policies, not by Meridian directly.

Data Deletion (GDPR)

Under Settings → Security → Data Management, TenantAdmins can request complete deletion of all data associated with their tenant. This is an irreversible action that removes all synced data, configuration, users, and audit logs. A 7-day cooling-off period applies before deletion is executed, during which the request can be cancelled.

Account Management

TenantAdmins can view and manage account-level settings including subscription status, usage statistics, and the ability to export all data before account closure.

Developer Settings

API keys, webhook configuration, and API usage monitoring.

Overview

Navigation: Settings → Developer

The Developer settings page provides access to all programmatic integration capabilities: API key management, webhook configuration, and usage statistics.

API Keys

Create, view, and revoke API keys. Each key shows its name, creation date, last used date, scope, and status (Active / Revoked). See API Key Management for detailed instructions.

Webhooks

Create and manage webhook subscriptions. See Webhooks for detailed instructions.

API Usage

Monitor your API consumption: requests per day, requests per minute (current), and total requests for the billing period. A usage chart shows daily request volume over the past 30 days. If you are approaching your plan's rate limits, consider upgrading or optimising your integration's polling frequency.

MSP Console

Manage multiple customer tenants, monitor health across your portfolio, and control billing and usage from a single pane of glass.

Multi-Tenant Dashboard

Navigation: MSP → Tenants

The MSP dashboard shows a grid of all managed customer organisations. Each tenant card displays: organisation name, Health Score, backup status indicator, open security incident count, device compliance percentage, DC Agent status, and last sync time. Click any card to switch into that tenant's environment.

Screenshot: MSP multi-tenant grid with health indicators

Tenant Switching

Click the organisation name in the top bar or use the sidebar tenant switcher to move between customers. Selecting a tenant switches all module data to that tenant's environment — you remain signed in and do not need to re-authenticate.

Managed Integrations

MSPs can configure integrations on behalf of customers. Integrations managed by the MSP appear as "Managed by MSP" in the customer's portal and cannot be modified by the customer. The customer can still manage their own user settings, notifications, and branding independently.

Billing & Usage

The MSP billing page shows total managed tenants, per-tenant module usage, aggregated billing, and Stripe payment status. MSPs can view invoices, update payment methods, and see per-tenant cost breakdowns.

Onboarding a Customer

  1. From the MSP console, click Add Tenant
  2. Enter the customer's organisation name and primary contact email
  3. Choose whether to perform Microsoft consent now or send an invitation to the customer's admin
  4. If consenting now, complete the admin consent flow using the customer's Global Admin credentials
  5. The tenant is created and appears in your multi-tenant grid

Platform Admin

Tenant management, sync job monitoring, KYC verification, and platform-wide notification settings.

Tenant Management

View all tenants on the platform, their subscription status, creation date, last activity, and module enablement. Filter by status (Active / Trial / Suspended / Cancelled) or search by name.

Sync Job Monitoring

Monitor the health of all background sync jobs across tenants. View job queues, processing times, failure rates, and retry counts. Identify stuck or failing syncs that need investigation.

KYC Verification

Before a new organisation can access production features, basic verification is required: confirmed domain ownership, valid billing information, and acceptance of terms of service. The KYC page shows verification status for each tenant and allows manual approval when automated checks cannot complete.

Platform Notifications

Configure platform-wide notification templates, email delivery settings, and system-level alerts. This includes maintenance window announcements, platform update notifications, and service health alerts that go to all tenants.

Billing & Licensing

Plans, pricing, Stripe integration, trial periods, and subscription management.

Plans

Meridian Cloud offers modular pricing. You pay a base platform fee plus per-module charges based on your usage:

Component | What It Covers
Base Platform | Portal access, Identity module, dashboard, user management, audit log
Voice Module | Teams Phone management, call analytics, queue/AA management
Secure Module | Security incidents, threats, Secure Score, authentication events
Protect Module | Backup monitoring across all connected providers
Service Module | Ticket aggregation, SLA tracking, time entries
Monitor Module | Infrastructure health checks, alert rules, status pages
Desktop Module | Azure Virtual Desktop management
Intelligence Module | Health scoring, correlations, compliance, AI Copilot

Trial Period

New organisations receive a 14-day free trial with full access to all modules. No credit card is required to start the trial. At the end of the trial, you select which modules to subscribe to and enter billing information. Data collected during the trial is preserved.

Stripe Integration

All billing is managed through Stripe. Meridian does not store payment card details directly. You can view invoices, update payment methods, and manage your subscription from Settings → Billing. Invoices are generated monthly and sent via email.

Managing Your Subscription

Add or remove modules at any time from Settings → Billing → Manage Subscription. Module additions take effect immediately. Module removals take effect at the end of the current billing period. Data for removed modules is retained per your data retention policy.

PWA Installation

Install Meridian Cloud as a Progressive Web App on iOS, Android, and desktop for native-like access.

What is a PWA

A Progressive Web App (PWA) is a web application that can be installed on your device and runs like a native app — with its own icon, window, and offline capability. Meridian Cloud supports PWA installation on all platforms.

iOS Installation

  1. Open portal.meridiancloud.tech in Safari
  2. Tap the Share button (box with upward arrow)
  3. Scroll down and tap Add to Home Screen
  4. Tap Add in the top-right corner

Meridian will appear as an app icon on your home screen. Tapping it launches in a full-screen browser without the Safari address bar.

Android Installation

  1. Open portal.meridiancloud.tech in Chrome
  2. Tap the three-dot menu in the top-right
  3. Tap Add to Home screen (or Install app if shown)
  4. Tap Install

Desktop Installation (Windows/macOS)

  1. Open portal.meridiancloud.tech in Edge or Chrome
  2. Click the install icon in the address bar (or use the browser menu → Install Meridian Cloud)
  3. Click Install

The app runs in its own window, separate from the browser, and appears in your taskbar/dock and Start menu/Applications folder.

Mobile Dashboard

Features available on mobile devices and how the responsive layout adapts.

Responsive Layout

On mobile devices, the sidebar collapses to a hamburger menu accessible from the top-left corner. The main content area uses a single-column layout optimised for touch. Tables scroll horizontally where needed.

Available Features

All Meridian Cloud features are available on mobile, including:

  • Home dashboard with metric cards
  • All module dashboards and detail pages
  • User, device, and ticket search
  • Notification centre
  • Tenant switching (MSP users)
  • Settings and configuration

Mobile-Optimised Views

Certain views are optimised for the mobile experience:

  • Metric cards stack vertically for easy scanning
  • Data tables show the most important columns with horizontal scroll for additional data
  • Charts resize to fit the screen width
  • Action buttons are touch-friendly with larger tap targets
  • Navigation uses a slide-out drawer instead of a fixed sidebar

Push Notifications

When installed as a PWA, Meridian can send push notifications for critical alerts (backup failures, security incidents, agent offline). Enable push notifications in your device's app settings after installing the PWA.

Data Residency

Where your data is stored and processed.

Storage Location

All Meridian Cloud data is stored in Microsoft Azure datacentres in the United Kingdom:

Tier | Region | Resources
Data tier | UK West | SQL Database, Key Vault, Storage Account, App Configuration
App tier | UK South | App Service, Function Apps, Application Insights

Data Residency Guarantee

Your data never leaves the UK Azure regions. All processing (API requests, background sync, report generation) occurs within these regions. Microsoft's Azure compliance certifications for the UK regions apply, including ISO 27001, SOC 2, and UK Cyber Essentials.

Replication & Backup

Azure SQL databases are backed up automatically by Azure with point-in-time restore capability. Storage accounts use Locally Redundant Storage (LRS) within the UK West region. Key Vault uses Azure's built-in geo-replication for disaster recovery.

GDPR Compliance

Right to erasure, data export, retention policies, and how Meridian Cloud handles personal data.

What Personal Data is Stored

Meridian Cloud stores the following personal data synced from your Microsoft 365 environment:

  • User display names, email addresses, and UPNs
  • Department and job title information
  • MFA registration methods (type only, not secrets)
  • Sign-in timestamps and IP addresses
  • Device names and serial numbers associated with users

Meridian does not store: email content, file content, chat messages, calendar events, or passwords.

Right to Erasure

Under GDPR Article 17, individuals have the right to request deletion of their personal data. To process an erasure request:

  1. Navigate to Settings → Security → Data Management
  2. Click Request Data Deletion
  3. Select Individual User and enter the user's identifier
  4. Confirm the request. The user's data is removed within 30 days.

For complete tenant deletion (all data), see Security Settings.

Data Export

TenantAdmins can export all data associated with their organisation in a machine-readable format (JSON/CSV). Navigate to Settings → Security → Data Export and click Generate Export. The export is prepared as a downloadable ZIP file and contains all synced data, configuration, and audit logs.

Retention

Data is retained according to configurable retention policies (see General Settings). Data beyond the retention period is permanently deleted and cannot be recovered. The audit log is retained for 365 days as a regulatory minimum and cannot be shortened.

Sub-Processors

Meridian Cloud uses the following sub-processors:

Processor | Purpose | Location
Microsoft Azure | Cloud hosting, data storage, compute | UK West / UK South
Stripe | Payment processing | EU/UK
SMTP2GO | Transactional email delivery | EU

Security Architecture

Encryption, VNet isolation, private endpoints, certificate authentication, and the security measures protecting your data.

Encryption

At Rest

All data at rest is encrypted using AES-256 encryption provided by Azure's platform encryption:

  • Azure SQL Database — Transparent Data Encryption (TDE) enabled by default
  • Azure Key Vault — HSM-backed encryption for all secrets and certificates
  • Azure Storage — Storage Service Encryption (SSE) with Microsoft-managed keys

In Transit

All communication uses TLS 1.2 or later. HTTP is not accepted — all endpoints enforce HTTPS. Internal communication between Azure services uses Azure backbone networking with service endpoints.

Network Security

  • HTTPS-only — all public endpoints enforce TLS 1.2+; FTPS is disabled
  • No public blob access — Azure Storage accounts are configured with no anonymous access
  • Key Vault firewall — Key Vault access is restricted to the application's managed identity
  • SQL firewall — Azure SQL is configured for Entra ID-only authentication with no SQL username/password

Authentication Security

  • User authentication — delegated to Microsoft Entra ID via PKCE; Meridian never sees or stores passwords
  • Background sync — certificate-based client credentials; no passwords used
  • Managed Identity — API and Functions use a User-Assigned Managed Identity (UAMI) for all Azure resource access; no connection string passwords
  • Credential isolation — customer integration credentials are stored in a dedicated Key Vault (separate from platform secrets) with access only via UAMI

Tenant Isolation

All tenants share the same infrastructure (multi-tenant architecture) but data is strictly isolated through:

  • Row-Level Security (RLS) in Azure SQL — every query is scoped to the authenticated tenant; it is impossible for one tenant's query to return another tenant's data
  • Key Vault isolation — each tenant's integration credentials are stored with tenant-scoped access policies
  • API-level enforcement — the API validates the tenant context on every request

Certificate Rotation

The Meridian Sync certificate stored in Key Vault is automatically rotated before expiry. An Event Grid subscription monitors CertificateNewVersionCreated events and triggers a queue message that updates the Entra ID app registration with the new public key. No manual intervention is required.


Common Issues

Solutions to the most frequently encountered problems with login, sync, missing data, and agent connectivity.

Login Problems

"Need admin approval" on the consent page

Your account does not have admin consent permissions. Ask your Global Administrator to complete the consent step. Alternatively, have them grant the Cloud Application Administrator role to your account.

"Your account is not set up in Meridian"

Your organisation has not been onboarded yet. Either your IT administrator needs to complete the onboarding flow, or you need to be invited by an existing TenantAdmin via Settings → Users → Invite User.

Stuck on MFA prompt

Meridian uses your Microsoft 365 MFA. If you are having trouble with MFA, the issue is with your Microsoft Entra ID authentication, not Meridian. Contact your IT administrator or visit aka.ms/mfasetup to manage your methods.

Sync Failures

Consent was granted but data is not appearing

Check Settings → Integrations → Microsoft Graph for sync status. If the integration shows an error, click Retry Sync. If the error persists, check whether a Conditional Access policy in your tenant is blocking service principal sign-ins.

Data appears stale or outdated

Check when the last successful sync occurred in Settings → Integrations. If the sync timestamp is recent but data appears old, the data may genuinely be stale in the source system (e.g., a device has not checked into Intune recently).

Missing some data (e.g., no risky sign-ins)

Some features require optional permissions or specific Microsoft licences:

  • Risky sign-ins require Entra ID P2 and the optional risk permissions
  • Secure Score requires SecurityEvents.Read.All
  • Intune device data requires Intune licensing

If a permission was not included in the initial consent, re-run the consent flow to add it.

DC Agent Issues

Agent shows Offline in portal

  1. Open services.msc on the DC and confirm MeridianDcAgent is Running
  2. If stopped, check Event Viewer → Windows Logs → Application for errors
  3. Test outbound connectivity: Test-NetConnection api.meridiancloud.tech -Port 443
  4. If using a standard account, verify the password has not expired

Agent running but no events appear

Check that audit policies are generating events: auditpol /get /subcategory:Logon should show Success and Failure. If not, enable via Group Policy → Advanced Audit Policy Configuration.
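The checks from "Agent shows Offline in portal" and "Agent running but no events appear", collected into one read-only script. This is an added example, not TwelveSides tooling; it assumes an elevated PowerShell session on the DC, the ActiveDirectory module, English-language auditpol output, and that the agent's Application log entries mention "Meridian".

```powershell
#Requires -RunAsAdministrator
# Added example (not vendor tooling): read-only triage for the DC agent, run on the DC.
$ServiceName = 'MeridianDcAgent'          # service name given on this page
$ApiHost     = 'api.meridiancloud.tech'   # endpoint given on this page

# Step 1: service state and the account it logs on as
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service $ServiceName is not installed on this machine." }

# Step 2: Critical/Error entries in the Application log from the last 24 hours.
# Assumption: the agent's events mention "Meridian" in the provider name or message.
$appErrors = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; Level = 1, 2; StartTime = (Get-Date).AddHours(-24)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*Meridian*' -or $_.Message -like '*Meridian*' } |
    Select-Object -First 5 -Property TimeCreated, ProviderName, Id, Message

# Step 3: outbound HTTPS reachability to the API
$tcp = Test-NetConnection -ComputerName $ApiHost -Port 443 -WarningAction SilentlyContinue

# Step 4: password state, only when the service runs as a standard DOMAIN\user account
$pwdState = 'not checked (service does not run as DOMAIN\user)'
if ($svc.StartName -match '^(?<dom>[^\\]+)\\(?<sam>[^$]+)$' -and
    $Matches.dom -notin 'NT AUTHORITY', 'NT SERVICE') {
    try {
        $u = Get-ADUser -Identity $Matches.sam -Properties PasswordExpired, PasswordNeverExpires
        $pwdState = if ($u.PasswordExpired) { 'EXPIRED' } elseif ($u.PasswordNeverExpires) { 'never expires' } else { 'valid' }
    } catch { $pwdState = "lookup failed: $($_.Exception.Message)" }
}

# "Agent running but no events appear": the Logon subcategory should audit both outcomes.
# Assumption: English-language auditpol output ("  Logon    Success and Failure").
$m = auditpol /get /subcategory:"Logon" |
    Select-String '^\s+Logon\s{2,}(.+)$' | Select-Object -First 1
$logonAudit = if ($m) { $m.Matches[0].Groups[1].Value.Trim() } else { 'not found' }

[pscustomobject]@{
    ServiceState  = $svc.State
    RunsAs        = $svc.StartName
    Port443Open   = $tcp.TcpTestSucceeded
    PasswordState = $pwdState
    LogonAuditing = $logonAudit
    AuditingOk    = $logonAudit -eq 'Success and Failure'
    RecentErrors  = @($appErrors).Count
}
$appErrors | Format-List
```

The script changes nothing on the DC. Fix whatever it reports with the steps above, for example enabling Logon auditing through Group Policy when AuditingOk is False.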

Registration fails — invalid invite token

Generate a new token from Settings → Integrations → AD Audit Agent → Connect and re-run the installer.


Frequently Asked Questions

Answers to the most common questions about Meridian Cloud.

Access & Security

Does Meridian have access to my users' passwords?

No. Meridian reads user account metadata through the Graph API. Passwords are managed entirely by Microsoft and are never exposed through the Graph API. Meridian has no ability to read, set, or reset passwords.

Can Meridian sign in as a user?

No. Meridian Sync uses the client credentials flow with a certificate — this authenticates as the application itself, not as any user. It is not possible to impersonate a user using application permissions.

Does Meridian read my emails or Teams messages?

No. Meridian does not request Mail.Read, Chat.Read.All, or any other message content permission. Only call records (metadata about calls) are read from Teams, not message content.

Can Meridian modify my Microsoft 365 configuration?

No. All Graph API permissions are read-only. The only write actions Meridian performs are Teams voice management operations (call queues, auto attendants, number assignments) which are explicitly triggered by an administrator through the Voice module.

Data & Privacy

Where is my data stored?

All data is stored in Microsoft Azure datacentres in the UK (UK West for data tier, UK South for application tier). See Data Residency for details.

Can I delete all my data?

Yes. TenantAdmins can request complete data deletion from Settings → Security → Data Management. There is a 7-day cooling-off period before deletion is executed. See GDPR Compliance.

Can I export my data?

Yes. Navigate to Settings → Security → Data Export to generate a downloadable ZIP file containing all synced data, configuration, and audit logs in machine-readable format.

Billing

Is there a free trial?

Yes. New organisations receive a 14-day free trial with full access to all modules. No credit card is required to start.

What happens if I cancel?

When you cancel, access is removed at the end of the current billing period. Data is retained for 30 days after cancellation (in case you change your mind), then permanently deleted.

What happens if I add a new permission to the consent?

Re-running the consent flow adds the new permission. Existing permissions remain in place. New data types covered by the new permission begin syncing on the next scheduled sync.

Can the consent be granted for only some users?

No. Meridian Sync uses application permissions which are granted at the tenant level. It is not possible to scope application permissions to a subset of users.

How often does Meridian access the Graph API?

Sync frequency varies by data type: every hour (call records, devices), every 4 hours (users, policies), or every 24 hours (licences, Secure Score). The sync service respects Microsoft's throttling limits and backs off automatically when rate-limited.
