How to.... Use The API Integration For Evidence Collection

FutureFeed's API Integration lets you connect Microsoft 365 / Entra ID (Azure AD) to  pull inventory data and attach it as evidence to your Tools and Documents.

This article covers how to set up on-demand evidence collection using the Task Assignments and Evidence tabs, and how to ensure that collected evidence is linked to the right CMMC/NIST controls in your Assess workflow.

 

What the API Integration Does

• Pulls data from Microsoft Graph when the task is manually completed
• Exports a CSV and attaches it as evidence to your Tool or Document

 

Currently Available APIs:

• Microsoft 365 / Entra ID - Knowledge Article

 

Prerequisites

Before setting up API evidence collection, ensure you have:

1. Admin access to your FutureFeed company
2. A Microsoft 365 / Entra ID tenant with an Azure AD App Registration or permission to authorize via OAuth
3. The appropriate Microsoft Graph API permissions granted to your Azure AD app (see the table above)
4. Your API integration connected in Start > Settings > Platform/API (see the API Integration Setup article if not yet connected)

 

Step 1: Verify Your API Connection

1. Navigate to Start > Settings > Platform/API
2. Locate the Microsoft 365 / Entra ID Graph API Evidence Connector.
3. Confirm it shows a green Connected status badge. If not, click Configure and complete the connection setup.

📌 Note: If you need to connect for the first time, see the companion article: API Integration Setup: Microsoft 365 / Entra ID.

 

Step 2: Set Up Evidence Collection on a Tool or Document

On-Demand Collection (Evidence Tab)

Use this option for a one-time or ad-hoc pull without creating a recurring task.

1. Navigate to Tools or Documents and click the Edit (pencil) icon on the item you want to add evidence to.
2. In the item dialog, click the Evidence
3. Click Add Evidence.
4. Select Pull from API from the list of evidence types.
5. Choose the API service you want to pull from (e.g., Users, Devices, Security Alerts).
6. The system will fetch the data from Microsoft Graph and attach it as a CSV file to the evidence record.

 

Step 3: Tag Your Tool or Document to CMMC/NIST Controls

⚠️ Important: This is the most commonly missed step. Without control tags on the Tool or Document, API-collected evidence will not appear in your Assess workflow or SSP report.

Why This Step Matters

The API integration collects evidence and attaches it to a Tool or Document. It does not automatically determine which CMMC or NIST controls that evidence supports — that mapping lives on the Tool or Document itself.

When you tag a Tool or Document to specific controls, all evidence on that item (including all future API pulls) becomes associated with those controls. The evidence will then:

• Appear in the Assess workflow for the tagged controls
• Be included in the SSP (System Security Plan) report
• Count toward your compliance posture for those controls

 

📌 Note: You only need to tag each Tool or Document once. Tags persist across all future evidence collections.

 

How to Tag Controls

1. Open the Tool or Document by clicking its Edit (pencil) icon, or the Title.
2. Click the Connect
3. Use the control tagger to search for and add the relevant CMMC practices / NIST controls.
4. The tags will persist for all future evidence pulls.

 

Viewing Collected Evidence

1. Open the Tool or Document.
2. Click the Evidence
3. Each API collection appears as a separate evidence entry, showing:

• • The date the data was collected
  • The type of data (e.g., Users, Devices)
  • A downloadable CSV file attachment

 

Troubleshooting

"No API services are available"

• Verify the API integration is connected in Start > Settings > Platform/API
• Ensure the Azure AD app has the required Microsoft Graph permissions granted
• If using client credentials, confirm the client secret has not expired

 

"Unable to determine available services"

• Connection credentials are likely invalid or expired
• Click Update Credentials in the Manage dialog to re-authenticate

 

Connection shows Connected but no data is returned

• Confirm that Microsoft Graph permissions have been admin-consented in your Azure AD tenant
• Sign-In Logs and some other data types require Azure AD Premium P1 or P2 licenses

 

API evidence is not appearing in Assess

• Most common cause: the Tool or Document has not been tagged to Assess controls. See Step 3.
• API evidence inherits its control associations from the parent Tool or Document — if no tags exist, the evidence won’t appear in Assess

 

Current Limitations

Limitation	Detail
Supported integrations	Currently Microsoft 365 / Entra ID only. Use Request an Integration for others.
No auto control tagging	Evidence does not automatically map to CMMC/NIST controls. Manual tagging on the Tool or Doc is required (see Step 3).
Data format	All API-collected evidence is exported as CSV files.

 

FAQ

Q: Can the API automatically tag evidence to the correct Assess controls?

Not at this time. The API integration automates evidence collection only. Control tagging must be done manually on the Tool or Document via the Connect tab. Once tagged, all evidence (including API-pulled data) will be associated with those controls.

 

Q: Do I need to re-tag controls every time new evidence is collected?

No. Control tags are set on the Tool or Document itself and persist across all evidence collections. You only need to tag once.

 

Q: Can I use the API integration with both Tools and Documents?

Yes. The Pull from API option is available on any Tool or Document in FutureFeed.

 

Q: What happens if my Microsoft credentials expire?

Evidence collection will fail until credentials are updated. Navigate to Start > Settings > Platform/API, click Manage on the integration, and click Update Credentials to re-authenticate.

 

Q: Can I set up multiple API tasks on the same Tool or Document?

Yes. You can create multiple task assignments pulling different types of data (e.g., one for Users and another for Security Alerts) on the same item.