Stella Unified Docs

Everything an MSP needs to run Stella.

Onboarding, CMMC L2 control coverage, M365 permissions, PSA integrations, white-label setup, and the API. Most of these guides are live; the soon badge marks deep-dives we're publishing as the beta cohort hits each milestone.

Getting started

From sign-up to your first CMMC L2 baseline in under 30 minutes.

CMMC L2

What Stella auto-remediates, what stays a policy decision, and how evidence is captured.

Frameworks beyond CMMC L2

NIST 800-171, CIS Controls, SOC 2 Type II, HIPAA. Map once, deploy anywhere.

NIST 800-171 (soon)
How Stella maps M365 settings to NIST 800-171 controls (and why CMMC L2 inherits this work).

CIS Controls v8 (soon)
CIS Controls coverage matrix and the M365 settings each control depends on.

SOC 2 / HIPAA evidence packs (soon)
Pre-built artefact bundles for each framework's most-requested evidence types.

PSA & report integrations

On the roadmap · not yet shipped

Push tickets, evidence, and reports into the tools your team already runs.

We haven't built this yet. These integrations are on the near-term roadmap, not in the platform today. If a specific PSA or report destination is a deal-breaker for your shop, email [email protected]. We prioritise builds based on which beta-cohort MSPs are asking. Until then, Stella reports and drift events export as PDF / JSON, and some customers wire them into their PSAs manually.

ConnectWise PSA (soon)
Auto-create tickets from drift events; push report PDFs to client records.

Autotask & HaloPSA (soon)
Same pattern as ConnectWise: a Stella drift event becomes a PSA ticket.

SharePoint client folders (soon)
Drop signed monthly posture reports straight into each client's Compliance folder.

White-label & branding

Your logo, your colours, your domain. Reports go out as if your team built them.

Custom domain setup (soon)
Point reports.your-msp.com at Stella's white-label endpoint.

Report theming (soon)
Logo upload, colour palette, cover-letter templates, exec-summary tone control.

Reseller branding (soon)
Multi-tier white-label for MSPs delivering through partners.

API reference

Programmatic access to every Stella capability, for shops automating their own workflows.

Authentication (soon)
How to mint a service token and which scopes it should request.

Tenants & onboarding (soon)
REST endpoints for adding tenants, kicking off scans, fetching reports.

Webhooks (soon)
Drift events, scan completions, and report-ready notifications are all webhookable.

Security & trust

How Stella stores tokens, isolates tenants, and proves it's not the weakest link.

Tenant isolation model (soon)
How per-tenant tokens are encrypted at rest and scoped on every request.

M365 token storage (soon)
Where Stella stores the OAuth tokens it needs and how rotation works.

SOC 2 status (soon)
Current Stella platform SOC 2 status and what's audited vs in-flight.

Live guides

Three things every MSP needs before they sign up.

Getting started

Run your first baseline

  1. Sign up at the trial tier: stella-ai.ai/signup?plan=trial. 14 days, one tenant, no card. Use whichever client tenant has the easiest M365 admin access.
  2. Connect Microsoft 365: on the Tenants page click Connect new tenant. Stella opens the Microsoft device-code flow; sign in as a Global Admin (or Privileged Role Admin) of the target tenant. The connect step takes about 60 seconds; consent is granted to a documented scope list (see below).
  3. Wait for the first scan: as soon as the tenant connects, Stella runs a full baseline against 1,800+ M365 settings, all 17 CMMC L2 domains, and the active framework set. Typical wall-clock: 20–35 minutes. You don't have to stay on the page; Stella emails the on-call address when the scan finishes.
  4. Open the gap report: the report lands at /audit-report with per-domain coverage, prioritised remediation queue, and an exportable PDF for the client. This is the document you quote against.

Security

Microsoft 365 permissions Stella requests

Stella requests Microsoft Graph delegated permissions, scoped to read posture and to apply specific remediations the MSP approves. Tokens are encrypted at rest with a per-key identifier; refresh tokens are rotated on each use. Reading the actual scope list before consent is a normal MSP audit step — here's what to expect:

| Scope | Why Stella needs it |
| --- | --- |
| Directory.Read.All | Enumerate users, groups, admin roles, license assignments — the input to ~40 CMMC L2 controls. |
| Policy.Read.All | Read Conditional Access, authentication strength, identity-protection policies. |
| Policy.ReadWrite.ConditionalAccess | Apply the auto-remediation queue — only when the MSP approves a fix. |
| AuditLog.Read.All | Mirror the unified audit log into Stella's append-only evidence store. |
| SecurityEvents.Read.All | Pull Microsoft 365 Defender alerts for SI / IR control coverage. |
| DeviceManagementConfiguration.Read.All | Read Intune device baselines for CM / MA / MP control coverage. |
| DeviceManagementConfiguration.ReadWrite.All | Push approved Intune policy fixes when the MSP triggers auto-remediation. |
| Reports.Read.All | Pull Secure Score breakdown, sign-in reports, license usage. |
| Mail.Read | Sample inbox forwarding rules + transport rule audits (read-only, never message bodies). |

Read-write scopes are only exercised when the MSP explicitly approves a fix from the remediation queue. No read-write scope is invoked during auto-discovery; nothing changes on a tenant without a logged operator decision. Every applied change goes into the append-only audit log, mapped to the relevant control.
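One way to carry out the scope audit after consent, as an added example (not Stella's code): it compares the delegated grants recorded for an app's service principal with the list documented above. It assumes the input is the JSON body of a Microsoft Graph `oauth2PermissionGrants` listing; the IDs are placeholders and the sample is constructed to contain a deviation.

```python
import json

# Scope list as documented on this page.
DOCUMENTED = {
    "Directory.Read.All", "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess",
    "AuditLog.Read.All", "SecurityEvents.Read.All",
    "DeviceManagementConfiguration.Read.All",
    "DeviceManagementConfiguration.ReadWrite.All", "Reports.Read.All", "Mail.Read",
}

# OpenID Connect sign-in scopes; they are not Graph data scopes, so ignore them.
OIDC = {"openid", "profile", "email", "offline_access"}

# Constructed sample of an oauth2PermissionGrants listing (not real tenant data).
SAMPLE = json.dumps({"value": [
    {"clientId": "sp-object-id-placeholder", "consentType": "Principal",
     "principalId": "admin-user-id-placeholder",
     "scope": "Directory.Read.All Policy.Read.All Policy.ReadWrite.ConditionalAccess "
              "AuditLog.Read.All Reports.Read.All Mail.Read"},
    {"clientId": "sp-object-id-placeholder", "consentType": "AllPrincipals",
     "principalId": None,
     "scope": "Directory.Read.All Mail.ReadWrite offline_access"},
]})

def audit_grants(raw, client_id):
    """Compare delegated grants for one service principal with the documented list."""
    granted, tenant_wide = set(), False
    for g in json.loads(raw)["value"]:
        if g["clientId"] != client_id:
            continue
        granted |= set((g.get("scope") or "").split())
        # AllPrincipals means the grant applies to every user in the tenant.
        if g["consentType"] == "AllPrincipals":
            tenant_wide = True
    data_scopes = granted - OIDC
    return {
        "undocumented": sorted(data_scopes - DOCUMENTED),
        "not_granted": sorted(DOCUMENTED - data_scopes),
        "write_capable": sorted(s for s in data_scopes if "ReadWrite" in s),
        "tenant_wide_consent": tenant_wide,
    }

if __name__ == "__main__":
    print(json.dumps(audit_grants(SAMPLE, "sp-object-id-placeholder"), indent=2))
```

Anything under `undocumented` is a scope to question before relying on the integration; `write_capable` is the set to watch in the audit log for use outside an approved remediation.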

CMMC L2

Control coverage by domain (the honest version)

Microsoft 365 governs more of CMMC L2 than most MSPs realise. The remaining domains are policy or human-process — Stella evidences them but doesn't auto-fix them. A truthful split:

| Code | Domain | Coverage | Note |
| --- | --- | --- | --- |
| AC | Access Control | auto | |
| AT | Awareness & Training | auto | |
| AU | Audit & Accountability | auto | |
| CM | Configuration Management | auto | |
| IA | Identification & Auth | auto | |
| IR | Incident Response | policy | Plan + tabletop cadence is policy work. |
| MA | Maintenance | policy | Field maintenance procedures stay policy. |
| MP | Media Protection | auto | |
| PE | Physical Protection | policy | Facility security is on-site. |
| PS | Personnel Security | auto | |
| RA | Risk Assessment | auto | |
| CA | Security Assessment | auto | |
| SC | System & Comms Protection | auto | |
| SI | System & Info Integrity | auto | |
| SR | Supply Chain Risk Mgmt | policy | Vendor relationships are human. |
| PL | Planning | policy | Policy adoption is your team. |
| RM | Risk Management Strategy | policy | Strategy ratification is leadership. |

~110 controls auto-remediated via Microsoft Graph, Exchange Online PowerShell, and Intune. The rest are evidenced (configs, screenshots, timestamps captured automatically) but require your team to ratify policy or perform on-site work.

For the full economics + 90-day deployment plan, see the CMMC L2 service-line blueprint.

CMMC L2

Assessor-defensible evidence: what gets captured automatically

The reason most MSPs walk away from CMMC L2 work isn't the controls — it's the evidence pipeline. Per control, an assessor wants to see configuration that proves it, on a date that proves it. Stella captures all of this in the background:

  • Configuration snapshots
    Per scan, every M365 setting Stella reads is hashed and snapshotted to an append-only store. The snapshot ID is referenced from the report.
  • Screenshot evidence
    For settings that an assessor traditionally wants to 'see', Stella renders a deterministic screenshot of the M365 admin view at scan time.
  • Timestamps + actor
    Every applied change is logged with the M365 token used, the operator who approved it, and the resulting object diff.
  • Per-control mapping
    Each evidence record carries the CMMC L2 control IDs it satisfies (and any inherited NIST 800-171 control). Assessors can filter the store by control.
  • Append-only storage
    Once written, evidence records are immutable. Edits or revocations create a new record; the original stays for audit.

When the C3PAO walks in, your client doesn't dig through admin centers — your MSP hands over a single PDF that links every claim to the underlying evidence record by ID.
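The evidence properties listed above (hashed snapshots, per-control mapping, append-only records where a revocation is a new record) can be illustrated with a small hash-chained log. This is an added example, not Stella's implementation: the hash chaining, field names, setting names and control mappings are assumptions made for illustration.

```python
import hashlib, json

def canonical_hash(obj):
    """SHA-256 over canonical JSON so identical settings always hash the same."""
    blob = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

class EvidenceLog:
    """Append-only log; each record commits to the one before it (assumed design)."""
    def __init__(self):
        self._records = []

    def append(self, kind, controls, payload, supersedes=None):
        prev = self._records[-1]["record_hash"] if self._records else "0" * 64
        body = {"id": len(self._records), "kind": kind, "controls": sorted(controls),
                "payload_hash": canonical_hash(payload), "supersedes": supersedes,
                "prev_hash": prev}
        body["record_hash"] = canonical_hash(body)
        self._records.append(body)
        return body["id"]

    def by_control(self, control_id):
        """IDs of every record mapped to a control, for assessor filtering."""
        return [r["id"] for r in self._records if control_id in r["controls"]]

    def verify(self):
        """Return the id of the first record that fails the chain check, or None."""
        prev = "0" * 64
        for r in self._records:
            body = {k: v for k, v in r.items() if k != "record_hash"}
            if r["prev_hash"] != prev or canonical_hash(body) != r["record_hash"]:
                return r["id"]
            prev = r["record_hash"]
        return None

def demo():
    log = EvidenceLog()
    # Constructed settings and control mappings, for illustration only.
    a = log.append("snapshot", ["AC.L2-3.1.1"], {"legacyAuthBlocked": False})
    b = log.append("change", ["AC.L2-3.1.1", "IA.L2-3.5.3"],
                   {"operator": "alice", "diff": {"legacyAuthBlocked": [False, True]}})
    # A revocation is a new record that points at the original, which stays in place.
    c = log.append("revocation", ["AC.L2-3.1.1"], {"reason": "wrong tenant"}, supersedes=a)
    clean = log.verify()
    log._records[b]["controls"] = ["IA.L2-3.5.3"]  # simulate an in-place edit
    return log, clean, log.verify(), (a, b, c)
```

`demo()` shows the point of the chain: the untouched log verifies, while editing a stored record in place is reported at that record's ID.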

Question we haven't answered?

Email [email protected] with the question. We'll either point you at the right doc or write the doc that day. The MSP cohort drives what we publish next.