Azure AD

Description

The Azure AD connector uses the Microsoft Graph API to discover user accounts, groups, and directory role assignments in an Azure Active Directory (Entra ID) tenant. It is the cloud counterpart to the on-premises Active Directory connector and provides identity data for organisations that use Azure AD as their primary identity provider.

System Type Classification

Field	Value
System Type	Directory Service
Default Scan Priority	10 (scanned first)

Version Support

OrbisID Edition	Supported
Community	No
Pro	Yes
Enterprise	Yes

Azure AD scanning requires a Pro or Enterprise licence.

Supported Protocol

Protocol	Port	Notes
Microsoft Graph API (HTTPS)	443 TCP	OAuth 2.0 client credentials flow

What OrbisID Discovers

Data	Source
User accounts	GET /users
User status (enabled/disabled)	accountEnabled property
Group memberships	GET /groups/{id}/members
Directory roles	GET /directoryRoles
Privileged role members	Global Administrator, Privileged Role Administrator, Security Administrator, Exchange Administrator, SharePoint Administrator, User Administrator, Helpdesk Administrator, Compliance Administrator, Application Administrator, Cloud Application Administrator
On-premises synced accounts	onPremisesSyncEnabled property (optional filter)

Connection Requirements

Azure App Registration

OrbisID authenticates using an App Registration (service principal) with the client credentials flow. No user interaction is required.

1. In the Azure Portal, navigate to Azure Active Directory → App registrations → New registration
2. Give the app a name (e.g., OrbisID Scanner) and register it
3. Note the Application (client) ID and Directory (tenant) ID
4. Navigate to Certificates & secrets → New client secret — note the secret value immediately
5. Navigate to API permissions → Add a permission → Microsoft Graph → Application permissions, and add:

Permission	Purpose
User.Read.All	Read all user accounts and their properties
Group.Read.All	Read group memberships
Directory.Read.All	Read directory roles and privileged role members

6. Click Grant admin consent for the permissions

Credential Mapping

OrbisID Field	Azure AD Value
credential.username	Application (client) ID
credential.password	Client secret value
credential.domain	Directory (tenant) ID

System Attributes

Attribute	Required	Description
azureTenantId	Fallback	Tenant ID if not stored in credential.domain
azureOnPremSyncedOnly	No	Set to true to scan only on-premises synced accounts

Network Requirements

The OrbisID server (or On-Premise Agent) must have outbound HTTPS access to:

• login.microsoftonline.com — OAuth 2.0 token endpoint
• graph.microsoft.com — Microsoft Graph API

Configuration Steps

1. Complete the Azure App Registration steps above
2. Create a Credential in OrbisID:
   • Username: Application (client) ID
   • Password: Client secret value
   • Domain: Directory (tenant) ID
3. Navigate to Systems → Add System
4. Fill in the fields:

Field	Value
Name	Descriptive name (e.g., Azure AD – contoso.com)
Hostname	graph.microsoft.com (used for reference only)
OS Type	Azure AD
System Type	Directory Service
Credential	The App Registration credential created above

5. Click Test Connection to verify the app registration credentials
6. Click Save

Troubleshooting

Symptom	Likely Cause	Resolution
401 Unauthorized on test connection	Invalid client ID or secret	Verify the client ID and secret; ensure the secret has not expired
403 Forbidden	Missing or unapproved API permissions	Ensure all three permissions are granted with admin consent
AADSTS700016 token error	Incorrect tenant ID	Verify the Directory (tenant) ID in credential.domain
Users discovered but roles missing	Directory.Read.All not granted	Grant and consent to Directory.Read.All in the app registration
Scan completes with zero accounts	Tenant ID mismatch	Confirm the tenant ID matches the tenant where the app is registered