Microsoft Entra External Identities
Description
The Microsoft Entra External Identities connector uses the Microsoft Graph API to discover B2B (business-to-business) and B2C (business-to-consumer) guest and external user accounts within an Entra ID (Azure AD) tenant. It enumerates external users, their assigned directory roles, and group memberships to provide visibility into third-party and partner identity sprawl.
System Type Classification
| Field | Value |
|---|---|
| System Type | Directory Service |
| Default Scan Priority | 10 |
Version Support
| OrbisID Edition | Supported |
|---|---|
| Community | No |
| Pro | Yes |
| Enterprise | Yes |
Supported Protocol
| Protocol | Port | Notes |
|---|---|---|
| Microsoft Graph API (HTTPS) | 443 TCP | OAuth 2.0 client credentials flow |
What OrbisID Discovers
| Data | Source |
|---|---|
| External / guest users | GET /v1.0/users?$filter=userType eq 'Guest' |
| Directory role assignments | GET /v1.0/directoryRoles/{id}/members |
| Group memberships | GET /v1.0/users/{id}/memberOf |
| User enabled/disabled state | accountEnabled property |
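As an added example (not OrbisID's own connector code), the following script walks the same Graph queries the table lists: it fetches guests with the `userType eq 'Guest'` filter, follows `@odata.nextLink` paging, resolves each guest's `memberOf` into groups and directory roles, and flags guests that hold any directory role. The `$select` projection, the `$skiptoken` page link and the sample responses are constructed assumptions; `get_token` implements the client credentials flow against the real v2.0 token endpoint but is not called by the offline sample.

```python
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
GUEST_QUERY = GRAPH + "/users?$filter=userType eq 'Guest'&$select=id,userPrincipalName,accountEnabled"

def get_token(tenant_id, client_id, client_secret):
    """OAuth 2.0 client credentials flow; not used by the offline sample below."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret,
                                   "scope": "https://graph.microsoft.com/.default"}).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]

def graph_get_all(fetch, url):
    """Collect every item across @odata.nextLink pages; fetch(url) returns one parsed JSON page."""
    items = []
    while url:
        page = fetch(url)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")   # absent on the last page
    return items

def discover_guests(fetch):
    """Guests plus their group and directory-role memberships, as the connector enumerates them."""
    guests = graph_get_all(fetch, GUEST_QUERY)
    for g in guests:
        member_of = graph_get_all(fetch, f"{GRAPH}/users/{g['id']}/memberOf")
        g["groups"] = [m["displayName"] for m in member_of if m["@odata.type"] == "#microsoft.graph.group"]
        g["directoryRoles"] = [m["displayName"] for m in member_of
                               if m["@odata.type"] == "#microsoft.graph.directoryRole"]
    return guests

def privileged_guests(guests):
    """Guest accounts holding any directory role: the first finding a reviewer wants to see."""
    return sorted(g["userPrincipalName"] for g in guests if g["directoryRoles"])

# Constructed sample responses standing in for Graph: a two-page guest list, one guest with a role.
SAMPLE = {
    GUEST_QUERY: {"value": [{"id": "g1", "userPrincipalName": "alice_partner.example#EXT#@contoso.example",
                             "accountEnabled": True}], "@odata.nextLink": GRAPH + "/users?$skiptoken=p2"},
    GRAPH + "/users?$skiptoken=p2": {"value": [{"id": "g2", "accountEnabled": False,
                                                "userPrincipalName": "bob_vendor.example#EXT#@contoso.example"}]},
    GRAPH + "/users/g1/memberOf": {"value": [{"@odata.type": "#microsoft.graph.group", "displayName": "Partners"},
                                             {"@odata.type": "#microsoft.graph.directoryRole", "displayName": "User Administrator"}]},
    GRAPH + "/users/g2/memberOf": {"value": []},
}
```

Call `discover_guests(SAMPLE.__getitem__)` to run it on the constructed sample; for a live tenant pass a fetch that sends `Authorization: Bearer <token from get_token>` and parses the JSON body.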
Connection Requirements
Required Permissions
Register an application in Microsoft Entra ID and grant it the following application permissions (not delegated):
Minimum permissions:
- User.Read.All — read all user profiles including guest accounts
- Group.Read.All — read group memberships
- RoleManagement.Read.Directory — read directory role assignments
Credential Mapping
| OrbisID Field | Value |
|---|---|
| credential.username | Application (Client) ID |
| credential.password | Client Secret value |
| system.tenantId | Entra ID Tenant ID (Directory ID) |
Network Requirements
The OrbisID server must have HTTPS access to login.microsoftonline.com and graph.microsoft.com on port 443.
Configuration Steps
- In the Azure portal, navigate to Entra ID → App registrations → New registration
- Grant the required application permissions and obtain admin consent
- Create a Client Secret under Certificates & secrets
- Create a Credential in OrbisID:
  - Username: Application (Client) ID
  - Password: Client Secret value
- Navigate to Systems → Add System
- Fill in the fields:
| Field | Value |
|---|---|
| Name | Descriptive name (e.g., Entra External Identities – Contoso) |
| OS Type | EntraExternalIdentities |
| System Type | Directory Service |
| Tenant ID | Entra ID Tenant ID |
| Credential | The app registration credential |
- Click Test Connection
- Click Save
Troubleshooting
| Symptom | Likely Cause | Resolution |
|---|---|---|
| Authentication failed | Invalid client ID or secret | Verify the app registration credentials in the Entra portal |
| No guest users returned | Filter issue or no guests present | Confirm guest accounts exist; check the userType filter |
| Insufficient privileges | Missing Graph permissions | Ensure all required permissions have admin consent |
| AADSTS700016 | App not found in tenant | Verify that the Tenant ID and Client ID match |