Microsoft Entra ID (formerly Azure AD)
Description
The Entra ID connector uses the Microsoft Graph API to discover user accounts, groups, and directory role assignments in a Microsoft Entra ID tenant (Microsoft's rebrand of Azure Active Directory, effective 2023). It is the cloud counterpart to the on-premises Active Directory connector and provides identity data for organisations that use Entra ID as their primary identity provider.
This connector replaces the earlier separate "Microsoft 365" connector, which scanned the same tenant's users and groups but had no visibility into real Entra directory roles — it approximated privilege by checking whether a group's name contained "Admin", "Global", or "Privileged". Entra ID's role-based detection is a strict superset of what Microsoft 365 discovered, so the two were consolidated into this single connector.
System Type Classification
| Field | Value |
|---|
| System Type | Directory Service |
| Default Scan Priority | 10 (scanned first) |
Version Support
| OrbisID Edition | Supported |
|---|
| Community | No |
| Pro | Yes |
| Enterprise | Yes |
Entra ID scanning requires a Pro or Enterprise licence.
Supported Protocol
| Protocol | Port | Notes |
|---|
| Microsoft Graph API (HTTPS) | 443 TCP | OAuth 2.0 client credentials flow |
What OrbisID Discovers
| Data | Source |
|---|
| User accounts | GET /users |
| User status (enabled/disabled) | accountEnabled property |
| Group memberships | GET /groups/{id}/members |
| Directory roles | GET /directoryRoles |
| Privileged role members | Global Administrator, Privileged Role Administrator, Security Administrator, Exchange Administrator, SharePoint Administrator, User Administrator, Helpdesk Administrator, Compliance Administrator, Application Administrator, Cloud Application Administrator |
| On-premises synced accounts | onPremisesSyncEnabled property (optional filter) |
Connection Requirements
Entra ID App Registration
OrbisID authenticates using an App Registration (service principal) with the client credentials flow. No user interaction is required.
- In the Azure Portal, navigate to Microsoft Entra ID → App registrations → New registration
- Give the app a name (e.g.,
OrbisID Scanner) and register it
- Note the Application (client) ID and Directory (tenant) ID
- Navigate to Certificates & secrets → New client secret — note the secret value immediately
- Navigate to API permissions → Add a permission → Microsoft Graph → Application permissions, and add:
| Permission | Purpose |
|---|
User.Read.All | Read all user accounts and their properties |
Group.Read.All | Read group memberships |
Directory.Read.All | Read directory roles and privileged role members |
- Click Grant admin consent for the permissions
Credential Mapping
| OrbisID Field | Entra ID Value |
|---|
credential.username | Application (client) ID |
credential.password | Client secret value |
credential.domain | Directory (tenant) ID |
System Attributes
| Attribute | Required | Description |
|---|
azureTenantId | Fallback | Tenant ID if not stored in credential.domain |
azureOnPremSyncedOnly | No | Set to true to scan only on-premises synced accounts |
Network Requirements
The OrbisID server (or On-Premise Agent) must have outbound HTTPS access to:
login.microsoftonline.com — OAuth 2.0 token endpoint
graph.microsoft.com — Microsoft Graph API
Configuration Steps
- Complete the Entra ID App Registration steps above
- Create a Credential in OrbisID:
- Username: Application (client) ID
- Password: Client secret value
- Domain: Directory (tenant) ID
- Navigate to Systems → Add System
- Fill in the fields:
| Field | Value |
|---|
| Name | Descriptive name (e.g., Entra ID – contoso.com) |
| Hostname / IP Address | graph.microsoft.com — pre-filled and locked; Microsoft Graph is a fixed global endpoint, not something you configure per system |
| OS Type | Microsoft Entra ID |
| System Type | Directory Service |
| Credential | The App Registration credential created above |
- Click Test Connection to verify the app registration credentials
- Click Save
Troubleshooting
| Symptom | Likely Cause | Resolution |
|---|
401 Unauthorized on test connection | Invalid client ID or secret | Verify the client ID and secret; ensure the secret has not expired |
403 Forbidden | Missing or unapproved API permissions | Ensure all three permissions are granted with admin consent |
AADSTS700016 token error | Incorrect tenant ID | Verify the Directory (tenant) ID in credential.domain |
| Users discovered but roles missing | Directory.Read.All not granted | Grant and consent to Directory.Read.All in the app registration |
| Scan completes with zero accounts | Tenant ID mismatch | Confirm the tenant ID matches the tenant where the app is registered |
| System was migrated from an old "Microsoft 365" connector | The old connector was consolidated into this one | No action needed — the migration renamed the system's OS Type in place and preserved its credential and tenant ID; existing scan history is unaffected |