Skip to main content

Microsoft Entra ID (formerly Azure AD)

Description

The Entra ID connector uses the Microsoft Graph API to discover user accounts, groups, and directory role assignments in a Microsoft Entra ID tenant (Microsoft's rebrand of Azure Active Directory, effective 2023). It is the cloud counterpart to the on-premises Active Directory connector and provides identity data for organisations that use Entra ID as their primary identity provider.

This connector replaces the earlier separate "Microsoft 365" connector, which scanned the same tenant's users and groups but had no visibility into real Entra directory roles — it approximated privilege by checking whether a group's name contained "Admin", "Global", or "Privileged". Entra ID's role-based detection is a strict superset of what Microsoft 365 discovered, so the two were consolidated into this single connector.

System Type Classification

FieldValue
System TypeDirectory Service
Default Scan Priority10 (scanned first)

Version Support

OrbisID EditionSupported
CommunityNo
ProYes
EnterpriseYes

Entra ID scanning requires a Pro or Enterprise licence.

Supported Protocol

ProtocolPortNotes
Microsoft Graph API (HTTPS)443 TCPOAuth 2.0 client credentials flow

What OrbisID Discovers

DataSource
User accountsGET /users
User status (enabled/disabled)accountEnabled property
Group membershipsGET /groups/{id}/members
Directory rolesGET /directoryRoles
Privileged role membersGlobal Administrator, Privileged Role Administrator, Security Administrator, Exchange Administrator, SharePoint Administrator, User Administrator, Helpdesk Administrator, Compliance Administrator, Application Administrator, Cloud Application Administrator
On-premises synced accountsonPremisesSyncEnabled property (optional filter)

Connection Requirements

Entra ID App Registration

OrbisID authenticates using an App Registration (service principal) with the client credentials flow. No user interaction is required.

  1. In the Azure Portal, navigate to Microsoft Entra ID → App registrations → New registration
  2. Give the app a name (e.g., OrbisID Scanner) and register it
  3. Note the Application (client) ID and Directory (tenant) ID
  4. Navigate to Certificates & secrets → New client secret — note the secret value immediately
  5. Navigate to API permissions → Add a permission → Microsoft Graph → Application permissions, and add:
PermissionPurpose
User.Read.AllRead all user accounts and their properties
Group.Read.AllRead group memberships
Directory.Read.AllRead directory roles and privileged role members
  1. Click Grant admin consent for the permissions

Credential Mapping

OrbisID FieldEntra ID Value
credential.usernameApplication (client) ID
credential.passwordClient secret value
credential.domainDirectory (tenant) ID

System Attributes

AttributeRequiredDescription
azureTenantIdFallbackTenant ID if not stored in credential.domain
azureOnPremSyncedOnlyNoSet to true to scan only on-premises synced accounts

Network Requirements

The OrbisID server (or On-Premise Agent) must have outbound HTTPS access to:

  • login.microsoftonline.com — OAuth 2.0 token endpoint
  • graph.microsoft.com — Microsoft Graph API

Configuration Steps

  1. Complete the Entra ID App Registration steps above
  2. Create a Credential in OrbisID:
    • Username: Application (client) ID
    • Password: Client secret value
    • Domain: Directory (tenant) ID
  3. Navigate to Systems → Add System
  4. Fill in the fields:
FieldValue
NameDescriptive name (e.g., Entra ID – contoso.com)
Hostname / IP Addressgraph.microsoft.com — pre-filled and locked; Microsoft Graph is a fixed global endpoint, not something you configure per system
OS TypeMicrosoft Entra ID
System TypeDirectory Service
CredentialThe App Registration credential created above
  1. Click Test Connection to verify the app registration credentials
  2. Click Save

Troubleshooting

SymptomLikely CauseResolution
401 Unauthorized on test connectionInvalid client ID or secretVerify the client ID and secret; ensure the secret has not expired
403 ForbiddenMissing or unapproved API permissionsEnsure all three permissions are granted with admin consent
AADSTS700016 token errorIncorrect tenant IDVerify the Directory (tenant) ID in credential.domain
Users discovered but roles missingDirectory.Read.All not grantedGrant and consent to Directory.Read.All in the app registration
Scan completes with zero accountsTenant ID mismatchConfirm the tenant ID matches the tenant where the app is registered
System was migrated from an old "Microsoft 365" connectorThe old connector was consolidated into this oneNo action needed — the migration renamed the system's OS Type in place and preserved its credential and tenant ID; existing scan history is unaffected