Description
The Microsoft 365 connector uses the Microsoft Graph API to discover user accounts and their enabled state, Microsoft 365 groups (including the groups that back Teams) and their memberships, directory role assignments, and service principals in a Microsoft 365 tenant. It authenticates as an Entra ID app registration using the OAuth 2.0 client credentials flow, so it needs no signed-in user or service account, and every permission it requires is read-only. The result is visibility into who has access in the tenant, including who holds admin roles.
System Type Classification
| Field | Value |
|---|---|
| System Type | Application |
| Default Scan Priority | 500 |
Version Support
| OrbisID Edition | Supported |
|---|---|
| Community | No |
| Pro | Yes |
| Enterprise | Yes |
Supported Protocol
| Protocol | Port | Notes |
|---|---|---|
| Microsoft Graph API (HTTPS) | 443 TCP | OAuth 2.0 client credentials flow |
What OrbisID Discovers
| Data | Source |
|---|---|
| User accounts | GET /v1.0/users (paged; the connector follows @odata.nextLink until the collection is exhausted) |
| Microsoft 365 groups | GET /v1.0/groups |
| Group memberships | GET /v1.0/groups/{id}/members (direct members only; nested membership is exposed by GET /v1.0/groups/{id}/transitiveMembers) |
| Directory role assignments | GET /v1.0/roleManagement/directory/roleAssignments (each assignment carries a roleDefinitionId; the role name is on GET /v1.0/roleManagement/directory/roleDefinitions/{id}) |
| Service principals | GET /v1.0/servicePrincipals (requires the optional Application.Read.All permission) |
| User enabled state | accountEnabled property of GET /v1.0/users; it is not in the default property set and must be requested with $select |
Connection Requirements
Required Permissions
Register an Entra ID application and grant it the following Microsoft Graph application permissions (application, not delegated: the connector runs without a signed-in user). Each one needs admin consent before a token issued to the app will carry it.
Minimum permissions:
User.Read.All — read all user profiles, including accountEnabled
Group.Read.All — read groups and their memberships
RoleManagement.Read.Directory — read directory role assignments and role definitions
Optional permission:
Application.Read.All — read service principals; omit it if service principal discovery is not wanted
Directory.Read.All would also cover all of these endpoints but is broader than the connector needs; prefer the granular permissions above and grant no write permission.
Credential Mapping
| OrbisID Field | Value |
|---|---|
| credential.username | Application (Client) ID |
| credential.password | Client Secret value |
| system.tenantId | Microsoft 365 Tenant ID |
Network Requirements
The OrbisID server must have outbound HTTPS access to login.microsoftonline.com (token endpoint) and graph.microsoft.com (API) on TCP port 443. Any egress proxy or firewall must allow both hosts; the client credentials flow has no interactive fallback.
Configuration Steps
- In the Azure portal, navigate to Entra ID → App registrations → New registration, then note the Application (Client) ID and Directory (Tenant) ID from the registration's Overview page
- Under API permissions, add the required Microsoft Graph application permissions and click Grant admin consent
- Under Certificates & secrets, create a Client Secret with an expiry and copy its value immediately (the portal shows it only once); record the expiry date so the credential can be rotated before it lapses
- Create a Credential in OrbisID:
  - Username: Application (Client) ID
  - Password: Client Secret value
- Navigate to Systems → Add System
- Fill in the fields:

  | Field | Value |
  |---|---|
  | Name | Descriptive name (e.g., Microsoft 365 – Contoso) |
  | OS Type | Microsoft365 |
  | System Type | Application |
  | Tenant ID | Microsoft 365 Tenant ID |
  | Credential | The app registration credential |

- Click Test Connection
- Click Save
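What Test Connection and the discovery calls above do under the hood, as an added example that is not OrbisID's own code: obtain an app-only token with the client credentials grant, inspect the token's `roles` claim to confirm the required application permissions were actually consented (the check itself is an addition here, not a documented OrbisID step), then page through /v1.0/users with $select so accountEnabled comes back. The HTTP transport is injectable; the tenant ID, client ID, secret, the unsigned token and the two pages of users are constructed placeholders so the module runs offline.

```python
"""Added example, not OrbisID's code: the Graph calls behind this connector.
Client-credentials token, roles-claim check, and @odata.nextLink paging.
Tenant, client ID, secret, token and user data below are constructed placeholders.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
REQUIRED_ROLES = {"User.Read.All", "Group.Read.All", "RoleManagement.Read.Directory"}


def http_json(url, headers=None, data=None):
    """Default transport: real HTTPS via urllib. Returns (status, parsed JSON body)."""
    req = urllib.request.Request(url, data=data, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read().decode() or "{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read().decode() or "{}")


def get_token(tenant_id, client_id, client_secret, transport=http_json):
    """OAuth 2.0 client credentials grant against the tenant's v2.0 token endpoint."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",  # every consented app permission
        "grant_type": "client_credentials",
    }).encode()
    status, payload = transport(url, {"Content-Type": "application/x-www-form-urlencoded"}, body)
    if status != 200:
        raise RuntimeError(f"token request failed: {payload.get('error_description', status)}")
    return payload["access_token"]


def token_roles(token):
    """App permissions granted to this token, read from its `roles` claim (no signature check:
    we are inspecting our own token for diagnostics, not accepting it as input)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("roles", []))


def missing_roles(token, required=REQUIRED_ROLES):
    """Required permissions that admin consent has not (yet) put into the token."""
    return sorted(required - token_roles(token))


def graph_get_all(token, path, select=None, transport=http_json):
    """GET a Graph collection and follow @odata.nextLink until it is exhausted."""
    url = GRAPH + path
    if select:
        url += "?$select=" + ",".join(select) + "&$top=999"  # 999 is the max page size for /users
    items = []
    while url:
        status, page = transport(url, {"Authorization": "Bearer " + token})
        if status == 403:  # Authorization_RequestDenied: permission missing or not consented
            raise PermissionError(f"{path}: {page.get('error', {}).get('message', 'Forbidden')}")
        if status != 200:
            raise RuntimeError(f"{path}: HTTP {status}")
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


def discover_users(token, transport=http_json):
    """UPN -> accountEnabled. Without $select, accountEnabled is absent from /users."""
    users = graph_get_all(token, "/users", ["id", "userPrincipalName", "accountEnabled"], transport)
    return {u["userPrincipalName"]: u["accountEnabled"] for u in users}


def _constructed_jwt(claims):
    """Unsigned JWT-shaped string for the offline demo only; real tokens are signed by Entra ID."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.no-signature"


# Constructed token with only two of the three minimum permissions consented.
CONSTRUCTED_TOKEN = _constructed_jwt({"aud": "https://graph.microsoft.com",
                                      "roles": ["User.Read.All", "Group.Read.All"]})


def constructed_transport(url, headers=None, data=None):
    """Constructed stand-in for a tenant: a token, two pages of users, 403 for anything else."""
    if "/oauth2/v2.0/token" in url:
        return 200, {"token_type": "Bearer", "access_token": CONSTRUCTED_TOKEN}
    if url.startswith(GRAPH + "/users?$select"):
        return 200, {"value": [{"id": "u1", "userPrincipalName": "alice@contoso.example",
                                "accountEnabled": True}],
                     "@odata.nextLink": GRAPH + "/users?$skiptoken=page2"}
    if url == GRAPH + "/users?$skiptoken=page2":
        return 200, {"value": [{"id": "u2", "userPrincipalName": "bob@contoso.example",
                                "accountEnabled": False}]}
    return 403, {"error": {"code": "Authorization_RequestDenied",
                           "message": "Insufficient privileges to complete the operation."}}


def demo(transport=constructed_transport):
    """What a Test Connection should do: get a token, check its roles, page one collection."""
    token = get_token("00000000-0000-0000-0000-000000000000", "client-id", "client-secret", transport)
    return {"missing_permissions": missing_roles(token), "users": discover_users(token, transport)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against a real tenant, call `demo(http_json)` with your own tenant ID, client ID and secret substituted in; the `missing_roles` result explains an "Insufficient privileges" failure before any Graph call is made, since a permission that has not been admin-consented never appears in the token's `roles` claim.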
Troubleshooting
| Symptom | Likely Cause | Resolution |
|---|---|---|
| Authentication failed | Wrong Client ID, or a client secret that is mistyped (AADSTS7000215) or expired (AADSTS7000222) | Verify the Client ID in Entra ID; if the secret is wrong or expired, create a new one under Certificates & secrets and update the OrbisID credential |
| Insufficient privileges (Graph 403, Authorization_RequestDenied) | Missing Graph application permissions, or permissions added without admin consent | Ensure all required permissions are application (not delegated) permissions with admin consent; newly consented permissions appear only in tokens issued afterwards, so re-run Test Connection |
| No groups returned | Group.Read.All not granted | Add and consent Group.Read.All permission |
| AADSTS700016 | App not found in tenant | Confirm Tenant ID and Client ID are from the same tenant |