
Prepare Microsoft Entra ID connector

note

This connector has been renamed from Microsoft Azure Active Directory to Microsoft Entra ID, following Microsoft's recent renaming of the product.

The Microsoft Entra ID connector retrieves information about users and their organizational details in Microsoft Entra ID. In the Microsoft Azure Portal, you are required to register a Graph API application, add API permissions, and grant the application those permissions. You are required to copy the Directory (tenant) ID and the Application (client) ID, create and copy a client secret, and enter these values in Settings when adding the connector.

Prerequisites

The user account used to create the application in Step 2:

  • If Microsoft Azure > User settings > Users can register applications is Yes, the user account used to create the application does not have to be assigned to a role.

  • If Microsoft Azure > User settings > Users can register applications is No, the user account used to create the application must be assigned to one of the following roles:

    • Global administrator

    • Application administrator

    • Cloud application administrator

    • Application developer

The user who grants administrator consent in Step 3.iii must be assigned to the Global administrator role.

Collection of the CredentialUserRegistration report in Step 6, with application permissions set in Step 3.ii.b, requires a premium tier Azure AD B2C license.

Procedure

  1. Sign in to the Microsoft Azure Portal: https://azure.microsoft.com/

  2. In App registrations, create an Azure Active Directory application.

    1. Set Supported account types to Accounts in this organizational directory only.

    2. Set Redirect URI to Web.

    3. In URI, enter http://localhost.

  3. Add API permissions to Microsoft Graph for the application you created.

    1. Configure Delegated permissions:

      1. Select Delegated permissions.

      2. Select offline_access in the list of permissions.

      3. Clear the User: User.Read permission, if it is selected.

    2. Configure Application permissions:

      1. In the list of permissions, do one of the following:

        • Select Directory: Directory.Read.All.

        • Select User: User.Read.All and Group: Group.Read.All.

      2. Optional: If you want to collect the CredentialUserRegistration report, select Reports: Reports.Read.All in the list of permissions. This step is only required if Collect user credential details report is selected when adding the connector, and you must fulfil the Prerequisites.

        The report represents the details of the usage of self-service password reset and multi-factor authentication (MFA) for all registered users. Details include user information, status of registration, and the authentication method used.

    3. Select Grant admin consent for [your company name].

  4. In Certificates & secrets, create a new client secret with the following information:

    1. Enter a Description for the key, for your own reference.

    2. Set Expires to your desired value.

      caution

      When the client secret expires, the connector will not be able to import data.

      Regenerate the client secret when it expires and enter the new value in the connector Settings.

    3. To display the client secret, select Add.

      Copy and save the value. It is used when adding the connector.

  5. Copy the Application (client) ID and Directory (tenant) ID for the application. They are used when adding the connector.

  6. When adding the connector in Snow Atlas, in Settings, enter the saved values according to the table.

    Setting | Value from Microsoft Azure Portal
    Tenant ID | Directory (tenant) ID
    Client ID | Application (client) ID
    Client secret | Client secret
    Domains | The domains in your organization for which you want to collect data.
      • An asterisk, *, collects data for all domains connected to your organization, including user accounts without an email address, since the domain is in their User Principal Name. This is the default value.
      • One or several domains connected to your organization collect data only for those domains, and exclude user accounts that do not have one of those domains in their User Principal Name. Enter one name per row.
      If you add both an asterisk and names, the asterisk takes precedence and data is collected for all domains.
      Note: If you also have the SaaS connector for Microsoft 365, you must populate the Domains field in the same way in both connectors' settings; otherwise data for the domains you wanted to exclude is still collected from Microsoft.
    Collect user credential details report | Select this checkbox if you want to collect the CredentialUserRegistration report. This requires the permission Reports.Read.All in the created application, and you must fulfil the Prerequisites.
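The following Python is an added example, not Snow Software's code, for checking an app registration before adding the connector. It decodes the "roles" claim of an access token issued to the application to verify the application permissions required in Step 3.ii (and Reports.Read.All when the credential report is collected), and applies the Domains rule from the table above to constructed user records. The token helper, user records and domain names are constructed placeholders.

```python
# Added example (not the connector's own code): verify the application
# permissions on a token and apply the Domains setting semantics.
import base64
import json

def _decode_claims(token: str) -> dict:
    """Decode a JWT payload without verifying the signature.
    Fine for inspecting granted roles; never use for authentication."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def missing_permissions(token: str, collect_report: bool = False) -> list:
    """Return the application permissions the token lacks.
    Step 3.ii accepts Directory.Read.All, or User.Read.All + Group.Read.All;
    Reports.Read.All is needed only for the CredentialUserRegistration report."""
    roles = set(_decode_claims(token).get("roles", []))
    missing = []
    if "Directory.Read.All" not in roles:
        missing += [r for r in ("User.Read.All", "Group.Read.All") if r not in roles]
    if collect_report and "Reports.Read.All" not in roles:
        missing.append("Reports.Read.All")
    return missing

def filter_users(users: list, domains: list) -> list:
    """Apply the Domains setting: an asterisk anywhere takes precedence and
    keeps every user (including those without an email address); otherwise
    keep only users whose User Principal Name ends with a listed domain."""
    if "*" in domains:
        return list(users)
    wanted = {d.lower() for d in domains}
    return [u for u in users
            if u["userPrincipalName"].rsplit("@", 1)[-1].lower() in wanted]

def _fake_token(roles: list) -> str:
    """Constructed, unsigned token for offline demonstration only."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'roles': roles})}.sig"

# Constructed sample users; domains are placeholders, not real tenants.
SAMPLE_USERS = [
    {"userPrincipalName": "alice@example.com", "mail": "alice@example.com"},
    {"userPrincipalName": "bob@example.com", "mail": None},  # no email address
    {"userPrincipalName": "carol@contoso.test", "mail": "carol@contoso.test"},
]
```

With a real token, pass the access token string returned by the client credentials flow to missing_permissions; an empty list means the consent granted in Step 3.iii covers what the connector needs.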

After completing this task, follow the general procedure to Add connectors.

The connector makes API calls to the vendor and retrieves data. For more information, see API calls and Data retrieved by the connector.

Snow Software does not own the third party trademarks, software, products, or tools (collectively, the "Third Party Products") referenced herein. Third Party Product updates, including user interface updates, may not be reflected in this content.