Microsoft Entra ID (Azure AD) Data Integration

2025.07.30

Overview

Identity Intelligence’s platform can analyze authentication events in Microsoft Entra ID (formerly Azure AD) to give insights into how users are accessing your applications. To provide those insights, you must set up an integration between Microsoft Entra ID and Identity Intelligence. This document walks you through setting up API access inside Entra ID and the complementary setup inside the Identity Intelligence console.

Important Notes

  • UPDATE [2025.07.25] - Cisco Identity Intelligence now has Microsoft Azure Marketplace apps for both the primary data integration AND the Azure Event Hub streaming capability. We highly recommend you use these methods.

  • Microsoft Licensing - Please see the Entra ID Sign-in Log Availability section below for the implications of Microsoft product licensing on CII data collection for specific data types.

  • This integration is for Entra ID data collection. For SSO to your Identity Intelligence tenant using Entra ID, please use Duo SSO with Entra ID as an external authentication source (article).

  • If this is a brand new Microsoft Entra ID tenant, for instance a development environment, then make sure to enable a Microsoft Entra ID subscription and resource provider.

Entra ID Integration

Entra ID has different activity log types, each containing a different set of information. Identity Intelligence ingests the Sign-in and Audit logs, as well as the Directory data. Sign-in and audit logs are available through the Microsoft Entra ID portal.

  • Sign-ins – Information about sign-ins and how your resources are used by your users.

  • Audit logs – Records of changes made to directory objects such as users, groups and applications.

  • Directory - User and Group information from your Entra ID.

Entra ID Sign-in Log Availability

Sign-in logs are available via the Microsoft Graph API for 30 days inside Entra ID with a Premium subscription (P1 or P2).

Note - sign-in logs are NOT currently available via the Graph API with non-P1/P2 Entra ID subscriptions, e.g. Microsoft Entra ID Free.

Based on this 30-day retention, Identity Intelligence starts ingestion with the last 30 days of logs. On subsequent collections, it ingests only the logs newer than the previous collection. Because sign-ins older than 30 days can no longer be retrieved from the Graph API, a collection outage longer than the retention window leaves a permanent gap in the data.
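As an added example (not code from Cisco or from this page), the following Python shows what a collector working inside the 30-day window has to get right: the initial 30-day backfill, the incremental filter on later runs, detection of an idle period longer than the retention window (an unrecoverable gap), and de-duplication of records that a small overlap window re-reads. The overlap size, the helper names and the sample record ids are assumptions of this example; the filter string is the createdDateTime filter accepted by the /auditLogs/signIns endpoint.

```python
from datetime import datetime, timedelta, timezone

# Entra ID P1/P2 keeps sign-in logs for 30 days; Graph cannot return anything older.
RETENTION_DAYS = 30
# Assumption of this example: re-read a short overlap on every incremental run so
# sign-ins that were indexed after the previous poll are still picked up.
OVERLAP = timedelta(minutes=15)


def utc(year, month, day, hour=0, minute=0):
    """Build a timezone-aware UTC timestamp (keeps the calls below readable)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def graph_signin_filter(now, last_seen=None):
    """Build the $filter for GET https://graph.microsoft.com/v1.0/auditLogs/signIns.

    now       - current time (UTC, timezone-aware)
    last_seen - createdDateTime of the newest sign-in already ingested, or None
                for the very first collection (full 30-day backfill)
    Returns (odata_filter, window_start, gap). gap is True when the collector was
    idle for longer than the retention window, i.e. sign-ins between the retention
    boundary and last_seen are no longer retrievable from Graph.
    """
    earliest = now - timedelta(days=RETENTION_DAYS)
    if last_seen is None:
        start, gap = earliest, False
    else:
        gap = last_seen < earliest
        start = max(last_seen - OVERLAP, earliest)
    stamp = start.strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"createdDateTime ge {stamp}", start, gap


def merge_signins(seen_ids, page):
    """Keep only sign-in records whose id has not been stored yet.

    seen_ids - set of Graph sign-in ids already ingested (updated in place)
    page     - one page of records returned by the signIns endpoint
    """
    new = []
    for rec in page:
        if rec["id"] not in seen_ids:
            seen_ids.add(rec["id"])
            new.append(rec)
    return new


if __name__ == "__main__":
    now = utc(2025, 7, 30, 12)
    # Constructed sample: first run, a run one hour later, then a run after the
    # collector has been down for 45 days (longer than retention).
    for last in (None, now - timedelta(hours=1), now - timedelta(days=45)):
        flt, _, gap = graph_signin_filter(now, last)
        print(flt, "GAP - sign-ins lost" if gap else "ok")

    seen = {"sign-in-001"}  # ids stored by the previous run (constructed)
    overlap_page = [{"id": "sign-in-001"}, {"id": "sign-in-002"}]
    print([r["id"] for r in merge_signins(seen, overlap_page)])
```

The gap flag is the condition worth alerting on: once the collector's last watermark falls behind the retention boundary, no amount of retrying recovers the missing sign-ins, and the only mitigation is real-time streaming via Event Hub (see the note at the end of the dashboard steps).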

Pre-requisites

  • Azure / Entra admin permissions sufficient to

    • Create a User-assigned Managed Identity

    • Add a role to the Managed Identity that allows it to create App Registrations and Service Principals - the Application Administrator role contains the minimum permissions required

  • An Azure Resource group in which to deploy the Azure Marketplace application. Use an EMPTY resource group (the Marketplace deployment requires one), ideally newly created, to avoid resource group-level policies that may cause issues.

Create Managed Identity and assign Entra ID role

  1. Go to portal.azure.com

  2. Click on Create a resource

  3. In the search box, enter “user-assigned managed identity” and select the resource to create

  4. On the creation screen, enter the following info: Resource Group name, Region and Identity name

  5. Proceed with the Review and Create step

  6. Go to Entra ID and navigate to Roles and administrators

  7. In All roles, find the Application Administrator role and click on the number in the Assignments column

  8. Click on Add assignments, locate your managed identity by name, and add it to the role

  9. Proceed to the following section. The managed identity is only used by the Marketplace deployment script; once the deployment has completed successfully, consider removing this role assignment, because Application Administrator lets the identity create and modify any app registration in the tenant.

Install Azure Marketplace Application

  1. Within Azure or Entra ID portal, click on Create a resource

  2. Search for Cisco Identity Intelligence and select Entra ID Data Integration

  3. Select the Free Plan option and Create it

  4. Enter all the details into the input boxes as per the table below. NOTE: As mentioned above, the Azure Resource group specified here to deploy the Marketplace offer MUST be empty (it cannot contain any existing resources).

  • Region: The Azure region in which the Deployment Script should be deployed

  • App Registration Name: Name of the App Registration for the Data Integration

  • Assign write permissions: Yes/No. This grants selected write permissions so that CII administrators can take actions from within the CII dashboard, such as logging out active Entra user sessions. For more information, see Understanding CII API Permissions for Entra and Remediation Actions

  • Tenant has Intune License: Yes/No. Does this Entra ID tenant have Intune licenses? If Yes, the Device Management data read permissions are also assigned

  • Managed Identity Name: User-Assigned Managed Identity name from the previous section

  • Managed Identity Resource Group: Resource Group name where the Managed Identity was created

  5. Click Create. The necessary App Registration and Service Principal will be created in Entra ID and the corresponding Graph API permissions will be assigned to it.

Now you need to grant Admin Consent to the permissions that were assigned to the app registration. Note that tenant-wide admin consent for Microsoft Graph application permissions requires a more privileged role than the Application Administrator role used above (Privileged Role Administrator or Global Administrator), so perform these steps with a suitably privileged account.

  1. Navigate to Entra ID and go to App Registrations

  2. Select All Applications and enter the CII application name that you specified during the Marketplace app creation

  3. Click on App Registration and go to the API Permissions pane on the left menu

  4. Click Grant admin consent button as shown

  5. The Status column for all API permissions listed in the table should now be shown as Granted.

  6. Move to the next section to create a client secret for the application.

Create Client Secret

  1. Go to the Certificates & Secrets pane in the left menu under your Identity Intelligence app registration

  2. Click on New client secret

  3. Fill in the description, such as "Identity Intelligence Integration", and the desired Expiration timeframe for the secret, (i.e. 12 months). Click Add.

  4. Save the Secret Value and Secret ID, as these will be used later in the Identity Intelligence dashboard

    • Click the copy icon to copy and save both values to a secure location. Important: Once you leave this page you WILL NOT be able to retrieve the secret value again. If lost, you will have to delete the secret and create a new one.

  5. At this point, you can proceed to adding the Entra ID integration to the CII tenant in this section - Add Microsoft Entra ID Integration to Identity Intelligence Dashboard

Legacy App Registration Setup Steps (Deprecated Soon)

This section details the older manual process to create the Entra ID app registration for CII data collection.

YOU DO NOT NEED TO DO THIS SECTION IF YOU HAVE ALREADY COMPLETED THE Azure Marketplace App Data Integration (Recommended) PROCESS ABOVE.

There are 2 high-level steps you need to go through to set up your Microsoft Entra ID API credentials and connect them to Identity Intelligence.

  1. Set up an App registration with API permissions and create an app secret in Microsoft Entra ID

  2. Add the Entra ID API details to the Identity Intelligence Dashboard

Setup App and API secret in Microsoft Entra ID

Next, we will create the app in your Microsoft Entra ID tenant, assigning the correct permissions, and add an API secret.

Add an app in your Microsoft Entra ID tenant

  1. Go to Microsoft Entra ID...App registrations

  2. Click on New registration

  3. Fill in the details for the new app

    • Name this app "Identity Intelligence Data Integration" or something similar

    • Make sure to select “Accounts in any organizational directory (Any Microsoft Entra ID – Multitenant)”

    • No redirect URI is required - just leave this blank.

  4. Click on Register

  5. Save the following information as it will get entered into the Identity Intelligence dashboard.

    • Application (client) ID

    • Directory (tenant) ID

Understanding CII API Permissions for Entra

There are two sets of API permissions that can be used with your Identity Intelligence tenant:

  • Read-only - used for data ingestion and analysis only

  • Read/write (which includes the read-only set) - used for the defined list of Identity Intelligence Remediation Actions.

Remediation actions can only be taken by administrator or help desk roles in Identity Intelligence and are limited to the list in the Remediation Actions article. This table maps each remediation action to the write permissions it requires.

Write Permission(s)                                                     Associated Remediation Type

User.ReadWrite.All, User.ManageIdentities.All, Directory.ReadWrite.All  Update User Type, Delete Guest User

User.ReadWrite.All, Directory.ReadWrite.All                             User Log out

UserAuthenticationMethod.ReadWrite.All                                  Reset MFA

User.ReadWrite.All                                                      Delete Guest User

Add API Permissions

The instructions below are shown for full read/write capabilities. For a read-only model, please omit the read/write API permissions.

  1. Go to API Permissions under your newly created Identity Intelligence Integration app

  2. Click on Add a permission

  3. Click on Microsoft Graph

  4. Click on Application Permissions

    • NOTE - Permissions to be added below must ALL be of type Application

  5. Read-only permissions: select each of the following permissions (repeat steps 2 to 4 if you add them in batches). See notes for details.

    • AuditLog.Read.All

    • Directory.Read.All

    • Group.Read.All

    • GroupMember.Read.All

    • Reports.Read.All

    • User.Read.All

    • Policy.Read.All

    • MailboxSettings.Read

    • UserAuthenticationMethod.Read.All

    • IdentityRiskEvent.Read.All

    • IdentityRiskyUser.Read.All (requires P2 license)

    • DeviceManagementApps.Read.All (requires Intune license)

    • DeviceManagementConfiguration.Read.All (requires Intune license)

    • DeviceManagementManagedDevices.Read.All (requires Intune license)

  6. Read/write permissions for Remediation Actions:

    • User.ReadWrite.All

    • User.ManageIdentities.All

    • Directory.ReadWrite.All

    • UserAuthenticationMethod.ReadWrite.All

  7. Once all permissions are selected, click Add permissions

  8. Click on Grant admin consent, then click Yes

  9. When finished, every permission in the API Permissions list should show a Status of Granted for your tenant.
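Whether the app registration came from the Marketplace deployment or from the manual steps above, the portal's Status column is the only confirmation that the permissions were actually consented. The Python below is an added example (not Cisco's code) of the same check done from Graph data, so it can be run on a schedule: it resolves the CII service principal's appRoleAssignments (which only exist once admin consent has been granted) against Microsoft Graph's own appRoles, then reports read permissions that are missing, write permissions that are live (meaning remediation actions are enabled), and anything outside the two documented sets. The Graph service principal, assignments and role ids used here are constructed placeholders; real Graph app role ids are fixed GUIDs published by Microsoft, and fetching both objects from the API is left to the caller.

```python
# Microsoft Graph's own application id; every Graph app role is granted against
# Graph's service principal, so assignments to other APIs are ignored here.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Permission sets as documented for the CII integration.
READ_ONLY = {
    "AuditLog.Read.All", "Directory.Read.All", "Group.Read.All",
    "GroupMember.Read.All", "Reports.Read.All", "User.Read.All",
    "Policy.Read.All", "MailboxSettings.Read",
    "UserAuthenticationMethod.Read.All", "IdentityRiskEvent.Read.All",
}
# Read-only permissions that are only expected when the tenant holds the license.
LICENSED = {
    "IdentityRiskyUser.Read.All": "Entra ID P2",
    "DeviceManagementApps.Read.All": "Intune",
    "DeviceManagementConfiguration.Read.All": "Intune",
    "DeviceManagementManagedDevices.Read.All": "Intune",
}
WRITE = {
    "User.ReadWrite.All", "User.ManageIdentities.All",
    "Directory.ReadWrite.All", "UserAuthenticationMethod.ReadWrite.All",
}


def granted_graph_permissions(graph_sp, assignments):
    """Resolve consented application permissions to their names.

    graph_sp    - the Microsoft Graph service principal object
                  (GET /servicePrincipals?$filter=appId eq '<GRAPH_APP_ID>');
                  its appRoles list maps role id -> permission value
    assignments - GET /servicePrincipals/<cii-sp-id>/appRoleAssignments;
                  an entry exists only once admin consent has been granted
    """
    names = {role["id"]: role["value"] for role in graph_sp["appRoles"]}
    return {
        names.get(a["appRoleId"], "unknown:" + a["appRoleId"])
        for a in assignments
        if a["resourceId"] == graph_sp["id"]
    }


def audit_permissions(granted, licenses):
    """Compare consented permissions against the documented sets.

    licenses - names (values of LICENSED) the tenant actually holds
    """
    expected = READ_ONLY | {p for p, lic in LICENSED.items() if lic in licenses}
    return {
        "missing": sorted(expected - granted),
        "write_enabled": sorted(granted & WRITE),
        "unexpected": sorted(granted - READ_ONLY - set(LICENSED) - WRITE),
    }


# Constructed sample data for this example (placeholder ids, not the real GUIDs).
_ROLE_NAMES = sorted(READ_ONLY | set(LICENSED) | WRITE | {"Mail.ReadWrite"})
SAMPLE_GRAPH_SP = {
    "id": "11111111-1111-1111-1111-111111111111",
    "appId": GRAPH_APP_ID,
    "appRoles": [
        {"id": f"00000000-0000-0000-0000-{i:012d}", "value": name}
        for i, name in enumerate(_ROLE_NAMES)
    ],
}
_ROLE_IDS = {r["value"]: r["id"] for r in SAMPLE_GRAPH_SP["appRoles"]}


def _assignment(name, resource_id=SAMPLE_GRAPH_SP["id"]):
    return {"appRoleId": _ROLE_IDS[name], "resourceId": resource_id,
            "principalId": "22222222-2222-2222-2222-222222222222"}


# Policy.Read.All was never consented, Mail.ReadWrite is not documented for CII,
# User.ReadWrite.All means remediation is enabled, and the last entry targets a
# different API and must be ignored.
SAMPLE_ASSIGNMENTS = [_assignment(n) for n in (
    "AuditLog.Read.All", "Directory.Read.All", "Group.Read.All",
    "GroupMember.Read.All", "Reports.Read.All", "User.Read.All",
    "MailboxSettings.Read", "UserAuthenticationMethod.Read.All",
    "IdentityRiskEvent.Read.All", "User.ReadWrite.All", "Mail.ReadWrite",
)] + [_assignment("User.Read.All",
                  resource_id="33333333-3333-3333-3333-333333333333")]


def demo_audit():
    """Run the audit for a tenant that holds Intune but not Entra ID P2."""
    granted = granted_graph_permissions(SAMPLE_GRAPH_SP, SAMPLE_ASSIGNMENTS)
    return audit_permissions(granted, licenses={"Intune"})


if __name__ == "__main__":
    for key, values in demo_audit().items():
        print(f"{key}: {values}")
```

Treat a non-empty "unexpected" list as a finding to investigate, and an unexpected entry in "write_enabled" as a sign that remediation capability was switched on without being planned; the `$select` of requiredResourceAccess on the application object is not a substitute for this check, because it lists what was requested, not what was consented.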

Create Client secret

  1. Go to Certificates & Secrets under your Identity Intelligence Integration app

  2. Click on New client secret

  3. Fill in the description, such as "Identity Intelligence Integration", and the desired Expiration timeframe for the secret, (i.e. 12 months). Click Add.

  4. Save the Secret ID and Secret Value as this will be used later in the Identity Intelligence dashboard

    • Click the copy icon to copy and save both to a secure location

    • Important: Once you leave this page you WILL NOT be able to get the secret value again. If lost, you will have to delete and create a new one.

Add Microsoft Entra ID Integration to Identity Intelligence Dashboard

Next, we will add the integration in the Identity Intelligence dashboard.

  1. Login to the Identity Intelligence Dashboard

  2. From the Integrations tab, click on Add Integration

  3. Click on Add Integration under Microsoft Entra ID

  4. Fill in the details for the Microsoft Entra ID Integration. Enter the values saved from earlier on in the Microsoft Entra ID setup:

    • Directory ID

    • Application ID

    • Secret ID

    • Secret VALUE

  5. Click Connect to test the connectivity. This may take a few minutes

  6. If the connectivity test is successful, you can optionally review the data types that will be collected. Navigate to the Advanced tab and review the responses to the questions at the top of the page to confirm they are answered correctly based on your licenses and permissions. Adjust any responses as needed. To read more about the data types, see the Managed Integrations docs.

  7. Click Save. You will now have a new integration listed on the Integrations page.

  8. If real-time event streaming is desired, please continue to the Azure Event Hub Log Streaming for Microsoft Entra ID article to create an Azure Event Hub integration.

Test the Integration and Start Initial Collection

  1. Click on the integration name for more details.

  2. You can also click on Test Connectivity to test the API connectivity with Entra ID

  3. If you see “Connected!”, everything is working.

  4. IMPORTANT - Now click the Entra ID integration bar again and click Collect Now to begin the first data collection.

  5. Congratulations, you have successfully set up the Microsoft Entra ID Integration!

Update the Microsoft Entra ID API App (client) Secret

You can monitor the status of your Identity Intelligence Microsoft Entra ID integration secret using the Identity Intelligence Client Secret Expiring Soon check in your Identity Intelligence tenant.

The default setting is 90 days prior to expiration, and we highly recommend sending notifications for this check to the channel of your choosing via email or Teams.

Before your app (client) secret reaches its expiration, create a new secret in the Microsoft Entra ID portal, update the Microsoft Entra ID integration in your Identity Intelligence tenant with it, and then delete the old secret. Creating the new secret first keeps collection running while you switch.

Notes:

  • You can confirm which Microsoft Entra ID app registration is the right one by checking the Identity Intelligence Entra ID integration app (client) ID in the Identity Intelligence console.

  • Deleting the previous secret once the new one is confirmed working is a best practice: it avoids confusion about which one is in use, and a deleted secret can no longer be used even if a copy of its value was leaked.

Steps

  1. Create the new app (client) secret in the Microsoft Entra ID portal for the Identity Intelligence data integration. Save the Secret ID and Value to a secure location.

    1. Important: Once you leave this page you WILL NOT be able to get the Value again. If lost, you will have to delete and create a new one.

  2. Login to Identity Intelligence and go to Integrations -> your Microsoft Entra ID integration -> Edit settings

  3. Click Reset Credentials

  4. Add the new app secret ID and Value to the settings and click Save.

  5. On the integrations page, click the 3-dot menu for the Microsoft Entra ID integration and click Test Connectivity to verify the new secret is working.
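The following Python is an added example (not Cisco's code, nor the Client Secret Expiring Soon check itself) of what that check and the clean-up note above amount to if you want to run them yourself against the app registration's metadata: it classifies each secret from a Graph /applications response by time to expiry using the same 90-day default, and flags the two rotation mistakes that the steps above guard against, a leftover second valid secret and no valid secret at all. The sample application object, its keyIds and the helper names are constructed for this example; fetching the object from Graph and deleting a credential (the application's removePassword action) are outside the block.

```python
import re
from datetime import datetime, timedelta, timezone

# Default threshold of the CII "Client Secret Expiring Soon" check.
WARN_DAYS = 90


def utc(year, month, day, hour=0, minute=0, second=0):
    """Build a timezone-aware UTC timestamp."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def parse_graph_time(value):
    """Parse a Graph DateTimeOffset such as '2026-07-30T10:15:00Z'.

    Graph may emit up to seven fractional-second digits, which older Python
    versions of fromisoformat reject, so the fraction is dropped first.
    """
    value = re.sub(r"\.\d+", "", value).replace("Z", "+00:00")
    return datetime.fromisoformat(value)


def check_secrets(app, now, warn_days=WARN_DAYS):
    """Classify every client secret on an app registration.

    app - the application object from
          GET /applications/<object-id>?$select=displayName,appId,passwordCredentials
          (Graph returns only metadata such as keyId, displayName and
          endDateTime; the secret value is never retrievable)
    Returns keyIds grouped as expired / expiring / ok plus the number of secrets
    that are currently valid.
    """
    result = {"expired": [], "expiring": [], "ok": []}
    for cred in app.get("passwordCredentials", []):
        remaining = parse_graph_time(cred["endDateTime"]) - now
        if remaining <= timedelta(0):
            result["expired"].append(cred["keyId"])
        elif remaining <= timedelta(days=warn_days):
            result["expiring"].append(cred["keyId"])
        else:
            result["ok"].append(cred["keyId"])
    result["active_count"] = len(result["expiring"]) + len(result["ok"])
    return result


def rotation_findings(status):
    """Turn the classification into actionable findings."""
    findings = []
    if status["expiring"]:
        findings.append("rotate: secret(s) expire within the warning window: "
                        + ", ".join(status["expiring"]))
    if status["expired"]:
        findings.append("cleanup: delete expired secret(s): "
                        + ", ".join(status["expired"]))
    if status["active_count"] > 1:
        findings.append("cleanup: more than one valid secret; delete the one no "
                        "longer configured in CII once Test Connectivity passes")
    if status["active_count"] == 0:
        findings.append("outage: no valid secret remains; collection has stopped")
    return findings


# Constructed sample: an expired secret left behind by an earlier rotation, the
# secret currently configured in CII (about 47 days from expiry) and its freshly
# created replacement. keyIds and displayNames are placeholders.
SAMPLE_APP = {
    "displayName": "Identity Intelligence Data Integration",
    "appId": "44444444-4444-4444-4444-444444444444",
    "passwordCredentials": [
        {"keyId": "aaaa-old", "displayName": "CII 2024",
         "endDateTime": "2025-01-15T00:00:00Z"},
        {"keyId": "bbbb-current", "displayName": "Identity Intelligence Integration",
         "endDateTime": "2025-09-15T00:00:00.5266667Z"},
        {"keyId": "cccc-new", "displayName": "Identity Intelligence Integration 2025",
         "endDateTime": "2026-07-30T00:00:00Z"},
    ],
}


def demo_check():
    """Classify the sample app's secrets as of 2025-07-30 12:00 UTC."""
    return check_secrets(SAMPLE_APP, now=utc(2025, 7, 30, 12))


if __name__ == "__main__":
    status = demo_check()
    print(status)
    for line in rotation_findings(status):
        print("-", line)
```

Run this with the app registration identified by the client ID shown in the Identity Intelligence console (see the note above), so that you are certain you are rotating the right one.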
