Microsoft Entra ID (Azure AD) Data Integration

Overview

Identity Intelligence’s platform can analyze authentication events in Microsoft Entra ID (Azure AD)to give insights into how users are accessing your applications. In order to provide Insights, you have to set up an integration between Microsoft Entra ID and Identity Intelligence for analysis. This document will walk you through the process of setting up API access inside of Entra ID and will also walk you through the complementary set up inside of the Identity Intelligence console.

Important Notes

• This integration is for Entra ID data collection. For SSO to your Identity Intelligence tenant using Entra ID, please see Microsoft Entra ID (Azure AD) SSO Integration

• If this is a brand new Microsoft Entra ID tenant, for instance a development environment, then make sure to enable a Microsoft Entra ID subscription and resource provider

Entra ID Integration

Entra ID has different activity log types which each contain different sets of information. Identity Intelligence will ingest the Sign-ins as well as the Directory. Sign-in logs are available through the Microsoft Entra ID portal.

• Sign-ins – Information about sign-ins and how your resources are used by your users.

• Directory - User and Group information from your Entra ID.

Entra ID Sign-in Log Availability

Sign-in logs are available via Microsoft Graph API for 30 days inside Entra ID with a Premium subscription (P1 or P2).

Note - sign-in logs are NOT currently available via Graph API with non-P1 or P2 Entra ID subscriptions, e.g Microsoft Entra ID Free.

• Reference:

  • Data Retention - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-reports-data-retention

  • Sign-in Logs - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins

Based on this 30 day retention, Identity Intelligence will start ingestion with the last 30 days of logs. On subsequent log collections, Identity Intelligence will ingest only the latest logs.

Permission requirements for setting up Entra ID integration

To add the necessary configuration in Entra ID, you need to be one of the following:

• Microsoft Entra ID - Global Administrator or Service Administrator role https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal

• Azure Subscription - Owner role https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal-subscription-admin

The main thing that you will need to configure in Microsoft Entra ID:

• Add an App inside your Microsoft Entra ID tenant that defines the keys and permissions needed by Identity Intelligence

Setup Steps

There are 2 high-level steps you need to go through to set up your Microsoft Entra ID API key then connect it to Identity Intelligence.

1. Setup App registration with API permissions and create an app secret in Microsoft Entra ID

2. Add Entra ID API details to Identity Intelligence Dashboard

Setup App and API secret in Microsoft Entra ID

Next, we will create the app in your Microsoft Entra ID tenant, assigning the correct permissions, and add an API secret.

Add an app in your Microsoft Entra ID tenant

1. Go to Microsoft Entra ID...App registrations

2. Click on New registration

   
3. Fill in the details for the new app

   • Name this app "Identity Intelligence Data Integration" or something similar

   • Make sure to select “Accounts in any organizational directory (Any Microsoft Entra ID – Multitenant)”

   • No redirect URI is required - just leave this blank.

     
4. Click on Register

5. Save the following information as it will get entered into the Identity Intelligence dashboard.

   • Application (client) ID

   • Directory (tenant) ID

Understanding Identity Intelligence API Permissions

There are two groups of API permissions sets that can be used with your Identity Intelligence tenant

• Read-only - used for data ingestion and analysis only

• Read/write (which includes the first set of read-only permissions) - read/write permissions are used for the defined list of Identity Intelligence Remediation Actions.

Remediation actions can only be taken by administrator or help desk roles in Identity Intelligence and are limited to the list in the above article. This table outlines the relationship from remediation actions to the API permissions.

Add API Permissions

The instructions below are shown for full read/write capabilities. For a read-only model, please omit the read/write API permissions.

1. Go to API Permissions under your newly created Identity Intelligence Integration app

2. Click on Add a permission

   
3. Click on Microsoft Graph

   
4. Click on Application Permissions

   • NOTE - Permissions to be added below must ALL be of type Application

5. Read-only permissions: Please repeat steps 5 and 6 for all of the following permissions. See notes for details.

   • AuditLog.Read.All

   • Directory.Read.All

   • Group.Read.All

   • GroupMember.Read.All

   • Reports.Read.All

   • User.Read.All

   • Policy.Read.All

   • MailboxSettings.Read

   • UserAuthenticationMethod.Read.All

   • IdentityRiskEvent.Read.All

   • IdentityRiskyUser.Read.All (requires P2 license)

   • DeviceManagementApps.Read.All (requires Intune license)

   • DeviceManagementConfiguration.Read.All (requires Intune license)

   • DeviceManagementManagedDevices.Read.All (requires Intune license)

6. Read/write permissions for Remediation Actions:

   • User.ReadWrite.All

   • User.ManageIdentities.All

   • Directory.ReadWrite.All

   • UserAuthenticationMethod.ReadWrite.All

7. Once added to the list, click Add Permissions Click on Grant admin consent

   
8. Click on Yes

9. When finished, the API Permissions should look as follows:

   

Create API secret

1. Go to Certificates & Secrets under your Identity Intelligence Integration app

2. Click on New client secret

3. Fill in the description, such as "Identity Intelligence Integration", and the desired Expiration timeframe for the secret, (i.e. 12 months). Click Add.

   
4. Save the Secret Value as this will be used later in the Identity Intelligence dashboard

   • Click the copy icon to copy and save it somewhere

   • Important: Once you leave this page you WILL NOT be able to get the key again. If lost, you will have to delete and create a new one.

Add Microsoft Entra ID Integration to Identity Intelligence Dashboard

Next, we will add the integration in the Identity Intelligence dashboard.

1. Login to the Identity Intelligence Dashboard

2. From the Integrations tab, click on Add Integration

3. Click on Add Integration under Microsoft Entra ID

4. Fill in the details for the Microsoft Entra ID Integration. Enter the values saved from earlier on in the Microsoft Entra ID setup:

   • Directory ID

   • Application ID

   • Secret

5. Click Connect to test the connectivity. This may take a few minutes

6. If the connectivity test is successful, if desired, you can then review the data types that will be collected. Navigate to the Advanced tab and review the responses to the questions at the top of the page to confirm they are answered correctly based on your licenses and permissions. Adjust any responses as needed. To read more ahout the data types, read the docs about Managed Integrations

7. Click Save. You will now have a new integration listed on the Integrations page.

8. If real-time event streaming is desired, please continue to the Azure Event Hub Log Streaming for Microsoft Entra ID (Azure AD) article to create an Azure Event Hub integration.

Test the Integration and Start Initial Collection

1. For more details click on the integration name for details.

2. You can also click on Test Connectivity to test the API connectivity with Azure

3. If you see “Connected!” everything is working.

4. IMPORTANT - Now click the Azure integration bar again and click Collect Now to begin the first data collection.

5. Congratulations, you have successfully set up the Microsoft Entra ID Integration!

Update the Microsoft Entra ID API App (client) Secret

You can monitor the status of your Identity Intelligence Microsoft Entra ID integration secret via a Check in your Identity Intelligence tenant using the Identity Intelligence Client Secret Expiring Soon check.

The default setting is 90 days prior to expiration and we highly recommend sending notifications for this check to the channel of your choosing via email or Teams.

Before your app (client) secret reaches its expiration, you will need to delete the old one, create a new one in the Microsoft Entra ID portal, and update the Microsoft Entra ID integration in your Identity Intelligence tenant.

Notes:

• You can confirm which Microsoft Entra ID app registration is the right one by checking the Identity Intelligence Entra ID integration app (client) ID in the Identity Intelligence console.

  
• Deleting the previous expired secret is a best practice to avoid confusion about which one is in use.

• If you also use Microsoft Entra ID (Azure AD) SSO Integration and that secret is set to expire at the same time, you will need to create a new one for that app registration and provide it to your Identity Intelligence technical contact prior to its expiration, or you will not be able to login to Identity Intelligence.

Steps

1. Create the new app (client) secret in the Microsoft Entra ID portal for the Identity Intelligence data integration. Save the Secret Value to a secure location.

   1. Important: Once you leave this page you WILL NOT be able to get the key again. If lost, you will have to delete and create a new one.

      
2. Login to Identity Intelligence and go to Integrations -> your Microsoft Entra ID integration -> Edit settings

3. Click Reset Credentials

   
4. Add the new app secret and click Save.

5. On the integrations page, click the 3-dot menu for the Microsoft Entra ID integration and click Test Connectivity to verify the new secret is working.