Microsoft Entra ID (Azure AD) Data Integration

11/2023


Last updated 5 months ago

Overview

The Identity Intelligence platform can analyze authentication events in Microsoft Entra ID (Azure AD) to give insights into how users are accessing your applications. To provide these Insights, you have to set up an integration between Microsoft Entra ID and Identity Intelligence. This document walks you through setting up API access inside Entra ID and the complementary setup inside the Identity Intelligence console.

Important Notes

  • This integration is for Entra ID data collection. For SSO to your Identity Intelligence tenant using Entra ID, see Microsoft Entra ID (Azure AD) SSO Integration.

  • If this is a brand new Microsoft Entra ID tenant, for instance a development environment, make sure to enable a Microsoft Entra ID subscription and resource provider.

Entra ID Integration

Entra ID has different activity log types which each contain different sets of information. Identity Intelligence will ingest the Sign-ins as well as the Directory. Sign-in logs are available through the Microsoft Entra ID portal.

  • Sign-ins – Information about sign-ins and how your resources are used by your users.

  • Directory - User and Group information from your Entra ID.

Entra ID Sign-in Log Availability

Sign-in logs are available via Microsoft Graph API for 30 days inside Entra ID with a Premium subscription (P1 or P2).

Note - sign-in logs are NOT currently available via Graph API with non-P1/P2 Entra ID subscriptions, e.g. Microsoft Entra ID Free.

  • Reference:

    • Data Retention - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-reports-data-retention

    • Sign-in Logs - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins

Based on this 30-day retention, Identity Intelligence starts ingestion with the last 30 days of logs. On subsequent log collections, Identity Intelligence ingests only the latest logs.

Permission requirements for setting up Entra ID integration

To add the necessary configuration in Entra ID, you need to be one of the following:

  • Microsoft Entra ID - Global Administrator or Service Administrator role (https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal)

  • Azure Subscription - Owner role (https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal-subscription-admin)

The main thing you need to configure in Microsoft Entra ID:

  • Add an App inside your Microsoft Entra ID tenant that defines the keys and permissions needed by Identity Intelligence

Setup Steps

There are two high-level steps: set up your Microsoft Entra ID API key, then connect it to Identity Intelligence.

  1. Setup App registration with API permissions and create an app secret in Microsoft Entra ID

  2. Add Entra ID API details to Identity Intelligence Dashboard

Setup App and API secret in Microsoft Entra ID

Next, we will create the app in your Microsoft Entra ID tenant, assign the correct permissions, and add an API secret.

Add an app in your Microsoft Entra ID tenant

  1. Go to Microsoft Entra ID...App registrations

  2. Click on New registration

  3. Fill in the details for the new app

    • Name this app "Identity Intelligence Data Integration" or something similar

    • Make sure to select “Accounts in any organizational directory (Any Microsoft Entra ID – Multitenant)”

    • No redirect URI is required - just leave this blank.

  4. Click on Register

  5. Save the following information as it will get entered into the Identity Intelligence dashboard.

    • Application (client) ID

    • Directory (tenant) ID

Understanding Identity Intelligence API Permissions

There are two groups of API permission sets that can be used with your Identity Intelligence tenant:

  • Read-only - used for data ingestion and analysis only

  • Read/write (which includes the first set of read-only permissions) - read/write permissions are used only for the defined list of Identity Intelligence Remediation Actions.

Remediation actions can only be taken by administrator or help desk roles in Identity Intelligence and are limited to the list in the Remediation Actions article. This table outlines which API permissions each remediation action requires.

| Permission Name | Remediation Type |
| --- | --- |
| User.ReadWrite.All, User.ManageIdentities.All, Directory.ReadWrite.All | Update User Type, Delete Guest User |
| User.ReadWrite.All, Directory.ReadWrite.All | User Log out |
| UserAuthenticationMethod.ReadWrite.All | Reset MFA |
| User.ReadWrite.All | Delete Guest User |

Add API Permissions

The instructions below are shown for full read/write capabilities. For a read-only model, please omit the read/write API permissions.

  1. Go to API Permissions under your newly created Identity Intelligence Integration app

  2. Click on Add a permission

  3. Click on Microsoft Graph

  4. Click on Application Permissions

    • NOTE - Permissions to be added below must ALL be of type Application

  5. Read-only permissions: Please repeat steps 5 and 6 for all of the following permissions. See notes for details.

    • AuditLog.Read.All

    • Directory.Read.All

    • Group.Read.All

    • GroupMember.Read.All

    • Reports.Read.All

    • User.Read.All

    • Policy.Read.All

    • MailboxSettings.Read

    • UserAuthenticationMethod.Read.All

    • IdentityRiskEvent.Read.All

    • IdentityRiskyUser.Read.All (requires P2 license)

    • DeviceManagementApps.Read.All (requires Intune license)

    • DeviceManagementConfiguration.Read.All (requires Intune license)

    • DeviceManagementManagedDevices.Read.All (requires Intune license)

  6. Read/write permissions for Remediation Actions:

    • User.ReadWrite.All

    • User.ManageIdentities.All

    • Directory.ReadWrite.All

    • UserAuthenticationMethod.ReadWrite.All

  7. Once added to the list, click Add Permissions, then click Grant admin consent

  8. Click on Yes

  9. When finished, the API Permissions should look as follows:

Create API secret

  1. Go to Certificates & Secrets under your Identity Intelligence Integration app

  2. Click on New client secret

  3. Fill in the description, such as "Identity Intelligence Integration", and the desired Expiration timeframe for the secret (e.g. 12 months). Click Add.

  4. Save the Secret Value as this will be used later in the Identity Intelligence dashboard

    • Click the copy icon to copy and save it somewhere

    • Important: Once you leave this page you WILL NOT be able to get the key again. If lost, you will have to delete and create a new one.

Add Microsoft Entra ID Integration to Identity Intelligence Dashboard

Next, we will add the integration in the Identity Intelligence dashboard.

  1. Log in to the Identity Intelligence Dashboard

  2. From the Integrations tab, click on Add Integration

  3. Click on Add Integration under Microsoft Entra ID

  4. Fill in the details for the Microsoft Entra ID Integration. Enter the values saved from earlier on in the Microsoft Entra ID setup:

    • Directory ID

    • Application ID

    • Secret

  5. Click Connect to test the connectivity. This may take a few minutes.

    If the connectivity test is successful, you can optionally review the data types that will be collected: navigate to the Advanced tab and check that the answers to the questions at the top of the page are correct for your licenses and permissions, adjusting any responses as needed. To read more about the data types, see the docs about Managed Integrations.

  6. Click Save. You will now have a new integration listed on the Integrations page.

  7. If real-time event streaming is desired, please continue to the Azure Event Hub Log Streaming for Microsoft Entra ID (Azure AD) article to create an Azure Event Hub integration.

Test the Integration and Start Initial Collection

  1. Click on the integration name for more details.

  2. You can also click on Test Connectivity to test the API connectivity with Azure

  3. If you see “Connected!” everything is working.

  4. IMPORTANT - Now click the Azure integration bar again and click Collect Now to begin the first data collection.

  5. Congratulations, you have successfully set up the Microsoft Entra ID Integration!

Update the Microsoft Entra ID API App (client) Secret

You can monitor the status of your Identity Intelligence Microsoft Entra ID integration secret via a Check in your Identity Intelligence tenant using the Identity Intelligence Client Secret Expiring Soon check.

The default setting is 90 days prior to expiration and we highly recommend sending notifications for this check to the channel of your choosing via email or Teams.

Before your app (client) secret reaches its expiration, you will need to delete the old one, create a new one in the Microsoft Entra ID portal, and update the Microsoft Entra ID integration in your Identity Intelligence tenant.

Notes:

  • You can confirm which Microsoft Entra ID app registration is the right one by checking the Identity Intelligence Entra ID integration app (client) ID in the Identity Intelligence console.

  • Deleting the previous expired secret is a best practice to avoid confusion about which one is in use.

  • If you also use Microsoft Entra ID (Azure AD) SSO Integration and that secret is set to expire at the same time, you will need to create a new one for that app registration and provide it to your Identity Intelligence technical contact prior to its expiration, or you will not be able to log in to Identity Intelligence.

Steps

  1. Create the new app (client) secret in the Microsoft Entra ID portal for the Identity Intelligence data integration. Save the Secret Value to a secure location.

    1. Important: Once you leave this page you WILL NOT be able to get the key again. If lost, you will have to delete and create a new one.

  2. Log in to Identity Intelligence and go to Integrations -> your Microsoft Entra ID integration -> Edit settings

  3. Click Reset Credentials

  4. Add the new app secret and click Save.

  5. On the Integrations page, click the 3-dot menu for the Microsoft Entra ID integration and click Test Connectivity to verify the new secret is working.
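As an added example (not code from this page, Identity Intelligence or Microsoft), the following Python script audits an app registration the way a reviewer would after the Add API Permissions steps and the secret rotation steps above: it resolves the admin-consented Application permissions from Microsoft Graph's appRoles and appRoleAssignments objects, reports what is missing for the read-only or read/write model, flags write permissions present in a deployment that was meant to be read-only, and applies the 90-day window of the Client Secret Expiring Soon check to passwordCredentials. The Graph JSON shapes are the real ones, but all sample data and role ids are constructed placeholders, and the script works on saved JSON rather than calling Graph.

```python
"""Audit an Entra ID app registration for the data integration (added example).
Input is JSON saved from Microsoft Graph:
  GET /servicePrincipals/{graphSpId}/appRoles                 id -> permission name
  GET /servicePrincipals/{integrationSpId}/appRoleAssignments admin-consented roles
  GET /applications/{appObjectId} -> passwordCredentials      client secret expiry
Sample data and the role ids below are constructed placeholders, not real GUIDs."""
from datetime import datetime, timedelta, timezone

READ_ONLY = {  # permissions the page lists for data ingestion and analysis
    "AuditLog.Read.All", "Directory.Read.All", "Group.Read.All",
    "GroupMember.Read.All", "Reports.Read.All", "User.Read.All",
    "Policy.Read.All", "MailboxSettings.Read",
    "UserAuthenticationMethod.Read.All", "IdentityRiskEvent.Read.All",
}
LICENSED = {  # optional read-only permissions that need an extra license
    "IdentityRiskyUser.Read.All": "P2",
    "DeviceManagementApps.Read.All": "Intune",
    "DeviceManagementConfiguration.Read.All": "Intune",
    "DeviceManagementManagedDevices.Read.All": "Intune",
}
READ_WRITE = {  # only needed for Remediation Actions
    "User.ReadWrite.All", "User.ManageIdentities.All",
    "Directory.ReadWrite.All", "UserAuthenticationMethod.ReadWrite.All",
}

def granted_permissions(graph_app_roles, assignments):
    """Map consented appRoleAssignments back to permission names.
    Only Application permissions (appRoles) count; delegated scopes live in
    oauth2PermissionGrants and do not satisfy this integration."""
    by_id = {r["id"]: r["value"] for r in graph_app_roles}
    return {by_id[a["appRoleId"]] for a in assignments if a["appRoleId"] in by_id}

def audit(granted, read_only_model=True):
    """Report missing required permissions, ungranted licensed extras, and
    write permissions that do not belong in a read-only deployment."""
    missing = sorted(READ_ONLY - granted)
    if not read_only_model:
        missing += sorted(READ_WRITE - granted)
    return {
        "missing": missing,
        "optional_missing": sorted(p for p in LICENSED if p not in granted),
        "unexpected_write": sorted(READ_WRITE & granted) if read_only_model else [],
    }

def secrets_expiring(password_credentials, now, days=90):
    """Same window as the Client Secret Expiring Soon check (default 90 days)."""
    limit = now + timedelta(days=days)
    found = []
    for cred in password_credentials:
        end = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
        if end <= limit:
            found.append((cred["displayName"], (end - now).days))
    return found

# Constructed sample: placeholder ids stand in for Microsoft Graph's real GUIDs.
GRAPH_APP_ROLES = [{"id": f"role-{i:02d}", "value": v} for i, v in
                   enumerate(sorted(READ_ONLY | set(LICENSED) | READ_WRITE))]
# Consented set: every read-only permission except Policy.Read.All, plus one
# stray write permission that a read-only deployment should not have.
CONSENTED = (READ_ONLY - {"Policy.Read.All"}) | {"User.ReadWrite.All"}
ASSIGNMENTS = [{"appRoleId": r["id"]} for r in GRAPH_APP_ROLES if r["value"] in CONSENTED]
NOW = datetime(2023, 12, 15, tzinfo=timezone.utc)
SECRETS = [
    {"displayName": "Identity Intelligence Integration", "endDateTime": "2024-03-01T00:00:00Z"},
    {"displayName": "rotated secret", "endDateTime": "2024-09-01T00:00:00Z"},
]

if __name__ == "__main__":
    report = audit(granted_permissions(GRAPH_APP_ROLES, ASSIGNMENTS))
    print(report)  # missing ['Policy.Read.All'], unexpected_write ['User.ReadWrite.All']
    print(secrets_expiring(SECRETS, NOW))  # [('Identity Intelligence Integration', 77)]
```

Run it against the real Graph responses saved to JSON, with the Graph service principal's appRoles as the id-to-name table, and keep the read-only model unless a remediation action in the table above is actually in use.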
