# Microsoft Entra ID Data Integration

## Overview <a href="#overview" id="overview"></a>

Identity Intelligence’s platform can analyze authentication events in Microsoft Entra ID (formerly Azure AD) to give insights into how users are accessing your applications. To provide these insights, you must set up an integration between Microsoft Entra ID and Identity Intelligence. This document walks you through setting up API access inside Entra ID and the complementary setup inside the Identity Intelligence console.

### Important Notes <a href="#next-steps" id="next-steps"></a>

* <mark style="color:blue;">**UPDATE \[2026.05.05]**</mark> - Please note the updated API permissions required to collect Entra ID agent data types for non-Marketplace based integrations - see [#add-api-permissions-1](#add-api-permissions-1 "mention") section below.  After adding the API permissions, review the Advanced settings tab of the integration and set the corresponding data type selection to `Yes`<br>

  <figure><img src="/files/54lrGc61UezLBZXnz5GY" alt=""><figcaption></figcaption></figure>
* <mark style="color:blue;">**UPDATE \[2025.08.20]**</mark> - Cisco Identity Intelligence now has Beta releases of Microsoft Azure Marketplace apps for both the primary Data Integration (this article, see [below](#azure-marketplace-app-data-integration-beta-release)) AND the [Azure Event Hub](/integrations/azure-active-directory-event-hub-streaming.md) streaming capability.
* <mark style="color:$warning;">**Microsoft Licensing**</mark> - Please see the [#azure-a-d-sign-in-log-availability](#azure-a-d-sign-in-log-availability "mention") section below for the implications of Microsoft product licensing on Identity Intelligence data collection for specific data types.
* [Microsoft Entra ID B2C](https://learn.microsoft.com/en-us/azure/active-directory-b2c/overview) is *not* supported.
* This integration is for Entra ID data collection. For SSO to your Identity Intelligence tenant using Entra ID, please use Duo SSO with Entra ID as an external authentication source ([article](https://duo.com/docs/sso#configure-the-duo-single-sign-on-app-in-entra-id)).
* If this is a brand new Microsoft Entra ID tenant, for instance a development environment, then make sure to enable a Microsoft Entra ID subscription and resource provider.

### Entra ID Integration <a href="#azure-ad-integration" id="azure-ad-integration"></a>

At a high level, Entra ID has different activity log types, each containing a different set of information. Identity Intelligence ingests the Sign-in and Audit logs, as well as the Directory data. Sign-in and audit logs are available through the Microsoft Entra ID portal.

* Sign-ins - Information about sign-ins and how your resources are used by your users.
* Directory - User and Group information from your Entra ID.

### Entra ID Sign-in Log Availability <a href="#azure-ad-sign-in-log-availability" id="azure-ad-sign-in-log-availability"></a>

Sign-in logs are available via Microsoft Graph API for 30 days inside Entra ID with a Premium subscription (P1 or P2).

*<mark style="color:red;">**Note**</mark>* - sign-in logs are NOT currently available via the Graph API for Entra ID subscriptions other than P1 or P2, e.g. Microsoft Entra ID Free.

* Reference:&#x20;
  * **Data Retention** - <https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-reports-data-retention>
  * **Sign-in Logs** - <https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins>

Based on this 30-day retention, Identity Intelligence starts ingestion with the last 30 days of logs. On subsequent log collections, Identity Intelligence ingests only the newest logs.

## Manual App Registration Setup Steps <a href="#setup-steps" id="setup-steps"></a>

This section details the manual process to create the Entra ID app registration for Identity Intelligence data collection. &#x20;

{% hint style="info" %}
You do not need to complete this section if you prefer to use the [#azure-marketplace-app-data-integration-beta-release](#azure-marketplace-app-data-integration-beta-release "mention") method detailed below.  Skip to that section.
{% endhint %}

There are two high-level steps to set up your Microsoft Entra ID API credentials and connect them to Identity Intelligence.

1. Set up an app registration with API permissions and create an app secret in Microsoft Entra ID
2. Add the Entra ID API details to the Identity Intelligence dashboard

### Setup App and API secret in Microsoft Entra ID <a href="#setup-app-and-api-secret-in-azure-ad" id="setup-app-and-api-secret-in-azure-ad"></a>

Next, we will create the app in your Microsoft Entra ID tenant, assign the correct permissions, and add an API secret.

Add an app in your Microsoft Entra ID tenant

1. Go to ***Microsoft Entra ID...App registrations***
2. Select ***New registration***

   <figure><img src="/files/M2oQab8xKf2p3YTbRnJD" alt=""><figcaption></figcaption></figure>
3. Fill in the details for the new app

   * Name this app "Identity Intelligence Data Integration" or something similar
   * Make sure to select “*Accounts in this organizational directory only (`Your Entra ID tenant name` only – Single Tenant)*”
   * **No redirect URI is required - leave these fields blank**&#x20;

   <figure><img src="/files/n56YQ64HscpNzzVDh4jj" alt=""><figcaption></figcaption></figure>
4. Select ***Register***
5. Save the following information as it will get entered into the Identity Intelligence dashboard.
   * *Application (client) ID*
   * *Directory (tenant) ID*

<figure><img src="/files/8SXojw6E6IxCAgvFyIpj" alt="" width="563"><figcaption></figcaption></figure>

### Understanding Identity Intelligence API Permissions for Entra <a href="#add-api-permissions" id="add-api-permissions"></a>

There are two groups of API permission sets that can be used with your Identity Intelligence tenant:

* **Read-only** - used for data ingestion and analysis only
* **Read/write** (which includes the read-only set above) - used for the defined list of Identity Intelligence [Remediation Actions](/understanding-your-users/remediation-actions.md).

Remediation actions can only be taken by Administrator or Help Desk roles in Identity Intelligence and are limited to the list in the article above. The table below maps each remediation action to the write permissions it requires.

<table><thead><tr><th width="374">Write Permission</th><th>Associated Remediation Type</th></tr></thead><tbody><tr><td><code>User.ReadWrite.All, User.ManageIdentities.All, Directory.ReadWrite.All</code></td><td>Update User Type, Delete Guest User</td></tr><tr><td><code>User.ReadWrite.All, Directory.ReadWrite.All</code></td><td>User Log out</td></tr><tr><td><code>UserAuthenticationMethod.ReadWrite.All</code></td><td>Reset MFA</td></tr><tr><td><code>User.ReadWrite.All</code></td><td>Delete Guest User</td></tr></tbody></table>

### Add API Permissions

The instructions below are shown for full read/write capabilities.  For a read-only model, please omit the read/write API permissions. &#x20;

1. Go to ***API Permissions*** under your newly created Identity Intelligence Integration app
2. Select ***Add a permission***<br>

   <figure><img src="/files/3wilnaB7oCT3CSAEWvfE" alt=""><figcaption></figcaption></figure>
3. Select ***Microsoft Graph***<br>

   <figure><img src="/files/wJjYTPwmzrVQ6rf6gZJN" alt=""><figcaption></figcaption></figure>
4. Select ***Application Permissions***
   * NOTE - Permissions to be added below must <mark style="color:red;">**ALL**</mark> be of type **Application**
5. **Read-only permissions:**  Please repeat steps 5 and 6 for all of the following permissions. See notes for details.
   * AgentCardManifest.Read.All
   * AgentInstance.Read.All
   * Application.Read.All
   * AuditLog.Read.All
   * DeviceManagementApps.Read.All (<mark style="color:red;">requires Intune license</mark>)
   * DeviceManagementConfiguration.Read.All (<mark style="color:red;">requires Intune license</mark>)
   * DeviceManagementManagedDevices.Read.All (<mark style="color:red;">requires Intune license</mark>)
   * Directory.Read.All
   * Group.Read.All
   * GroupMember.Read.All
   * IdentityRiskEvent.Read.All
   * IdentityRiskyAgent.Read.All (<mark style="color:red;">requires P2 license</mark>)
   * IdentityRiskyServicePrincipal.Read.All (<mark style="color:red;">requires P2 license</mark>)
   * IdentityRiskyUser.Read.All (<mark style="color:red;">requires P2 license</mark>)
   * MailboxSettings.Read
   * Policy.Read.All
   * Reports.Read.All
   * Synchronization.Read.All
   * User.Read.All
   * UserAuthenticationMethod.Read.All
6. **Read/write permissions** for Remediation Actions:
   * User.ReadWrite.All
   * User.ManageIdentities.All
   * Directory.ReadWrite.All&#x20;
   * UserAuthenticationMethod.ReadWrite.All
7. Once added to the list, select ***Add permissions***, then select ***Grant admin consent***. Then select ***Yes***<br>

   <figure><img src="/files/JCMbYqnG3t3ZKFHg9kyX" alt=""><figcaption></figcaption></figure>
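As an added example (not code from the Identity Intelligence documentation or product), the following Python audits which Microsoft Graph application permissions are actually consented to the integration's service principal and diffs them against the read-only and read/write sets listed above, so an over-permissioned or under-permissioned app registration is caught before data collection is relied upon. `GRAPH_APP_ROLES` and `ASSIGNMENTS` are constructed stand-ins for the `appRoles` of the Microsoft Graph service principal and the integration service principal's `appRoleAssignments`; their ids are placeholders, not real Graph GUIDs.

```python
"""Audit Graph application permissions consented to the Identity Intelligence
integration against the permission sets listed on this page (constructed data)."""

# Read-only permissions from the "Add API Permissions" section (Intune- and P2-gated ones included).
READ_ONLY = {
    "AgentCardManifest.Read.All", "AgentInstance.Read.All", "Application.Read.All",
    "AuditLog.Read.All", "DeviceManagementApps.Read.All",
    "DeviceManagementConfiguration.Read.All", "DeviceManagementManagedDevices.Read.All",
    "Directory.Read.All", "Group.Read.All", "GroupMember.Read.All",
    "IdentityRiskEvent.Read.All", "IdentityRiskyAgent.Read.All",
    "IdentityRiskyServicePrincipal.Read.All", "IdentityRiskyUser.Read.All",
    "MailboxSettings.Read", "Policy.Read.All", "Reports.Read.All",
    "Synchronization.Read.All", "User.Read.All", "UserAuthenticationMethod.Read.All",
}
# Read/write permissions, needed only if manual remediation actions are wanted.
READ_WRITE = {
    "User.ReadWrite.All", "User.ManageIdentities.All",
    "Directory.ReadWrite.All", "UserAuthenticationMethod.ReadWrite.All",
}

# Constructed stand-in for the Microsoft Graph service principal's appRoles
# (GET /servicePrincipals/{graph-sp-id}?$select=appRoles). Real ids are GUIDs;
# the "role-000n" values here are placeholders.
GRAPH_APP_ROLES = [
    {"id": "role-0001", "value": "User.Read.All"},
    {"id": "role-0002", "value": "AuditLog.Read.All"},
    {"id": "role-0003", "value": "Directory.Read.All"},
    {"id": "role-0004", "value": "Directory.ReadWrite.All"},
    {"id": "role-0005", "value": "Mail.ReadWrite"},
]
# Constructed stand-in for the integration service principal's consented grants
# (GET /servicePrincipals/{integration-sp-id}/appRoleAssignments). Only consented
# permissions appear here, so a permission added in the portal but never granted
# admin consent shows up as "missing".
ASSIGNMENTS = [
    {"appRoleId": "role-0001", "resourceDisplayName": "Microsoft Graph"},
    {"appRoleId": "role-0002", "resourceDisplayName": "Microsoft Graph"},
    {"appRoleId": "role-0004", "resourceDisplayName": "Microsoft Graph"},
    {"appRoleId": "role-0005", "resourceDisplayName": "Microsoft Graph"},
]


def granted_permission_names(app_roles, assignments):
    """Resolve each assignment's appRoleId to its permission name, e.g. 'User.Read.All'."""
    by_id = {role["id"]: role["value"] for role in app_roles}
    return {by_id.get(a["appRoleId"], "unknown:" + a["appRoleId"]) for a in assignments}


def audit(app_roles, assignments, read_only_model=True):
    """Compare consented permissions with the expected set.

    missing: expected but not consented (those data types will not collect).
    excess:  consented but not expected (beyond least privilege; remove in Entra).
    """
    granted = granted_permission_names(app_roles, assignments)
    expected = READ_ONLY if read_only_model else READ_ONLY | READ_WRITE
    return {"missing": sorted(expected - granted), "excess": sorted(granted - expected)}


if __name__ == "__main__":
    for model in (True, False):
        result = audit(GRAPH_APP_ROLES, ASSIGNMENTS, read_only_model=model)
        print("read-only model" if model else "read/write model", result)
```

Run against the sample, the read-only model reports `Directory.ReadWrite.All` and `Mail.ReadWrite` as excess; the read/write model accepts the former and still flags `Mail.ReadWrite`, which this page never asks for.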

### Create Client secret <a href="#create-api-secret" id="create-api-secret"></a>

1. Go to ***Certificates & Secrets*** under your Identity Intelligence Integration app
2. Select <mark style="color:blue;">**New client secret**</mark>
3. Fill in the description, such as "Identity Intelligence Integration", and the desired Expiration timeframe for the secret (e.g. 12 months). Select ***Add***<br>

   <figure><img src="/files/BeOcmCo7fi34SC0sbcfQ" alt=""><figcaption></figcaption></figure>
4. Save the Secret ID and Secret Value, as these will be used later in the Identity Intelligence dashboard

   * Select the **copy** icon to copy and save both to a secure location
   * <mark style="color:$warning;">**Important:**</mark> Once you leave this page you **WILL NOT** be able to get the secret value again. If it is lost, you will have to delete the secret and create a new one

   <figure><img src="/files/tFaAqd2b7eTKjV7Uj6kM" alt=""><figcaption></figcaption></figure>
5. You can now proceed to the section [#add-azure-a-d-integration-to-oort-dashboard](#add-azure-a-d-integration-to-oort-dashboard "mention"). <mark style="color:$warning;">Skip the subsequent section</mark> referencing the [#azure-marketplace-app-data-integration-beta-release](#azure-marketplace-app-data-integration-beta-release "mention")

## Azure Marketplace App Data Integration (Beta release)

### Notes

At present, when the Azure Marketplace app is updated, for example to include new API permissions for new features and data collection, an existing instance of the application in your Entra tenant is <mark style="color:$warning;">not</mark> updated.

The app must be removed and reinstalled to obtain the latest version.

### Pre-requisites&#x20;

* An <mark style="color:$warning;">Azure Subscription</mark> - this is separate from the Entra ID P1 or P2 license referenced above and is required for the creation of User-assigned Managed Identities and Resource Groups.
* Azure / Entra admin permissions sufficient to
  * Create a User-assigned Managed Identity
  * Add a role to a Managed Identity which allows it to create App Registrations and Service Principals - the Application Administrator role contains the minimum permissions required
* An Azure Resource group in which to deploy the Azure Marketplace application. Consider creating or using an EMPTY resource group, in case any resource group-level policies cause issues

### Create Managed Identity and assign Entra ID role&#x20;

1. Go to portal.azure.com&#x20;
2. Select ***Create a resource***<br>

   <figure><img src="/files/5UjipkHoVkgGOSlLaVvQ" alt=""><figcaption></figcaption></figure>
3. In the search box, enter “**user-assigned managed identity**” and select the resource to create it<br>

   <figure><img src="/files/2CadR6GjQkd8cOhujE6z" alt=""><figcaption></figcaption></figure>
4. On the creation screen, enter the following info: Subscription, Resource Group name for a new resource group, Identity name, and Region

   <figure><img src="/files/7qr746oe4tfmux136ApX" alt=""><figcaption></figcaption></figure>
5. Proceed with the ***Review and Create*** step and create the managed identity.
6. Go to Entra ID and navigate to roles<br>

   <figure><img src="/files/o2c9lvhqyY9dXMylpdNz" alt=""><figcaption></figcaption></figure>
7. In All roles, find the ***Application Administrator*** role and select the <mark style="color:blue;">number</mark> in the ***Assignments*** column<br>

   <figure><img src="/files/DmkaVbH34WE95o8bc1rV" alt=""><figcaption></figcaption></figure>
8. Select ***Add assignments***. Locate your managed identity by name and add it to the role. Once you have completed these steps, proceed to the instructions in the next section of the documentation<br>

   <figure><img src="/files/lShDccgc79AMLBPBbPEH" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/NI45OgnKuXs16hoV7Lmo" alt="" width="550"><figcaption></figcaption></figure>

### Install Azure Marketplace Application

1. Within Azure or Entra ID portal, select ***Create a resource***

2. Search for "**Cisco Identity Intelligence**" and select ***Entra ID Data Integration***<br>

   <figure><img src="/files/BTQilWlD8v0KPlNLn7Pe" alt=""><figcaption></figcaption></figure>

3. Select the **Free Plan** option and Create it

4. Enter all the details into the relevant input boxes as per the table and example screenshots below. <mark style="color:$danger;">**NOTE:**</mark> As mentioned above, the Azure Resource group specified here to deploy the Marketplace offer *MUST* be empty. It cannot already contain other resources.<br>

   <figure><img src="/files/vLhT0OJJmpjlQt5jpo8m" alt="" width="563"><figcaption></figcaption></figure>

   <figure><img src="/files/nPhiioeNPSqN9j6kyUfj" alt="" width="563"><figcaption></figcaption></figure>

5. Select **Next**

6. Enter or select the following fields accordingly, as shown in the screenshot and table below<br>

   <figure><img src="/files/jwDbVhAjWv7PZbpcRo8B" alt="" width="563"><figcaption></figcaption></figure>

<table data-header-hidden><thead><tr><th width="261" valign="top">Input Field</th><th valign="top">Description</th></tr></thead><tbody><tr><td valign="top"><strong>Region</strong></td><td valign="top">Azure region in which the deployment script should be deployed</td></tr><tr><td valign="top"><strong>App Registration Name</strong></td><td valign="top">Name of the App Registration for the Data Integration</td></tr><tr><td valign="top"><strong>Assign write permissions</strong></td><td valign="top">Yes or No (Recommended: Yes)<br><br>Identity Intelligence does <strong>NOT</strong> take automated write actions. Selecting <strong>Yes</strong> grants Identity Intelligence a limited set of write permissions to Entra. If write permissions are granted, <a href="/pages/3VKjD0BCTdCDoTnXRrF4#roles">Admins or Helpdesk users</a> in Identity Intelligence can <strong>manually</strong> trigger certain remediation actions on Entra users directly within the Identity Intelligence interface, instead of navigating back to Entra to complete the same task (e.g. log a user out of active Entra sessions, reset a user's MFA).<br><br>For more information on the actions available, see <a data-mention href="#add-api-permissions">#add-api-permissions</a> and <a data-mention href="/pages/qKAN2j0zanyuw7ewCvxi#remediation-actions">/pages/qKAN2j0zanyuw7ewCvxi#remediation-actions</a></td></tr><tr><td valign="top"><strong>Tenant has Intune License</strong></td><td valign="top">Yes or No<br>Select <strong>Yes</strong> if this Entra ID tenant has Intune licenses. This grants Identity Intelligence <code>read</code> permissions to Device Management data.<br>Select <strong>No</strong> if this Entra ID tenant does <em>not</em> have Intune licenses</td></tr><tr><td valign="top"><strong>Managed Identity Name</strong></td><td valign="top">User-Assigned Managed Identity name from the previous section</td></tr><tr><td valign="top"><strong>Managed Identity Resource Group</strong></td><td valign="top">Resource Group name where the Managed Identity was created</td></tr></tbody></table>

7. Select **Create**. The necessary App Registration and Service Principal will be created in Entra ID and the corresponding Graph API permissions will be assigned to it

### Grant Admin Consent for Graph permissions

Now you need to grant Admin Consent to the permissions that were assigned to the app registration.

1. Navigate to Entra ID and go to ***App Registrations***&#x20;
2. Select ***All Applications*** and enter the Identity Intelligence application name that you specified during the Marketplace app creation steps above<br>

   <figure><img src="/files/N6HC2hOSfidI0ruVz4bi" alt=""><figcaption></figcaption></figure>
3. Select ***App Registration*** and go to the API Permissions pane found in the left menu
4. Select the ***Grant admin consent*** button as shown in the screenshot below<br>

   <figure><img src="/files/awMN7Gv5yAuehjyaP8TY" alt=""><figcaption></figcaption></figure>
5. The **Status** column for all API permissions listed in the table should now show **Granted**. \
   \
   Once you have confirmed all the API permissions have the correct status, proceed to the next section of the documentation and follow the steps listed to create a client secret for this application<br>

   <figure><img src="/files/UpSW9IGv463xHTqMZH9G" alt=""><figcaption></figcaption></figure>

### Create Client Secret

1. Go to the **Certificates & Secrets** pane in the left menu under your Identity Intelligence app registration
2. Select ***New client secret***<br>

   <figure><img src="/files/fDonjIsvlJmkBAgquod7" alt=""><figcaption></figcaption></figure>
3. Fill in the description using an easily recognizable and memorable name, such as "Identity Intelligence Integration". Then select the desired Expiration timeframe for the secret (recommended: 365 days/12 months) and select ***Add***
4. Select the **Copy** icon to copy both the **Secret Value** and **Secret ID** and paste this information somewhere safe, as it will be needed to complete later steps of the integration setup in Identity Intelligence\
   \
   <mark style="color:$warning;">**Important:**</mark> Once you leave this page you ***WILL NOT*** be able to retrieve the same secret value again. If it is lost, you will need to delete the existing secret, create a new one and save that information

<figure><img src="/files/trDb9yItHiF1mtIXlcdJ" alt=""><figcaption></figcaption></figure>

5. After you have pasted the secret value and ID somewhere secure, proceed to the next section of the documentation to add the Entra ID integration to your Identity Intelligence tenant and complete the integration setup process.

## Create Microsoft Entra ID Integration in Identity Intelligence <a href="#add-azure-ad-integration-to-oort-dashboard" id="add-azure-ad-integration-to-oort-dashboard"></a>

Next, we will add the integration in the Identity Intelligence dashboard&#x20;

1. Login to the Identity Intelligence Dashboard with an Identity Intelligence Admin role
2. Using the left hand menu bar, navigate to the **Integrations** page. Select the ***Add Integration*** button&#x20;
3. Locate the Microsoft Entra ID integration tile and select the ***Add Integration*** button within that tile
4. Fill in the details for the Microsoft Entra ID Integration. Enter the values saved from earlier on in the Microsoft Entra ID setup for all fields except *Name*

* *Name - The display name for the Entra Integration that will be used to recognize the integration throughout Identity Intelligence*
   * *Directory ID* &#x20;
   * *Application ID*
   * *Secret ID*
   * *Secret VALUE*

   <figure><img src="/files/I44ntN7lPZ6NRUpH9H6c" alt=""><figcaption></figcaption></figure>
5. Select **Connect** to test the connectivity. This may take a few minutes to complete
6. Once the connectivity test is successful, if desired, you can then review the data types that will be collected. Otherwise, proceed to step 7
1. Navigate to the **Advanced** tab and review the responses to the questions at the top of the page to confirm they are answered correctly based on your Entra licensing and permissions. Adjust the responses to any questions as needed. We highly recommend keeping your integration set to **Managed** mode. To read more about managed data types, refer to our [Managed Integrations](/integrations/managed-integrations.md) documentation
7. Select **Save**. You will now see the integration listed on the Integrations page. Ensure that the integration's Connectivity Status is `Connected`
8. On the right hand side of the row for your Entra integration, select the **3-dot** button to open the pop-up menu. Select **Collect Now** to start the first data ingestion. You can also skip this step and it will happen automatically within the next 24 hours. &#x20;
9. If you would like to enable real-time event streaming, please continue to the [Azure Event Hub Log Streaming for Microsoft Entra ID](/integrations/azure-active-directory-event-hub-streaming.md) article to follow the steps to create an Azure Event Hub integration
10. Congratulations, you have successfully set up the Microsoft Entra ID Integration!

## Update the Microsoft Entra ID API App (client) Secret

It is critical that your Entra ID secret for the Identity Intelligence integration does not expire. If the secret expires before it can be refreshed, Identity Intelligence will not be able to collect data from Entra until a new secret is created. If too many days elapse before a new secret can be created and assigned, Identity Intelligence will not be able to collect all the historical data and logs generated in that period, which will create gaps in your org's Entra data set.\
\
You can proactively monitor the status of your Identity Intelligence Microsoft Entra ID integration secret via the **Identity Intelligence Client Secret Expiring Soon** check within Identity Intelligence.

The default setting for this check is configured to start alerting 90 days prior to the secret's expiration date. <mark style="color:$warning;">**We *highly* recommend**</mark> [<mark style="color:$warning;">**enabling notifications on this check**</mark>](/understanding-check-failures/customizing-checks.md#notification-settings) to send alerts to the channel of your choosing (email, messaging system, webhooks) so that you are made aware of the upcoming expiration date with enough notice to take the appropriate steps.
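As an added example (not from this page or the product), this Python evaluates an app registration's `passwordCredentials` (the shape Microsoft Graph returns for an application object) against the same 90-day window the check above uses, flagging expired and soon-to-expire secrets and whether more than one secret is lingering on the app. `SAMPLE_APP` and the fixed clock `NOW` are constructed values; the `keyId`s are placeholders.

```python
"""Flag Identity Intelligence integration client secrets that are expired or
inside the 90-day warning window (constructed sample data, fixed clock)."""
import re
from datetime import datetime, timezone

# Constructed stand-in for an app registration as returned by
# GET /applications/{object-id}?$select=displayName,passwordCredentials
# (keyId values are placeholders, not real GUIDs).
SAMPLE_APP = {
    "displayName": "Identity Intelligence Data Integration",
    "passwordCredentials": [
        {"keyId": "placeholder-key-1", "displayName": "Identity Intelligence Integration",
         "endDateTime": "2026-01-15T00:00:00Z"},
        {"keyId": "placeholder-key-2", "displayName": "previous secret (never removed)",
         "endDateTime": "2025-02-01T00:00:00Z"},
    ],
}
# Fixed "current time" so the example is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2025, 11, 20, tzinfo=timezone.utc)


def parse_graph_time(value):
    """Parse Graph's ISO 8601 UTC timestamps.

    Graph sometimes emits 7 fractional digits ("...:00.1234567Z"), which
    datetime.fromisoformat rejects, so the fraction and the 'Z' are stripped first.
    """
    base = re.sub(r"\.\d+", "", value).rstrip("Z")
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def classify_secrets(app, now=NOW, warn_days=90):
    """Map keyId -> (status, days_left); status is 'expired', 'expiring' or 'ok'."""
    result = {}
    for cred in app.get("passwordCredentials", []):
        days_left = (parse_graph_time(cred["endDateTime"]) - now).days
        if days_left < 0:
            status = "expired"    # collection is already failing; rotate now
        elif days_left <= warn_days:
            status = "expiring"   # same window as the "Client Secret Expiring Soon" check
        else:
            status = "ok"
        result[cred["keyId"]] = (status, days_left)
    return result


def needs_cleanup(app):
    """True if more than one secret exists; this page recommends keeping only the active one."""
    return len(app.get("passwordCredentials", [])) > 1


if __name__ == "__main__":
    for key_id, (status, days) in classify_secrets(SAMPLE_APP).items():
        print(f"{key_id}: {status} ({days} days left)")
    if needs_cleanup(SAMPLE_APP):
        print("more than one secret on the app: delete the ones no longer in use")
```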

If your app (client) secret is expiring or has expired, you must:

1. Navigate to Entra ID and **delete** the expiring/expired secret for the Identity Intelligence data integration app
   * Having multiple secrets on the same app, even if expired, is not a security best practice
2. Create a new app (client) secret and copy it somewhere secure, as you will need it to complete later steps. Refer to the [Create Client Secret](#create-api-secret) section of this article for detailed instructions on how to make a new secret

<figure><img src="/files/cFWl3pYbqK6OS53K7iRo" alt="" width="563"><figcaption></figcaption></figure>

3. Navigate back to Identity Intelligence and go to the **Integrations** page. Locate the existing Entra integration that needs to have its app (client) secret updated
4. Select the **3-dot** menu button on the right side of the row for the desired Integration. Select **Edit Settings** from the pop up menu
   1. If you have more than one Entra integration, you can confirm which Microsoft Entra ID app registration is the correct one by comparing the Entra ID integration app (client) **ID** listed in Identity Intelligence console to the Client ID listed in Entra.&#x20;
5. Select the **Reset Credentials** button to remove the previous secret from Identity Intelligence. **Note**: This does **not** delete the secret in Entra. You must also delete the previous secret within Entra, which is the recommended best practice to avoid confusion about which secret is in use

<figure><img src="/files/GHSa3udYjnmsEmhbeAN1" alt="" width="563"><figcaption></figcaption></figure>

6. Paste the new **Secret ID** and **Secret Value** that were generated in Entra during earlier steps into the respective fields. Then select **Save**

<figure><img src="/files/cOfuIBLE0gHxxJJIBXUf" alt="" width="563"><figcaption></figcaption></figure>

7. Back on the **Integrations** page, select the **3-dot** menu button for the Microsoft Entra ID integration and select **Test Connectivity** to verify the new secret is working correctly. This may take a few minutes to complete. The **Connectivity** column in the table of Integrations will change to **Connected** once the test is successful. \
   \
   If it shows a status other than Connected, something was configured incorrectly and you will need to repeat the steps to resolve the error.

<figure><img src="/files/J8IR1sirZFELEg7nKiFF" alt=""><figcaption></figcaption></figure>

