Microsoft Entra ID (Azure AD) Data Integration

11/2023

Overview

Oort’s platform can analyze authentication events in Microsoft Entra ID (Azure AD)to give insights into how users are accessing your applications. In order to provide Insights, you have to set up an integration between Microsoft Entra ID and Oort for analysis. This document will walk you through the process of setting up API access inside of Entra ID and will also walk you through the complementary set up inside of the Oort console.

Important Notes

  • This integration is for Entra ID data collection. For SSO to your Oort tenant using Entra ID, please see Microsoft Entra ID (Azure AD) SSO Integration

  • If this is a brand new Microsoft Entra ID tenant, for instance a development environment, then make sure to enable a Microsoft Entra ID subscription and resource provider.

Next Steps

Once the integration is complete and the Oort platform has completed the analysis of the data, Oort will set up a review with you and your team to share insights discovered through the integration.

Entra ID Integration

Entra ID has different activity log types which each contain different sets of information. Oort will ingest the Sign-ins as well as the Directory. Sign-in logs are available through the Microsoft Entra ID portal.

  • Sign-ins – Information about sign-ins and how your resources are used by your users.

  • Directory - User and Group information from your Entra ID.

Entra ID Sign-in Log Availability

Sign-in logs are available via Microsoft Graph API for 30 days inside Entra ID with a Premium subscription (P1 or P2).

Note - sign-in logs are NOT currently available via Graph API with non-P1 or P2 Entra ID subscriptions, e.g Microsoft Entra ID Free.

Based on this 30 day retention, Oort will start ingestion with the last 30 days of logs. On subsequent log collections, Oort will ingest only the latest logs.

Permission requirements for setting up Entra ID integration

To add the necessary configuration in Entra ID, you need to be one of the following:

The main thing that you will need to configure in Microsoft Entra ID:

  • Add an App inside your Microsoft Entra ID tenant that defines the keys and permissions needed by Oort

Setup Steps

There are 2 high-level steps you need to go through to set up your Microsoft Entra ID API key then connect it to Oort.

  1. Setup App registration with API permissions and create an app secret in Microsoft Entra ID

  2. Add Entra ID API details to Oort Dashboard

Setup App and API secret in Microsoft Entra ID

Next, we will create the app in your Microsoft Entra ID tenant, assigning the correct permissions, and add an API secret.

Add an app in your Microsoft Entra ID tenant

  1. Go to Microsoft Entra ID...App registrations

  2. Click on New registration

  3. Fill in the details for the new app

    • Name this app "Oort Data Integration" or something similar

    • Make sure to select β€œAccounts in any organizational directory (Any Microsoft Entra ID – Multitenant)”

  4. Click on Register

  5. Save the following information as it will get entered into the Oort dashboard.

    • Application (client) ID

    • Directory (tenant) ID

Understanding Oort API Permissions

There are two groups of API permissions sets that can be used with your Oort tenant

  • Read-only - used for data ingestion and analysis only

  • Read/write (which includes the first set of read-only permissions) - read/write permissions are used for the defined list of Oort Remediation Actions.

Remediation actions can only be taken by administrator or help desk roles in Oort and are limited to the list in the above article. This table outlines the relationship from remediation actions to the API permissions.

NameRemediation Type

User.ReadWrite.All, User.ManageIdentities.All, Directory.ReadWrite.All

Update User Type, Delete Guest User

User.ReadWrite.All, Directory.ReadWrite.All

User Log out

UserAuthenticationMethod.ReadWrite.All

Reset MFA

User.ReadWrite.All

Delete Guest User

Add API Permissions

The instructions below are shown for full read/write capabilities. For a read-only model, please omit the read/write API permissions.

  1. Go to API Permissions under your newly created Oort Integration app

  2. Click on Application Permissions

    • NOTE - Permissions to be added below must ALL be of type Application

  3. Read-only permissions: Please repeat steps 5 and 6 for all of the following permissions. See notes for details.

    • AuditLog.Read.All

    • Directory.Read.All

    • Group.Read.All

    • GroupMember.Read.All

    • Reports.Read.All

    • User.Read.All

    • Policy.Read.All

    • MailboxSettings.Read

    • UserAuthenticationMethod.Read.All

    • IdentityRiskEvent.Read.All

    • IdentityRiskyUser.Read.All (requires P2 license)

    • DeviceManagementApps.Read.All (requires Intune license)

    • DeviceManagementConfiguration.Read.All (requires Intune license)

    • DeviceManagementManagedDevices.Read.All (requires Intune license)

  4. Read/write permissions for Remediation Actions:

    • User.ReadWrite.All

    • User.ManageIdentities.All

    • Directory.ReadWrite.All

    • UserAuthenticationMethod.ReadWrite.All

  5. Click on Yes

  6. When finished, the API Permissions should look as follows:

Create API secret

  1. Go to Certificates & Secrets under your Oort Integration app

  2. Click on New client secret

  3. Save the Secret Value as this will be used later in the Oort dashboard

    • Click the copy icon to copy and save it somewhere

    • Important: Once you leave this page you WILL NOT be able to get the key again. If lost, you will have to delete and create a new one.

Add Microsoft Entra ID Integration to Oort Dashboard

Next, we will add the integration in the Oort dashboard.

  1. Login to the Oort Dashboard

  2. From the Integrations tab, click on Add Integration

  3. Click on Add Integration under Microsoft Entra ID

  4. Fill in the details for the Microsoft Entra ID Integration. Enter the values saved from earlier on in the Microsoft Entra ID setup:

    • Directory ID

    • Application ID

    • Secret

  5. Click the Advanced tab.

    1. If Intune device management is used in your environment, select the Devices checkboxs.

  6. Click Save. You will now have a new integration listed on the Integrations page.

  7. If real-time event streaming is desired, please continue to the Azure Event Hub Log Streaming for Microsoft Entra ID (Azure AD) article to create an Azure Event Hub integration.

Test the Integration and Start Initial Collection

  1. For more details click on the integration name for details.

  2. You can also click on Test Connectivity to test the API connectivity with Azure

  3. If you see β€œConnected!” everything is working.

  4. IMPORTANT - Now click the Azure integration bar again and click Collect Now to begin the first data collection.

  5. Congratulations, you have successfully set up the Microsoft Entra ID Integration!

Update the Microsoft Entra ID API App (client) Secret

You can monitor the status of your Oort Microsoft Entra ID integration secret via a Check in your Oort tenant using the Oort Client Secret Expiring Soon check.

The default setting is 90 days prior to expiration and we highly recommend sending notifications for this check to the channel of your choosing via email or Teams.

Before your app (client) secret reaches its expiration, you will need to delete the old one, create a new one in the Microsoft Entra ID portal, and update the Microsoft Entra ID integration in your Oort tenant.

Notes:

  • Deleting the previous expired secret is a best practice to avoid confusion about which one is in use.

  • If you also use Microsoft Entra ID (Azure AD) SSO Integration and that secret is set to expire at the same time, you will need to create a new one for that app registration and provide it to your Oort technical contact prior to its expiration, or you will not be able to login to Oort.

Steps

  1. Create the new app (client) secret in the Microsoft Entra ID portal for the Oort data integration. Save the Secret Value to a secure location.

  2. Login to Oort and go to Integrations -> your Microsoft Entra ID integration -> Edit settings

  3. Add the new app secret and click Save.

Last updated