Comment on page
Microsoft Entra ID (Azure AD) Data Integration
11/2023
Oort’s platform can analyze authentication events in Microsoft Entra ID (Azure AD)to give insights into how users are accessing your applications. In order to provide Insights, you have to set up an integration between Microsoft Entra ID and Oort for analysis. This document will walk you through the process of setting up API access inside of Entra ID and will also walk you through the complementary set up inside of the Oort console.
- This integration is for Entra ID data collection. For SSO to your Oort tenant using Entra ID, please see Microsoft Entra ID (Azure AD) SSO Integration
- If this is a brand new Microsoft Entra ID tenant, for instance a development environment, then make sure to enable a Microsoft Entra ID subscription and resource provider.
Once the integration is complete and the Oort platform has completed the analysis of the data, Oort will set up a review with you and your team to share insights discovered through the integration.
Entra ID has different activity log types which each contain different sets of information. Oort will ingest the Sign-ins as well as the Directory. Sign-in logs are available through the Microsoft Entra ID portal.
- Sign-ins – Information about sign-ins and how your resources are used by your users.
- Directory - User and Group information from your Entra ID.
Sign-in logs are available via Microsoft Graph API for 30 days inside Entra ID with a Premium subscription (P1 or P2).
Note - sign-in logs are NOT currently available via Graph API with non-P1 or P2 Entra ID subscriptions, e.g Microsoft Entra ID Free.
Based on this 30 day retention, Oort will start ingestion with the last 30 days of logs. On subsequent log collections, Oort will ingest only the latest logs.
To add the necessary configuration in Entra ID, you need to be one of the following:
- Microsoft Entra ID - Global Administrator or Service Administrator role https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal
- Azure Subscription - Owner role https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal-subscription-admin
The main thing that you will need to configure in Microsoft Entra ID:
- Add an App inside your Microsoft Entra ID tenant that defines the keys and permissions needed by Oort
There are 2 high-level steps you need to go through to set up your Microsoft Entra ID API key then connect it to Oort.
- 1.Setup App registration with API permissions and create an app secret in Microsoft Entra ID
- 2.Add Entra ID API details to Oort Dashboard
Next, we will create the app in your Microsoft Entra ID tenant, assigning the correct permissions, and add an API secret.
Add an app in your Microsoft Entra ID tenant
- 1.Go to Microsoft Entra ID...App registrations
- 2.Click on New registration
- 3.Fill in the details for the new app
- Name this app "Oort Data Integration" or something similar
- Make sure to select “Accounts in any organizational directory (Any Microsoft Entra ID – Multitenant)”
- No redirect URI is required - just leave this blank.
- 4.Click on Register
- 5.Save the following information as it will get entered into the Oort dashboard.
- Application (client) ID
- Directory (tenant) ID
There are two groups of API permissions sets that can be used with your Oort tenant
- Read-only - used for data ingestion and analysis only
- Read/write (which includes the first set of read-only permissions) - read/write permissions are used for the defined list of Oort Remediation Actions.
Remediation actions can only be taken by administrator or help desk roles in Oort and are limited to the list in the above article. This table outlines the relationship from remediation actions to the API permissions.
Name | Remediation Type |
|---|---|
User.ReadWrite.All, User.ManageIdentities.All, Directory.ReadWrite.All | Update User Type, Delete Guest User |
User.ReadWrite.All, Directory.ReadWrite.All | User Log out |
UserAuthenticationMethod.ReadWrite.All | Reset MFA |
User.ReadWrite.All | Delete Guest User |
The instructions below are shown for full read/write capabilities. For a read-only model, please omit the read/write API permissions.
- 1.Go to API Permissions under your newly created Oort Integration app
- 2.Click on Add a permission
- 3.Click on Microsoft Graph
- 4.Click on Application Permissions
- NOTE - Permissions to be added below must ALL be of type Application
- 5.Read-only permissions: Please repeat steps 5 and 6 for all of the following permissions. See notes for details.
- AuditLog.Read.All
- Directory.Read.All
- Group.Read.All
- GroupMember.Read.All
- Reports.Read.All
- User.Read.All
- Policy.Read.All
- MailboxSettings.Read
- UserAuthenticationMethod.Read.All
- IdentityRiskEvent.Read.All
- IdentityRiskyUser.Read.All (requires P2 license)
- DeviceManagementApps.Read.All (requires Intune license)
- DeviceManagementConfiguration.Read.All (requires Intune license)
- DeviceManagementManagedDevices.Read.All (requires Intune license)
- 6.Read/write permissions for Remediation Actions:
- User.ReadWrite.All
- User.ManageIdentities.All
- Directory.ReadWrite.All
- UserAuthenticationMethod.ReadWrite.All
- 7.Once added to the list, click Add Permissions Click on Grant admin consent
- 8.Click on Yes
- 9.When finished, the API Permissions should look as follows:
- 1.Go to Certificates & Secrets under your Oort Integration app
- 2.Click on New client secret
- 3.Fill in the description, such as "Oort Integration", and the desired Expiration timeframe for the secret, (i.e. 12 months). Click Add.
- 4.Save the Secret Value as this will be used later in the Oort dashboard
- Click the copy icon to copy and save it somewhere
- Important: Once you leave this page you WILL NOT be able to get the key again. If lost, you will have to delete and create a new one.
Next, we will add the integration in the Oort dashboard.
- 1.Login to the Oort Dashboard
- 2.From the Integrations tab, click on Add Integration
- 3.Click on Add Integration under Microsoft Entra ID
- 4.Fill in the details for the Microsoft Entra ID Integration. Enter the values saved from earlier on in the Microsoft Entra ID setup:
- Directory ID
- Application ID
- Secret
- 5.Click the Advanced tab.
- 1.If Intune device management is used in your environment, select the Devices checkboxs.
- 2.If your Microsoft Entra ID contains any P2 licenses, select the Microsoft Entra ID Risky User checkbox.
- 6.Click Save. You will now have a new integration listed on the Integrations page.
- 7.If real-time event streaming is desired, please continue to the Azure Event Hub Log Streaming for Microsoft Entra ID (Azure AD) article to create an Azure Event Hub integration.
- 1.For more details click on the integration name for details.
- 2.You can also click on Test Connectivity to test the API connectivity with Azure
- 3.If you see “Connected!” everything is working.
- 4.IMPORTANT - Now click the Azure integration bar again and click Collect Now to begin the first data collection.
- 5.Congratulations, you have successfully set up the Microsoft Entra ID Integration!
You can monitor the status of your Oort Microsoft Entra ID integration secret via a Check in your Oort tenant using the Oort Client Secret Expiring Soon check.
The default setting is 90 days prior to expiration and we highly recommend sending notifications for this check to the channel of your choosing via email or Teams.
Before your app (client) secret reaches its expiration, you will need to delete the old one, create a new one in the Microsoft Entra ID portal, and update the Microsoft Entra ID integration in your Oort tenant.
Notes:
- You can confirm which Microsoft Entra ID app registration is the right one by checking the Oort Entra ID integration app (client) ID in the Oort console.
- Deleting the previous expired secret is a best practice to avoid confusion about which one is in use.
- If you also use Microsoft Entra ID (Azure AD) SSO Integration and that secret is set to expire at the same time, you will need to create a new one for that app registration and provide it to your Oort technical contact prior to its expiration, or you will not be able to login to Oort.
Steps
- 1.Create the new app (client) secret in the Microsoft Entra ID portal for the Oort data integration. Save the Secret Value to a secure location.
- 1.Important: Once you leave this page you WILL NOT be able to get the key again. If lost, you will have to delete and create a new one.
- 2.Login to Oort and go to Integrations -> your Microsoft Entra ID integration -> Edit settings
- 3.Click Reset Credentials
- 4.Add the new app secret and click Save.
- 5.On the integrations page, click the 3-dot menu for the Microsoft Entra ID integration and click Test Connectivity to verify the new secret is working.
