Microsoft Entra ID (Azure AD) Data Integration
11/2023
Overview
Oort’s platform can analyze authentication events in Microsoft Entra ID (Azure AD)to give insights into how users are accessing your applications. In order to provide Insights, you have to set up an integration between Microsoft Entra ID and Oort for analysis. This document will walk you through the process of setting up API access inside of Entra ID and will also walk you through the complementary set up inside of the Oort console.
Important Notes
This integration is for Entra ID data collection. For SSO to your Oort tenant using Entra ID, please see Microsoft Entra ID (Azure AD) SSO Integration
If this is a brand new Microsoft Entra ID tenant, for instance a development environment, then make sure to enable a Microsoft Entra ID subscription and resource provider.
Next Steps
Once the integration is complete and the Oort platform has completed the analysis of the data, Oort will set up a review with you and your team to share insights discovered through the integration.
Entra ID Integration
Entra ID has different activity log types which each contain different sets of information. Oort will ingest the Sign-ins as well as the Directory. Sign-in logs are available through the Microsoft Entra ID portal.
Sign-ins – Information about sign-ins and how your resources are used by your users.
Directory - User and Group information from your Entra ID.
Entra ID Sign-in Log Availability
Sign-in logs are available via Microsoft Graph API for 30 days inside Entra ID with a Premium subscription (P1 or P2).
Note - sign-in logs are NOT currently available via Graph API with non-P1 or P2 Entra ID subscriptions, e.g Microsoft Entra ID Free.
Based on this 30 day retention, Oort will start ingestion with the last 30 days of logs. On subsequent log collections, Oort will ingest only the latest logs.
Permission requirements for setting up Entra ID integration
To add the necessary configuration in Entra ID, you need to be one of the following:
Microsoft Entra ID - Global Administrator or Service Administrator role https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal
Azure Subscription - Owner role https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal-subscription-admin
The main thing that you will need to configure in Microsoft Entra ID:
Add an App inside your Microsoft Entra ID tenant that defines the keys and permissions needed by Oort
Setup Steps
There are 2 high-level steps you need to go through to set up your Microsoft Entra ID API key then connect it to Oort.
Setup App registration with API permissions and create an app secret in Microsoft Entra ID
Add Entra ID API details to Oort Dashboard
Setup App and API secret in Microsoft Entra ID
Next, we will create the app in your Microsoft Entra ID tenant, assigning the correct permissions, and add an API secret.
Add an app in your Microsoft Entra ID tenant
Go to Microsoft Entra ID...App registrations
Click on New registration
Fill in the details for the new app
Name this app "Oort Data Integration" or something similar
Make sure to select “Accounts in any organizational directory (Any Microsoft Entra ID – Multitenant)”
Click on Register
Save the following information as it will get entered into the Oort dashboard.
Application (client) ID
Directory (tenant) ID
Understanding Oort API Permissions
There are two groups of API permissions sets that can be used with your Oort tenant
Read-only - used for data ingestion and analysis only
Read/write (which includes the first set of read-only permissions) - read/write permissions are used for the defined list of Oort Remediation Actions.
Remediation actions can only be taken by administrator or help desk roles in Oort and are limited to the list in the above article. This table outlines the relationship from remediation actions to the API permissions.
Add API Permissions
The instructions below are shown for full read/write capabilities. For a read-only model, please omit the read/write API permissions.
Go to API Permissions under your newly created Oort Integration app
Click on Application Permissions
NOTE - Permissions to be added below must ALL be of type Application
Read-only permissions: Please repeat steps 5 and 6 for all of the following permissions. See notes for details.
AuditLog.Read.All
Directory.Read.All
Group.Read.All
GroupMember.Read.All
Reports.Read.All
User.Read.All
Policy.Read.All
MailboxSettings.Read
UserAuthenticationMethod.Read.All
IdentityRiskEvent.Read.All
IdentityRiskyUser.Read.All (requires P2 license)
DeviceManagementApps.Read.All (requires Intune license)
DeviceManagementConfiguration.Read.All (requires Intune license)
DeviceManagementManagedDevices.Read.All (requires Intune license)
Read/write permissions for Remediation Actions:
User.ReadWrite.All
User.ManageIdentities.All
Directory.ReadWrite.All
UserAuthenticationMethod.ReadWrite.All
Click on Yes
When finished, the API Permissions should look as follows:
Create API secret
Go to Certificates & Secrets under your Oort Integration app
Click on New client secret
Save the Secret Value as this will be used later in the Oort dashboard
Click the copy icon to copy and save it somewhere
Important: Once you leave this page you WILL NOT be able to get the key again. If lost, you will have to delete and create a new one.
Add Microsoft Entra ID Integration to Oort Dashboard
Next, we will add the integration in the Oort dashboard.
Login to the Oort Dashboard
From the Integrations tab, click on Add Integration
Click on Add Integration under Microsoft Entra ID
Fill in the details for the Microsoft Entra ID Integration. Enter the values saved from earlier on in the Microsoft Entra ID setup:
Directory ID
Application ID
Secret
Click the Advanced tab.
If Intune device management is used in your environment, select the Devices checkboxs.
Click Save. You will now have a new integration listed on the Integrations page.
If real-time event streaming is desired, please continue to the Azure Event Hub Log Streaming for Microsoft Entra ID (Azure AD) article to create an Azure Event Hub integration.
Test the Integration and Start Initial Collection
For more details click on the integration name for details.
You can also click on Test Connectivity to test the API connectivity with Azure
If you see “Connected!” everything is working.
IMPORTANT - Now click the Azure integration bar again and click Collect Now to begin the first data collection.
Congratulations, you have successfully set up the Microsoft Entra ID Integration!
Update the Microsoft Entra ID API App (client) Secret
You can monitor the status of your Oort Microsoft Entra ID integration secret via a Check in your Oort tenant using the Oort Client Secret Expiring Soon check.
The default setting is 90 days prior to expiration and we highly recommend sending notifications for this check to the channel of your choosing via email or Teams.
Before your app (client) secret reaches its expiration, you will need to delete the old one, create a new one in the Microsoft Entra ID portal, and update the Microsoft Entra ID integration in your Oort tenant.
Notes:
Deleting the previous expired secret is a best practice to avoid confusion about which one is in use.
If you also use Microsoft Entra ID (Azure AD) SSO Integration and that secret is set to expire at the same time, you will need to create a new one for that app registration and provide it to your Oort technical contact prior to its expiration, or you will not be able to login to Oort.
Steps
Create the new app (client) secret in the Microsoft Entra ID portal for the Oort data integration. Save the Secret Value to a secure location.
Login to Oort and go to Integrations -> your Microsoft Entra ID integration -> Edit settings
Add the new app secret and click Save.
Last updated