Live integration

Microsoft Entra ID

Identity · OAuth 2.0 · Hourly

OAuth 2.0 via the Microsoft identity platform v2.0. Pulls user inventory, MFA registration, conditional-access policy count, and risky sign-in events for SOC 2 access-control evidence.

Authentication: OAuth 2.0
Sync cadence: Hourly
Stale threshold: Every 6 hours
Category: Identity

Evidence this connector produces

Every sync writes typed evidence rows linked to the controls below. Evidence is immutable once attached to an approved assessment, fingerprinted for de-dup, and surfaced in the control coverage calculation on your dashboard.

SOC 2: CC6.1, CC6.2, CC7.1

How to connect

Register an app in Entra (Azure AD) admin center with delegated read permissions on Microsoft Graph. We'll redirect you there to authorize after you submit.

  1. Register the app

     Entra admin center → App registrations → New registration. Single-tenant. Redirect URI (Web): http://localhost:3000/api/integrations/entra/callback

  2. Grant Graph permissions

     API permissions → Microsoft Graph → Delegated → User.Read.All, AuditLog.Read.All, Policy.Read.All, IdentityRiskyUser.Read.All. Grant admin consent.

  3. Copy tenant + client credentials

     From the app's Overview: copy the Application (client) ID and Directory (tenant) ID. From Certificates & secrets: create a client secret and copy its value (it's only shown once).
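The authorization request these three steps feed into, as an added example that is not the connector's own code: it builds the Microsoft identity platform v2.0 authorize URL for exactly the delegated scopes listed in step 2, with PKCE and a state nonce, and checks the scopes a token response actually grants against that allowlist (the tenant and client IDs in the test are placeholders).

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

GRAPH = "https://graph.microsoft.com/"
# Delegated Graph scopes from the "Grant Graph permissions" step; this is the allowlist.
GRAPH_SCOPES = ("User.Read.All", "AuditLog.Read.All", "Policy.Read.All",
                "IdentityRiskyUser.Read.All")
ALLOWED_SCOPES = frozenset(s.lower() for s in GRAPH_SCOPES)
# Redirect URI from the "Register the app" step.
REDIRECT_URI = "http://localhost:3000/api/integrations/entra/callback"


def pkce_pair(verifier: str = "") -> tuple[str, str]:
    """Return (code_verifier, code_challenge) using the RFC 7636 S256 method."""
    verifier = verifier or secrets.token_urlsafe(64)  # 43-128 URL-safe chars
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def authorize_url(tenant_id: str, client_id: str, state: str, code_challenge: str) -> str:
    """Single-tenant v2.0 authorize request for the allowlisted scopes only.
    tenant_id and client_id are the values copied in step 3; state is a per-request
    nonce the callback must compare against the stored value before exchanging the code."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": " ".join(GRAPH + s for s in GRAPH_SCOPES),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return (f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize?"
            + urlencode(params))


def normalize_scope(scope: str) -> str:
    """Lower-case and drop the Graph resource prefix so both spellings compare equal."""
    scope = scope.lower()
    return scope[len(GRAPH):] if scope.startswith(GRAPH) else scope


def excess_scopes(token_response: dict) -> set[str]:
    """Scopes in the token response's space-separated 'scope' field that fall outside
    the documented read-only set; a non-empty result means the grant is wider than
    requested and the connection should be rejected instead of stored."""
    granted = {normalize_scope(s) for s in token_response.get("scope", "").split()}
    return granted - ALLOWED_SCOPES
```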

Security model

Every connector ships behind the same auditor-grade primitives — not just RBAC config, but architectural enforcement.

Credentials KMS-encrypted at rest

Tokens, client secrets, and service-account keys are encrypted under a per-tenant AWS KMS data key. The plaintext is never persisted, never logged, and never leaves the FastAPI process boundary.

Tenant-isolated by architecture

Every Connection, ConnectorRun, and emitted Evidence row carries an organization ObjectId. The scheduler never iterates without an org-scoped filter; cross-tenant evidence bleed is impossible at the data layer.

Audit log on every action

Connect, sync, sync-failure, re-auth, and revoke each write a row to the immutable AuditLog. The full lifecycle is reconstructable for any examiner.

Soft-delete on revoke

Revoking a connection sets deletedAt and clears the encrypted credential blob, but the historical evidence + sync log stays queryable for the retention window. Auditors can still trace what was attested when.

Stale-evidence degradation

If this connector hasn't synced within 6 hours, control coverage degrades automatically and an alert fires. Auditors don't trust stale evidence — neither do we.

Least-privilege scopes only

We request the minimum read-only scopes needed for the listed evidence. No write scopes, no admin scopes, no scopes outside the documented set.

Ready to connect Microsoft Entra ID?

Connect from Settings → Integrations — typically under 5 minutes. Or talk to us first.