Microsoft Entra ID Integration Setup
This guide walks you through integrating Microsoft Entra ID (formerly Azure Active Directory) with RAD Security for enterprise identity and access management, allowing you to sync users, groups, and organizational data from Microsoft Entra ID. The setup process involves:
- Creating an Entra ID application and service principal
- Generating a client secret
- Assigning Microsoft Graph API permissions
- Configuring the integration in RAD Security
Prerequisites
Before you begin, ensure you have:
- Admin access to Microsoft Entra ID
- An Entra ID tenant
- P1 or P2 premium subscription for your Entra ID tenant
- Access to RAD Security workspace with integration permissions
Premium Subscription Required: Your Entra ID tenant must have a P1 or P2 premium subscription to support advanced query capabilities. Without this, filtering functionality may not work correctly.
Note: Azure AD B2C tenants do not support advanced query capabilities and may have limited functionality.
Step 1: Create Application and Service Principal
1. Follow Microsoft Documentation
Follow the Microsoft guide to create a Microsoft Entra application and service principal.
2. Configure Application Settings
When creating the application:
- Choose a descriptive name (e.g., “RAD Security Integration”)
- For Redirect URI type, select Single-page application (SPA)
- Leave the redirect URI field blank (users don’t need to sign in directly)
Since this is a service-to-service integration, no user sign-in is required, so we can leave the redirect URI empty.
3. Note Application Credentials
Once the application is created, navigate to the Overview tab and copy the following values to a secure location:
- Application (client) ID
- Directory (tenant) ID
You’ll need these values later for configuring the integration in RAD Security.
Step 2: Create Client Secret
1. Navigate to Certificates & Secrets
In your Entra ID application, go to Manage > Certificates & secrets
2. Create New Client Secret
Follow the Microsoft guide to add a new client secret.
- Click New client secret
- Add a description (e.g., “RAD Security Integration Key”)
- Select an expiration period
- Click Add
3. Copy Secret Value
Immediately copy the secret value to a secure location alongside your Client ID and Tenant ID.
This is your only chance to view the secret! Once you navigate away from this page, you cannot retrieve the secret value again. If you lose it, you’ll need to create a new secret.
Step 3: Assign Application Permissions
1. Navigate to API Permissions
In your Entra ID application, go to Manage > API permissions
2. Add Microsoft Graph Permissions
Follow the Microsoft guide to assign app roles to the application.
Add the following Application permissions from the Microsoft Graph API section:
Required Permissions
Microsoft Graph API - Application Permissions
Grant the following Application (not Delegated) permissions:
- AuditLog.Read.All - Read audit log data
- Directory.Read.All - Read directory data
- Group.ReadWrite.All - Read and write all groups
- GroupMember.ReadWrite.All - Read and write group memberships
- RoleManagementPolicy.Read - Read role management policies
- User.Read - Read basic user profile information
- User.ReadWrite.All - Read and write all users’ full profiles
- UserAuthenticationMethod.ReadWrite.All - Read and write user authentication methods
These are Application permissions that allow the service principal to access data without a signed-in user present.
Grant Admin Consent
1. Grant Consent
After adding all permissions, click Grant admin consent for [Your Organization]
Admin consent is required! The permissions will not be active until an administrator grants consent for the organization.
2. Verify Consent Status
Verify that all permissions show a green checkmark in the Status column indicating consent has been granted.
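The Status column is the place to confirm consent, and the same check can be scripted against the rows you see there. The following is an added Python example written for this page, not RAD Security's or Microsoft's code. It assumes the rows are transcribed from the portal's Name, Type and Status columns (the sample rows are constructed), encodes the eight permissions listed above, and additionally reports Application permissions beyond those eight, which the least-privilege guidance later on this page says to remove.

```python
"""Audit the Graph permissions on the Entra ID app registration against the eight this integration needs.

Added example for this page (not RAD Security's or Microsoft's code). Input rows mirror the
Name / Type / Status columns of the portal's API permissions page; the sample rows are constructed.
"""
from dataclasses import dataclass, field

# The eight Application permissions listed under Step 3.
REQUIRED_APP_PERMISSIONS = frozenset({
    "AuditLog.Read.All",
    "Directory.Read.All",
    "Group.ReadWrite.All",
    "GroupMember.ReadWrite.All",
    "RoleManagementPolicy.Read",
    "User.Read",
    "User.ReadWrite.All",
    "UserAuthenticationMethod.ReadWrite.All",
})


@dataclass(frozen=True)
class PermissionRow:
    name: str        # e.g. "Directory.Read.All"
    kind: str        # "Application" or "Delegated" (the portal's Type column)
    granted: bool    # True when the Status column shows admin consent granted


@dataclass
class AuditResult:
    missing: set = field(default_factory=set)        # required, not present at all
    wrong_type: set = field(default_factory=set)     # present, but only as Delegated
    not_consented: set = field(default_factory=set)  # present as Application, consent not granted
    unexpected: set = field(default_factory=set)     # Application permissions beyond the required eight

    def ok(self) -> bool:
        """True when the registration carries exactly the required set, all consented."""
        return not (self.missing or self.wrong_type or self.not_consented or self.unexpected)


def audit_permissions(rows) -> AuditResult:
    app_rows = {r.name: r for r in rows if r.kind == "Application"}
    delegated_names = {r.name for r in rows if r.kind == "Delegated"}
    missing = set(REQUIRED_APP_PERMISSIONS) - set(app_rows)
    wrong_type = missing & delegated_names           # added, but with the wrong permission type
    return AuditResult(
        missing=missing - wrong_type,
        wrong_type=wrong_type,
        not_consented={n for n, r in app_rows.items() if n in REQUIRED_APP_PERMISSIONS and not r.granted},
        unexpected=set(app_rows) - REQUIRED_APP_PERMISSIONS,
    )


# Constructed sample: a registration with three mistakes and one surplus permission.
SAMPLE_ROWS = [
    PermissionRow("AuditLog.Read.All", "Application", granted=False),
    PermissionRow("Directory.Read.All", "Application", granted=True),
    PermissionRow("GroupMember.ReadWrite.All", "Application", granted=True),
    PermissionRow("RoleManagementPolicy.Read", "Delegated", granted=True),
    PermissionRow("User.Read", "Application", granted=True),
    PermissionRow("User.ReadWrite.All", "Application", granted=True),
    PermissionRow("UserAuthenticationMethod.ReadWrite.All", "Application", granted=True),
    PermissionRow("Mail.Read", "Application", granted=True),
]

if __name__ == "__main__":
    result = audit_permissions(SAMPLE_ROWS)
    for label, names in vars(result).items():
        print(f"{label:14s} {sorted(names)}")
    print("OK" if result.ok() else "FIX REQUIRED")
```

Running the sample reports Group.ReadWrite.All as missing, RoleManagementPolicy.Read as added with the wrong type, AuditLog.Read.All as not consented and Mail.Read as surplus; each of those maps to one line in the "Insufficient Permissions" troubleshooting entry.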
Step 4: Configure in RAD Security
Navigate to your RAD Security workspace and configure the Microsoft Entra ID integration with the following parameters:
Required Parameters
| Parameter | Description | Example |
|---|---|---|
| Tenant ID | The Directory (tenant) ID from Step 1 | 00000000-0000-0000-0000-000000000000 |
| Client ID | The Application (client) ID from Step 1 | 11111111-1111-1111-1111-111111111111 |
| Client Secret | The client secret value from Step 2 | your-secret-value-here |
| Base URL | Microsoft Graph API root URL (for special deployments only) | https://graph.microsoft.com/ |
When to use custom URLs
Leave URL and Token URL blank unless you’re using a special deployment of Microsoft Graph API.
For special deployments:
URL Format:
- Root URL without paths: https://graph.microsoft.com/
- Example for US Government: https://graph.microsoft.us/
- Example for China: https://microsoftgraph.chinacloudapi.cn/
Token URL Format:
- Full token endpoint with tenant ID: https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token
- Example: https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/token
- Replace {tenant-id} with your actual Directory (tenant) ID
Graph API host / token host by cloud deployment:
- Global: Use defaults (leave blank)
- US Government L4: graph.microsoft.us / login.microsoftonline.us
- US Government L5 (DOD): dod-graph.microsoft.us / login.microsoftonline.us
- China (21Vianet): microsoftgraph.chinacloudapi.cn / login.chinacloudapi.cn
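The URL rules above (a root Graph URL with no path, a Token URL carrying the real tenant ID, and both hosts from the same cloud) can be checked before the values are saved. The following is an added Python example written for this page, not RAD Security's or Microsoft's code. The host table is taken from the cloud list above; the short cloud keys (`global`, `usgov-l4`, `usgov-l5`, `china`) are this example's own names; `fetch_token` performs the standard OAuth 2.0 client-credentials request and only makes a network call when run with real credentials.

```python
"""Build and sanity-check Microsoft Graph Base URL / Token URL pairs for a cloud deployment.

Added example for this page (not RAD Security's or Microsoft's code). The host pairs come
from the "When to use custom URLs" list; the short cloud keys are this example's own names.
"""
import json
import urllib.parse
import urllib.request

# Graph root host and login (token) host for each cloud listed on the page.
CLOUDS = {
    "global":   ("graph.microsoft.com",             "login.microsoftonline.com"),
    "usgov-l4": ("graph.microsoft.us",              "login.microsoftonline.us"),
    "usgov-l5": ("dod-graph.microsoft.us",          "login.microsoftonline.us"),
    "china":    ("microsoftgraph.chinacloudapi.cn", "login.chinacloudapi.cn"),
}
TENANT_PLACEHOLDER = "{tenant-id}"


def endpoints_for(cloud: str, tenant_id: str) -> tuple[str, str]:
    """Return (Base URL, Token URL) in the exact form the integration expects."""
    graph_host, login_host = CLOUDS[cloud]
    return f"https://{graph_host}/", f"https://{login_host}/{tenant_id}/oauth2/v2.0/token"


def validate_custom_urls(base_url: str, token_url: str, tenant_id: str) -> list[str]:
    """Return the problems found with a Base URL / Token URL pair; [] means the pair is consistent."""
    problems = []
    base, token = urllib.parse.urlparse(base_url), urllib.parse.urlparse(token_url)
    if base.scheme != "https" or token.scheme != "https":
        problems.append("both URLs must use https")
    # The Base URL is the Graph root only: no /v1.0, no /beta, no query string.
    if base.path not in ("", "/") or base.query or base.fragment:
        problems.append("Base URL must be the Graph root with no path, e.g. https://graph.microsoft.us/")
    # A pasted template still carrying {tenant-id} is the misconfiguration the page warns about.
    if TENANT_PLACEHOLDER in token_url:
        problems.append("Token URL still contains the {tenant-id} placeholder")
    elif token.path != f"/{tenant_id}/oauth2/v2.0/token":
        problems.append("Token URL path must be /<Directory (tenant) ID>/oauth2/v2.0/token")
    # Graph host and login host must belong to the same cloud; otherwise the token is
    # issued by one cloud and rejected by the other.
    if not any(gh == base.hostname and lh == token.hostname for gh, lh in CLOUDS.values()):
        problems.append("Base URL host and Token URL host belong to different clouds")
    return problems


def token_request_form(client_id: str, client_secret: str, base_url: str) -> dict[str, str]:
    """Form fields for the OAuth 2.0 client-credentials grant; the scope follows the Graph host."""
    graph_host = urllib.parse.urlparse(base_url).hostname
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"https://{graph_host}/.default",
    }


def fetch_token(client_id: str, client_secret: str, base_url: str, token_url: str) -> dict:
    """POST the client-credentials request and return the decoded token response (network call)."""
    body = urllib.parse.urlencode(token_request_form(client_id, client_secret, base_url)).encode()
    req = urllib.request.Request(token_url, data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    tid = "00000000-0000-0000-0000-000000000000"   # placeholder Directory (tenant) ID from the page
    base_url, token_url = endpoints_for("usgov-l4", tid)
    print(base_url, token_url)
    # Demonstrate the placeholder check by putting the template value back into the Token URL.
    print(validate_custom_urls(base_url, token_url.replace(tid, TENANT_PLACEHOLDER), tid))
```

The host-pair check is what catches the "Wrong Cloud Deployment" case from the troubleshooting section: a US Government Base URL combined with a login.microsoftonline.com Token URL validates syntactically but is reported as a cross-cloud mismatch.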
Verify Integration
After completing the setup, verify your integration is working:
- Navigate to Data Sources > Integrations > IAM in RAD Security
- Locate your Microsoft Entra ID integration
- Check the connection status shows as Connected
- Verify users and groups are syncing correctly
Your Microsoft Entra ID integration is now configured! RAD Security can now sync users, groups, and organizational data from your Entra ID tenant.
What Data is Synced
Once configured, RAD Security will sync the following data from Microsoft Entra ID:
User Information
- User identities and profiles
- Email addresses and contact information
- User principal names (UPNs)
- Account status (enabled/disabled)
- User attributes and properties
- Authentication methods
Group Information
- Group names and descriptions
- Group memberships
- Group types (Security, Microsoft 365, etc.)
- Nested group relationships
Directory Data
- Organizational structure
- Directory roles and assignments
- Role management policies
- Organizational units
Audit Logs
- Sign-in activity
- User and group changes
- Authentication events
- Administrative actions
Use Cases
SSO & Authentication
Enable single sign-on for RAD Security users through Microsoft Entra ID.
User Provisioning
Automatically sync users and groups from Entra ID to RAD Security.
RBAC Integration
Map Entra ID groups to RAD Security roles for streamlined access control.
Audit & Compliance
Track identity-related events and maintain audit trails for compliance.
Troubleshooting
Authentication Failed
Possible causes:
- Client ID, Tenant ID, or Client Secret is incorrect
- Client secret has expired
- Service principal was deleted or disabled
Resolution:
- Verify all credentials are copied correctly (no extra spaces)
- Check client secret expiration in Entra ID
- Ensure the application still exists in Entra ID
- Verify Tenant ID matches the directory you’re trying to access
Insufficient Permissions
Possible causes:
- Required Graph API permissions not granted
- Admin consent not provided
- Wrong permission type (Delegated vs Application)
Resolution:
- Navigate to API permissions in your Entra ID app
- Verify all 8 required permissions are present
- Ensure permissions are Application type, not Delegated
- Click “Grant admin consent” if status shows “Not granted”
- Wait a few minutes for permissions to propagate
No Data Syncing
Possible causes:
- Premium subscription not active
- Advanced query capabilities not available (B2C tenants)
- Initial sync still in progress
- No users or groups in the directory
Resolution:
- Verify P1 or P2 subscription is active
- Check tenant type (B2C tenants have limitations)
- Allow up to 15 minutes for initial data sync
- Verify users and groups exist in Entra ID
- Review integration logs in RAD Security for errors
Filtering Issues
Possible causes:
- Tenant doesn’t support advanced query capabilities
- Using Azure AD B2C, which has limitations
- Premium subscription not configured
Resolution:
- Confirm P1 or P2 premium subscription is active
- Check advanced query capability requirements
- Note that B2C tenants do not support advanced queries
- Contact Microsoft support to enable advanced capabilities
Secret Expired
Possible causes:
- Client secret has reached its expiration date
- Secret was manually deleted
Resolution:
- Log in to Entra ID
- Navigate to your application > Certificates & secrets
- Check expiration dates
- Create a new client secret if needed
- Update the secret in RAD Security integration settings
- Remove the old secret from Entra ID after verifying the new one works
Wrong Cloud Deployment
Possible causes:
- Using wrong Graph API URL for your cloud
- Token URL doesn’t match your deployment
Resolution:
- Verify your cloud deployment (Global, US Gov, China, etc.)
- For standard deployments, leave URL and Token URL blank
- For special deployments, see the “When to use custom URLs” section
- Ensure Token URL includes your actual tenant ID, not the placeholder
Security Best Practices
Rotate Secrets Regularly
Set short expiration periods for client secrets and rotate them before expiry. Create the new secret before deleting the old one.
Least Privilege Access
Only grant the permissions required for your use case. Remove any unused permissions.
Monitor Application Activity
Regularly review sign-in logs and audit logs for the service principal to detect anomalous activity.
Secure Secret Storage
Store client secrets in a secure password manager or secrets vault. Never commit them to version control.
Track Expiration Dates
Set calendar reminders for secret expiration dates to avoid service disruptions.
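The expiry checks behind "Secret Expired" and "Track Expiration Dates" can be automated from the registration's own metadata instead of calendar reminders. The following is an added Python example written for this page, not RAD Security's or Microsoft's code. It reads a document shaped like the passwordCredentials collection of the Microsoft Graph application resource (the sample values, key IDs, reference date and the 30-day warning threshold are constructed for the example) and reports which secrets are expired, which are about to expire, and whether a replacement must be created now.

```python
"""Flag expired or soon-to-expire client secrets on an Entra ID app registration.

Added example for this page (not RAD Security's or Microsoft's code). The input follows the
passwordCredentials collection of the Microsoft Graph `application` resource; the sample
values, key IDs and reference date below are constructed.
"""
import json
from datetime import datetime, timedelta, timezone

WARN_DAYS = 30   # this example's own threshold for "create the replacement now"

# Constructed sample in the shape of GET /v1.0/applications/{object-id}; only the
# fields this check reads are included.
SAMPLE_APPLICATION = json.loads("""
{
  "displayName": "RAD Security Integration",
  "passwordCredentials": [
    {"keyId": "aaaaaaaa-0000-0000-0000-000000000001", "displayName": "RAD Security Integration Key",
     "startDateTime": "2024-01-15T10:00:00Z", "endDateTime": "2024-07-15T10:00:00Z"},
    {"keyId": "aaaaaaaa-0000-0000-0000-000000000002", "displayName": "RAD Security Integration Key (rotated)",
     "startDateTime": "2024-07-01T09:00:00Z", "endDateTime": "2024-08-05T09:00:00Z"},
    {"keyId": "aaaaaaaa-0000-0000-0000-000000000003", "displayName": "lab test key",
     "startDateTime": "2023-01-01T00:00:00Z", "endDateTime": "2025-01-01T00:00:00Z"}
  ]
}
""")

# Constructed reference instant so the walkthrough over the sample is reproducible.
REFERENCE_NOW = datetime(2024, 7, 20, tzinfo=timezone.utc)


def _parse_graph_time(value: str) -> datetime:
    # Graph returns UTC timestamps with a trailing "Z"; fromisoformat() accepts it only from 3.11 on.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify_secrets(application: dict, now: datetime, warn_days: int = WARN_DAYS) -> dict:
    """Group each client secret into 'expired', 'expiring' (within warn_days) or 'healthy'."""
    report = {"expired": [], "expiring": [], "healthy": []}
    for cred in application.get("passwordCredentials", []):
        remaining = _parse_graph_time(cred["endDateTime"]) - now
        entry = {"keyId": cred["keyId"], "displayName": cred.get("displayName"), "days_left": remaining.days}
        if remaining <= timedelta(0):
            report["expired"].append(entry)
        elif remaining <= timedelta(days=warn_days):
            report["expiring"].append(entry)
        else:
            report["healthy"].append(entry)
    return report


def needs_new_secret(application: dict, now: datetime, warn_days: int = WARN_DAYS) -> bool:
    """True when no secret outlives the warning window: create and roll in a new one now."""
    return not classify_secrets(application, now, warn_days)["healthy"]


def removable_key_ids(application: dict, now: datetime) -> list[str]:
    """Expired secrets can be deleted from the registration once the replacement is verified."""
    return [e["keyId"] for e in classify_secrets(application, now)["expired"]]


if __name__ == "__main__":
    print(json.dumps(classify_secrets(SAMPLE_APPLICATION, REFERENCE_NOW), indent=2))
    print("create a new secret:", needs_new_secret(SAMPLE_APPLICATION, REFERENCE_NOW))
    print("safe to remove:", removable_key_ids(SAMPLE_APPLICATION, REFERENCE_NOW))
```

In production, `now` is the current UTC time and the document comes from a Graph query made with a read-only identity; the "expired" list is exactly the set of secrets the "Secret Expired" entry says to remove after the new one is verified, and `needs_new_secret` is the signal to create the replacement before the old one lapses, as "Rotate Secrets Regularly" recommends.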
Use Managed Identity
Where possible, consider using Azure Managed Identities instead of client secrets for enhanced security.