# Microsoft Entra ID

> Configure Microsoft Entra ID (formerly Azure AD) integration with RAD Security for enterprise identity management.

# Microsoft Entra ID Integration Setup

This guide walks you through integrating Microsoft Entra ID (formerly Azure Active Directory) with RAD Security for enterprise identity and access management, allowing you to sync users, groups, and organizational data from Microsoft Entra ID.

The setup process involves:

1. Creating an Entra ID application and service principal
2. Generating a client secret
3. Assigning Microsoft Graph API permissions
4. Configuring the integration in RAD Security

## Prerequisites

Before you begin, ensure you have:

<Check>
  * Admin access to Microsoft Entra ID
  * An [Entra ID tenant](https://learn.microsoft.com/en-us/entra/fundamentals/create-new-tenant)
  * **P1 or P2 premium subscription** for your Entra ID tenant
  * Access to RAD Security workspace with integration permissions
</Check>

<Warning>
  **Premium Subscription Required:** Your Entra ID tenant must have a [P1 or P2 premium subscription](https://learn.microsoft.com/en-us/entra/fundamentals/get-started-premium) to support [advanced query capabilities](https://learn.microsoft.com/en-us/graph/aad-advanced-queries?tabs=http#query-scenarios-that-require-advanced-query-capabilities). Without this, filtering functionality may not work correctly.

  **Note:** Azure AD B2C tenants do not support advanced query capabilities and may have limited functionality.
</Warning>

***

## Step 1: Create Application and Service Principal

<Steps>
  <Step title="Follow Microsoft Documentation">
    Follow the Microsoft guide to [create a Microsoft Entra application and service principal](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal).
  </Step>

  <Step title="Configure Application Settings">
    When creating the application:

    1. Choose a descriptive name (e.g., "RAD Security Integration")
    2. For **Redirect URI type**, select **Single-page application (SPA)**
    3. Leave the redirect URI field **blank** (users don't need to sign in directly)

    <Info>
      This is a service-to-service integration: RAD Security authenticates as the application itself with the client secret from Step 2 (the OAuth 2.0 client credentials grant), so there is no browser redirect and no user sign-in, and the redirect URI can stay empty.
    </Info>
  </Step>

  <Step title="Note Application Credentials">
    Once the application is created, navigate to the **Overview** tab and copy the following values to a secure location:

    * **Application (client) ID**
    * **Directory (tenant) ID**

    <Note>
      You'll need these values later for configuring the integration in RAD Security.
    </Note>
  </Step>
</Steps>

***

## Step 2: Create Client Secret

<Steps>
  <Step title="Navigate to Certificates & Secrets">
    In your Entra ID application, go to **Manage > Certificates & secrets**
  </Step>

  <Step title="Create New Client Secret">
    Follow the Microsoft guide to [add a new client secret](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal#option-3-create-a-new-client-secret).

    1. Click **New client secret**
    2. Add a description (e.g., "RAD Security Integration Key")
    3. Select an expiration period (the shortest your rotation process can sustain; see Security Best Practices below)
    4. Click **Add**
  </Step>

  <Step title="Copy Secret Value">
    **Immediately copy the secret value** to a secure location alongside your Client ID and Tenant ID.

    <Warning>
      **This is your only chance to view the secret!** Once you navigate away from this page, you cannot retrieve the secret value again. If you lose it, you'll need to create a new secret.
    </Warning>
  </Step>
</Steps>

***

## Step 3: Assign Application Permissions

<Steps>
  <Step title="Navigate to API Permissions">
    In your Entra ID application, go to **Manage > API permissions**
  </Step>

  <Step title="Add Microsoft Graph Permissions">
    Follow the Microsoft guide to [assign app roles to the application](https://learn.microsoft.com/en-us/entra/identity-platform/howto-add-app-roles-in-apps#assign-app-roles-to-applications).

    Add the following **Application** permissions from the **Microsoft Graph API** section:
  </Step>
</Steps>

### Required Permissions

<AccordionGroup>
  <Accordion title="Microsoft Graph API - Application Permissions" icon="microsoft">
    Grant the following **Application** (not Delegated) permissions:

    * `AuditLog.Read.All` - Read audit log data
    * `Directory.Read.All` - Read directory data
    * `Group.ReadWrite.All` - Read and write all groups
    * `GroupMember.ReadWrite.All` - Read and write group memberships
    * `RoleManagementPolicy.Read` - Read role management policies
    * `User.Read` - Read basic user profile information (Microsoft Graph offers this one only as a Delegated permission, so it does not appear on the Application tab; for app-only access the same data is already covered by `User.ReadWrite.All`)
    * `User.ReadWrite.All` - Read and write all users' full profiles
    * `UserAuthenticationMethod.ReadWrite.All` - Read and write user authentication methods

    <Info>
      These are **Application** permissions: the service principal exercises them with no signed-in user present, so they are bounded only by admin consent, not by any individual user's own rights.
    </Info>

    <Warning>
      **These are tenant-wide write scopes.** `User.ReadWrite.All`, `Group.ReadWrite.All` and `GroupMember.ReadWrite.All` let the service principal change any user, group or membership in the tenant, and `UserAuthenticationMethod.ReadWrite.All` lets it add or remove authentication methods, MFA included, for any user. Whoever holds the client secret from Step 2 therefore holds the equivalent of tenant-administration access; handle it like one. The sync described later in this guide only reads data, so if you want to scope the registration down, confirm with RAD Security which features depend on the write scopes before removing any of them.
    </Warning>
  </Accordion>
</AccordionGroup>

### Grant Admin Consent

<Steps>
  <Step title="Grant Consent">
    After adding all permissions, click **Grant admin consent for \[Your Organization]**

    <Warning>
      **Admin consent is required!** The permissions will not be active until an administrator grants consent for the organization.
    </Warning>
  </Step>

  <Step title="Verify Consent Status">
    Verify that all permissions show a green checkmark in the **Status** column indicating consent has been granted.
  </Step>
</Steps>

***

## Step 4: Configure in RAD Security

Navigate to your RAD Security workspace and configure the Microsoft Entra ID integration with the following parameters:

### Required Parameters

| Parameter                 | Description                                                                                   | Example                                                           |
| ------------------------- | --------------------------------------------------------------------------------------------- | ----------------------------------------------------------------- |
| **Tenant ID**             | The Directory (tenant) ID from Step 1                                                         | `00000000-0000-0000-0000-000000000000`                            |
| **Client ID**             | The Application (client) ID from Step 1                                                       | `11111111-1111-1111-1111-111111111111`                            |
| **Client Secret**         | The client secret value from Step 2                                                           | `your-secret-value-here`                                          |
| **Base URL** (optional)   | Microsoft Graph API root URL; leave blank for the Global cloud                                | `https://graph.microsoft.com/`                                    |
| **Token URL** (optional)  | Full v2.0 token endpoint for your tenant on your cloud's login host; leave blank for Global   | `https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token` |

<AccordionGroup>
  <Accordion title="When to use custom URLs" icon="globe">
    Leave **Base URL** and **Token URL** blank unless you're using a [special deployment of Microsoft Graph API](https://learn.microsoft.com/en-us/graph/deployments).

    **For special deployments:**

    **URL Format:**

    * Root URL without paths: `https://graph.microsoft.com/`
    * Example for US Government: `https://graph.microsoft.us/`
    * Example for China: `https://microsoftgraph.chinacloudapi.cn/`

    **Token URL Format:**

    * Full v2.0 token endpoint on your cloud's login host, with your tenant ID in the path: `https://{login-host}/{tenant-id}/oauth2/v2.0/token`
    * Example for US Government: `https://login.microsoftonline.us/00000000-0000-0000-0000-000000000000/oauth2/v2.0/token`
    * Replace `{tenant-id}` with your actual Directory (tenant) ID; the login host for each deployment is listed below

    **Common Deployments:**

    * **Global:** Use defaults (leave blank)
    * **US Government L4:** `graph.microsoft.us` / `login.microsoftonline.us`
    * **US Government L5 (DOD):** `dod-graph.microsoft.us` / `login.microsoftonline.us`
    * **China (21Vianet):** `microsoftgraph.chinacloudapi.cn` / `login.chinacloudapi.cn`
  </Accordion>
</AccordionGroup>
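Before entering the values in RAD Security, it is worth confirming from outside the product that the secret works, that admin consent actually landed, and that the tenant answers advanced queries. The script below is an added example, not RAD Security's or Microsoft's code; the environment variable names and the `endsWith` filter it sends are assumptions. It requests an app-only token with the client credentials grant using the Token URL and scope formats from this step, then inspects the token's `roles` claim, which is where consented Application permissions appear. Without the environment variables set it runs an offline demonstration on a constructed token.

```python
"""Pre-flight check of the service principal before saving it in RAD Security.

Added example; not RAD Security's or Microsoft's code. Assumed names: the
environment variables ENTRA_TENANT_ID, ENTRA_CLIENT_ID and ENTRA_CLIENT_SECRET
hold the values from Steps 1 and 2, and GRAPH_BASE / LOGIN_BASE override the
Global-cloud hosts for a sovereign cloud. Standard library only.
"""
import base64
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# Application permissions from Step 3. Consented Application permissions appear
# in the app-only access token's "roles" claim. User.Read is left out: Graph
# offers it only as a Delegated permission, so it never appears in an app-only
# token (User.ReadWrite.All already covers that data).
REQUIRED_ROLES = [
    "AuditLog.Read.All", "Directory.Read.All", "Group.ReadWrite.All",
    "GroupMember.ReadWrite.All", "RoleManagementPolicy.Read",
    "User.ReadWrite.All", "UserAuthenticationMethod.ReadWrite.All",
]

def token_endpoint(tenant_id, login_base="https://login.microsoftonline.com/"):
    """The Token URL format from Step 4: the v2.0 endpoint for one tenant."""
    return f"{login_base.rstrip('/')}/{tenant_id}/oauth2/v2.0/token"

def default_scope(graph_base="https://graph.microsoft.com/"):
    """Client credentials grant: /.default on the target cloud's Graph resource
    asks for every app role that admin consent granted."""
    return f"{graph_base.rstrip('/')}/.default"

def jwt_roles(access_token):
    """Sorted 'roles' claim of an access token. Decoded WITHOUT signature
    verification on purpose: this inspects a token we just received from the
    login endpoint over TLS. Never use it to accept a token from someone else."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return sorted(json.loads(base64.urlsafe_b64decode(padded)).get("roles", []))

def missing_roles(granted, required=REQUIRED_ROLES):
    """Permissions from Step 3 that admin consent did not actually grant."""
    return sorted(set(required) - set(granted))

def advanced_query_request(graph_base="https://graph.microsoft.com/"):
    """A request that only succeeds with advanced query capabilities (the P1/P2,
    non-B2C requirement): endsWith() in $filter needs $count=true and the
    ConsistencyLevel: eventual header. The filter value itself is arbitrary."""
    filt = urllib.parse.quote("endsWith(mail,'@example.com')")
    url = f"{graph_base.rstrip('/')}/v1.0/users?$filter={filt}&$count=true&$top=1"
    return url, {"ConsistencyLevel": "eventual"}

def unsigned_token(claims):
    """Constructed, unsigned token so jwt_roles() can be demonstrated offline."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}.x"

def main():
    tenant = os.environ.get("ENTRA_TENANT_ID")
    client = os.environ.get("ENTRA_CLIENT_ID")
    secret = os.environ.get("ENTRA_CLIENT_SECRET")
    graph_base = os.environ.get("GRAPH_BASE", "https://graph.microsoft.com/")
    login_base = os.environ.get("LOGIN_BASE", "https://login.microsoftonline.com/")
    if not (tenant and client and secret):
        # Offline demo: a constructed token in which only two roles were consented.
        demo = unsigned_token({"roles": ["Directory.Read.All", "AuditLog.Read.All"]})
        print("demo, roles missing:", missing_roles(jwt_roles(demo)))
        return
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client,
        "client_secret": secret, "scope": default_scope(graph_base),
    }).encode()
    with urllib.request.urlopen(token_endpoint(tenant, login_base), data=body) as resp:
        token = json.load(resp)["access_token"]
    missing = missing_roles(jwt_roles(token))
    print("roles missing from token:", missing or "none, consent is complete")
    url, headers = advanced_query_request(graph_base)
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}", **headers})
    try:
        with urllib.request.urlopen(req) as resp:
            print("advanced query OK, @odata.count =", json.load(resp).get("@odata.count"))
    except urllib.error.HTTPError as err:
        print(f"advanced query failed, HTTP {err.code}: check license and tenant type")

if __name__ == "__main__":
    main()
```

Export the three variables (plus `GRAPH_BASE` and `LOGIN_BASE` for a sovereign cloud) and run it. A token request that succeeds but yields an empty `roles` claim is the classic sign that admin consent was never granted: the login endpoint issues the token as long as the secret is valid, and only the consented app roles end up inside it. A `400` on the advanced query with a valid token points at the license or tenant-type requirements from the Prerequisites rather than at the credentials.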

***

## Verify Integration

After completing the setup, verify your integration is working:

1. Navigate to **Data Sources > Integrations > IAM** in RAD Security
2. Locate your Microsoft Entra ID integration
3. Check the connection status shows as **Connected**
4. Verify users and groups are syncing correctly

<Check>
  Your Microsoft Entra ID integration is now configured! RAD Security can now sync users, groups, and organizational data from your Entra ID tenant.
</Check>

## What Data is Synced

Once configured, RAD Security will sync the following data from Microsoft Entra ID:

<AccordionGroup>
  <Accordion title="User Information" icon="users">
    * User identities and profiles
    * Email addresses and contact information
    * User principal names (UPNs)
    * Account status (enabled/disabled)
    * User attributes and properties
    * Authentication methods
  </Accordion>

  <Accordion title="Group Information" icon="users-rectangle">
    * Group names and descriptions
    * Group memberships
    * Group types (Security, Microsoft 365, etc.)
    * Nested group relationships
  </Accordion>

  <Accordion title="Directory Data" icon="building">
    * Organizational structure
    * Directory roles and assignments
    * Role management policies
    * Organizational units
  </Accordion>

  <Accordion title="Audit Logs" icon="file-lines">
    * Sign-in activity
    * User and group changes
    * Authentication events
    * Administrative actions
  </Accordion>
</AccordionGroup>

## Use Cases

<CardGroup cols={2}>
  <Card title="SSO & Authentication" icon="key">
    Enable single sign-on for RAD Security users through Microsoft Entra ID.
  </Card>

  <Card title="User Provisioning" icon="user-plus">
    Automatically sync users and groups from Entra ID to RAD Security.
  </Card>

  <Card title="RBAC Integration" icon="shield-halved">
    Map Entra ID groups to RAD Security roles for streamlined access control.
  </Card>

  <Card title="Audit & Compliance" icon="clipboard-check">
    Track identity-related events and maintain audit trails for compliance.
  </Card>
</CardGroup>

## Troubleshooting

<AccordionGroup>
  <Accordion title="Authentication Failed" icon="triangle-exclamation">
    **Possible causes:**

    * Client ID, Tenant ID, or Client Secret is incorrect
    * Client secret has expired
    * Service principal was deleted or disabled

    **Solution:**

    * Verify all credentials are copied correctly (no extra spaces)
    * Check client secret expiration in Entra ID
    * Ensure the application still exists in Entra ID
    * Verify Tenant ID matches the directory you're trying to access
  </Accordion>

  <Accordion title="Insufficient Permissions" icon="shield-exclamation">
    **Possible causes:**

    * Required Graph API permissions not granted
    * Admin consent not provided
    * Wrong permission type (Delegated vs Application)

    **Solution:**

    * Navigate to API permissions in your Entra ID app
    * Verify that the permissions listed in Step 3 are present (`User.Read` is Delegated-only in Graph and will not appear on the Application tab)
    * Ensure permissions are **Application** type, not Delegated
    * Click "Grant admin consent" if status shows "Not granted"
    * Wait a few minutes for permissions to propagate
  </Accordion>

  <Accordion title="No Data Syncing" icon="database-slash">
    **Possible causes:**

    * Premium subscription not active
    * Advanced query capabilities not available (B2C tenants)
    * Initial sync still in progress
    * No users or groups in the directory

    **Solution:**

    * Verify P1 or P2 subscription is active
    * Check tenant type (B2C tenants have limitations)
    * Allow up to 15 minutes for initial data sync
    * Verify users and groups exist in Entra ID
    * Review integration logs in RAD Security for errors
  </Accordion>

  <Accordion title="Filtering Issues" icon="filter">
    **Possible causes:**

    * Tenant doesn't support advanced query capabilities
    * Using Azure AD B2C which has limitations
    * Premium subscription not configured

    **Solution:**

    * Confirm P1 or P2 premium subscription is active
    * Check [advanced query capability requirements](https://learn.microsoft.com/en-us/graph/aad-advanced-queries?tabs=http#query-scenarios-that-require-advanced-query-capabilities)
    * Note that B2C tenants do not support advanced queries
    * If the tenant meets these requirements and filtering still fails, open a Microsoft support case
  </Accordion>

  <Accordion title="Secret Expired" icon="clock">
    **Possible causes:**

    * Client secret has reached its expiration date
    * Secret was manually deleted

    **Solution:**

    * Log in to Entra ID
    * Navigate to your application > Certificates & secrets
    * Check expiration dates
    * Create a new client secret if needed
    * Update the secret in RAD Security integration settings
    * Remove the old secret from Entra ID after verifying the new one works
  </Accordion>

  <Accordion title="Wrong Cloud Deployment" icon="globe">
    **Possible causes:**

    * Using wrong Graph API URL for your cloud
    * Token URL doesn't match your deployment

    **Solution:**

    * Verify your cloud deployment (Global, US Gov, China, etc.)
    * For standard deployments, leave Base URL and Token URL blank
    * For special deployments, see "When to use custom URLs" section
    * Ensure Token URL includes your actual tenant ID, not the placeholder
  </Accordion>
</AccordionGroup>

## Security Best Practices

<CardGroup cols={2}>
  <Card title="Rotate Secrets Regularly" icon="rotate">
    Set short expiration periods for client secrets and rotate them before expiry. Create the new secret before deleting the old one.
  </Card>

  <Card title="Least Privilege Access" icon="shield-halved">
    Only grant the permissions required for your use case. Remove any unused permissions.
  </Card>

  <Card title="Monitor Application Activity" icon="chart-line">
    Regularly review sign-in logs and audit logs for the service principal to detect anomalous activity.
  </Card>

  <Card title="Secure Secret Storage" icon="lock">
    Store client secrets in a secure password manager or secrets vault. Never commit them to version control.
  </Card>

  <Card title="Track Expiration Dates" icon="calendar">
    Set calendar reminders for secret expiration dates to avoid service disruptions.
  </Card>

  <Card title="Managed Identity and Certificates" icon="fingerprint">
    Azure Managed Identities remove the secret entirely, but only for workloads running inside Azure; they cannot authenticate an external service such as this integration. Where the integration supports it, a certificate credential on the app registration is the stronger alternative to a client secret, since the private key never has to be copied out of your key store.
  </Card>
</CardGroup>
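A small check for the Track Expiration Dates and Rotate Secrets cards, as an added example that is not RAD Security's or Microsoft's code. It works on the `passwordCredentials` array that Microsoft Graph returns for `GET /v1.0/applications/{object-id}` (an admin-context call needing `Application.Read.All`; do not add that scope to the integration's own service principal). The sample credentials and the fixed clock are constructed so the check runs offline, and the 30-day warning window is an assumption.

```python
"""Flag client secrets on the integration's app registration that are expired
or about to expire, and tell whether a replacement is already staged.

Added example, not RAD Security's or Microsoft's code. Input is the
passwordCredentials array Microsoft Graph returns for
GET /v1.0/applications/{object-id}. SAMPLE_CREDENTIALS and NOW are constructed
so the check runs offline; the 30-day window is an assumption.
"""
from datetime import datetime, timezone

# Constructed sample in the shape Graph returns (keyIds shortened).
SAMPLE_CREDENTIALS = [
    {"displayName": "RAD Security Integration Key", "keyId": "aaaa0001",
     "endDateTime": "2025-02-10T00:00:00Z"},
    {"displayName": "RAD Security Integration Key (rotated)", "keyId": "bbbb0002",
     "endDateTime": "2025-08-01T00:00:00.1234567Z"},  # seven fractional digits, as Graph emits
    {"displayName": "initial test secret", "keyId": "cccc0003",
     "endDateTime": "2024-12-01T00:00:00Z"},
]
NOW = datetime(2025, 1, 20, tzinfo=timezone.utc)  # fixed clock for the demo

def parse_graph_time(value):
    """Graph emits UTC timestamps with a trailing Z and up to seven fractional
    digits; datetime.fromisoformat() takes at most six and, before Python 3.11,
    no Z, so normalise both before parsing."""
    if value.endswith("Z"):
        head, _, frac = value[:-1].partition(".")
        value = head + ("." + frac[:6] if frac else "") + "+00:00"
    return datetime.fromisoformat(value)

def expiring_secrets(password_credentials, now=None, within_days=30):
    """Secrets already expired or expiring within `within_days`, soonest first,
    as (displayName, keyId, days_left). A negative days_left means expired."""
    now = now or datetime.now(timezone.utc)
    flagged = []
    for cred in password_credentials:
        days_left = (parse_graph_time(cred["endDateTime"]) - now).days
        if days_left <= within_days:
            flagged.append((cred.get("displayName"), cred["keyId"], days_left))
    return sorted(flagged, key=lambda item: item[2])

def rotation_staged(password_credentials, now=None, within_days=30):
    """True if at least one secret outlives the warning window, i.e. a replacement
    already exists: update RAD Security to it, then delete the expiring ones."""
    now = now or datetime.now(timezone.utc)
    return any((parse_graph_time(c["endDateTime"]) - now).days > within_days
               for c in password_credentials)

if __name__ == "__main__":
    for name, key_id, days in expiring_secrets(SAMPLE_CREDENTIALS, NOW):
        state = f"expired {-days} days ago" if days < 0 else f"expires in {days} days"
        print(f"{name!r} ({key_id}): {state}")
    print("replacement staged:", rotation_staged(SAMPLE_CREDENTIALS, NOW))
```

Feed it the real array from Graph (or from the Azure CLI, where `az ad app credential list --id <client-id>` prints the same fields) on a schedule, and alert on a non-empty result when `rotation_staged` is false: that is the state in which the integration will stop authenticating with no replacement ready. Note that Graph never returns the secret value itself, only metadata such as `keyId` and `endDateTime`, which is why the value has to be captured at creation time in Step 2.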

## Next Steps

<CardGroup cols={2}>
  <Card title="IAM Integrations Overview" icon="key" href="/rad-security/integrations/identity-and-access">
    Explore other identity integration options
  </Card>

  <Card title="User Management" icon="users" href="/rad-security/platform/workspace">
    Configure RBAC and manage users in your workspace
  </Card>

  <Card title="Okta Integration" icon="okta" href="/rad-security/integrations/okta-setup">
    Add Okta as an additional identity provider
  </Card>

  <Card title="Google Workspace" icon="google" href="/rad-security/integrations/google-workspace-setup">
    Integrate with Google Workspace for identity management
  </Card>
</CardGroup>
