
Entra ID Connector

The Entra ID (formerly Azure AD) connector pulls identity and access data from Microsoft Entra ID through the Microsoft Graph API, enriching the digital twin with verified enterprise identity posture.

What It Provides

Data                         Description
Users                        Directory users with account status, last sign-in, MFA registration
MFA Coverage                 Per-user MFA method registration (Authenticator, FIDO2, phone, email)
Groups                       Security groups and membership counts
Privileged Roles             Global Admin, Security Admin, and other directory role assignments
Conditional Access Policies  CA policy inventory with state (enabled/report-only/disabled) and grant controls
Sign-in Logs                 Authentication events with risk levels, location, device info
Applications                 Enterprise app registrations and service principals

Twin Enrichment

After a sync, the twin gains:

  • MFA coverage with method-level breakdown (verified confidence)
  • Privileged role mapping — who has Global Admin, how many accounts
  • Conditional access posture — policies in place, what they enforce
  • Sign-in risk events generated as SecurityEvents
  • Stale account detection — users who have not signed in recently
  • Application inventory — registered enterprise apps and their permissions
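The enrichment items above are derived, not copied, from the synced objects. The following is an added example (not the connector's own code) showing how a practitioner would compute MFA coverage with a method breakdown, stale accounts, Global Admin membership and conditional access posture from Graph-shaped records. The records are constructed for illustration; only their field names follow the Graph resources (`/users` with `signInActivity`, `/reports/authenticationMethods/userRegistrationDetails`, `/directoryRoles?$expand=members`, `/identity/conditionalAccess/policies`). The 90-day staleness threshold and the fixed clock are assumptions, and the edge cases handled are the ones that distort a naive count: disabled accounts, users who have never signed in, and report-only policies that enforce nothing.

```python
"""Derive twin enrichment findings from Entra ID Graph objects (added example)."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)      # fixed clock so results are reproducible
STALE_AFTER = timedelta(days=90)                       # assumed staleness threshold (not from the page)
GLOBAL_ADMIN_TEMPLATE = "62e90394-69f5-4237-9190-012177145e10"  # well-known Global Administrator template

USERS = [  # constructed; accountEnabled=False and signInActivity=None are the edge cases
    {"id": "u1", "userPrincipalName": "alice@contoso.example", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2024-05-30T08:00:00Z"}},
    {"id": "u2", "userPrincipalName": "bob@contoso.example", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2024-01-15T08:00:00Z"}},
    {"id": "u3", "userPrincipalName": "svc-backup@contoso.example", "accountEnabled": True,
     "signInActivity": None},  # never signed in
    {"id": "u4", "userPrincipalName": "carol@contoso.example", "accountEnabled": False,
     "signInActivity": {"lastSignInDateTime": "2023-02-01T08:00:00Z"}},
]
REGISTRATION = [  # constructed; Graph reports isMfaRegistered separately from the method list
    {"id": "u1", "isMfaRegistered": True, "methodsRegistered": ["microsoftAuthenticatorPush", "fido2SecurityKey"]},
    {"id": "u2", "isMfaRegistered": True, "methodsRegistered": ["mobilePhone"]},
    {"id": "u3", "isMfaRegistered": False, "methodsRegistered": []},
    {"id": "u4", "isMfaRegistered": False, "methodsRegistered": ["email"]},  # email is SSPR-only, not MFA
]
DIRECTORY_ROLES = [  # constructed; the second roleTemplateId is invented
    {"roleTemplateId": GLOBAL_ADMIN_TEMPLATE, "displayName": "Global Administrator",
     "members": [{"id": "u1"}, {"id": "u3"}]},
    {"roleTemplateId": "11111111-1111-1111-1111-111111111111", "displayName": "Security Reader",
     "members": [{"id": "u2"}]},
]
CA_POLICIES = [  # constructed; the three state values are the ones Graph uses
    {"displayName": "Require MFA for all users", "state": "enabled",
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication", "state": "enabledForReportingButNotEnforced",
     "grantControls": {"builtInControls": ["block"]}},
    {"displayName": "Require compliant device", "state": "disabled",
     "grantControls": {"builtInControls": ["compliantDevice"]}},
]


def _enabled(users):
    return [u for u in users if u.get("accountEnabled")]


def mfa_coverage(users, registration):
    """Coverage over enabled users only, plus a per-method breakdown."""
    reg = {r["id"]: r for r in registration}
    enabled = _enabled(users)
    registered = [u for u in enabled if reg.get(u["id"], {}).get("isMfaRegistered")]
    methods = {}
    for u in enabled:
        for m in reg.get(u["id"], {}).get("methodsRegistered", []):
            methods[m] = methods.get(m, 0) + 1
    pct = round(100 * len(registered) / len(enabled), 1) if enabled else 0.0
    return {"enabled_users": len(enabled), "mfa_registered": len(registered),
            "coverage_pct": pct, "methods": methods}


def stale_accounts(users, now=NOW, threshold=STALE_AFTER):
    """Enabled users with no sign-in inside the threshold; never-signed-in counts as stale."""
    stale = []
    for u in _enabled(users):
        last = (u.get("signInActivity") or {}).get("lastSignInDateTime")
        if last is None or datetime.fromisoformat(last.replace("Z", "+00:00")) < now - threshold:
            stale.append(u["userPrincipalName"])
    return stale


def privileged_members(roles, users, template_id=GLOBAL_ADMIN_TEMPLATE):
    """UPNs holding the role; match on roleTemplateId, not the localisable displayName."""
    upn = {u["id"]: u["userPrincipalName"] for u in users}
    return [upn[m["id"]] for r in roles if r["roleTemplateId"] == template_id
            for m in r["members"] if m["id"] in upn]


def privileged_without_mfa(roles, users, registration):
    """Global Admins with no MFA method registered: the finding that should page someone."""
    reg = {r["id"]: r["isMfaRegistered"] for r in registration}
    by_upn = {u["userPrincipalName"]: u["id"] for u in users}
    return [p for p in privileged_members(roles, users) if not reg.get(by_upn[p], False)]


def ca_posture(policies):
    """Only state == 'enabled' enforces; report-only and disabled policies protect nothing."""
    enforced = [p["displayName"] for p in policies if p["state"] == "enabled"]
    report_only = [p["displayName"] for p in policies if p["state"] == "enabledForReportingButNotEnforced"]
    disabled = [p["displayName"] for p in policies if p["state"] == "disabled"]
    mfa_enforced = any(p["state"] == "enabled"
                       and "mfa" in (p.get("grantControls") or {}).get("builtInControls", [])
                       for p in policies)
    return {"enforced": enforced, "report_only": report_only,
            "disabled": disabled, "mfa_enforced": mfa_enforced}


if __name__ == "__main__":
    print(mfa_coverage(USERS, REGISTRATION))
    print(stale_accounts(USERS))
    print(privileged_members(DIRECTORY_ROLES, USERS))
    print(privileged_without_mfa(DIRECTORY_ROLES, USERS, REGISTRATION))
    print(ca_posture(CA_POLICIES))
```

Two design choices matter here: disabled accounts are excluded from the coverage denominator (counting them inflates the gap without adding risk), and the privileged-role match uses the role template ID rather than the display name, which is localised per tenant language.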

Setup

Prerequisites

  • An Entra ID app registration with the following Microsoft Graph API permissions, granted as Application permissions (not Delegated) and admin-consented:
    • User.Read.All
    • Group.Read.All
    • Directory.Read.All
    • AuditLog.Read.All
    • Policy.Read.All
  • Retrieving sign-in logs through the Graph API requires an Entra ID P1 or P2 license on the tenant; without it the sign-in sync fails while the other data types still load.

3-Step Setup

Navigate to Integrations and click the Entra ID card.

Step 1 — Configure:

Tenant ID:     your-tenant-id
Client ID:     your-app-client-id
Client Secret: your-app-client-secret

The client secret carries the expiry date chosen when it was created in the app registration; re-enter a new secret here before that date, or scheduled syncs will start failing at authentication.

Step 2 — Test: Click "Test Connection" to verify Graph API access.

Step 3 — Sync: Click "Sync Now" to pull data.

entra_id_status()         # Check if configured
entra_id_sync(            # Pull data
  sync_users=true,
  sync_groups=true,
  sync_roles=true,
  sync_sign_ins=true,
  sync_policies=true,
  sync_apps=true,
  hours_back=24
)

Sync Options

Parameter      Default  Description
sync_users     true     Pull user directory with MFA registration
sync_groups    true     Pull security groups and memberships
sync_roles     true     Pull privileged directory role assignments
sync_sign_ins  true     Pull sign-in logs with risk levels
sync_policies  true     Pull conditional access policy inventory
sync_apps      true     Pull enterprise application registrations
hours_back     24       How many hours of sign-in logs to retrieve

Permissions

Ensure the app registration's Graph permissions are granted as admin-consented Application permissions, not Delegated. Delegated permissions are exercised on behalf of a signed-in user and cannot be used by the connector's background sync, which authenticates with only the tenant ID, client ID and client secret (the client credentials flow). The difference is visible in the access token itself: Application permissions appear in the roles claim, Delegated permissions in the scp claim, and Graph answers a call that lacks the required role with HTTP 403 "Insufficient privileges to complete the operation".
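The "Test Connection" step only reports whether Graph accepted the call. The following added example (not the connector's own code) performs the sharper check a practitioner wants before the first sync: it obtains a client-credentials token for the `https://graph.microsoft.com/.default` scope and confirms that every required permission is present in the token's roles claim, flagging a token that carries delegated scp scopes instead. The environment variable names are assumptions; the three sample tokens are constructed with an unsigned dummy signature so the check runs offline, and the decoder deliberately skips signature verification, which is acceptable for a local sanity check but never for trusting a token received from someone else.

```python
"""Check that an app registration yields a token usable for background sync (added example)."""
import base64
import json
import os
import urllib.parse
import urllib.request

REQUIRED_ROLES = {"User.Read.All", "Group.Read.All", "Directory.Read.All",
                  "AuditLog.Read.All", "Policy.Read.All"}


def request_token(tenant_id, client_id, client_secret):
    """Client-credentials grant against the v2.0 endpoint; returns the raw access token."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",  # .default = all admin-consented app permissions
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature: local sanity check only."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def check_permissions(token, required=REQUIRED_ROLES):
    """Return (ok, problems). Fails if a required app role is missing or the token is delegated."""
    claims = token_claims(token)
    problems = []
    if "scp" in claims:
        problems.append("token carries delegated scopes (scp); grant Application permissions instead")
    granted = set(claims.get("roles", []))
    missing = sorted(required - granted)
    if missing:
        problems.append("missing admin-consented application permissions: " + ", ".join(missing))
    return (not problems, problems)


def _fake_jwt(payload):
    """Build an unsigned token with the given payload (constructed test data, not a real token)."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(payload), "sig"])


SAMPLE_APP_TOKEN = _fake_jwt({"aud": "https://graph.microsoft.com",
                              "roles": sorted(REQUIRED_ROLES)})
SAMPLE_DELEGATED_TOKEN = _fake_jwt({"aud": "https://graph.microsoft.com",
                                    "scp": "User.Read Directory.Read.All"})
SAMPLE_PARTIAL_TOKEN = _fake_jwt({"aud": "https://graph.microsoft.com",
                                  "roles": ["User.Read.All", "Group.Read.All"]})

if __name__ == "__main__":
    # Assumed variable names; with all three set, a real token is requested, otherwise the sample is used.
    env = [os.environ.get(k) for k in ("ENTRA_TENANT_ID", "ENTRA_CLIENT_ID", "ENTRA_CLIENT_SECRET")]
    token = request_token(*env) if all(env) else SAMPLE_APP_TOKEN
    ok, problems = check_permissions(token)
    print("OK: all required application permissions present" if ok else "\n".join(problems))
```

A missing role in this check maps one-to-one to a 403 from the corresponding Graph endpoint during sync, so fixing the report here avoids a half-completed first sync.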

Combined Identity Posture

Organizations using both Okta and Entra ID get a unified identity view. The twin merges data from both connectors, identifying:

  • MFA coverage across both IdPs
  • Users present in one but not the other
  • Conflicting role assignments
  • SSO overlap and gaps
