Microsoft Entra ID Connector
The Microsoft Entra ID connector syncs users, groups, directory-role memberships, enterprise app access entitlements, app registrations, service principals, and optional discovery data from Microsoft Graph.
What Gets Synced
- Users
- Groups
- Active (currently assigned) directory-role memberships
- Effective enterprise app access entitlements
- App registrations
- Service principals
- Discovery evidence when enabled
The first sync bootstraps Microsoft Graph delta cursors for users, groups, app registrations, and service principals. Later syncs use those cursors to pull only changes and explicit deletes. Owners and app-role entitlements are reconciled from the current delta-backed inventory; Microsoft Graph does not expose the same delta shape for those relationships, so incremental runs still make per-asset owner and assignment calls. Credential audit events are pulled incrementally from the latest stored event time.
Microsoft Graph change-notification push and a standalone tail run mode are not enabled yet. The existing Graph delta behavior remains inside the connector's full sync path until it can be split without changing full-run finalization semantics.
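To make the delta-cursor behaviour above concrete, here is an added example (not Open-SSPM's own code) of a first-run bootstrap and a later incremental run against /users/delta. Graph access is injected as a fetch(url) callable so the block runs offline against constructed responses; the object ids, skip tokens and delta tokens are made up. Changed objects are merged rather than replaced, because a Graph delta response carries only the properties that changed, and entries carrying @removed are the explicit deletes the page mentions.

```python
"""Delta-query walk for an Entra connector: bootstrap the cursor on the first
run, then resume from the stored @odata.deltaLink and apply only changes and
@removed entries. Added example; the Graph call is injected so it runs offline."""
from typing import Callable, Dict, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"
Fetch = Callable[[str], dict]   # assumed: fetch(url) returns the parsed JSON page


def walk_delta(fetch: Fetch, start_url: str,
               inventory: Dict[str, dict]) -> Tuple[Dict[str, dict], str]:
    """Follow an initial or delta query to completion.

    Each page is applied to `inventory`, keyed by object id: a normal entry is
    merged (delta pages carry only changed properties), an entry with
    "@removed" is deleted. Returns the inventory and the @odata.deltaLink to
    store as the cursor for the next run.
    """
    url = start_url
    while True:
        page = fetch(url)
        for obj in page.get("value", []):
            oid = obj["id"]
            if "@removed" in obj:                      # explicit delete from Graph
                inventory.pop(oid, None)
                continue
            props = {k: v for k, v in obj.items() if not k.startswith("@")}
            inventory.setdefault(oid, {}).update(props)
        if "@odata.nextLink" in page:                  # more pages in this run
            url = page["@odata.nextLink"]
            continue
        return inventory, page["@odata.deltaLink"]     # cursor for the next sync


def bootstrap_users(fetch: Fetch) -> Tuple[Dict[str, dict], str]:
    """First sync: full enumeration that also yields the initial cursor."""
    return walk_delta(fetch, f"{GRAPH}/users/delta?$select=id,displayName,accountEnabled", {})


def incremental_users(fetch: Fetch, delta_link: str,
                      inventory: Dict[str, dict]) -> Tuple[Dict[str, dict], str]:
    """Later syncs: resume from the stored cursor; only changes come back."""
    return walk_delta(fetch, delta_link, dict(inventory))


# Constructed sample responses (shape of Graph delta pages; ids, tokens and
# users are made up), keyed by the URL the fetch receives.
FAKE_GRAPH = {
    f"{GRAPH}/users/delta?$select=id,displayName,accountEnabled": {
        "value": [{"id": "u1", "displayName": "Alice", "accountEnabled": True},
                  {"id": "u2", "displayName": "Bob", "accountEnabled": True}],
        "@odata.nextLink": f"{GRAPH}/users/delta?$skiptoken=page2",
    },
    f"{GRAPH}/users/delta?$skiptoken=page2": {
        "value": [{"id": "u3", "displayName": "Carol", "accountEnabled": False}],
        "@odata.deltaLink": f"{GRAPH}/users/delta?$deltatoken=cursor1",
    },
    # Second run: Bob disabled, Carol deleted, Dave created. Unchanged Alice is
    # not returned at all, which is what the cursor buys you.
    f"{GRAPH}/users/delta?$deltatoken=cursor1": {
        "value": [{"id": "u2", "accountEnabled": False},
                  {"id": "u3", "@removed": {"reason": "deleted"}},
                  {"id": "u4", "displayName": "Dave", "accountEnabled": True}],
        "@odata.deltaLink": f"{GRAPH}/users/delta?$deltatoken=cursor2",
    },
}


def fake_fetch(url: str) -> dict:
    """Offline stand-in for an authenticated GET against Graph."""
    return FAKE_GRAPH[url]


def run_two_syncs(fetch: Fetch = fake_fetch) -> Tuple[Dict[str, dict], str]:
    """Bootstrap, then one incremental run from the stored cursor."""
    inventory, cursor = bootstrap_users(fetch)
    return incremental_users(fetch, cursor, inventory)


if __name__ == "__main__":
    print(run_two_syncs())
```

Persist the returned deltaLink only after the run's changes have been committed; if the cursor is stored first and the run fails, the changes between the two cursors are lost until the next full bootstrap.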
Prerequisites
- A Microsoft Entra tenant
- An application registration
- Admin consent for the required Microsoft Graph application permissions
Known Working Graph Permissions
The in-app connector form currently calls out this working permission set for full sync (all are application permissions, not delegated ones, and all are read-only):
- User.Read.All
- Group.Read.All
- Application.Read.All
- AppRoleAssignment.Read.All
- RoleManagement.Read.Directory
For discovery, also grant:
- AuditLog.Read.All
- Directory.Read.All
- DelegatedPermissionGrant.Read.All
Setup Instructions
1. Register an Application
Create an Entra application registration for Open-SSPM and note:
- Application (client) ID
- Directory (tenant) ID
2. Create a Client Secret
Create a client secret and save the value immediately; it is shown only once, at creation. Note its expiry date as well, since an expired secret is the usual cause of the Invalid Client Secret error below.
3. Grant Graph Permissions
Add the application permissions listed above and grant admin consent.
4. Configure in Open-SSPM
- Go to Settings → Connectors
- Open the Microsoft Entra ID connector
- Enter:
- Tenant ID
- Client ID
- Client secret
- Enable discovery if needed
- Save the configuration
- Trigger a sync
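A pre-flight check for step 3 and for the Insufficient Privileges case under Troubleshooting, as an added example rather than project code: acquire an app-only token with the tenant ID, client ID and client secret from steps 1 and 2, then compare the token's roles claim with the permission set listed above before triggering a sync. get_token needs network access and the requests package; the role check itself runs offline against a constructed, unsigned sample token (not a real Entra token) and does not validate the signature, it only inspects what the tenant issued.

```python
"""Client-credentials token request plus a check that admin consent covers
the connector's permission set. Added example, not Open-SSPM's own code."""
import base64
import json
from typing import Iterable, List

# Permission sets as listed on this page.
FULL_SYNC_ROLES = {"User.Read.All", "Group.Read.All", "Application.Read.All",
                   "AppRoleAssignment.Read.All", "RoleManagement.Read.Directory"}
DISCOVERY_ROLES = {"AuditLog.Read.All", "Directory.Read.All",
                   "DelegatedPermissionGrant.Read.All"}


def get_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials grant on the v2.0 endpoint with the .default scope,
    so the token carries every application permission that has admin consent.
    Live call only (network + `requests`); not exercised offline."""
    import requests
    resp = requests.post(
        f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
        data={"grant_type": "client_credentials",
              "client_id": client_id,
              "client_secret": client_secret,
              "scope": "https://graph.microsoft.com/.default"},
        timeout=30)
    resp.raise_for_status()
    return resp.json()["access_token"]


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are unpadded base64url; restore padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_roles(access_token: str) -> List[str]:
    """Return the `roles` claim (granted application permissions).
    No signature verification: this only reads the payload the tenant issued.
    A token with no consented app roles has no `roles` claim at all."""
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    return sorted(payload.get("roles", []))


def missing_roles(access_token: str, discovery: bool = False) -> List[str]:
    """Permissions the page requires that are absent from the token."""
    required = FULL_SYNC_ROLES | (DISCOVERY_ROLES if discovery else set())
    return sorted(required - set(decode_roles(access_token)))


def _fake_token(roles: Iterable[str]) -> str:
    """Constructed, unsigned token for the offline demo (not a real Entra token)."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    header = enc({"alg": "none", "typ": "JWT"})
    payload = enc({"aud": "https://graph.microsoft.com", "roles": sorted(roles)})
    return ".".join([header, payload, ""])


# Sample: full-sync consent granted, but only one of the discovery permissions.
SAMPLE_TOKEN = _fake_token(FULL_SYNC_ROLES | {"AuditLog.Read.All"})


if __name__ == "__main__":
    print("missing for full sync:", missing_roles(SAMPLE_TOKEN))
    print("missing for discovery:", missing_roles(SAMPLE_TOKEN, discovery=True))
```

If the list is non-empty after consent was granted, request a fresh token: tokens issued before consent keep the old roles claim until they expire.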
Sync Tuning
SYNC_ENTRA_INTERVAL=15m
Troubleshooting
Invalid Client Secret
- Confirm the secret has not expired
- Recreate it if necessary
Insufficient Privileges
- Verify the Graph application permissions were granted
- Re-run admin consent if needed
Discovery Data Missing
- Enable discovery on the connector
- Confirm the extra discovery permissions were granted
- Make sure the discovery worker is running