Microsoft Entra ID Connector
The Microsoft Entra ID connector syncs users, groups, app registrations, service principals, and optional discovery data from Microsoft Graph.
What Gets Synced
- Users
- Groups
- App registrations
- Service principals
- Discovery evidence when enabled
Prerequisites
- A Microsoft Entra tenant
- An application registration
- Admin consent for the required Microsoft Graph application permissions
Known Working Graph Permissions
The in-app connector form currently calls out this permission set as known to work for a full sync. All of these are Microsoft Graph application permissions (not delegated), so each needs admin consent:
- User.Read.All
- Group.Read.All
- Application.Read.All
- AppRoleAssignment.Read.All
- RoleManagement.Read.Directory
For discovery, also grant:
- AuditLog.Read.All
- Directory.Read.All
- DelegatedPermissionGrant.Read.All
Setup Instructions
1. Register an Application
Create an Entra application registration for Open-SSPM and note:
- Application (client) ID
- Directory (tenant) ID
2. Create a Client Secret
Create a client secret and save the value immediately; Entra shows it only once. Note the expiry date as well, because the connector stops authenticating once the secret lapses.
3. Grant Graph Permissions
Add the application permissions listed above and grant admin consent.
4. Configure in Open-SSPM
- Go to Settings → Connectors
- Open the Microsoft Entra ID connector
- Enter:
- Tenant ID
- Client ID
- Client secret
- Discovery enabled if needed
- Save the configuration
- Trigger a sync
Sync Tuning
The sync interval is controlled by an environment variable that takes a duration such as `15m`:

```bash
SYNC_ENTRA_INTERVAL=15m
```

Troubleshooting
Invalid Client Secret
- Confirm the secret has not expired
- Recreate it if necessary
Insufficient Privileges
- Verify the Graph application permissions were granted
- Re-run admin consent if needed
Discovery Data Missing
- Enable discovery on the connector
- Confirm the extra discovery permissions were granted
- Make sure the discovery worker is running
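The permission checks above (setup step 3, "Insufficient Privileges" and "Discovery Data Missing") all come down to one question: does the token the connector obtains carry the required Graph application permissions in its `roles` claim? The following script is an added example, not Open-SSPM's own code. The permission names are the ones listed in this page, and the token endpoint, `.default` scope and `roles` claim are standard Microsoft identity platform behaviour; the function names, the `ENTRA_*` environment variables and the embedded sample token are assumptions made for illustration.

```python
"""Check that an Entra app registration holds the Graph application
permissions the Open-SSPM connector needs, by inspecting the roles claim
of a client-credentials token.

Added example, not code from Open-SSPM. Function names, ENTRA_* variable
names and the sample token are assumed for illustration only.
"""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

# Application permissions the connector form lists for full sync.
REQUIRED_SYNC_ROLES = {
    "User.Read.All",
    "Group.Read.All",
    "Application.Read.All",
    "AppRoleAssignment.Read.All",
    "RoleManagement.Read.Directory",
}

# Extra application permissions needed when discovery is enabled.
REQUIRED_DISCOVERY_ROLES = {
    "AuditLog.Read.All",
    "Directory.Read.All",
    "DelegatedPermissionGrant.Read.All",
}

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWT WITHOUT verifying its signature.

    Good enough for inspecting a token you just received from the token
    endpoint; never use this to authenticate anything.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def missing_roles(claims: dict, discovery: bool = False) -> list[str]:
    """Required Graph app permissions absent from the token's roles claim.

    Admin-consented application permissions appear in 'roles'. Anything
    missing here is what Graph later rejects as insufficient privileges.
    """
    required = set(REQUIRED_SYNC_ROLES)
    if discovery:
        required |= REQUIRED_DISCOVERY_ROLES
    granted = set(claims.get("roles", []))
    return sorted(required - granted)


def acquire_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials grant for Graph; returns the raw access token.

    An expired or mistyped secret is rejected by the token endpoint
    (HTTP 401), which is the 'Invalid Client Secret' case above.
    """
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
        "grant_type": "client_credentials",
    }).encode()
    req = urllib.request.Request(TOKEN_URL.format(tenant=tenant_id), data=body)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def _unsigned_jwt(claims: dict) -> str:
    # Builds an alg=none token for the constructed sample below only.
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample: an app consented for full sync but not for discovery.
SAMPLE_TOKEN = _unsigned_jwt({
    "aud": "https://graph.microsoft.com",
    "roles": sorted(REQUIRED_SYNC_ROLES),
})


def check_token(token: str, discovery: bool) -> list[str]:
    return missing_roles(decode_jwt_claims(token), discovery)


if __name__ == "__main__":
    # Live check when the connector's settings are in the environment
    # (assumed variable names); otherwise run against the constructed sample.
    env = [os.environ.get(k) for k in ("ENTRA_TENANT_ID", "ENTRA_CLIENT_ID", "ENTRA_CLIENT_SECRET")]
    token = acquire_token(*env) if all(env) else SAMPLE_TOKEN
    missing = check_token(token, discovery="--discovery" in sys.argv)
    print("all required permissions present" if not missing else "missing: " + ", ".join(missing))
    sys.exit(1 if missing else 0)
```

Run it with `--discovery` when the connector has discovery enabled; against the sample token it reports the three discovery permissions as missing, which is exactly the "Discovery Data Missing" symptom. Re-run admin consent in the portal and request a fresh token: the roles claim only changes when a new token is issued.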