Microsoft Entra ID (formerly Azure AD)
Microsoft·AE_HSc_MicrosoftEntraID_ConnectorGuide
Overview
The Microsoft Entra ID connector integrates AlertEnterprise Guardian with Microsoft Entra ID — Microsoft's cloud identity platform (rebranded from Azure Active Directory in 2023). Entra ID is the dominant cloud identity directory for Microsoft 365 / Azure customers and almost every Fortune 500 enterprise; supporting it is mandatory for AE in any large deployment.
Architecture: AE Guardian → ACF → Alert Microsoft Entra ID Connector → Microsoft Graph API → Microsoft Entra ID Platform. The connector calls the Graph API (graph.microsoft.com) for all operations — provisioning, reconciliation, group membership management, directory role assignment, license / service plan management.
Authentication uses OAuth 2.0 client credentials via an app registration in the customer's Entra tenant — the customer creates an app registration in Entra, generates a client secret, and grants admin consent for the required Graph API application permissions. The connector then exchanges client_id + client_secret for an access token on each session.
Capabilities: Create/Update/Lock/Unlock/Delete User, Change Password, plus Change Access as a composite operation that covers User Group membership, Directory Role assignment, and Service Plan License grants — meaningful for license-cost-conscious enterprises that need PIAM-driven license cleanup as part of off-boarding.
Note: the connector JAR retains the legacy name ALNTAzureADConnector-5.0-SNAPSHOT.jar and registers com.alnt.azuread.provisioning.services.AzureADConnectionInterface — both reflect the pre-rebrand naming.
Architecture
[Architecture diagram: rendered from this connector's actors and edges, with trust zones color-coded and trust-boundary crossings drawn as thicker lines; the diagram itself is not reproduced in text.]
Authentication
1 method supported
The connector authenticates via an app registration in the customer's Entra ID tenant. The customer must:
1. Register a new application in Entra → App Registrations
2. Create a client secret under Certificates & Secrets (note the secret value — it's only displayed once)
3. Configure API Permissions (see Prerequisites below) and grant admin consent
4. Configure the connector's System Parameters with the app's clientId, clientSecret, tenant, and azureApiVersion
The connector exchanges these for an OAuth 2.0 access token at login.microsoftonline.com and uses the token on every Graph API call.
Endpoints
7 endpoints exercised by the connector
| Method | Path | Description | Category |
|---|---|---|---|
| POST | https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token | OAuth 2.0 token endpoint — exchanges client credentials for an access token. | auth |
| GET | https://graph.microsoft.com/v1.0/users | List users (full + incremental reconciliation). | query |
| POST | https://graph.microsoft.com/v1.0/users | Create user. | provisioning |
| PATCH | https://graph.microsoft.com/v1.0/users/{id} | Update user. | provisioning |
| GET | https://graph.microsoft.com/v1.0/groups | List groups (full reconciliation). | query |
| GET | https://graph.microsoft.com/v1.0/users/{id}/memberOf | Read directory role + group memberships for a user. | query |
| GET | https://graph.microsoft.com/v1.0/directoryRoles | Read all directory roles. | query |
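The token exchange and the reconciliation reads from the table above, as an added Python example that is not the AlertEnterprise connector's own code. It assumes a pluggable transport `http(method, url, headers, body) -> (status, body)` so the same logic runs against constructed responses offline (the `_FAKE` table and `fake_http` below are constructed stand-ins for the tenant); `urllib_http` is the equivalent live transport. The scope `https://graph.microsoft.com/.default`, `@odata.nextLink` paging and the `@odata.type` values are standard Microsoft Graph behaviour; the tenant, client id and secret values are placeholders.

```python
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH = "https://graph.microsoft.com/v1.0"
Http = Callable[[str, str, Dict[str, str], bytes], Tuple[int, bytes]]


def build_token_request(tenant: str, client_id: str, client_secret: str):
    """Client-credentials grant: app-only token; the scope must be Graph's '/.default'."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    return TOKEN_URL.format(tenant=tenant), {"Content-Type": "application/x-www-form-urlencoded"}, body


def get_token(http: Http, tenant: str, client_id: str, client_secret: str) -> str:
    url, headers, body = build_token_request(tenant, client_id, client_secret)
    status, resp = http("POST", url, headers, body)
    if status != 200:
        raise RuntimeError(f"token endpoint returned HTTP {status}")
    data = json.loads(resp)
    if data.get("token_type") != "Bearer" or "access_token" not in data:
        raise RuntimeError("unexpected token response")
    return data["access_token"]


def _get_json(http: Http, token: str, url: str) -> dict:
    status, resp = http("GET", url, {"Authorization": f"Bearer {token}"}, b"")
    if status != 200:
        raise RuntimeError(f"{url} returned HTTP {status}")
    return json.loads(resp)


def list_users(http: Http, token: str,
               select=("id", "userPrincipalName", "displayName", "accountEnabled")) -> List[dict]:
    """Full reconciliation read: follow @odata.nextLink until the last page."""
    url = f"{GRAPH}/users?$select={','.join(select)}"
    users: List[dict] = []
    while url:
        page = _get_json(http, token, url)
        users.extend(page.get("value", []))
        url = page.get("@odata.nextLink")   # absent on the final page
    return users


def member_of(http: Http, token: str, user_id: str) -> Tuple[List[str], List[str]]:
    """Split a user's memberOf result into group names and directory-role names by @odata.type."""
    groups, roles = [], []
    url = f"{GRAPH}/users/{user_id}/memberOf"
    while url:
        page = _get_json(http, token, url)
        for obj in page.get("value", []):
            kind = obj.get("@odata.type")
            if kind == "#microsoft.graph.group":
                groups.append(obj["displayName"])
            elif kind == "#microsoft.graph.directoryRole":
                roles.append(obj["displayName"])
        url = page.get("@odata.nextLink")
    return groups, roles


def urllib_http(method: str, url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, bytes]:
    """Live transport (not exercised by the offline demo)."""
    req = urllib.request.Request(url, data=body or None, headers=headers, method=method)
    with urllib.request.urlopen(req) as r:
        return r.status, r.read()


# Constructed responses standing in for a tenant so the demo runs offline.
_FAKE = {
    ("POST", TOKEN_URL.format(tenant="contoso.example")):
        {"token_type": "Bearer", "access_token": "FAKE-TOKEN", "expires_in": 3599},
    ("GET", f"{GRAPH}/users?$select=id,userPrincipalName,displayName,accountEnabled"): {
        "value": [{"id": "u1", "userPrincipalName": "alice@contoso.example",
                   "displayName": "Alice", "accountEnabled": True}],
        "@odata.nextLink": f"{GRAPH}/users?$skiptoken=page2"},
    ("GET", f"{GRAPH}/users?$skiptoken=page2"): {
        "value": [{"id": "u2", "userPrincipalName": "bob@contoso.example",
                   "displayName": "Bob", "accountEnabled": False}]},
    ("GET", f"{GRAPH}/users/u1/memberOf"): {"value": [
        {"@odata.type": "#microsoft.graph.group", "displayName": "Badge Holders"},
        {"@odata.type": "#microsoft.graph.directoryRole", "displayName": "User Administrator"}]},
}


def fake_http(method: str, url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, bytes]:
    if method == "GET" and headers.get("Authorization") != "Bearer FAKE-TOKEN":
        return 401, b'{"error":{"code":"InvalidAuthenticationToken"}}'
    payload = _FAKE.get((method, url))
    return (200, json.dumps(payload).encode()) if payload is not None else (404, b"{}")


def demo(http: Http = fake_http) -> dict:
    token = get_token(http, "contoso.example", "client-id-placeholder", "client-secret-placeholder")
    users = list_users(http, token)
    groups, roles = member_of(http, token, users[0]["id"])
    return {"users": [u["userPrincipalName"] for u in users],
            "disabled": [u["userPrincipalName"] for u in users if not u["accountEnabled"]],
            "groups": groups, "roles": roles}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Swap `fake_http` for `urllib_http` to run it against a real tenant; the paging loop is what keeps a full reconciliation correct once a tenant grows past one page of results.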
Prerequisites
Everything that must be in place for this connector to work, with the owner who's responsible.
Microsoft Entra ID tenant with admin access
Owner: customer. An operational Microsoft Entra ID tenant. The customer's Entra admin must perform app registration and grant admin consent for the required application permissions.
Entra app registration with Graph API permissions
Owner: customer. Create an app registration and grant the following Microsoft Graph API Application permissions (admin consent required for each):
Read permissions (reconciliation):
- User.Read.All — read all user profiles
- Group.Read.All — read all groups
- GroupMember.Read.All — read group membership
- Directory.Read.All — read directory data including subscribed SKUs (license info)
- RoleManagement.Read.Directory — read directory roles
Write permissions (provisioning):
- User.ReadWrite.All — create/update users
- User-LifeCycleInfo.ReadWrite.All — manage employee lifecycle (hire/termination dates)
- User.EnableDisableAccount.All — lock/unlock accounts
- User.ManageIdentities.All — add/update/remove external identities
Note: Application permissions (not Delegated) — the connector runs as an application, not as a delegated user.
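A pre-flight check for the permission list above, as an added Python example that is not the connector's code. It reads the `roles` claim of the access token obtained with client credentials (app-only tokens carry application permissions in `roles`; delegated tokens carry scopes in `scp`, which is the wrong kind for this connector) and reports what is missing and what was consented but never needed. The payload decode is unverified and is only a diagnostic on a token just received from the token endpoint; `make_unsigned_demo_token` builds constructed, unsigned tokens so the demo runs offline.

```python
import base64
import json
from typing import Dict, List

# Permissions the guide lists (admin-consented Application permissions)
REQUIRED_READ = ["User.Read.All", "Group.Read.All", "GroupMember.Read.All",
                 "Directory.Read.All", "RoleManagement.Read.Directory"]
REQUIRED_WRITE = ["User.ReadWrite.All", "User-LifeCycleInfo.ReadWrite.All",
                  "User.EnableDisableAccount.All", "User.ManageIdentities.All"]


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Read the payload without verifying the signature: a diagnostic on a token the
    client itself just received, never a substitute for validation on a resource server."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_app_permissions(token: str, required: List[str]) -> Dict[str, object]:
    claims = decode_jwt_payload(token)
    # App-only (client credentials) tokens carry application permissions in 'roles';
    # delegated tokens carry scopes in 'scp'. The connector needs the former.
    if "roles" not in claims and "scp" in claims:
        return {"token_kind": "delegated", "missing": sorted(required), "unused": []}
    granted = set(claims.get("roles", []))
    return {
        "token_kind": "application",
        "missing": sorted(set(required) - granted),
        # consented permissions the connector never calls for: least-privilege review input
        "unused": sorted(granted - set(required)),
    }


def make_unsigned_demo_token(claims: dict) -> str:
    """Constructed, unsigned JWT for the offline demo only (real Entra tokens are signed)."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def demo() -> Dict[str, object]:
    everything = REQUIRED_READ + REQUIRED_WRITE
    # Constructed token with only the read permissions plus one the connector does not need
    read_only = make_unsigned_demo_token(
        {"aud": "https://graph.microsoft.com", "roles": REQUIRED_READ + ["Mail.Read"]})
    # Constructed delegated token: has 'scp', no 'roles'
    delegated = make_unsigned_demo_token(
        {"aud": "https://graph.microsoft.com", "scp": "User.Read"})
    return {"read_only": check_app_permissions(read_only, everything),
            "delegated": check_app_permissions(delegated, everything)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run against the real token from the client-credentials exchange, a non-empty `missing` list means admin consent is still outstanding for those permissions, and a `delegated` result means the app was configured with Delegated rather than Application permissions.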
SSL certificate trust
Owner: AE. Standard SSL trust for graph.microsoft.com, typically trusted by default in modern JVMs. Verify the AE host's JVM cacerts keystore includes the Microsoft / DigiCert certificate chain.
Known limitations
Documented constraints to set customer expectations before deployment.
On-prem AD `Description` attribute not reconciled
Severity: informational. The connector does not reconcile the Description attribute when the source identity is hybrid-synced from on-prem Active Directory to Entra ID. For full description-attribute coverage, customers must also deploy the active-directory connector and reconcile from on-prem AD directly.
IAM specifics
- OIDC: yes
- SAML: yes
- SCIM: yes · SCIM 2.0
- JIT provisioning: configurable
- Group sync mode: nested
- Source of record: No
Entra ID enforces MFA via Conditional Access policies (Entra Premium P1+) or Security Defaults (free tier). MFA enforcement is owned by the customer's Entra admin — AE Guardian does not enforce or override.
Standard Graph user properties (id, userPrincipalName, displayName, givenName, surname, mail, jobTitle, department, manager, accountEnabled). Customers can extend via Entra's directory schema and map additional attributes through AE's Field Mapping configuration.
- src/connectors/microsoft-entra-id/source.pdf — Full connector guide — 25 pages, revision 2.0 dated 2025-07-03
- src/connectors/microsoft-entra-id/source.pdf — p6 — Supported Version
- src/connectors/microsoft-entra-id/source.pdf — p8 — Connector Architecture