Microsoft Entra

Connector Details

| Connector Attributes | Details |
| --- | --- |
| Name | Microsoft Entra |
| Description | Microsoft Entra is a comprehensive identity and access management (IAM) solution designed to securely manage access to resources across a range of environments, including on-premises, cloud, and hybrid setups. It combines Azure Active Directory (Azure AD) with advanced identity governance, entitlement management, and decentralized identity capabilities to provide a unified platform for managing identities and permissions. Entra enhances security by offering features like conditional access, multi-factor authentication (MFA), and identity protection, making it an essential tool for organizations looking to safeguard their digital assets while ensuring seamless user experiences. |
| Connector Type | Class B |

Features

| Feature Name | Feature Details |
| --- | --- |
| Load Strategies | Full Load, Incremental Load |
| Metadata Extraction | Supported |
| Data Acquisition | Supported |
| Data Publishing | Not Supported |
| Automated Schema Drift Handling | Not Supported |

Source Connection Attributes

| Connection Parameters | Data Type | Example |
| --- | --- | --- |
| Client ID | String (GUID) | 60a062ab-8f8b-401b-85a9-20ca617e3bc3 |
| Tenant ID | String (GUID) | 2bcd81c5-12cc-4a03-866f-831daedd6555 |
| App Secret | String | |
| API Version | String | Options are "v1.0" or "beta". The default and recommended value is "v1.0", as it is more stable. Using "beta" is not recommended, as that API version can change often. |
| Bronze Schema (Optional) | String | |
| Silver Schema (Optional) | String | |

Connector Specific Configuration Details

The Empower Microsoft Entra ID connector uses the Microsoft Graph API to query the data.

  1. The Microsoft Entra ID connector has optional values such as Bronze Schema and Silver Schema.

  2. Register a new application in Microsoft Entra ID called "Empower Entra Data Extraction Connector".

    1. For steps on how to register an application, see Get access without a user - Microsoft Graph.
    2. Leave Redirect URI blank for now.
  3. Assign App API permissions.

    1. For instructions on how to assign Graph API permissions, see Configure permissions for Microsoft Graph.
    2. For the specific permissions required for the Empower Entra ID Connector, see the Graph API Permissions Requirements section below.
  4. Request administrator consent—all of the API endpoints will require administrator consent to grant access to the app.

  5. Connection details can be found in the Entra ID App Registration for the app created in step 2:

    Client ID: This represents the Application (client) ID for your registered application in your Azure Tenant.

    Tenant ID: This represents the tenant ID for your Azure Tenant.

    App Secret: This is the Client Credentials Secret for the registered application in Azure Entra ID App Registration.

    API Version: Options are "v1.0" and "beta"; "v1.0" is recommended as it is more stable.

  6. Refer to the public documentation for more details about this source: Public API documentation

More details around this connector

Screenshot To Use Connector


Graph API Permissions Requirements

The registered app will need Graph API Read.All permissions for each endpoint for the type of data required to extract into Empower. Below are the minimum requirements.

| Resource | Permission | Short Description | Admin consent required | Development Access? |
| --- | --- | --- | --- | --- |
| Application | Application.Read.All | Read all applications | Yes | Yes |
| Device | Device.Read.All | Read all devices | Yes | Yes |
| Directory | Directory.Read.All | Read directory data | Yes | Yes |
| Domain | Domain.Read.All | Read domains | Yes | Yes |
| Group | Group.Read.All | Read all groups | Yes | Yes |
| GroupMember | GroupMember.Read.All | Read all group memberships | Yes | Yes |
| Organization | Organization.Read.All | Read organization information | Yes | Yes |
| RoleManagement | RoleManagement.Read.All | Read role management data for all RBAC providers | Yes | Yes |
| User | User.Read.All | Read all users' full profiles | Yes | Yes |

IMPORTANT! On the Metadata Catalog page of the Empower Analytics UI, you must turn off any Objects for the source that the registered application does not have access to. During Data Extraction, an error message is thrown that specifies when an object does not have permissions.

Depending on access and permissions, some fields that are available in a given Object may not be fully accessible, and those fields must be turned off in the Field Details.

Example: You may need to exclude the columns signInActivity, mailboxSettings, deviceEnrollmentLimit, print, aboutMe, birthday, hireDate, interests, mySite, pastProjects, preferredName, responsibilities, schools, skills from the users table.
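To see which permissions from the table above an app registration actually holds, you can inspect the `roles` claim of an app-only access token issued to it. The following is an added example, not Empower or Microsoft code: it assumes a token already obtained through the client credentials flow, uses a constructed unsigned token so it runs offline, and the function names are hypothetical.

```python
import base64
import json

# Minimum application permissions from the table on this page.
REQUIRED = {
    "Application.Read.All", "Device.Read.All", "Directory.Read.All",
    "Domain.Read.All", "Group.Read.All", "GroupMember.Read.All",
    "Organization.Read.All", "RoleManagement.Read.All", "User.Read.All",
}


def token_claims(jwt: str) -> dict:
    """Decode the JWT payload for inspection only; the signature is not verified."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_token(jwt: str, tenant_id: str, client_id: str) -> dict:
    """Compare an app-only token's identity and roles with what the connector needs."""
    claims = token_claims(jwt)
    roles = set(claims.get("roles", []))
    return {
        "tenant_ok": claims.get("tid") == tenant_id,
        # v1.0-format tokens carry the client ID in appid, v2.0-format in azp.
        "app_ok": claims.get("appid", claims.get("azp")) == client_id,
        "missing": sorted(REQUIRED - roles),  # objects to turn off, or consent to grant
        "excess": sorted(roles - REQUIRED),   # more than the connector needs
    }


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"


if __name__ == "__main__":
    tenant = "2bcd81c5-12cc-4a03-866f-831daedd6555"  # example GUIDs from this page
    client = "60a062ab-8f8b-401b-85a9-20ca617e3bc3"
    sample = make_sample_token({
        "tid": tenant, "appid": client,
        "roles": sorted(REQUIRED - {"User.Read.All"}) + ["Directory.ReadWrite.All"],
    })
    print(audit_token(sample, tenant, client))
```

Entries under `missing` correspond to objects that will fail during Data Extraction until consent is granted or the object is turned off; entries under `excess` are grants beyond the read-only minimum listed above.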


Advanced Query Options

The Empower Entra ID Connector supports advanced query options through a Where Query Part added to an object in the Empower Metadata Catalog.

Microsoft Graph supports the $filter OData query parameter to retrieve a subset of a collection.

The expression specified with $filter is evaluated for each resource in the collection, and only items where the expression evaluates to true are included in the response. Resources for which the expression evaluates to false or to null, or which reference properties that are unavailable due to permissions, are omitted from the response.

Helpful Links for Graph API Query Parameters

Note: You do not need to add $filter= to the Where Query Part; include only the logic for the filter.
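The sketch below shows how a Where Query Part that holds only the filter logic can map onto a Microsoft Graph request. It is an added example, not the connector's own code: the function name and the composition logic are assumptions, and the filter strings are constructed samples.

```python
from urllib.parse import quote

GRAPH_ROOT = "https://graph.microsoft.com"
API_VERSIONS = ("v1.0", "beta")  # the two API Version options listed on this page


def graph_request_url(api_version: str, collection: str, where_part: str = "") -> str:
    """Compose a Graph collection URL from a Where Query Part (filter logic only)."""
    if api_version not in API_VERSIONS:
        raise ValueError(f"API Version must be one of {API_VERSIONS}")
    url = f"{GRAPH_ROOT}/{api_version}/{quote(collection, safe='')}"
    expr = where_part.strip()
    # Tolerate a pasted "$filter=" prefix so the parameter name is not sent twice.
    if expr.lower().startswith("$filter="):
        expr = expr[len("$filter="):].strip()
    if not expr:
        return url
    # Percent-encode the whole expression so "&", "#" or "+" inside it stay part
    # of the filter value and cannot start another query option.
    return f"{url}?$filter={quote(expr, safe='')}"


if __name__ == "__main__":
    # Constructed sample filters for the users object.
    print(graph_request_url("v1.0", "users", "accountEnabled eq true"))
    print(graph_request_url("v1.0", "users", "department eq 'R&D'"))
```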