Microsoft Entra
Connector Details
| Connector Attributes | Details |
|---|---|
| Name | Microsoft Entra |
| Description | Microsoft Entra is a comprehensive identity and access management (IAM) solution designed to securely manage access to resources across a range of environments, including on-premises, cloud, and hybrid setups. It combines Azure Active Directory (Azure AD) with advanced identity governance, entitlement management, and decentralized identity capabilities to provide a unified platform for managing identities and permissions. Entra enhances security by offering features like conditional access, multi-factor authentication (MFA), and identity protection, making it an essential tool for organizations looking to safeguard their digital assets while ensuring seamless user experiences. |
| Connector Type | Class B |
Features
| Feature Name | Feature Details |
|---|---|
| Load Strategies | Full Load, Incremental Load |
| Metadata Extraction | Supported |
| Data Acquisition | Supported |
| Data Publishing | Not Supported |
| Automated Schema Drift Handling | Not Supported |
Source Connection Attributes
| Connection Parameters | Data Type | Example |
|---|---|---|
| Client ID | String (GUID) | 60a062ab-8f8b-401b-85a9-20ca617e3bc3 |
| Tenant ID | String (GUID) | 2bcd81c5-12cc-4a03-866f-831daedd6555 |
| App Secret | String | |
| API Version | String | Options are "v1.0" or "beta". Default and recommend value is "v1.0", as it is more stable. It is not recommended to use "beta" as that API version can change often. |
| Bronze Schema (Optional) | String | |
| Silver Schema (Optional) | String |
Connector Specific Configuration Details
The Empower Microsoft Entra ID connector uses the Microsoft Graph API to query the data.
-
Microsoft Entra ID connector has optional values such as Bronze Schema and Silver Schema
-
Register a new Application in Microsoft Entra Id called "Empower Entra Data Extraction Connector"
- Steps on how to register an application. Get access without a user - Microsoft Graph
- Leave Redirect URI blank for now.
-
Assign App API permissions.
- For Instructions on how to assign Graph API permissions, see the following link Configure permissions for Microsoft Graph
- For specific permissions required for the Empower Entra ID Connector, see the section below Graph API Permissions Requirements .
-
Request administrator consent—all of the API endpoints will require administrator consent to grant access to the app.
-
Connection details are can be found in Entra ID App Registration for the app created in step#2:
Client ID: This represents the Application (client) ID for your registered application in your Azure Tenant.
Tenant ID: This represents the tenant ID for your Azure Tenant.
App Secret: This is the Client Credentials Secret for the registered application in Azure Entra ID App Registration.
API Version: Options are "v1.0" and "beta", it is recommended to use "v1.0" as it is more stable.
- Refer the public documentation for more details around this source: Public API documentation
More details around this connector
Screenshot To Use Connector
Graph API Permissions Requirements
The registered app will need Graph API Read.All permissions for each endpoint for the type of data required to extract into Empower. Below are the minimum requirements.
| Resource | Permission | Short Description | Admin consent required | Development Access? |
|---|---|---|---|---|
| Application | Application.Read.All | Read all applications | Yes | Yes |
| Device | Device.Read.All | Read all devices | Yes | Yes |
| Directory | Directory.Read.All | Read directory data | Yes | Yes |
| Domain | Domain.Read.All | Read domains | Yes | Yes |
| Group | Group.Read.All | Read all groups | Yes | Yes |
| GroupMember | GroupMember.Read.All | Read all group memberships | Yes | Yes |
| Organization | Organization.Read.All | Read organization information | Yes | Yes |
| RoleManagement | RoleManagement.Read.All | Read role management data for all RBAC providers | Yes | Yes |
| User | User.Read.All | Read all users' full profiles | Yes | Yes |
IMPORTANT! You will be required to turn off any Objects in Empower Analytics UI Metadata Catalog page for the source that the register application does not have access to. An error message will be thrown to specify if an object does not have permissions during Data Extraction.
Depending on access and permissions, some fields that are available in a given Object may not have full access and those fields will be required to turned off in the Field Details.
Example: You may need to exclude the columns
signInActivity,mailboxSettings,deviceEnrollmentLimit,print,aboutMe,birthday,hireDate,interests,mySite,pastProjects,preferredName,responsibilities,schools,skillsfrom theuserstable
Advance Query Options
Empower Entra ID Connector does support the ability to add advanced query options by adding a Where Query Part for an object in the Empower Metadata Catalog.
Microsoft Graph supports the $filter OData query parameter to retrieve a subset of a collection.
The expression specified with $filter is evaluated for each resource in the collection, and only items where the expression evaluates to true are included in the response. Resources for which the expression evaluates to false or to null, or which reference properties that are unavailable due to permissions, are omitted from the response.
Helpful Links for Graph API Query Parameters
Note: You do not need to add
$filter=into the Where Query Part, instead only include the logic for the filter.
Updated 3 months ago