Introduction
The Microsoft Entra ID integration enables organizations to synchronize user and device identity information from cloud-native Azure environments into the IdentityGraph. This connector is designed for enterprises that have migrated away from on-premises Active Directory and rely exclusively on Microsoft's cloud identity platform (formerly Azure Active Directory) for authentication and device management.
The integration continuously polls Microsoft Graph API to retrieve company data, device lists, user accounts, and group memberships. Device information is enriched with data from Microsoft Intune, which provides hostname details, management status, and device attributes sourced directly from the operating system. User and group changes are processed through audit log monitoring, enabling near real-time policy updates when identities are added, removed, or modified in your Entra ID tenant.
| Benefit | Description |
|---|---|
| Cloud-Native Identity | Purpose-built for organizations using Azure-only identity infrastructure without on-premises Active Directory dependencies. |
| Automatic User and Device Sync | Continuously synchronizes user accounts, group memberships, and device information from your Entra ID tenant to maintain accurate identity data. |
| Intune Integration | Leverages Microsoft Intune enrollment to enrich device records with accurate hostname data, management status, and OS-sourced attributes. |
| Group-Based Policy Enforcement | Enables policy decisions based on Entra ID group membership, allowing dynamic network access controls that align with your cloud identity structure. |
| Audit Log Processing | Monitors Entra ID audit logs to detect identity changes, ensuring policy updates reflect user additions, deletions, and group modifications within minutes. |
| Comprehensive Visibility | Provides unified view of cloud-managed identities across user accounts and enrolled devices, supporting zero-trust segmentation strategies. |
Prerequisites
- Microsoft Entra ID tenant with administrative access
- Microsoft Intune subscription with device enrollment configured
- API application registration in Entra ID with the following Microsoft Graph API permissions: User.Read.All, Group.Read.All, Device.Read.All, DeviceManagementManagedDevices.Read.All, AuditLog.Read.All
- Application (client) ID and client secret or certificate for API authentication
- Cloud Control Center version 16.14.0 or higher
- Network connectivity from Cloud Control Center to Microsoft Graph API endpoints (graph.microsoft.com)
- Devices enrolled in Microsoft Intune for full enrichment capabilities
Design Considerations
| Requirement | Constraint |
|---|---|
| Update Latency (Users/Groups) | Identity changes processed within approximately 1 minute through audit log monitoring. Not sub-second like on-premises Active Directory. |
| Update Latency (Devices) | Device data refreshes based on Intune sync schedule. Typical interval ranges from 10-60 minutes for idle devices. Active devices may sync more frequently. |
| Intune Dependency | Device enrichment requires active Intune enrollment. Devices not enrolled in Intune will have limited identity attributes available for policy matching. |
| Cache Time-to-Live | Stale device records remain in cache for 72 hours after removal from Intune. This matches standard connector cache behavior across all identity sources. |
| API Rate Limits | Microsoft Graph API enforces throttling limits. Large tenants with frequent changes may experience temporary delays during high-volume sync operations. |
| Permissions Scope | Application permissions must include read access to users, groups, devices, Intune managed devices, and audit logs. Insufficient permissions will cause sync failures. |
Identity Sync Timing: Organizations accustomed to on-premises Active Directory should understand that cloud identity synchronization operates differently. While user and group changes propagate quickly (approximately 1 minute), device updates follow Intune's sync schedule rather than occurring instantly. This timing model is inherent to cloud-based MDM platforms and should be communicated to stakeholders during deployment planning.
Intune Enrollment Requirements: Device enrichment relies on Microsoft Intune as the authoritative source for device attributes. Ensure all devices requiring policy enforcement are properly enrolled in Intune and maintain active management status. Devices removed from Intune will gradually lose enrichment data as cache expires.
API Permissions Verification: Before configuring the connector, verify that your Entra ID application registration includes all required Microsoft Graph API permissions with admin consent granted. Missing permissions will result in incomplete data synchronization or connector authentication failures.
Update Frequency Expectations: Set clear expectations with network operations and security teams regarding update timing. Unlike on-premises AD domain controller replication (sub-second), cloud identity changes require 1-60 minutes depending on change type. Plan policy testing workflows accordingly.
Before You Begin
Understanding Intune Integration: The connector retrieves device information through Microsoft Graph API by querying both Entra ID device records and Intune managed device data. Intune provides the most accurate hostname information because it sources this data directly from the device operating system during enrollment and check-in cycles. This approach yields more reliable hostname data than reverse DNS lookups, which may return incomplete or incorrect results.
Audit Log Processing: User and group changes are detected through continuous monitoring of Entra ID audit logs. When audit events indicate identity modifications (user added, user deleted, group membership changed), the connector creates delayed processing tasks to refresh affected identity records. This audit-driven approach enables near real-time policy updates without requiring constant polling of all user and group objects.
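To make the audit-driven approach concrete, the following Python is an added illustration, not the connector's own code, of how audit records can be turned into per-object refresh tasks. The records are constructed for the example and mimic the shape of Microsoft Graph directoryAudits entries (activityDisplayName, result, targetResources); the specific activity names used ("Add user", "Delete user", "Add member to group", "Remove member from group") are assumed to be the values Entra ID writes for these events. Failed operations and unrelated activities are skipped, and repeated targets collapse into a single task so one burst of changes does not fan out into duplicate Graph reads.

```python
from dataclasses import dataclass

# Audit activity names treated as identity modifications. Assumption: these are the
# activityDisplayName values Entra ID writes for user add/delete and membership changes.
USER_ACTIVITIES = {"Add user": "user_added", "Delete user": "user_deleted"}
GROUP_ACTIVITIES = {
    "Add member to group": "membership_changed",
    "Remove member from group": "membership_changed",
}


@dataclass(frozen=True)
class RefreshTask:
    kind: str         # what changed
    target_id: str    # object ID of the user or group to re-read from Graph
    target_type: str  # "User" or "Group"


def tasks_from_audit(records):
    """Turn directoryAudits-style records into de-duplicated refresh tasks.
    Failed operations and activities outside the add/delete/membership set are skipped."""
    tasks, seen = [], set()
    for rec in records:
        if rec.get("result") != "success":
            continue
        activity = rec.get("activityDisplayName")
        kind = USER_ACTIVITIES.get(activity) or GROUP_ACTIVITIES.get(activity)
        if kind is None:
            continue
        for target in rec.get("targetResources", []):
            if target.get("type") not in ("User", "Group"):
                continue
            task = RefreshTask(kind, target["id"], target["type"])
            if task not in seen:
                seen.add(task)
                tasks.append(task)
    return tasks


# Constructed sample records shaped like Microsoft Graph directoryAudits entries.
SAMPLE_AUDIT = [
    {"activityDisplayName": "Add user", "result": "success",
     "targetResources": [{"id": "u-1001", "type": "User", "displayName": "test.user"}]},
    {"activityDisplayName": "Add member to group", "result": "success",
     "targetResources": [{"id": "u-1001", "type": "User", "displayName": "test.user"},
                         {"id": "g-2001", "type": "Group", "displayName": "All Users"}]},
    # Attribute edit, not an add/delete/membership event: ignored.
    {"activityDisplayName": "Update user", "result": "success",
     "targetResources": [{"id": "u-1002", "type": "User"}]},
    # Failed operation: nothing changed, so no refresh is scheduled.
    {"activityDisplayName": "Delete user", "result": "failure",
     "targetResources": [{"id": "u-1003", "type": "User"}]},
    {"activityDisplayName": "Remove member from group", "result": "success",
     "targetResources": [{"id": "u-1004", "type": "User"},
                         {"id": "g-2001", "type": "Group"}]},
]


if __name__ == "__main__":
    for task in tasks_from_audit(SAMPLE_AUDIT):
        print(task)
```

Running the block against the constructed records yields four tasks: one user add, one membership refresh each for u-1001 and u-1004, and a single membership refresh for the group g-2001 even though it appears in two records.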
Sync Schedule and Manual Triggers: After initial configuration, the connector polls Microsoft Graph API on a regular schedule to retrieve updated device lists and company data. Manual sync operations can be triggered from the Cloud Control Center interface when immediate updates are required, such as after bulk enrollment of new devices or major organizational changes in your Entra ID tenant.
Configuration
Step 1: Create Entra ID Application Registration
Navigate to the Microsoft Azure Portal and access your Entra ID tenant. In the left navigation pane, select App registrations under the Manage section. Click New registration in the top toolbar to begin creating the application registration required for the Elisity connector.
On the Register an application page, provide a descriptive Name for the application such as "Elisity-CCC" or "Elisity IdentityGraph Connector". Under Supported account types, select Accounts in this organizational directory only (Single tenant). This restricts API access to your specific Entra ID tenant and prevents external authentication attempts. The Redirect URI field can be left blank as this integration uses application permissions rather than delegated user permissions. Click Register to create the application.
After registration completes, the application overview page displays critical identifiers required for connector configuration. Locate and copy the Application (client) ID and Directory (tenant) ID from the Essentials section. These values will be entered into Cloud Control Center during connector setup. Keep this browser window open as additional configuration steps reference this application registration.
Step 2: Configure API Permissions
In the left navigation pane of your application registration, select API permissions. Click Add a permission to open the permission selection interface. Select Microsoft Graph as the API type. Choose Application permissions rather than Delegated permissions, as the connector operates as a background service without user interaction.
The following Microsoft Graph API permissions are required for the Entra ID connector:
| Permission | Description |
|---|---|
| User.Read.All | Provides read access to all user accounts and their properties including display names, email addresses, and account status. |
| Group.Read.All | Enables the connector to retrieve all group memberships and group attributes from your tenant for group-based policy enforcement. |
| Device.Read.All | Grants access to device registrations in Entra ID including device identifiers and registration status. |
| DeviceManagementManagedDevices.Read.All | Allows retrieval of Intune-managed device information including hostnames, management status, and OS-sourced attributes from enrolled devices. |
| AuditLog.Read.All | Enables monitoring of identity changes through audit log processing for near real-time policy updates when users or groups are modified. |
Use the permission search field to locate and add each of the five required permissions listed above. After adding each permission, it will appear in the configured permissions list with "Not granted" status.
After adding all five required permissions, the configured permissions list displays each permission with its type and description. Note that all permissions show "Not granted" status in the Status column with warning indicators. Application permissions require explicit administrator consent before they can be used by the connector.
Click Grant admin consent for [Your Organization] to approve all permissions. A confirmation dialog appears warning that granting tenant-wide consent may revoke permissions that users have already granted on their own behalf. Click Yes to proceed with granting consent. This action requires Global Administrator or Privileged Role Administrator privileges in your Entra ID tenant.
After admin consent is granted successfully, the Status column updates to show green checkmarks with "Granted for [Your Organization]" text for all permissions. The API permissions are now active and the application registration can authenticate and access Microsoft Graph API endpoints. Verify that all five required permissions display granted status before proceeding to credential generation.
Step 3: Generate Client Secret
In the left navigation pane, select Certificates & secrets. Navigate to the Client secrets tab. Click New client secret to generate the authentication credential required by Cloud Control Center.
In the Add a client secret dialog, provide a descriptive name in the Description field such as "CCC-Secret" or "Elisity Connector Secret". Select an expiration period from the Expires dropdown that aligns with your organization's security policies and secret rotation practices. Microsoft recommends using certificate-based authentication for production environments, but client secrets are acceptable for most deployments. Click Add to generate the secret.
After the secret is created, the Value column displays the client secret string. Copy this value immediately as it will not be displayed again after you navigate away from this page. The client secret is used to authenticate API requests from Cloud Control Center to Microsoft Graph. Store this value securely in a password manager or secrets vault. The Secret ID column shows an identifier for management purposes but this ID is not used during connector configuration. If you lose the secret value, you must generate a new client secret and update the connector configuration.
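As an added check that is not part of the original documentation or of the Elisity product: once the client ID, tenant ID and secret exist, a client-credentials request to the tenant's /oauth2/v2.0/token endpoint returns a Microsoft Graph access token whose roles claim lists the application permissions that were actually consented. The Python below inspects that claim and reports which of the five required permissions are missing and which extra ones were granted beyond the connector's needs. It never contacts Graph; make_sample_token fabricates an unsigned token purely so the check runs on constructed input (a real token is signed by Microsoft). The decoding is inspection only, not token validation, so it is suitable for an administrator's pre-flight check but not as a security control.

```python
import base64
import json

# The five application permissions this page lists as required for the connector.
REQUIRED_ROLES = {
    "User.Read.All",
    "Group.Read.All",
    "Device.Read.All",
    "DeviceManagementManagedDevices.Read.All",
    "AuditLog.Read.All",
}

# Audience values a Microsoft Graph token carries: the resource URL or the Graph app ID.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. The signature is NOT verified:
    this is an inspection aid for the administrator, not token validation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_graph_token(token: str) -> dict:
    """Report whether the token targets Graph, which required app roles it lacks,
    and which granted roles exceed what the connector needs (least privilege)."""
    claims = decode_claims(token)
    granted = set(claims.get("roles", []))
    return {
        "audience_ok": claims.get("aud") in GRAPH_AUDIENCES,
        "missing_roles": sorted(REQUIRED_ROLES - granted),
        "extra_roles": sorted(granted - REQUIRED_ROLES),
    }


def make_sample_token(roles, aud="https://graph.microsoft.com") -> str:
    """Constructed, unsigned token for offline demonstration only. A real Entra ID
    token is signed by Microsoft and issued by the tenant's /oauth2/v2.0/token endpoint."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({
        "aud": aud,
        "tid": "00000000-0000-0000-0000-000000000000",  # placeholder tenant ID
        "roles": list(roles),
    }).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    # Simulate a registration where consent was granted for only three of the five permissions.
    partial = make_sample_token(["User.Read.All", "Group.Read.All", "Device.Read.All"])
    print(check_graph_token(partial))
```

A non-empty missing_roles list means admin consent was not completed for those permissions (the "Not granted" state from Step 2); a non-empty extra_roles list is worth reviewing because the connector only reads data and any write or directory-wide role granted to it widens the blast radius of a leaked secret.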
Step 4: Configure Connector in Cloud Control Center
Log into Cloud Control Center and navigate to Settings using the left navigation menu. Select the CONNECTORS tab to display the list of configured identity integrations. If you have existing connectors, they appear in the table showing connector name, type, status, and configuration timestamps. Click Add Connector (or the plus icon) in the header to begin configuring a new integration.
The Add Connector modal displays available connector types. Locate and click the Entra ID tile to select Microsoft Entra ID as the integration type. The Entra ID connector card describes the integration as "a cloud-based identity and access management (IAM) solution that provides authentication and authorization services" and notes that it "secures access to Microsoft 365, Azure resources, and thousands of third-party SaaS applications using modern protocols like OAuth 2.0 and Conditional Access." Click CONFIGURE to proceed with connector setup.
Alternative Access Path: Clicking CONFIGURE redirects you to Settings → MICROSOFT ENTRA ID. You can also navigate directly to Settings → MICROSOFT ENTRA ID if you prefer to skip the Connectors page and begin configuration immediately.
In the MICROSOFT ENTRA ID tab, click ADD MICROSOFT ENTRA ID to open the connector configuration form. The empty state message indicates "No Microsoft Entra ID Configuration" and prompts you to get started by adding the configuration.
The Add Microsoft Entra ID configuration form collects the authentication credentials generated in Azure. Enter the Tenant ID (Directory ID) copied from the application registration overview page. This value uniquely identifies your Entra ID tenant. Enter the App ID (Application/Client ID) from the application registration. This identifies the specific application registration created for Elisity connector access. Enter the App Secret (client secret value) copied immediately after secret generation. The app secret field masks the entered value for security. Click ADD to validate and save the connector configuration.
After clicking ADD, Cloud Control Center validates the provided credentials by authenticating with Microsoft Graph API. The connector configuration page displays with initial status indicators. Sync Status shows "Not Performed" as the initial data synchronization has not yet occurred. Event Processing Status also shows "Not Performed" as audit log monitoring begins after the first sync completes. The Last Synced and Last Processed fields display "--" indicating no synchronization history exists yet. The Users count shows (0) as no identity data has been retrieved.
Step 5: Initiate Initial Sync
Click the SYNC button in the top-right corner of the Microsoft Entra ID configuration page to trigger the initial data synchronization. The sync operation retrieves all users, groups, devices, and Intune-managed device records from your Entra ID tenant through Microsoft Graph API.
During synchronization, the Sync Status indicator updates to show "Syncing" with a progress percentage (e.g., "Syncing (0.00%)"). The percentage increments as the connector retrieves and processes identity data from Microsoft Graph API. Initial sync duration depends on tenant size—small tenants with hundreds of users may complete in under a minute, while large tenants with thousands of users and devices may require several minutes. The Event Processing Status remains "Not Performed" during initial sync as audit log monitoring begins after the first complete data retrieval.
When synchronization completes successfully, both status indicators update to "Synced" with green checkmarks. The Last Synced field displays the timestamp of the completed sync operation. Event Processing Status also shows "Synced" indicating that audit log monitoring is now active and will detect identity changes in near real-time. The Users count displays the number of user accounts synchronized from Entra ID (e.g., "Users (19)"). The connector is now fully operational and will continue polling Microsoft Graph API on a regular schedule to detect changes. Audit log processing runs continuously to detect user and group modifications between scheduled polls.
Verify the Integration
After the initial sync completes, verify that identity data is flowing correctly into IdentityGraph and enriching device records.
Connector Status Active: Navigate to Settings → CONNECTORS and locate the Microsoft Entra ID connector in the list. Verify that the Status column shows Active with a green indicator. The connector configuration page should display "Synced" for both Sync Status and Event Processing Status with recent timestamps in the Last Synced and Last Processed fields.
User Data Synchronized: On the Microsoft Entra ID connector configuration page, verify that the Users count matches the expected number of users in your Entra ID tenant. The count should reflect all enabled user accounts that have been synchronized during the initial data retrieval. If the count appears significantly lower than expected, review connector logs for sync errors or permission issues.
Device Enrichment: Navigate to Devices in Cloud Control Center and select a device that should be Intune-enrolled. Click on the device to open the Device Details view. In the Identity Graph section, look for an Entra ID data block. This section displays Entra ID enrichment data including Hostname (sourced from Intune), User Member Of (Entra ID groups), Operating System and Operating System Version, Status (Up to date / Out of date), and User Email Address of the logged-in user.
The presence of the Entra ID section with populated fields confirms that the connector is successfully enriching device records with identity data from Microsoft Graph API and Intune. If the Entra ID section is missing or fields are empty, verify that the device is properly enrolled in Intune and has completed at least one sync cycle.
AD User Logon Events: Within the Device Details view, click on the AD User Logons tab in the left navigation. This page displays a table of user login events detected on the device, showing User Account ID, IP Address, and Logon Time. The presence of user login records confirms that the Entra ID connector is tracking user sessions and associating them with devices. If no logon events appear for a device that has active users, verify that audit log processing is enabled (Event Processing Status shows "Synced") and that users have logged in since the connector was configured.
| Verification Check | Expected Result |
|---|---|
| Connector Status | Active status with green indicator. Sync Status and Event Processing Status both show "Synced" with recent timestamps. |
| User Count Match | Users count on connector configuration page matches expected number of Entra ID accounts in your tenant. |
| Device Enrichment Present | Intune-enrolled devices display an Entra ID data block in Device Details with populated hostname, user groups, OS version, and status fields. |
| User Login Tracking | AD User Logons tab shows login events with user account IDs, IP addresses, and logon timestamps for devices with active users. |
| Group Membership Data | Entra ID section displays "User Member Of" field showing Entra ID group names associated with logged-in users (e.g., "All Users"). |
| Real-Time Update Test | Create a test user in Entra ID and add to a group. Within approximately 1 minute, verify the new user appears in Cloud Control Center with correct group membership. |
Integration Complete: If all verification checks pass, the Entra ID connector is fully operational and enriching IdentityGraph with cloud identity data. The connector will continue polling Microsoft Graph API on a regular schedule and monitoring audit logs for real-time identity changes. Device enrichment quality depends on active Intune enrollment—ensure all corporate devices maintain Intune management for optimal policy enforcement accuracy.
Understanding Update Timing
Update timing for Entra ID integration differs from on-premises Active Directory due to the cloud-based architecture and Intune synchronization model. Organizations migrating from domain controller-based identity sources should understand these timing characteristics to set appropriate expectations and design effective testing procedures.
User and group changes propagate quickly because the connector monitors Entra ID audit logs continuously. When a user is added, deleted, or their group membership changes, the audit log event triggers immediate processing. This typically results in policy updates within 1 minute of the change occurring in Entra ID. This timing is substantially faster than scheduled polling but still slower than the sub-second replication speed of on-premises AD.
Device updates follow a different timing model because they depend on Intune's sync schedule rather than audit log events. When a device checks in with Intune, updated device information becomes available to the connector during the next polling cycle. Idle devices typically sync with Intune every 10-60 minutes. Active devices may sync more frequently depending on user activity and device state. This variable timing means device attribute changes (hostname, management status, OS version) may take up to an hour to reflect in policy enforcement.
Policy enforcement timing depends on which identity attributes are being evaluated. Policies based on user identity or group membership update within minutes because these changes are audit-driven. Policies based on device attributes follow the Intune sync schedule. When designing access policies, consider whether time-sensitive decisions should rely on user-based criteria (fast updates) or device-based criteria (slower updates).
| Scenario | Expected Timing |
|---|---|
| Existing user deleted from Entra ID | Network access revocation occurs within approximately 1 minute based on group membership changes detected in audit logs. |
| New user added to Entra ID | User identity appears in IdentityGraph within approximately 1 minute. Policy enforcement begins when the user's device syncs with Intune. |
| Existing user added to new group | Group membership updates propagate within approximately 1 minute. Policies based on group membership take effect immediately after. |
| Existing user removed from group | Group membership removal detected within approximately 1 minute. Network access changes take effect based on updated group membership. |
| New user logs into Intune-enrolled device | Policy enforcement begins immediately after the device completes Intune onboarding for the new user. User identity is already available from previous sync. |
| User logs out, device remains powered on | No change to policy enforcement. The device remains Intune-managed and retains its last known user association until a new user logs in. |
| Intune management removed from device | Device enrichment data expires from cache after 72 hours. This matches standard connector cache TTL behavior across all identity sources. |
| Device deleted from Entra ID but not Intune | No immediate impact. The device continues to function normally as long as Intune management remains active. This scenario is rare in typical deployments. |
Troubleshooting
| Issue | Resolution |
|---|---|
| 401 Unauthorized Error | Verify that the client secret has not expired in your Entra ID application registration. Navigate to Certificates & secrets and check the expiration date. If expired, generate a new client secret and update the connector configuration with the new value. Ensure the correct Tenant ID and Client ID are configured in Cloud Control Center. |
| Connection Timeout | Verify network connectivity from Cloud Control Center to graph.microsoft.com on port 443. Check firewall rules and proxy configurations to ensure outbound HTTPS connections are permitted. Test connectivity using curl -v https://graph.microsoft.com from the Cloud Control Center management interface. If timeouts persist, contact Microsoft support to verify Graph API service health in your region. |
| Sync Failed Status | Review connector logs in Cloud Control Center for specific error messages. Common causes include insufficient API permissions (verify all required Graph API permissions have admin consent granted), API rate limiting (wait 15-30 minutes before retrying), or authentication failures (regenerate client secret and update connector). Click Sync Now to retry after addressing the underlying issue. |
| Devices Not Enriched with Intune Data | Verify that devices are properly enrolled in Microsoft Intune and show as Managed in the Intune admin center. Check that the application registration includes DeviceManagementManagedDevices.Read.All permission with admin consent granted. Devices must complete at least one successful Intune check-in before enrichment data becomes available. Trigger a manual device sync in Intune and wait for the next connector poll cycle. |
| User or Group Data Missing | Confirm that the application registration has User.Read.All and Group.Read.All permissions with admin consent granted. Verify that users and groups exist in Entra ID by checking the Microsoft Entra admin center. If recently created, wait approximately 1 minute for audit log processing to complete, then click Sync Now in the connector settings to force an immediate refresh of identity data. |
| Slow Update Times for Identity Changes | Verify that audit log monitoring is enabled in the connector configuration. Check that AuditLog.Read.All permission has admin consent granted. If audit logs are processing correctly but updates still seem slow, review whether the changes involve device attributes (which follow Intune sync schedule, 10-60 minutes) versus user/group changes (which update within 1 minute). Device attribute updates cannot be accelerated beyond Intune's sync schedule. |
| Audit Log Processing Errors | Review Cloud Control Center logs for audit log processing failures. Verify that the AuditLog.Read.All permission is granted with admin consent. Check Entra ID audit log retention settings to ensure logs are available for processing (default retention is 30 days for premium tenants). If errors persist, disable and re-enable audit log monitoring in the connector settings, then monitor for successful audit event processing. |
| Incomplete Device Hostnames | Hostname data is sourced from Intune, which retrieves it from the device OS during enrollment and sync. If hostnames appear blank or incorrect, verify that devices have successfully enrolled in Intune and completed at least one full sync cycle. Check the device record in the Intune admin center to confirm the hostname is populated there. If Intune shows the correct hostname but IdentityGraph does not, trigger a manual connector sync and wait for enrichment processing to complete. |
Maintenance Tasks
Manual Sync Operations: Trigger manual sync from the connector configuration page when immediate identity updates are required outside the regular polling schedule. Manual sync is useful after bulk user imports, large-scale group membership changes, or when validating connector functionality after configuration changes. The connector will retrieve the latest user, group, device, and Intune data from Microsoft Graph API. Manual sync operations do not affect the regular polling schedule.
Client Secret Rotation: Microsoft recommends rotating client secrets periodically for security. Before the current secret expires, generate a new secret in the Entra ID application registration under Certificates & secrets. Update the connector configuration in Cloud Control Center with the new secret value. Test the connection using Validate Connection before the old secret expires. Best practice is to rotate secrets every 12-18 months or according to your organization's security policies.
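Because an expired secret surfaces as a 401 Unauthorized error (see Troubleshooting), it is worth catching expiry ahead of time. The following Python is an added example, not part of the original documentation, that flags secrets due to expire within a warning window. It operates on data shaped like the passwordCredentials array of a Graph application object (displayName, keyId, endDateTime); the sample credentials and the reference time are constructed so the example runs offline, and in practice the array would be read from the application registration by whatever tooling your organization already uses for Graph.

```python
from datetime import datetime, timezone


def _parse_graph_time(value: str) -> datetime:
    """Microsoft Graph returns ISO 8601 UTC timestamps ending in 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def secrets_needing_rotation(password_credentials, now, warn_days=30):
    """Return (displayName, days_left) for every credential that is already expired
    or will expire within warn_days, soonest first. Negative days_left means expired."""
    flagged = []
    for cred in password_credentials:
        days_left = (_parse_graph_time(cred["endDateTime"]) - now).days
        if days_left <= warn_days:
            flagged.append((cred.get("displayName"), days_left))
    return sorted(flagged, key=lambda item: item[1])


# Constructed sample shaped like the passwordCredentials array of a Graph application object.
SAMPLE_CREDENTIALS = [
    {"displayName": "CCC-Secret", "keyId": "k-1", "endDateTime": "2025-02-01T00:00:00Z"},
    {"displayName": "Old secret", "keyId": "k-2", "endDateTime": "2024-12-01T00:00:00Z"},
    {"displayName": "Rotated secret", "keyId": "k-3", "endDateTime": "2026-01-01T00:00:00Z"},
]

# Fixed reference time so the example is reproducible offline.
SAMPLE_NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)


if __name__ == "__main__":
    for name, days in secrets_needing_rotation(SAMPLE_CREDENTIALS, SAMPLE_NOW):
        state = "EXPIRED" if days < 0 else f"expires in {days} days"
        print(f"{name}: {state}")
```

With the constructed data and a 30-day window the check reports the already-expired "Old secret" and "CCC-Secret" at 17 days remaining, which is the point at which a new secret should be generated and the connector updated before the old one lapses. Expired entries that are no longer used can also be removed from the registration so they cannot be mistaken for the active credential.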
Monitoring Sync Status: Regularly review connector health in Cloud Control Center to ensure continuous synchronization. Check the last sync timestamp and verify it updates according to the configured polling interval. Monitor connector logs for authentication errors, API throttling messages, or permission-related failures. Set up alerting if your monitoring platform supports it to notify administrators when sync operations fail or connector status changes from Active to Error state.
Permission Auditing: Periodically review the API permissions granted to your application registration in Entra ID. Verify that admin consent remains active for all required Graph API permissions. Changes to your Entra ID tenant (new administrator, conditional access policies, security defaults) may impact API authentication. If connector issues arise after tenant changes, re-validate permissions and re-grant admin consent if necessary.