Skip to main content

Integrate with Entra ID

Follow this step by step guide to allow SlashID to monitor and protect your Entra ID cloud environment. First, you will create an Entra ID App Registration, grant it the required permissions and generate a client secret which allows SlashID to interact with Entra ID on your behalf. Second, you will use the details of your new App Registration to configure the integration in the SlashID Console.

Step 1: Create Entra App Registration

  1. Log in to Microsoft Entra admin center.

  2. Search for or select Microsoft Entra ID (previously: Azure Active Directory) from the list of resources on the side menu.

  3. From the menu on the left, select 'Manage' > 'App registrations'.

  4. From the horizontal menu at the top of the page, choose 'New registration'.

  5. Enter a name for this app registration, select the appropriate account type, then press 'Register' to confirm. Going forward, we'll call this your SlashID App Registration.

Step 2: Grant permissions

  1. In your SlashID App Registration page, select 'Manage' > 'API permissions' from the side menu.

  2. Choose 'Add a permission' and then select 'Microsoft Graph' from the list of Microsoft APIs available.

  3. Choose 'Application permissions' for the permission type.

  4. Search for and select the following permissions:

Required permissions:

  • AuditLog.Read.All
  • Directory.Read.All
  • IdentityProvider.Read.All
  • IdentityRiskyUser.Read.All
  • User.Read.All

Optional permissions (recommended for extended features):

  • Files.Read.All - For OneDrive and SharePoint file access monitoring
  • Files.ReadWrite.All - For comprehensive file access analysis
  • Group.Read.All - For detailed group membership information
  • Policy.Read.All - For Conditional Access Policy monitoring
  • SharePointTenantSettings.Read.All - For SharePoint tenant configuration
  • Sites.Read.All - For SharePoint site access monitoring

Conditional Access permissions (for Conditional Access Policy visibility):

  • Policy.Read.All - Read all Conditional Access policies and configurations

Privileged Identity Management (PIM) permissions (for PIM visibility):

  • RoleManagement.Read.Directory - Read Azure AD role definitions, assignments, and policies
  • RoleManagement.Read.All - Read all role management settings
  • PrivilegedAccess.Read.AzureAD - Read PIM for Azure AD roles (eligible assignments, activation requests)
  • PrivilegedAccess.Read.AzureADGroup - Read PIM for Groups
  • PrivilegedEligibilitySchedule.Read.AzureADGroup - Read eligible assignment schedules for groups
  • PrivilegedAssignmentSchedule.Read.AzureADGroup - Read active assignment schedules for groups
  • RoleAssignmentSchedule.Read.Directory - Read scheduled role assignments
  • RoleEligibilitySchedule.Read.Directory - Read role eligibility schedules

Exchange Online permissions (for mailbox and email rule monitoring):

  • MailboxSettings.Read - Read user mailbox settings (auto-reply, forwarding configuration)
  • Mail.Read - Read inbox rules including mail forwarding rules (detects data exfiltration via email)
info

The optional permissions enable monitoring of SharePoint, OneDrive, and Conditional Access Policies. The PIM permissions enable visibility into Privileged Identity Management configurations, including eligible role assignments, activation requests, and scheduled assignments. The Exchange Online permissions enable detection of email-based data exfiltration through mailbox forwarding rules and inbox rules that forward or redirect mail to external addresses. Without these permissions, SlashID will still monitor your core Entra identities, roles, and applications, but will not have visibility into file access, SharePoint sites, Conditional Access configurations, PIM settings, or Exchange mailbox configurations.

Click the 'Add permissions' button to confirm.

  1. In your 'SlashID App Registration | API permissions' page, click on the 'Grant admin consent for [Your Organization Name]' and confirm the permission grant.

Step 2b: Grant Azure RBAC permissions (for automatic log streaming)

SlashID can automatically provision the Azure infrastructure needed for real-time event streaming. This eliminates the need for manual setup of Event Hub, Logic App, Event Grid, and Diagnostic Settings.

To enable automatic provisioning, the service principal needs Azure RBAC permissions at the subscription level.

  1. Go to your Azure subscription in the Azure Portal.

  2. Navigate to 'Access control (IAM)' > 'Add role assignment'.

  3. Assign the following role to your SlashID App Registration:

RoleScopePurpose
ContributorSubscriptionCreate and manage Event Hub, Event Grid, Logic App, and Resource Groups

Alternatively, for more granular control, you can create a custom role with these specific permissions:

Required resource provider permissions:

  • Microsoft.Resources/subscriptions/resourceGroups/* - Create and manage resource groups
  • Microsoft.EventHub/namespaces/* - Create and manage Event Hub namespaces and hubs
  • Microsoft.EventGrid/topics/* - Create and manage Event Grid topics
  • Microsoft.EventGrid/eventSubscriptions/* - Create and manage Event Grid subscriptions
  • Microsoft.Logic/workflows/* - Create and manage Logic Apps
  • Microsoft.Insights/diagnosticSettings/* - Create and manage diagnostic settings
  • Microsoft.Web/connections/* - Create and manage API connections for Logic Apps
What happens if these permissions are missing?

If the RBAC permissions are not granted, SlashID will still create your connection successfully, but log streaming infrastructure will not be automatically provisioned. You will need to set up event streaming manually by following the Event Streaming guide.

The SlashID Console will indicate when manual setup is required, and you can complete it at any time after the initial connection is established.

Step 2c: Grant remediation permissions (optional)

To enable SlashID to take remediation actions (quarantine users, disable service principals, enforce MFA, etc.), grant these additional Application permissions in Microsoft Graph:

Identity management:

  • Application.ReadWrite.All - Disable, delete, and restore service principals
  • User.ReadWrite.All - Disable, delete, and restore users; revoke sign-in sessions

Role management:

  • RoleManagement.ReadWrite.Directory - Add or remove directory role assignments

Policy management:

  • Policy.ReadWrite.ConditionalAccess - Create Conditional Access policies for MFA enforcement

Key Vault access (for secret rotation, requires Azure RBAC):

If you want SlashID to rotate or delete secrets in Azure Key Vault, assign the following role to your SlashID App Registration on each Key Vault:

RoleScopePurpose
Key Vault Secrets OfficerKey VaultRotate and delete secrets
What happens if these permissions are missing?

If remediation permissions are not granted, SlashID will still monitor your Entra environment and detect security issues, but automated remediation actions will fail. You can grant these permissions at any time to enable remediation capabilities.

Step 3: Generate client secret

  1. In your SlashID App Registration page, select 'Manage' > 'Certificates & secrets' from the side menu.

  2. Under 'Client secrets', choose 'New client secret'

  3. Enter a description and a duration for the new client secret and press the 'Add' button. We recommend 365 days as the expiry period.

  4. Copy the secret Value and keep it safe, you will need to enter it in the SlashID Console later.

Step 4: Obtain client and tenant ID

  1. In your SlashID App Registration page, select 'Overview' from the side menu.

  2. Copy the 'Application (client) ID' and the 'Directory (tenant) ID'. You will need to enter them in the SlashID Console later.

Step 5: Generate a certificate

Generate a new certificate for your Entra app following the same process of steps 3 and 4. Copy and store the client certificate and certificate key. You will need to enter them in the SlashID Console later.

Step 6: SlashID Console configuration

  1. Go to the SlashID Console > 'Identity Protection' > 'Configuration' > 'Data sources'. Click on 'Add data source' on the right.

  2. Select 'Entra' from the list of providers in the drop-down menu.

  3. Fill in the connection details:

SlashID Console fieldDescription
Name of the connectionArbitrary name you give to this connection
Directory (tenant) IDThe tenant ID obtained in step 4
Application (client) IDThe application ID obtained in step 4
Authoritative statusDecide whether Entra identities are the primary (or secondary) source of truth when reconciling identities across providers
Client secretThe client secret obtained in step 3
Client certificateThe client certificate obtained in step 5
Certificate keyThe client certificate key obtained in step 5

Click on the Connect button.

The initial data sync may take a couple of minutes, after which you can start exploring security events in the 'Identity Protection Dashboard' of the SlashID Console.