Versions Compared

Version Old Version 3 New Version Current
Changes made by

Pio

Pio

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

...

...

...

Microsoft Graph API Connection Configuration

To integrate with Microsoft Entra ID (previously Azure AD), an application must be registered with an Entra ID tenant. Once you register the application, you can fill in the Application ID, Directory (tenant) ID, and Application Secret values for the Entra ID Connection Configuration.

Info

You will need help from the Azure Admin in your organization for the following configuration.

1-

  1. Login to Azure Portal (portal.azure.com)

...

  1. Select Microsoft Entra ID.

Image Removed
Image Added

...

  1. Click "Add", then choose "App registration" from the options.

Image Modified

4- Add the “Name” and click the “Register” button.

...

5- Note down “Application (client) ID” and “Directory (tenant) ID” and click “Add a certificate or a secret” on the right side.

...

6- Add the description “Azure AD Importer for JSM Assets”, set the expiration date as you wish, and click the “Add” button below.

...

7- Copy the “Value” of the new client secret.

...

...

  1. Enter the Name, then click "Register"

Image Added

  1. After registration, go to Overview:

  • Copy Application (Client) ID.

  • Copy Directory (Tenant) ID.

To generate an Application Secret:

  • Navigate to Add a certificates or secret.

  • Click New Client Secret → Set expiration → Copy the generated secret.

Image Added

  1. Enter the description e.g. "Azure AD Importer for JSM Assets", choose the desired expiration date, and click "Add".

Image Added

  1. Copy the "Value" of the newly created client secret.

Note

Important: Ensure you copy the Value, not the Secret ID. The Value is required for authentication and will be hidden once you leave the page.

Image Added

  1. Select the "API Permissions" menu on the left side, then click "Add a permission".

Image Added

9- Select “Microsoft Graph” and add Directory.Read.All for the “Application” type.

Image Added

Info

Pro Tip:

To grant the minimum permissions, you may use:

  • User.Read.All

  • GroupMember.Read.All

You may encounter permission errors if your environment has nested groups, where a parent group has sufficient access but a child group does not. In that case, you may use:

  • User.Read.All

  • Group.Read.All

If you need to collect the licenses, you need permission to read the directory.

  • Directory.Read.All

The table below explains the different levels of permissions and their capabilities.

Permissions and their capabilities

  • User.Read.All

  • GroupMember.Read.All

  • User.Read.All

  • Group.Read.All

  • Directory.Read.All

Collects Users and Groups

(tick)

(tick)

(tick)

Collects nested groups (parent-child relationship)

(error)

(tick)

(tick)

Collects the Licenses

(error)

(error)

(tick)

  1. Ask your Azure Admin to provide consent for the required permission. The settings should be as follows:

  • Permission: Directory.Read.All

  • Type: Application

  • Admin Consent Requested: Yes

  • Status: Granted for <your organization>

See the example screenshot below:

Image Added
Note

This step is crucial, as we frequently receive customer tickets related to permission errors. The most common mistake Azure Admins make is selecting "Delegated" (the default) instead of "Application" as the permission type.

  1. Fill in the required fields under Azure Connection Settings in the Source tab of Azure AD Importer for JSM Assets. Then, click "Save & Check Connection" to confirm the configuration is successful.

...

  1. (Optional) You can apply filters for Users and Groups to reduce the number of imported records and focus on relevant data. For more details, visit: Filter

  2. Next configure the Destination settings.