title: Connecting to Entra ID (Azure AD)
category: Connections
tags: entra-id, azure-ad, cloud, connection, app-registration
priority: Normal
Connecting to Entra ID (Azure AD)
This guide walks you through creating a connection between IdentityCenter and Microsoft Entra ID (formerly Azure Active Directory). Entra ID connections use the Microsoft Graph API instead of LDAP, so the setup process differs from on-premises Active Directory.
Prerequisites
Before you begin, ensure you have:
- An Azure subscription with an Entra ID tenant
- Global Administrator or Application Administrator role in Entra ID
- Administrator access to IdentityCenter
- Outbound HTTPS (port 443) connectivity from the IdentityCenter server to the internet
Step 1: Register an Application in Entra ID
- Sign in to the Azure Portal
- Navigate to Microsoft Entra ID > App registrations
- Click New registration
- Configure the registration:
| Field | Value |
|---|---|
| Name | IdentityCenter Sync |
| Supported account types | Accounts in this organizational directory only (Single tenant) |
| Redirect URI | Leave blank (not needed for service-to-service) |
- Click Register
- On the overview page, note the Application (client) ID and Directory (tenant) ID -- you will need both values later
Step 2: Configure API Permissions
The app registration needs Microsoft Graph permissions to read directory data.
- In your app registration, go to API permissions
- Click Add a permission
- Select Microsoft Graph
- Choose Application permissions (not Delegated)
- Search for and add the following permissions:
| Permission | Type | Purpose |
|---|---|---|
| User.Read.All | Application | Read all user profiles |
| Group.Read.All | Application | Read all group memberships |
| Directory.Read.All | Application | Read directory data (OUs, contacts, devices) |
- Click Add permissions
- Click Grant admin consent for [your tenant]
- Confirm that all permissions show a green check mark under "Status"
Tip: If you plan to use IdentityCenter for write-back operations to Entra ID in the future, you may also want to add User.ReadWrite.All and Group.ReadWrite.All. However, start with read-only permissions for initial synchronization.
Optional: Additional Permissions
| Permission | Purpose |
|---|---|
| AuditLog.Read.All | Read sign-in and audit logs for intelligence features |
| RoleManagement.Read.Directory | Read Entra ID role assignments |
| Application.Read.All | Read app registrations and service principals |
Step 3: Create a Client Secret
- In your app registration, go to Certificates & secrets
- Click New client secret
- Configure:
| Field | Recommended Value |
|---|---|
| Description | IdentityCenter Sync Secret |
| Expires | 24 months (set a calendar reminder to rotate) |
- Click Add
- Copy the secret value immediately -- it will not be displayed again after you leave this page
Important: Store the client secret securely. If you lose it, you will need to create a new one and update the connection in IdentityCenter.
Alternative: Certificate Authentication
For higher security, you can use a certificate instead of a client secret:
- Generate or obtain an X.509 certificate
- Upload the public key (.cer) to the app registration under Certificates & secrets > Certificates
- Install the private key (.pfx) on the IdentityCenter server
- When creating the connection in IdentityCenter, select Certificate as the authentication method and provide the certificate thumbprint
Step 4: Gather Connection Details
You should now have three values ready:
| Value | Where to Find It |
|---|---|
| Tenant ID | App registration > Overview > Directory (tenant) ID |
| Client ID | App registration > Overview > Application (client) ID |
| Client Secret | The value you copied in Step 3 |
Step 5: Create the Connection in IdentityCenter
- Log in to IdentityCenter as an administrator
- Navigate to Administration > Connections
- Click New Connection
- Select Entra ID (Azure AD) as the connection type
- Fill in the connection details:
| Field | Value |
|---|---|
| Name | A descriptive name (e.g., "Corporate Entra ID") |
| Description | Optional description of this tenant |
| Tenant ID | Paste from Step 4 |
| Client ID | Paste from Step 4 |
| Client Secret | Paste from Step 4 |
| Enabled | Yes |
Step 6: Test the Connection
- Click Test Connection
- IdentityCenter will attempt to:
  - Authenticate with the Microsoft Graph API using your credentials
  - Query a small set of users to verify permissions
  - Confirm that the tenant ID is valid
- Review the test results and resolve any issues before saving
Common test failures:
| Error | Cause | Fix |
|---|---|---|
| "Unauthorized" | Client secret is wrong or expired | Verify the secret value; create a new one if needed |
| "Insufficient privileges" | Admin consent not granted | Go back to Azure Portal and grant admin consent |
| "Tenant not found" | Wrong Tenant ID | Double-check the Directory (tenant) ID |
| "Connection timeout" | Firewall blocking HTTPS | Ensure port 443 outbound is open to graph.microsoft.com |
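The following is an added example, not IdentityCenter's own code, that reproduces the three checks Test Connection performs (client-credentials authentication, a small user query, tenant confirmation) and maps failures onto the rows of the table above. The HTTP layer is an injected callable so the logic can be exercised offline against constructed responses; `urllib_transport` is the live implementation, and `iter_pages` shows the `@odata.nextLink` paging that a full sync needs once the probe succeeds. The endpoint URLs and the `.default` scope are the standard Microsoft identity platform values; the canned responses and identifiers are constructed.

```python
"""Offline-testable version of the Step 6 connection test for an Entra ID
connection. Added example, not IdentityCenter's code: it authenticates with
the OAuth 2.0 client-credentials grant, queries a small set of users, treats
a token failure for an unknown tenant as the tenant check, and maps failures
onto the common-failures table. The transport is injected so the checks run
against constructed responses; urllib_transport is the live implementation.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

LOGIN = "https://login.microsoftonline.com"
GRAPH = "https://graph.microsoft.com/v1.0"


def urllib_transport(url, body=None, headers=None, timeout=10):
    """Live transport: return (status, decoded JSON) even for HTTP error responses."""
    req = urllib.request.Request(url, data=body, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def canned_transport(responses):
    """Constructed offline transport: picks a canned (status, payload) by URL prefix."""
    def send(url, body=None, headers=None):
        for prefix, reply in responses.items():
            if url.startswith(prefix):
                return reply
        return 404, {"error": {"code": "NoCannedResponse", "message": url}}
    return send


def token_request(tenant_id, client_id, client_secret):
    """Client-credentials token request against the tenant's v2.0 endpoint."""
    url = f"{LOGIN}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        # .default asks for the application permissions admin-consented in Step 2
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return url, body, headers


def classify_failure(status, payload):
    """Map a failed response onto the Cause/Fix rows of the Step 6 table."""
    text = json.dumps(payload).lower()
    if "tenant" in text and "not found" in text:
        return "Tenant not found: double-check the Directory (tenant) ID"
    if status == 401 or "invalid_client" in text or "client secret" in text:
        return "Unauthorized: verify the client secret; create a new one if needed"
    if status == 403 or "insufficient privileges" in text:
        return "Insufficient privileges: grant admin consent in the Azure Portal"
    return f"HTTP {status}: {payload}"


def iter_pages(transport, url, headers):
    """Follow @odata.nextLink until the collection is exhausted (Graph paging)."""
    while url:
        status, page = transport(url, headers=headers)
        if status != 200:
            raise RuntimeError(classify_failure(status, page))
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def probe_connection(tenant_id, client_id, client_secret, transport=urllib_transport):
    """Run the Step 6 checks and return a dict describing where they stopped."""
    status, tok = transport(*token_request(tenant_id, client_id, client_secret))
    if status != 200 or "access_token" not in tok:
        # A wrong tenant ID also fails here, which is the "confirm the tenant" check
        return {"ok": False, "stage": "authenticate", "detail": classify_failure(status, tok)}
    headers = {"Authorization": f"Bearer {tok['access_token']}", "Accept": "application/json"}
    # $top keeps the permission probe cheap; $select limits the attributes returned
    url = f"{GRAPH}/users?$top=3&$select=id,userPrincipalName"
    status, page = transport(url, headers=headers)
    if status != 200:
        return {"ok": False, "stage": "query_users", "detail": classify_failure(status, page)}
    sample = [u.get("userPrincipalName") for u in page.get("value", [])]
    return {"ok": True, "stage": "done", "users_seen": len(sample), "sample": sample}


if __name__ == "__main__":
    # Constructed responses standing in for a healthy tenant
    healthy = canned_transport({
        LOGIN: (200, {"access_token": "constructed-token"}),
        GRAPH + "/users": (200, {"value": [{"id": "1", "userPrincipalName": "a.user@contoso.example"}]}),
    })
    print(probe_connection("tenant-guid", "client-guid", "secret", transport=healthy))
```

Passing `urllib_transport` (the default) runs the same probe against the real endpoints, which is a quick way to confirm from the IdentityCenter server that outbound port 443 to login.microsoftonline.com and graph.microsoft.com is open before involving the UI.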
Step 7: Save and Create Sync Projects
- Click Save to create the connection
- The connection will appear in your connection list with an Active status
- Navigate to Synchronization > Sync Projects and create projects for Entra ID users and groups
Differences from On-Premises Active Directory
Entra ID uses the Microsoft Graph API, not LDAP. This means several things work differently:
| Aspect | On-Premises AD | Entra ID |
|---|---|---|
| Protocol | LDAP / LDAPS | HTTPS (Graph API) |
| Port | 389 / 636 | 443 |
| Authentication | Service account + password | OAuth 2.0 client credentials |
| Object identifiers | objectGUID, DN | Object ID (GUID), UPN |
| Attribute names | sAMAccountName, distinguishedName | displayName, userPrincipalName, mail |
| Group membership | member / memberOf (DN-based) | members / memberOf (ID-based) |
| OUs | organizationalUnit objects | Administrative Units (limited) |
| Password attributes | pwdLastSet, accountExpires (FILETIME) | passwordProfile, passwordPolicies |
| Paging | LDAP paged search | OData $top / $skipToken |
| Change detection | whenChanged, USN | Delta queries with delta tokens |
Attribute Mapping for Entra ID
When creating sync projects for Entra ID objects, the attribute mappings differ from AD:
| IdentityCenter Field | Entra ID Attribute | AD Equivalent |
|---|---|---|
| DisplayName | displayName | displayName |
| Username | mailNickname | sAMAccountName |
| UserPrincipalName | userPrincipalName | userPrincipalName |
| Department | department | department |
| Title | jobTitle | title |
| Manager | manager (object reference) | manager (DN) |
| Phone | businessPhones[0] | telephoneNumber |
| Mobile | mobilePhone | mobile |
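As an added example (not IdentityCenter's own mapping code), the function below applies the table above to a Microsoft Graph user object. The IdentityCenter field names are the table's, the Graph property names are the real ones, and `$expand=manager($select=...)` is the standard Graph query option for resolving the manager reference in the same call; the `ObjectId` field name and the sample users are constructed for the example. It handles the two rows that are not plain renames: `businessPhones` is a list that may be empty, and `manager` is an object reference rather than a DN.

```python
"""Map a Microsoft Graph user onto IdentityCenter fields as the table lays out.
Added example, not IdentityCenter's code: the IdentityCenter field names come
from the table, the Graph property names are real, and the ObjectId field and
the sample users are assumptions constructed for the example.
"""

# Graph property -> IdentityCenter field, straight from the mapping table
SIMPLE_MAP = {
    "displayName": "DisplayName",
    "mailNickname": "Username",
    "userPrincipalName": "UserPrincipalName",
    "department": "Department",
    "jobTitle": "Title",
    "mobilePhone": "Mobile",
}


def user_select_clause():
    """Query options fetching exactly the properties the mapping needs.
    $expand=manager($select=...) resolves the manager reference in the same call."""
    props = ",".join(["id", *SIMPLE_MAP, "businessPhones"])
    return f"$select={props}&$expand=manager($select=id,userPrincipalName)"


def map_entra_user(user):
    """Return an IdentityCenter-style record for one Graph user object."""
    record = {field: user.get(prop) for prop, field in SIMPLE_MAP.items()}
    # businessPhones is a collection; the table maps only the first entry to Phone
    phones = user.get("businessPhones") or []
    record["Phone"] = phones[0] if phones else None
    # manager is a navigation property: an object with its own Entra object ID, not
    # a DN. Keep the referenced ID so the Person layer can resolve it later.
    manager = user.get("manager")
    record["Manager"] = manager.get("id") if isinstance(manager, dict) else None
    record["ObjectId"] = user.get("id")  # assumed field name for the Entra object ID
    return record


# Constructed sample: one fully populated user, one with no phones and no manager
SAMPLE_USERS = [
    {
        "id": "11111111-aaaa-4bbb-8ccc-000000000001",
        "displayName": "Ada User", "mailNickname": "ada.user",
        "userPrincipalName": "ada.user@contoso.example",
        "department": "Engineering", "jobTitle": "Engineer",
        "businessPhones": ["+1 555 0100", "+1 555 0101"], "mobilePhone": "+1 555 0199",
        "manager": {"id": "11111111-aaaa-4bbb-8ccc-000000000009",
                    "userPrincipalName": "mgr@contoso.example"},
    },
    {
        "id": "11111111-aaaa-4bbb-8ccc-000000000002",
        "displayName": "Svc Account", "mailNickname": "svc",
        "userPrincipalName": "svc@contoso.example",
        "department": None, "jobTitle": None,
        "businessPhones": [], "mobilePhone": None,
    },
]

if __name__ == "__main__":
    print(user_select_clause())
    for u in SAMPLE_USERS:
        print(map_entra_user(u))
```

The `$select` clause matters beyond efficiency: requesting only the attributes the mapping uses keeps the sync's data footprint aligned with the least-privilege intent of the read-only permissions granted in Step 2.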
Hybrid Environments
Many organizations run both on-premises Active Directory and Entra ID, synchronized via Entra Connect (formerly Azure AD Connect). In these hybrid environments:
Syncing Both Sources
- Create an Active Directory connection for your on-premises forest
- Create an Entra ID connection for your cloud tenant
- Create separate sync projects for each source
- IdentityCenter's person-centric model will match users from both sources to a single Person record, using email address as the primary correlation key
Avoiding Duplicates
When an object exists in both on-prem AD and Entra ID (which is common with Entra Connect), IdentityCenter distinguishes them by their SourceConnectionId. Each connection produces its own set of Objects, and the Person matching layer links them together.
Choosing an Authoritative Source
Decide which source is authoritative for each attribute:
| Attribute | Typical Authority | Reason |
|---|---|---|
| Name, Title, Department | HR system or on-prem AD | Updated by HR processes |
| Email, UPN | On-prem AD | Flows to Entra ID via Entra Connect |
| License assignments | Entra ID | Cloud-only property |
| MFA status | Entra ID | Cloud-only property |
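The example below is added here and is not IdentityCenter's own matching code. It illustrates the three points of this section together: Objects from an Active Directory connection and an Entra ID connection are correlated into one Person by email address, the two Objects for a synced user are kept apart by their SourceConnectionId rather than collapsed, and each attribute is then taken from the authoritative source in the table above (falling back to whichever source has a value). The Object shape, connection IDs, attribute names for licenses and MFA, and the sample records are constructed.

```python
"""Correlate Objects from an on-prem AD connection and an Entra ID connection
into one Person and resolve each attribute from its authoritative source.
Added example, not IdentityCenter's code: the correlation key (email), the
SourceConnectionId field and the authority choices follow this section; the
Object shape, connection IDs and sample records are constructed.
"""

AD_CONN = "conn-ad-corp"          # constructed SourceConnectionId values
ENTRA_CONN = "conn-entra-tenant"

# Attribute -> connection that wins, per the "Typical Authority" column
AUTHORITY = {
    "DisplayName": AD_CONN, "Title": AD_CONN, "Department": AD_CONN,
    "Mail": AD_CONN, "UserPrincipalName": AD_CONN,
    "Licenses": ENTRA_CONN, "MfaRegistered": ENTRA_CONN,
}


def correlation_key(obj):
    """Email, trimmed and case-folded; objects without one cannot be correlated."""
    mail = (obj.get("Mail") or "").strip().lower()
    return mail or None


def build_persons(objects):
    """Group Objects into Persons by correlation key, keeping one Object per connection."""
    persons, uncorrelated = {}, []
    for obj in objects:
        key = correlation_key(obj)
        if key is None:
            uncorrelated.append(obj)
            continue
        person = persons.setdefault(key, {"Key": key, "Sources": {}})
        # The same identity seen through two connections is two Objects; they are
        # told apart by SourceConnectionId rather than merged into one record
        person["Sources"][obj["SourceConnectionId"]] = obj
    return persons, uncorrelated


def resolve_attributes(person):
    """Take each attribute from its authoritative connection, else from any source that has it."""
    resolved = {}
    for attr, authority in AUTHORITY.items():
        ordered = [person["Sources"].get(authority)] + [
            o for cid, o in person["Sources"].items() if cid != authority]
        for obj in ordered:
            if obj is not None and obj.get(attr) is not None:
                resolved[attr] = obj[attr]
                break
    return resolved


# Constructed sample: a synced user seen from both sides (the cloud copy carries an
# older title), a cloud-only user, and an AD object with no mail address
SAMPLE_OBJECTS = [
    {"SourceConnectionId": AD_CONN, "Mail": "Ada.User@contoso.example",
     "UserPrincipalName": "ada.user@contoso.example", "DisplayName": "Ada User",
     "Title": "Senior Engineer", "Department": "Engineering"},
    {"SourceConnectionId": ENTRA_CONN, "Mail": "ada.user@contoso.example",
     "UserPrincipalName": "ada.user@contoso.example", "DisplayName": "Ada User",
     "Title": "Engineer", "Department": "Engineering",
     "Licenses": ["E5"], "MfaRegistered": True},
    {"SourceConnectionId": ENTRA_CONN, "Mail": "guest.contractor@contoso.example",
     "UserPrincipalName": "guest.contractor@contoso.example",
     "DisplayName": "Guest Contractor", "Licenses": ["E1"], "MfaRegistered": False},
    {"SourceConnectionId": AD_CONN, "Mail": None, "DisplayName": "svc-backup"},
]

if __name__ == "__main__":
    persons, leftover = build_persons(SAMPLE_OBJECTS)
    for key, p in persons.items():
        print(key, sorted(p["Sources"]), resolve_attributes(p))
    print("uncorrelated:", [o["DisplayName"] for o in leftover])
```

Objects with no email address stay uncorrelated rather than being guessed into a Person; in a real deployment those are worth reviewing, since service accounts and stale objects tend to surface there.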
Security Recommendations
- Use certificate authentication for production deployments instead of client secrets
- Set secret expiration reminders if using client secrets -- expired secrets will silently break sync
- Apply least-privilege permissions -- only grant the Graph permissions you actually need
- Monitor the app registration -- review sign-in logs in Entra ID to detect unusual activity
- Restrict the app to specific IPs if your Azure subscription supports conditional access for workload identities
Next Steps
- Creating a Connection -- General connection creation guide
- Multi-Forest & Multi-Domain Setup -- Complex environment configurations
- Connection Troubleshooting -- Diagnose connectivity issues
- Creating a Sync Project -- Set up synchronization for Entra ID objects
- Custom Attribute Mapping -- Map Entra ID attributes to IdentityCenter fields