Microsoft Entra ID

Connect Microsoft Entra ID to Siit to sync your users, groups, and application assignments, and expose Entra actions directly inside Siit workflows, request side panels, and the IT Agent.

What you get

  • Live directory — Entra users, groups, and Enterprise Applications sync into Siit with full attribute coverage.

  • One-click actions from any request — add to group, remove from group, revoke sessions, and more, from the request side panel.

  • Workflow-driven provisioning — use Entra actions in any workflow: access requests, Day-1 onboarding, offboarding, and more.

  • Microsoft 365 context — pairs well with the Microsoft Teams integration so you get a fully unified employee experience across chat, identity, and requests.

What syncs from Entra ID

Fields

Display name, user principal name (UPN), work email, object ID

Job title, department, manager, office location, usage location

Security groups and Microsoft 365 groups, memberships, ownership

Enterprise Applications assigned to users

Account status: active / blocked / deleted

Work email (mail attribute or UPN) is the canonical identifier.

Actions available

  • Add user to group

  • Remove user from group

  • Assign application to user

  • Remove application from user

  • Revoke user sessions

  • Block / unblock sign-in

  • Reset password (temporary password, must be changed on next sign-in)

  • Delete user (soft delete — recoverable for 30 days in Entra)

Actions are available from the request side panel, in workflows, and in IT Agent playbooks. Sensitive actions can be gated behind approvals.

Before you connect

  • You'll need an Entra ID Global Administrator (or Privileged Role Administrator) to grant admin consent for the required permissions.

  • Siit is installed as an Enterprise Application in your Entra tenant via OAuth consent — no certificates, manifests, or manual app registrations required.

  • If your tenant blocks user consent for third-party apps, admin consent must be granted explicitly during the install flow.

Connect Entra ID

  1. In Siit, go to Settings → Integrations.

  2. Find Microsoft Entra ID in the IAM section and click Connect. You'll be redirected to Microsoft.

  3. Sign in with a Global Administrator account.

  4. Review and grant admin consent for the requested Microsoft Graph permissions:

    • User.Read.All — read user profiles

    • Group.Read.All + GroupMember.ReadWrite.All — read groups, manage memberships

    • Directory.Read.All — read org structure

    • Application.Read.All — read Enterprise Applications

    • User.ReadWrite.All — for user management actions (activate/suspend, reset password)

    • UserAuthenticationMethod.ReadWrite.All — for MFA / password actions

  5. Once consent is granted, Microsoft redirects you back to Siit.

  6. Siit runs an initial import of users, groups, and applications.

  7. Review the imported data and click Finish setup.

Tip — Install with a dedicated service / break-glass Global Admin account if your security policy prefers it. The OAuth grant is tenant-wide and survives the installing admin leaving the company.

After the connection

  • Check your People list — confirm the user count matches your Entra active users.

  • Scope the groups — by default all groups are synced. In Settings → Integrations → Microsoft Entra ID, you can scope to specific groups or OUs.

  • Try an action from a request — open any request and use the side panel to add/remove the requester from an Entra group.

  • Build a workflow — a classic starter: manager approval → Entra add to group → DM confirmation.

Sync frequency

Entra data refreshes automatically every few hours. Trigger an immediate refresh from Settings → Integrations → Microsoft Entra ID → Sync now. Actions run on demand, immediately, when triggered.

Common workflows

Access request. Trigger: Request submitted (service = "Request app access"). Actions: manager approval → Entra assign application → DM requester.

Group membership request. Trigger: Request submitted. Actions: approval → Entra add to group → confirmation message.

Day-1 onboarding (with HRIS). Trigger: Start date. Actions: Entra add to baseline groups → assign department app bundle → notify manager.

Offboarding on end date. Trigger: End date. Actions: Entra revoke sessions → remove app assignments → block sign-in → equipment pickup request.

Session revoke on suspicious activity. Trigger: Request submitted (service = "Report lost device"). Action: Entra revoke user sessions immediately → create follow-up incident.

SSO is separate

Connecting Entra here is about using it as a directory and action source. If you only want to let users sign in to Siit with their Microsoft account, see SAML - SSO. Most customers do both.

Troubleshooting

Admin consent error during install. You signed in with an account that doesn't have Global Admin rights — or your tenant requires explicit admin consent. Retry with a Global Admin account.

"Insufficient privileges" when running an action. The corresponding Graph permission was not granted at install time (e.g., UserAuthenticationMethod.ReadWrite.All is missing for password reset). Reconnect Entra and re-grant the full permission set.
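To tell which of the scopes listed under Connect Entra ID are actually granted tenant-wide before reconnecting, the check below diffs the Siit service principal's delegated grants against that list. It is an added example, not Siit's or Microsoft's code; it assumes the consent is recorded as a delegated oauth2PermissionGrant with consentType "AllPrincipals" (tenant-wide admin consent), and the sample grant is constructed.

```python
"""Audit the delegated Graph scopes granted to the Siit enterprise application."""
from __future__ import annotations

# Scopes this page lists as required at install time.
REQUIRED_SCOPES = {
    "User.Read.All",
    "Group.Read.All",
    "GroupMember.ReadWrite.All",
    "Directory.Read.All",
    "Application.Read.All",
    "User.ReadWrite.All",
    "UserAuthenticationMethod.ReadWrite.All",
}

# Action -> scope the page says it depends on (explains "Insufficient privileges").
ACTION_SCOPES = {
    "add/remove group member": "GroupMember.ReadWrite.All",
    "block/unblock sign-in": "User.ReadWrite.All",
    "reset password / MFA actions": "UserAuthenticationMethod.ReadWrite.All",
}


def granted_scopes(grants: list[dict]) -> set[str]:
    """Collect scopes from tenant-wide (admin) grants only; a per-user grant
    ("Principal") does not prove every user can run the action."""
    scopes: set[str] = set()
    for g in grants:
        if g.get("consentType") == "AllPrincipals":
            scopes.update(g.get("scope", "").split())
    return scopes


def audit(grants: list[dict]) -> dict[str, object]:
    """Report missing and unexpected scopes and the actions that will fail."""
    have = granted_scopes(grants)
    missing = REQUIRED_SCOPES - have
    extra = have - REQUIRED_SCOPES  # more than the page says is needed: review
    broken = [a for a, s in ACTION_SCOPES.items() if s in missing]
    return {"missing": sorted(missing), "extra": sorted(extra), "broken_actions": broken}


# Constructed sample: admin consent given, but the MFA/password scope was skipped.
SAMPLE_GRANTS = [
    {"clientId": "<siit-sp-object-id>", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "<graph-sp-object-id>",
     "scope": "User.Read.All Group.Read.All GroupMember.ReadWrite.All Directory.Read.All "
              "Application.Read.All User.ReadWrite.All Mail.Read"},
]

if __name__ == "__main__":
    print(audit(SAMPLE_GRANTS))
```

The grant objects can be pulled from Graph Explorer with GET /servicePrincipals/{siit-sp-object-id}/oauth2PermissionGrants and fed in as the list.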

Users missing from Siit. Check whether guest accounts and deactivated users are excluded (they are, by default). Adjust the filter in Settings → Integrations → Microsoft Entra ID if needed.

Group not available as a target. The group may be out of scope, or it's a distribution group that doesn't support programmatic membership management via Graph. Check group type in Entra.
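To check the group type programmatically rather than by hand, the classifier below reads the groupTypes, mailEnabled and securityEnabled fields of a Graph group object and says whether Graph can manage its membership. It is an added example, not Siit's code, the sample groups are constructed, and it goes slightly beyond the page by also flagging dynamic-membership groups, whose members are rule-driven and cannot be added directly.

```python
"""Classify Entra groups and flag ones that cannot be add/remove targets."""
from __future__ import annotations


def classify_group(group: dict) -> tuple[str, bool]:
    """Return (group kind, membership manageable through Graph).

    Exchange distribution lists and mail-enabled security groups are mastered
    in Exchange Online, so Graph member add/remove fails for them; dynamic
    groups are rule-managed. Security and Microsoft 365 groups are manageable.
    """
    types = group.get("groupTypes", [])
    mail = bool(group.get("mailEnabled"))
    sec = bool(group.get("securityEnabled"))
    if "DynamicMembership" in types:
        return ("dynamic group", False)
    if "Unified" in types:
        return ("Microsoft 365 group", True)
    if mail and sec:
        return ("mail-enabled security group", False)
    if mail:
        return ("distribution group", False)
    if sec:
        return ("security group", True)
    return ("unknown", False)


def unusable_targets(groups: list[dict]) -> list[str]:
    """Names of groups that will not work as Entra add/remove targets."""
    return [g["displayName"] for g in groups if not classify_group(g)[1]]


# Constructed sample group objects in the shape Graph returns.
SAMPLE_GROUPS = [
    {"displayName": "sg-vpn-users", "groupTypes": [], "mailEnabled": False, "securityEnabled": True},
    {"displayName": "All Staff DL", "groupTypes": [], "mailEnabled": True, "securityEnabled": False},
    {"displayName": "Project Atlas", "groupTypes": ["Unified"], "mailEnabled": True, "securityEnabled": False},
    {"displayName": "sec-finance-mail", "groupTypes": [], "mailEnabled": True, "securityEnabled": True},
    {"displayName": "dyn-all-engineers", "groupTypes": ["DynamicMembership"], "mailEnabled": False, "securityEnabled": True},
]

if __name__ == "__main__":
    for g in SAMPLE_GROUPS:
        print(g["displayName"], classify_group(g))
```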

Connection shows as "needs reauthorization". An admin revoked the Siit Enterprise Application's consent, or a conditional access policy is blocking the token refresh. Reconnect the integration.
