# Microsoft Entra ID

### What you get

* **Live directory** — Entra users, groups, and Enterprise Applications sync into Siit with full attribute coverage.
* **One-click actions from any request** — add to group, remove from group, revoke sessions, and more, from the request side panel.
* **Workflow-driven provisioning** — use Entra actions in any workflow: access requests, Day-1 onboarding, offboarding, and more.
* **Microsoft 365 context** — pairs well with the Microsoft Teams integration so you get a fully unified employee experience across chat, identity, and requests.

### What syncs from Entra ID

| Fields                                                           |
| ---------------------------------------------------------------- |
| Display name, user principal name (UPN), work email, object ID   |
| Job title, department, manager, office location, usage location  |
| Security groups and Microsoft 365 groups, memberships, ownership |
| Enterprise Applications assigned to users                        |
| Active / blocked / deleted                                       |

Work email (mail attribute or UPN) is the canonical identifier.

### Actions available

* **Add user to group**
* **Remove user from group**
* **Assign application to user**
* **Remove application from user**
* **Revoke user sessions**
* **Block / unblock sign-in**
* **Reset password** (temporary password, must be changed on next sign-in)
* **Delete user** (soft delete — recoverable for 30 days in Entra)

Actions are available from the request side panel, in workflows, and in IT Agent playbooks. Sensitive actions can be gated behind approvals.

### Before you connect

* You'll need an **Entra ID Global Administrator** (or Privileged Role Administrator) to grant admin consent for the required permissions.
* Siit is installed as an Enterprise Application in your Entra tenant via OAuth consent — no certificates, manifests, or manual app registrations required.
* If your tenant blocks user consent for third-party apps, admin consent must be granted explicitly during the install flow.

### Connect Entra ID

1. In Siit, go to **Settings → Integrations**.
2. Find **Microsoft Entra ID** in the IAM section and click **Connect**. You'll be redirected to Microsoft.
3. Sign in with a Global Administrator account.
4. Review and grant admin consent for the requested Microsoft Graph permissions:
   * `User.Read.All` — read user profiles
   * `Group.Read.All` + `GroupMember.ReadWrite.All` — read groups, manage memberships
   * `Directory.Read.All` — read org structure
   * `Application.Read.All` — read Enterprise Applications
   * `User.ReadWrite.All` — for user management actions (activate/suspend, reset password)
   * `UserAuthenticationMethod.ReadWrite.All` — for MFA / password actions
5. Once consent is granted, Microsoft redirects you back to Siit.
6. Siit runs an initial import of users, groups, and applications.
7. Review the imported data and click **Finish setup**.

> **Tip** — Install with a dedicated service / break-glass Global Admin account if your security policy prefers it. The OAuth grant is tenant-wide and survives the installing admin leaving the company.

### After the connection

* **Check your People list** — confirm the user count matches your Entra active users.
* **Scope the groups** — by default all groups are synced. In **Settings → Integrations → Microsoft Entra ID**, you can scope to specific groups or OUs.
* **Try an action from a request** — open any request and use the side panel to add/remove the requester from an Entra group.
* **Build a workflow** — a classic starter: manager approval → Entra add to group → DM confirmation.

### Sync frequency

Entra data refreshes automatically every few hours. Trigger an immediate refresh from **Settings → Integrations → Microsoft Entra ID → Sync now**. Actions run on demand, immediately, when triggered.

### Common workflows

**Access request.** *Trigger: Request submitted (service = "Request app access"). Actions: manager approval → Entra assign application → DM requester.*

**Group membership request.** *Trigger: Request submitted. Actions: approval → Entra add to group → confirmation message.*

**Day-1 onboarding (with HRIS).** *Trigger: Start date. Actions: Entra add to baseline groups → assign department app bundle → notify manager.*

**Offboarding on end date.** *Trigger: End date. Actions: Entra revoke sessions → remove app assignments → block sign-in → equipment pickup request.*

**Session revoke on suspicious activity.** *Trigger: Request submitted (service = "Report lost device"). Action: Entra revoke user sessions immediately → create follow-up incident.*

### SSO is separate

Connecting Entra here is about using it as a **directory and action source**. If you only want to let users sign in to Siit with their Microsoft account, see SAML - SSO. Most customers do both.

### Troubleshooting

**Admin consent error during install.** You signed in with an account that doesn't have Global Admin rights — or your tenant requires explicit admin consent. Retry with a Global Admin account.

**"Insufficient privileges" when running an action.** The corresponding Graph permission was not granted at install time (e.g., `UserAuthenticationMethod.ReadWrite.All` is missing for password reset). Reconnect Entra and re-grant the full permission set.
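To confirm that the consent granted at step 4 of **Connect Entra ID** matches the documented list, and to pin down which missing scope is behind an "Insufficient privileges" error, here is an added example (not Siit's code) that compares the scopes on the Siit service principal's tenant-wide `oauth2PermissionGrant` with the permission set above. The Graph endpoint and object shape are real; the object ids and the response body are constructed placeholders.

```python
# Added example (not Siit's code): check the Graph scopes admin-consented for the
# Siit Enterprise Application against the set documented on this page. Real data:
# GET /v1.0/oauth2PermissionGrants?$filter=clientId eq '<siit-sp-object-id>'

# Documented permission set, mapped to the actions that depend on it.
EXPECTED_SCOPES = {
    "User.Read.All": "read user profiles",
    "Group.Read.All": "read groups",
    "GroupMember.ReadWrite.All": "manage group memberships",
    "Directory.Read.All": "read org structure",
    "Application.Read.All": "read Enterprise Applications",
    "User.ReadWrite.All": "block/unblock sign-in, reset password",
    "UserAuthenticationMethod.ReadWrite.All": "MFA / password actions",
}

# Constructed sample of a Graph oauth2PermissionGrants response (ids are
# placeholders): one documented scope is absent, one broader scope is extra.
SAMPLE_GRANTS = {"value": [{
    "clientId": "SIIT-SP-OBJECT-ID-PLACEHOLDER",
    "resourceId": "GRAPH-SP-OBJECT-ID-PLACEHOLDER",
    "consentType": "AllPrincipals",  # tenant-wide admin consent
    "scope": "User.Read.All Group.Read.All GroupMember.ReadWrite.All "
             "Directory.Read.All Application.Read.All User.ReadWrite.All "
             "Directory.ReadWrite.All",
}]}


def audit_grants(grants: dict, expected: dict = EXPECTED_SCOPES) -> dict:
    """Return the documented scopes that are missing and the granted ones that
    are not documented. Only tenant-wide ("AllPrincipals") consent counts: a
    per-user ("Principal") grant would not let Siit act on other users."""
    granted: set[str] = set()
    for grant in grants.get("value", []):
        if grant.get("consentType") == "AllPrincipals":
            granted.update(grant.get("scope", "").split())
    return {"missing": sorted(set(expected) - granted),
            "extra": sorted(granted - set(expected))}


def explain(result: dict, expected: dict = EXPECTED_SCOPES) -> list[str]:
    """One finding per problem scope, naming the actions it affects."""
    out = [f"missing {s}: '{expected[s]}' actions fail with Insufficient privileges"
           for s in result["missing"]]
    out += [f"extra {s}: needed by no documented action, review before keeping"
            for s in result["extra"]]
    return out


if __name__ == "__main__":
    for finding in explain(audit_grants(SAMPLE_GRANTS)):
        print(finding)
```

Run it against the real response for your tenant to see which action-backing scope a reconnect has to restore, and which extra scopes a least-privilege review should question.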

**Users missing from Siit.** Check whether guest accounts and deactivated users are excluded (they are, by default). Adjust the filter in **Settings → Integrations → Microsoft Entra ID** if needed.

**Group not available as a target.** The group may be out of scope, or it's a distribution group that doesn't support programmatic membership management via Graph. Check group type in Entra.

**Connection shows as "needs reauthorization".** An admin revoked the Siit Enterprise Application's consent, or a conditional access policy is blocking the token refresh. Reconnect the integration.
