
This guide walks you through creating an Entra ID application and service principal, and gathering the configuration needed to create an Entra ID integration.

Create an Entra ID Application and Service Principal

Before you begin, please make sure your Entra ID tenant has a P1 or P2 premium subscription. If your tenant does not support advanced query capabilities (for example, Azure AD B2C tenants), filtering-related functionality may not work correctly.

The Query Risk Events and Query Risky Users operations surface Microsoft Entra ID Protection data, which requires an Entra ID P2 license on the tenant. Tenants without P2 can still use the rest of this integration; only Query Risk Events and Query Risky Users will return no data.

1. Create an application and service principal

Follow the Microsoft documentation to create a Microsoft Entra application and service principal that can access resources. Since there is no need for users to sign in to this application directly, you can choose ‘Single-page application (SPA)’ for the redirect URI and leave it blank.

Once your Entra ID Application is created you will see your ‘Application (client) ID’ and the ‘Directory (tenant) ID’ on the Overview tab. Copy these values to a safe location.

2. Create an application client secret

Navigate to Manage > Certificates and secrets and add a new client secret.

Copy the secret to a safe location beside your client ID and tenant ID. You will not have access to the secret value again.

3. Assign application permissions

Follow the Microsoft documentation to assign app roles to the application. You will need to grant admin consent before these roles are fully available for use.

Assign these ‘Application’ roles in the ‘Microsoft Graph API’ section:

  • AuditLog.Read.All
  • Directory.Read.All
  • Group.ReadWrite.All
  • GroupMember.ReadWrite.All
  • RoleManagementPolicy.Read
  • User.Read
  • User.ReadWrite.All
  • UserAuthenticationMethod.ReadWrite.All
  • IdentityRiskEvent.Read.All (required only for Query Risk Events; Entra ID P2 tenant required)
  • IdentityRiskyUser.Read.All (required only for Query Risky Users; Entra ID P2 tenant required)

Configure the Integration

Create your integration by supplying all of the required and any desired optional values.

URL (Optional) Leave this blank to use the default graph URL. If you are using an alternate or special deployment of the Microsoft Graph API, find the correct URL for your deployment. This is the root URL without any paths included. For example 'https://graph.microsoft.com/'.

Tenant ID This is the 'Directory (tenant) ID' gathered in step 1.

Token URL (Optional) Leave this blank to use the default login URL. If you are using an alternate or special deployment of the Microsoft Graph API, find the correct URL for your deployment. This is the full token endpoint URL with your tenant ID included. For example 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/token'.

Client ID This is the 'Application (client) ID' gathered in step 1.

Client Secret This is the client secret gathered in step 2.
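The following Python script is an added example, not part of this guide or the integration's own code. It ties together the permission list from step 3 and the configuration fields above: it checks that the tenant ID and client ID look like GUIDs, that the Graph URL is a root URL without a path, that the token URL is the tenant-specific v2.0 endpoint, builds the OAuth2 client credentials request body that the integration would send (the `https://graph.microsoft.com/.default` scope is the standard way to request admin-consented application roles), and reports which required roles are missing and which P2-only operations would return no data. The sample configuration values are constructed placeholders; the assumption that an alternate Graph deployment uses `<root>/.default` as its scope is mine, not the guide's.

```python
"""Offline sanity checks for an Entra ID integration configuration (added example)."""
import re
from urllib.parse import urlparse

# RFC 4122 style GUID as shown on the Entra ID Overview tab.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")

# Application roles listed in step 3 that every deployment needs.
REQUIRED_ROLES = {
    "AuditLog.Read.All", "Directory.Read.All", "Group.ReadWrite.All",
    "GroupMember.ReadWrite.All", "RoleManagementPolicy.Read", "User.Read",
    "User.ReadWrite.All", "UserAuthenticationMethod.ReadWrite.All",
}
# P2-only roles and the single operation each one unlocks.
P2_ROLES = {
    "IdentityRiskEvent.Read.All": "Query Risk Events",
    "IdentityRiskyUser.Read.All": "Query Risky Users",
}

DEFAULT_GRAPH_URL = "https://graph.microsoft.com/"
DEFAULT_LOGIN_URL = "https://login.microsoftonline.com"


def build_token_url(tenant_id, login_base=DEFAULT_LOGIN_URL):
    """Default tenant-specific v2.0 token endpoint, as in the Token URL example."""
    return f"{login_base.rstrip('/')}/{tenant_id}/oauth2/v2.0/token"


def validate_config(cfg):
    """Return a list of configuration problems (empty list means the config looks usable)."""
    problems = []
    for key in ("tenant_id", "client_id"):
        if not GUID_RE.match(cfg.get(key, "")):
            problems.append(f"{key} is not a GUID")
    if not cfg.get("client_secret"):
        problems.append("client_secret is empty")

    # URL must be the Graph root: https scheme, a host, and no path or query.
    parsed = urlparse(cfg.get("url") or DEFAULT_GRAPH_URL)
    if parsed.scheme != "https" or not parsed.netloc:
        problems.append("url must be an https root URL")
    elif parsed.path not in ("", "/") or parsed.query:
        problems.append("url must be the root without any path")

    # Token URL must be the full endpoint and must embed this tenant's ID.
    token_url = cfg.get("token_url") or build_token_url(cfg.get("tenant_id", ""))
    if cfg.get("tenant_id") and cfg["tenant_id"] not in token_url:
        problems.append("token_url does not contain the tenant ID")
    if not token_url.endswith("/oauth2/v2.0/token"):
        problems.append("token_url is not a v2.0 token endpoint")
    return problems


def client_credentials_request(cfg):
    """Return (token_url, form fields) for the OAuth2 client credentials grant.

    Nothing is sent on the network. The '.default' scope asks for every application
    role that received admin consent in step 3. Using '<graph root>/.default' for a
    non-default Graph deployment is an assumption of this example.
    """
    graph_root = (cfg.get("url") or DEFAULT_GRAPH_URL).rstrip("/")
    token_url = cfg.get("token_url") or build_token_url(cfg["tenant_id"])
    form = {
        "grant_type": "client_credentials",
        "client_id": cfg["client_id"],
        "client_secret": cfg["client_secret"],
        "scope": f"{graph_root}/.default",
    }
    return token_url, form


def permission_report(granted_roles):
    """Compare granted application roles against step 3 and name the P2 operations that will be empty."""
    granted = set(granted_roles)
    return {
        "missing_required": sorted(REQUIRED_ROLES - granted),
        "unavailable_operations": sorted(op for role, op in P2_ROLES.items() if role not in granted),
    }


if __name__ == "__main__":
    # Constructed placeholder values; replace with the IDs copied from the Overview tab.
    sample = {
        "tenant_id": "00000000-0000-0000-0000-000000000000",
        "client_id": "11111111-1111-1111-1111-111111111111",
        "client_secret": "PLACEHOLDER-SECRET",
    }
    print("problems:", validate_config(sample))
    url, form = client_credentials_request(sample)
    print("POST", url, {k: ("***" if k == "client_secret" else v) for k, v in form.items()})
    print(permission_report(REQUIRED_ROLES))  # P1 tenant without the risk roles
```

The returned form is exactly what a `POST` to the token URL (for example with `requests.post(token_url, data=form)`) would carry; keep the secret out of logs, as the `__main__` block does when it prints the request.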