This guide walks you through creating an Entra ID application and service principal, and gathering the configuration needed to create an Entra ID integration.

## Create an Entra ID Application and Service Principal

Before you begin, please make sure your [Entra ID tenant](https://learn.microsoft.com/en-us/entra/fundamentals/create-new-tenant) has a [P1 or P2 premium subscription](https://learn.microsoft.com/en-us/entra/fundamentals/get-started-premium). If your tenant does not support [advanced query capabilities](https://learn.microsoft.com/en-us/graph/aad-advanced-queries?tabs=http#query-scenarios-that-require-advanced-query-capabilities) (for example, Azure AD B2C tenants), filtering-related functionality may not work correctly.

### 1. Create an application and service principal

Follow the Microsoft documentation to [create a Microsoft Entra application and service principal that can access resources](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal). Since there is no need for users to sign in to this application directly, you can choose ‘Single-page application (SPA)’ for the redirect URI and leave it blank.

Once your Entra ID application is created, you will see the ‘Application (client) ID’ and the ‘Directory (tenant) ID’ on the Overview tab. Copy these values to a safe location.

### 2. Create an application client secret

Navigate to **Manage** > **Certificates and secrets** and [add a new client secret](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal#option-3-create-a-new-client-secret). Copy the secret to a safe location beside your client ID and tenant ID. You will not have access to the secret value again.

### 3. Assign application permissions

Follow the Microsoft documentation to [assign app roles to the application](https://learn.microsoft.com/en-us/entra/identity-platform/howto-add-app-roles-in-apps#assign-app-roles-to-applications). You will need to grant admin consent before these roles are fully available for use.

Assign these ‘Application’ roles in the ‘Microsoft Graph API’ section:

- `AuditLog.Read.All`
- `Directory.Read.All`
- `Group.ReadWrite.All`
- `GroupMember.ReadWrite.All`
- `RoleManagementPolicy.Read`
- `User.Read`
- `User.ReadWrite.All`
- `UserAuthenticationMethod.ReadWrite.All`

## Configure the Integration

Create your integration by supplying all of the required and any desired optional values.

**URL (Optional)**

Leave this blank to use the default Graph URL. If you are using an alternate or [special deployment of the Microsoft Graph API](https://learn.microsoft.com/en-us/graph/deployments), find the correct URL for your deployment. This is the root URL without any path included, for example `https://graph.microsoft.com/`.

**Tenant ID**

This is the ‘Directory (tenant) ID’ gathered in step 1.

**Token URL (Optional)**

Leave this blank to use the default login URL. If you are using an alternate or [special deployment of the Microsoft Graph API](https://learn.microsoft.com/en-us/graph/deployments), find the correct URL for your deployment. This is the full token endpoint URL with your tenant ID included, for example `https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/token`.

**Client ID**

This is the ‘Application (client) ID’ gathered in step 1.

**Client Secret**

This is the client secret gathered in step 2.
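The following Python script is an added example, not part of this guide or of the integration's own code. It runs offline and checks the settings described above before they are handed to the integration: it validates the tenant and client IDs and the optional URL overrides (root Graph URL with no path; full v2.0 token endpoint containing the tenant ID), builds the OAuth 2.0 client credentials token request the integration would send, and inspects the `roles` claim of an access token to confirm that every Graph application permission listed in step 3 was assigned and admin-consented. All function names and the sample token are this example's own; the token is constructed inline with a placeholder signature segment, and the claim decoding is for local inspection only, not for trusting a token.

```python
"""Offline pre-flight checks for an Entra ID integration's settings (added example)."""
import base64
import json
import re
import urllib.parse

DEFAULT_GRAPH_URL = "https://graph.microsoft.com/"
DEFAULT_TOKEN_URL_TEMPLATE = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"

# Application permissions the guide asks you to assign in step 3.
REQUIRED_ROLES = frozenset({
    "AuditLog.Read.All", "Directory.Read.All", "Group.ReadWrite.All",
    "GroupMember.ReadWrite.All", "RoleManagementPolicy.Read", "User.Read",
    "User.ReadWrite.All", "UserAuthenticationMethod.ReadWrite.All",
})

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def validate_settings(tenant_id, client_id, graph_url=None, token_url=None):
    """Return a list of problems with the supplied settings (empty when all is well)."""
    problems = []
    if not GUID_RE.match(tenant_id):
        problems.append("tenant_id is not a GUID")
    if not GUID_RE.match(client_id):
        problems.append("client_id is not a GUID")
    if graph_url:
        p = urllib.parse.urlsplit(graph_url)
        # The guide wants the root URL only: https scheme, no path, query or fragment.
        if p.scheme != "https" or p.path not in ("", "/") or p.query or p.fragment:
            problems.append("graph_url must be an https root URL without a path")
    if token_url:
        p = urllib.parse.urlsplit(token_url)
        if p.scheme != "https":
            problems.append("token_url must use https")
        if tenant_id not in token_url:
            problems.append("token_url must include the tenant ID")
        if not p.path.endswith("/oauth2/v2.0/token"):
            problems.append("token_url must be the full v2.0 token endpoint")
    return problems


def build_token_request(tenant_id, client_id, client_secret, token_url=None, graph_url=None):
    """Build the client credentials POST the integration would send: (url, form fields).

    The `<resource>/.default` scope asks for every application permission granted
    to the app, which is how the assigned Graph roles end up in the token.
    """
    url = token_url or DEFAULT_TOKEN_URL_TEMPLATE.format(tenant_id=tenant_id)
    resource = (graph_url or DEFAULT_GRAPH_URL).rstrip("/")
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{resource}/.default",
    }
    return url, form


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token):
    """Return the payload claims of a compact JWT. No signature check: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(_b64url_decode(parts[1]))


def missing_roles(token, required=REQUIRED_ROLES):
    """Required roles absent from the token's `roles` claim, sorted.

    A non-empty result usually means a permission was not assigned, or admin
    consent has not been granted yet, so the integration will hit 403s later.
    """
    granted = set(decode_jwt_claims(token).get("roles", []))
    return sorted(required - granted)


def _make_sample_token(claims):
    """Constructed sample token for the demo only; real tokens are signed by Entra ID."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.signature-placeholder"


# Constructed sample: two of the eight required roles are missing from the grant.
SAMPLE_TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_CLIENT = "11111111-1111-1111-1111-111111111111"
SAMPLE_TOKEN = _make_sample_token({
    "aud": DEFAULT_GRAPH_URL, "tid": SAMPLE_TENANT, "appid": SAMPLE_CLIENT,
    "roles": sorted(REQUIRED_ROLES - {"RoleManagementPolicy.Read",
                                      "UserAuthenticationMethod.ReadWrite.All"}),
})

if __name__ == "__main__":
    print("settings problems:", validate_settings(SAMPLE_TENANT, SAMPLE_CLIENT))
    url, form = build_token_request(SAMPLE_TENANT, SAMPLE_CLIENT, "<client-secret-placeholder>")
    print("token endpoint:", url, "scope:", form["scope"])
    print("roles still to grant/consent:", missing_roles(SAMPLE_TOKEN))
```

Run the token-request part only after the settings validate cleanly, and run `missing_roles` on the token you actually get back from the token endpoint: an empty result confirms that step 3 (including admin consent) took effect before the integration starts calling Graph.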