Connect Microsoft Entra ID¶
Step-by-step guide to connecting Microsoft Entra ID (formerly Azure AD) to Thalian for identity and access intelligence.
Prerequisites¶
- Microsoft 365 tenant with an Entra ID directory
- Global Administrator, or a Privileged Role Administrator, to authorize the OAuth consent. Several of the requested scopes (Directory.Read.All, AuditLog.Read.All, Policy.Read.All among them) require tenant-wide admin consent; a Global Reader can view the directory but cannot grant consent
Connect via OAuth¶
- Go to Integrations → Browse
- Find Microsoft Entra ID and click Connect
- Click Authorize with Microsoft
- Sign in with your Microsoft admin account
- Review the requested permissions. Thalian requests read-only scopes for directory data, sign-in logs and the other Microsoft services listed under Requested Permissions below, with one exception: ChannelMessage.Send is a write scope, reserved for future Teams alert delivery
- Click Accept to grant consent
- You'll be redirected back to Thalian — the integration is now connected
Scope Warnings¶
If your tenant policies restrict certain consent scopes, Thalian detects this and shows which features are degraded. You can reconnect at any time to grant additional permissions.
Requested Permissions¶
A single Microsoft OAuth consent covers Entra ID and all other Microsoft integrations (Intune, Outlook, SharePoint, Teams). Thalian requests the following scopes:
| Scope | Used by | Justification |
|---|---|---|
| User.Read.All | Entra ID | Enumerates all tenant users (names, departments, MFA status, account enabled/disabled) to build the identity inventory and risk scores |
| Directory.Read.All | Entra ID | Reads directory role assignments to classify admin vs. standard accounts and detect privilege escalation |
| AuditLog.Read.All | Entra ID | Ingests sign-in logs and directory audit events to detect risky sign-ins, impossible travel, MFA bypass, and privilege changes |
| Application.Read.All | Entra ID | Discovers enterprise app registrations and their role assignments to identify overprivileged or risky third-party OAuth apps |
| Policy.Read.All | Entra ID | Reads Conditional Access policies to detect report-only, disabled, or MFA-gap policies. CA rules stay silent until this scope is granted |
| DeviceManagementManagedDevices.Read.All | Intune | Pulls Intune-managed device inventory (OS version, compliance state, encryption status) for endpoint posture checks |
| Mail.Read | Outlook | Detects suspicious mailbox forwarding rules (a common exfiltration vector). Does not read email body/content |
| MailboxSettings.Read | Outlook | Reserved for future mailbox configuration analysis |
| Sites.Read.All | SharePoint | Reads SharePoint site metadata and external sharing settings to flag overshared or publicly accessible sites |
| ChannelMessage.Send | Teams | Reserved for future Teams alert delivery |
| Team.ReadBasic.All | Teams | Reserved for future Teams workspace enumeration |
| offline_access | All | Standard OAuth. Allows token refresh without re-prompting the admin |
| openid | All | Standard OIDC. Required to receive an id_token for tenant ID extraction |
| profile | All | Standard OIDC. Returns the admin's display name during initial connect |
| email | All | Standard OIDC. Returns the admin's email address during initial connect |

Two caveats for reviewers of this list. "Does not read email body/content" under Mail.Read describes what Thalian does, not what the scope allows: Mail.Read permits reading message content at the API level, so the restriction is a vendor commitment rather than a technical bound. Likewise, the scopes marked "reserved for future" (MailboxSettings.Read, ChannelMessage.Send, Team.ReadBasic.All) are consented now even though nothing uses them yet. Organizations that want the grant itself to enforce least privilege can use the API Credentials method below and add only the application permissions they intend to allow.
Alternative: API Credentials¶
If your organization restricts OAuth consent flows, you can connect using application credentials instead. This method grants only the two application permissions listed below, so only the features those two permissions unlock in the table above are available through it:
- Register an application in Entra ID → App registrations
- Under API permissions, add the Microsoft Graph application permissions Directory.Read.All and AuditLog.Read.All, then grant admin consent for them (application permissions have no effect until an administrator consents)
- Create a client secret; note its expiry date and plan its rotation
- In Thalian, select the API connection method
- Enter your Tenant ID, Client ID, and Client Secret (the secret's value, which the portal shows only once at creation, not its Secret ID)
- Click Save
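The API-credentials procedure above, together with the Scope Warnings check earlier on this page, can be exercised end to end with a short script. The following Python is an added example written for this page, not Thalian's or Microsoft's code: it requests a token from the Entra ID v2.0 token endpoint with the client-credentials grant, decodes the token payload, and reports which permissions from a required list are missing, using the permission-to-feature mapping from the Requested Permissions table. Function names such as `acquire_app_token` and `scope_warnings` and the constant `FEATURES_BY_PERMISSION` are this example's own; the `http_post` parameter exists so the network call can be replaced by a stub; and `make_unsigned_token` builds a constructed, unsigned token for offline demonstration only. The endpoint URL, the grant parameters, the `.default` scope and the `roles`/`scp` claim names are Microsoft's documented ones.

```python
import base64
import json
import os
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, Set

GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default"

# Permission -> feature it unlocks, taken from the Requested Permissions table on this page.
FEATURES_BY_PERMISSION: Dict[str, str] = {
    "User.Read.All": "identity inventory and risk scores",
    "Directory.Read.All": "admin vs. standard account classification",
    "AuditLog.Read.All": "sign-in and directory audit detections",
    "Application.Read.All": "third-party OAuth app review",
    "Policy.Read.All": "Conditional Access rules",
    "DeviceManagementManagedDevices.Read.All": "Intune endpoint posture",
    "Mail.Read": "mailbox forwarding-rule detection",
    "Sites.Read.All": "SharePoint oversharing checks",
}


def token_request(tenant_id: str, client_id: str, client_secret: str):
    """Build the client-credentials request for the Entra ID v2.0 token endpoint."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        # .default asks for every application permission that has admin consent on the registration
        "scope": GRAPH_DEFAULT_SCOPE,
    }).encode()
    return url, body


def _urllib_post(url: str, body: bytes) -> dict:
    """Real HTTP transport (example helper); replaced by a stub when run offline."""
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def acquire_app_token(tenant_id: str, client_id: str, client_secret: str,
                      http_post: Callable[[str, bytes], dict] = _urllib_post) -> str:
    """Return an access token, or raise with Entra's error code (e.g. invalid_client for a wrong secret)."""
    url, body = token_request(tenant_id, client_id, client_secret)
    response = http_post(url, body)
    if "access_token" not in response:
        raise RuntimeError(f"{response.get('error')}: {response.get('error_description')}")
    return response["access_token"]


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(access_token: str) -> dict:
    """Return the JWT payload. The signature is deliberately not checked here: the client just
    received the token over TLS from the issuer, and Microsoft Graph validates it on every use."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(claims: dict) -> Set[str]:
    """Application permissions arrive in `roles` (a list); delegated scopes in `scp` (space-separated)."""
    granted = set(claims.get("roles", []))
    granted.update(claims.get("scp", "").split())
    return granted


def scope_warnings(claims: dict, required: Iterable[str]) -> Dict[str, str]:
    """Map each required permission the token lacks to the feature that will be degraded."""
    granted = granted_permissions(claims)
    return {p: FEATURES_BY_PERMISSION.get(p, "unknown feature")
            for p in required if p not in granted}


def make_unsigned_token(claims: dict) -> str:
    """Constructed, unsigned token for offline demonstration only; a resource must never accept one."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Offline demo: a constructed token carrying only the two API-credentials permissions.
    demo = make_unsigned_token({"aud": "https://graph.microsoft.com",
                                "roles": ["Directory.Read.All", "AuditLog.Read.All"]})
    stub_post = lambda url, body: {"token_type": "Bearer", "access_token": demo}
    token = acquire_app_token("tenant", "client", "secret", http_post=stub_post)
    for perm, feature in scope_warnings(token_claims(token), FEATURES_BY_PERMISSION).items():
        print(f"missing {perm}: {feature} will be degraded")
    # Live use: read the credentials from the environment, never hard-code the secret.
    if os.environ.get("CLIENT_SECRET"):
        live = acquire_app_token(os.environ["TENANT_ID"], os.environ["CLIENT_ID"], os.environ["CLIENT_SECRET"])
        print(sorted(granted_permissions(token_claims(live))))
```

Run against a real registration by exporting TENANT_ID, CLIENT_ID and CLIENT_SECRET; the printed set is exactly the `roles` Graph will honour, so an empty set after following the steps above usually means admin consent was never granted for the application permissions.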
What Thalian Syncs¶
- Users — full directory including status, last sign-in, and license assignments
- Groups — group memberships, dynamic groups, and role assignments
- Sign-in logs — successful and failed sign-ins with location and device details
- Enterprise apps — registered and consented applications
- Conditional access — policies and their current state (requires Policy.Read.All)
- Identity Protection — risky users list with risk level and last risk event details
- PIM role assignments — Privileged Identity Management permanent role assignments (vs. time-limited eligible assignments)
- Admin authentication methods — which authentication methods each admin account has registered, used to detect weak or absent MFA factors
- Guest invitation policy — org-level settings for who can invite external guests and whether guest accounts require MFA
No reconnection required for existing connections
All Phase 2 data (Identity Protection, PIM, admin auth methods, guest policy) is accessible with the scopes granted during initial OAuth setup. Existing Entra connections do not need to be reconnected.
For a full list of supported platforms, see Integrations Guide.