Connecting Microsoft 365 to Drata as an identity provider (IdP) connection synchronizes and provisions accounts for all of your company's personnel. It is typically the first integration to complete, because compliance monitoring of personnel depends on it.
Key Capabilities
Identity synchronization: Automatically imports user accounts and group memberships from Microsoft 365.
Automated access monitoring: Enables Drata to validate identity, MFA, and email uniqueness requirements.
Compliance readiness: Gathers identity evidence to support access control and identity management testing.
Prerequisites & Data Access
Admin Access:
Ensure your company’s Microsoft 365 Global Admin account’s email domain matches the domain used during the initial Drata tenant setup.
Ensure you have access to your company's Microsoft 365 Global Admin account.
Domain Matching
If your organization uses multiple email domains, contact Drata Support to have multi-domain syncing enabled.
Group-based sync:
If syncing only specific groups, you must have one or more Microsoft 365 groups created in Microsoft Entra ID (formerly Azure AD).
You will need the Group Object ID for each group you want to sync.
To find this, go to the Azure portal → Entra ID → Groups → Select a group → Copy the Object ID.
Permissions & Data Table
Permission/Scope | Why It's Needed | Data Accessed (Read Only)
Directory.Read.All | Reads directory objects for personnel sync | User and group metadata
Reports.Read.All | Retrieves audit and activity reports | Login and access reports
User.Read.All | Reads every user's profile and basic information | Personnel records and identity details
User.Read | Basic sign-in scope; reads only the signed-in user's own profile when a person authenticates to Drata | The authenticating user's profile
Policy.Read.All | Reads policy settings applied to users | Security and compliance policy configurations
AuditLog.Read.All | Reads audit logs for compliance events | Access and authentication activity
Step-by-Step Setup
Step 1: Find Group Object ID in Azure Entra ID
To sync only specific groups, you’ll need the Group Object ID from Microsoft 365:
Go to the Azure portal.
Navigate to Entra ID → Groups.
Select the group you want to sync.
Copy the Object ID from the group’s overview page.
Paste this value into the Only people from specific groups field in Drata.
Step 2: Prepare Microsoft 365
Ensure you are logged in as a Global Admin in your Microsoft 365 tenant.
Confirm that the email domain used for the Global Admin matches the one used for your Drata tenant setup.
Step 3: Connect Microsoft 365 to Drata
In Drata, go to the Connections page
Search for and select Microsoft 365 within your available connections.
Start the connection process.
Choose which Microsoft 365 field Drata should use to match user accounts for sync and authentication:
UPN (User Principal Name): Recommended for most organizations. Uses the directory's unique sign-in identifier, which is usually, but not always, the same as the email address; it differs for guest accounts (whose UPN is rewritten to the #EXT# form) and for users whose primary SMTP address is not their sign-in name.
Email Address: Maps users by the primary email address (the mail attribute). Use this when email is the preferred identity value, especially in multi-domain environments; every synced user must then have a populated and unique mail value.
Choose which personnel to sync:
Everyone: Sync all users from your Microsoft 365 directory.
Only people from specific groups: Enter the Group Object ID for selective sync. For membership based on user attributes, create an Entra ID dynamic membership group and enter its Object ID.
Drata will prompt you to authenticate and grant permissions through Microsoft Graph.
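Before choosing between UPN and Email Address, it is worth checking whether either attribute would leave users unmatched or ambiguous. The following is an added example, not Drata's or Microsoft's code: it runs over user objects of the shape Microsoft Graph returns from `GET /users?$select=id,userPrincipalName,mail,accountEnabled`, reports missing and duplicated values for each candidate attribute, and flags values outside the domains registered with the Drata tenant. The user records and the domain list are a constructed sample for a fictional tenant.

```python
"""Pre-check for the UPN vs. Email Address identity-mapping choice.

Added example; this is not Drata's or Microsoft's code. Input is a list of
Graph user objects (id, userPrincipalName, mail, accountEnabled). For each
candidate mapping attribute it reports users that would be unmatched (value
empty), ambiguous (same value on two users), or outside the Drata-registered
domains. SAMPLE_USERS and DRATA_DOMAINS are constructed, not real data.
"""
from collections import defaultdict

# Constructed sample of Graph user objects (fictional tenant).
SAMPLE_USERS = [
    {"id": "u1", "userPrincipalName": "alice@example.com", "mail": "alice@example.com", "accountEnabled": True},
    {"id": "u2", "userPrincipalName": "bob@example.com", "mail": "Bob@Example.com", "accountEnabled": True},
    # Guest account: Entra rewrites the UPN into the #EXT# form; mail keeps the home address.
    {"id": "u3", "userPrincipalName": "carol_example.net#EXT#@example.onmicrosoft.com", "mail": "carol@example.net", "accountEnabled": True},
    # Cloud-only account without a mailbox: mail is null.
    {"id": "u4", "userPrincipalName": "dave@example.com", "mail": None, "accountEnabled": True},
    # Service account whose mail attribute was pointed at another user's address.
    {"id": "u5", "userPrincipalName": "svc-scanner@example.onmicrosoft.com", "mail": "alice@example.com", "accountEnabled": True},
    {"id": "u6", "userPrincipalName": "erin@example.com", "mail": "erin@example.com", "accountEnabled": False},
]

# Domains used during Drata tenant setup (assumption for the sample).
DRATA_DOMAINS = {"example.com", "example.net"}


def normalize(value):
    """UPN and mail are case-insensitive in Entra ID; fold before comparing."""
    return value.strip().lower() if value else None


def audit_mapping(users, key, allowed_domains, include_disabled=False):
    """Check one candidate mapping attribute ('userPrincipalName' or 'mail').

    Returns a dict with:
      missing        - ids with no value for `key` (cannot be matched at all)
      collisions     - {value: [ids]} where two or more users share the value
      foreign_domain - [(id, value)] whose domain is not a Drata-registered domain
    """
    seen = defaultdict(list)
    missing, foreign = [], []
    for u in users:
        if not include_disabled and not u.get("accountEnabled", True):
            continue  # disabled accounts are skipped unless explicitly included
        value = normalize(u.get(key))
        if value is None:
            missing.append(u["id"])
            continue
        seen[value].append(u["id"])
        domain = value.rsplit("@", 1)[-1]
        if domain not in allowed_domains:
            foreign.append((u["id"], value))
    collisions = {v: ids for v, ids in seen.items() if len(ids) > 1}
    return {"missing": missing, "collisions": collisions, "foreign_domain": foreign}


def recommend_mapping(users, allowed_domains):
    """Pick the first attribute that matches every synced user unambiguously.

    Missing values and collisions are blocking: Drata could not tell the
    users apart, and Test 96 requires unique email accounts anyway.
    Out-of-domain values are reported, not blocking; those users usually
    belong in an excluded group or need multi-domain syncing enabled.
    """
    for key in ("userPrincipalName", "mail"):
        result = audit_mapping(users, key, allowed_domains)
        if not result["missing"] and not result["collisions"]:
            return key, result
    return None, None


if __name__ == "__main__":
    key, detail = recommend_mapping(SAMPLE_USERS, DRATA_DOMAINS)
    print("recommended mapping:", key)
    print("review before syncing:", detail["foreign_domain"])
```

On the sample, mail mapping fails (one user without a mailbox, two users sharing alice@example.com), so UPN is recommended; the guest and the service account surface as out-of-domain UPNs to exclude through group-based sync or to cover by enabling multi-domain syncing.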
Step 4: Review Required Permissions
Upon authentication, Drata creates its Enterprise Application in your Microsoft tenant with the scopes and permissions below. You must hold the Microsoft 365 Global Admin role and be a Drata Admin.
When connecting, Drata requests the following read-only Microsoft Graph scopes (plus User.Read, the basic sign-in scope listed in the permissions table above):
Directory.Read.All
Reports.Read.All
User.Read.All
Policy.Read.All
AuditLog.Read.All
These scopes provide the read access needed for user synchronization and compliance evidence collection and grant no write or modification capability. Because admin consent grants them for the whole organization, review the Enterprise Application's Permissions page in Entra ID after connecting to confirm that only these scopes were consented.
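After consent, the grants can be pulled from Microsoft Graph and compared against the documented list. The following is an added example, not Drata's code: it takes the two collections that hold an enterprise application's grants, `GET /servicePrincipals/{id}/oauth2PermissionGrants` (delegated scopes, space-separated in `scope`, with `consentType` AllPrincipals meaning organization-wide consent) and `GET /servicePrincipals/{id}/appRoleAssignments` (application permissions referenced by `appRoleId`, resolved through the Microsoft Graph service principal's `appRoles` list), and reports missing, unexpected and write-capable permissions. All responses in the block are constructed samples and the GUIDs are placeholders, not real Graph role IDs.

```python
"""Post-consent check of the permissions actually granted to the Drata
enterprise application in Microsoft Entra ID.

Added example; not Drata's code. The responses below are constructed
samples shaped like Graph's oauth2PermissionGrant, appRoleAssignment and
appRole objects; the GUIDs are placeholders, not real role IDs.
"""
import re

# The read-only scopes this page documents for the connection.
EXPECTED_SCOPES = {
    "User.Read", "Directory.Read.All", "Reports.Read.All",
    "User.Read.All", "Policy.Read.All", "AuditLog.Read.All",
}

# Naming convention of Graph permissions that can change data. Heuristic only;
# the authoritative result is the set difference against EXPECTED_SCOPES.
WRITE_PATTERN = re.compile(r"(ReadWrite|\.Write|Manage|FullControl|\.Send)")

# Constructed sample: one org-wide delegated grant carrying an extra scope
# nobody asked for, and one application-permission assignment.
SAMPLE_OAUTH2_GRANTS = [
    {
        "clientId": "sp-drata-placeholder",
        "consentType": "AllPrincipals",
        "principalId": None,
        "resourceId": "sp-graph-placeholder",
        "scope": "User.Read Directory.Read.All Reports.Read.All User.Read.All "
                 "Policy.Read.All AuditLog.Read.All Group.ReadWrite.All",
    }
]
SAMPLE_APP_ROLE_ASSIGNMENTS = [
    {"appRoleId": "00000000-0000-0000-0000-00000000000a",
     "resourceId": "sp-graph-placeholder"}
]
# Placeholder slice of the Microsoft Graph service principal's appRoles list.
SAMPLE_GRAPH_APP_ROLES = [
    {"id": "00000000-0000-0000-0000-00000000000a", "value": "Directory.Read.All"},
    {"id": "00000000-0000-0000-0000-00000000000b", "value": "User.ReadWrite.All"},
]


def delegated_scopes(grants):
    """Flatten oauth2PermissionGrants into the set of delegated scope names."""
    scopes = set()
    for g in grants:
        scopes.update(g.get("scope", "").split())
    return scopes


def application_permissions(assignments, graph_app_roles):
    """Resolve appRoleId references to permission names."""
    by_id = {r["id"]: r["value"] for r in graph_app_roles}
    return {by_id.get(a["appRoleId"], f"unknown:{a['appRoleId']}") for a in assignments}


def org_wide_consent(grants):
    """True when every delegated grant was consented on behalf of all principals."""
    return bool(grants) and all(g.get("consentType") == "AllPrincipals" for g in grants)


def audit_grants(grants, assignments, graph_app_roles, expected=EXPECTED_SCOPES):
    """Compare the granted permission set with the documented one."""
    granted = delegated_scopes(grants) | application_permissions(assignments, graph_app_roles)
    return {
        "missing": sorted(expected - granted),
        "unexpected": sorted(granted - expected),
        "write_capable": sorted(s for s in granted if WRITE_PATTERN.search(s)),
        "org_wide_consent": org_wide_consent(grants),
    }


if __name__ == "__main__":
    report = audit_grants(SAMPLE_OAUTH2_GRANTS, SAMPLE_APP_ROLE_ASSIGNMENTS, SAMPLE_GRAPH_APP_ROLES)
    for name, value in report.items():
        print(f"{name}: {value}")
```

On the sample, nothing documented is missing and consent is organization-wide, but Group.ReadWrite.All shows up as both unexpected and write-capable; that is the kind of grant to revoke on the Enterprise Application's Permissions page before relying on the connection as read-only evidence.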
Update Identity Mapping After Connection
You can change whether an existing Microsoft 365 connection maps identities by UPN or by Email Address directly from the Drata interface.
To update the identity mapping:
In Drata, navigate to Connections.
Select your Microsoft 365 connection and edit the setup details.
Update the User Identity Mapping field to either UPN or Email Address.
Save your changes to apply the updated mapping.
Grant Microsoft 365 Organization Consent (Required)
If personnel encounter an "Approval required" message when signing in, your Microsoft 365 admin must complete the organization consent step. Refer to Microsoft's documentation on admin consent for details.
If the consent screen does not appear, the admin should:
Log out of Drata and log back in using the same Microsoft 365 admin account, or
Open Drata in an incognito/private window and restart the connection flow.
This creates a fresh Microsoft 365 session, which ensures the “Consent on behalf of your organization” screen appears as expected. Once the consent is approved, the Microsoft 365 connection will complete successfully and users will be able to log in.
Government Support for Microsoft 365 GCC High
Note: The Microsoft 365 GCC High integration supports Identity Provider sync, Authentication, and User Access Reviews (UAR), including Enterprise Applications, with the same functionality as the commercial Microsoft 365 integration.
Drata supports Microsoft 365 GCC High for your Identity Provider Connection. The page's comparison image of the Microsoft 365 identity solutions and their usage standards is not reproduced here.
Monitoring tests covered
Test 86: MFA on Identity Provider
Test 96: Employees have Unique Email Accounts
Test 97: Verifying Azure Permission Configurations