Connecting Microsoft 365 to Drata as your Identity Provider (IdP) connection synchronizes and provisions accounts for all of your company's personnel. It is often the first integration to complete, because compliance monitoring of personnel depends on it.
Key Capabilities
Identity synchronization: Automatically imports user accounts and group memberships from Microsoft 365.
Automated access monitoring: Enables Drata to validate identity, MFA, and email uniqueness requirements.
Compliance readiness: Gathers identity evidence to support access control and identity management testing.
Prerequisites & Data Access
Admin Access:
Ensure that the email domain of your company's Microsoft 365 Global Admin account matches the email domain used during the initial Drata tenant setup.
Ensure you have access to your company's Microsoft 365 Global Admin account.
Domain Requirements:
Personnel with the same email domain as the domain used to connect the IdP are synced.
Personnel with a different email domain are not synced. If you need to sync multiple email domains, please contact our Technical Support team.
Permissions & Data Table
Permission/Scope | Why It’s Needed | Data Accessed (Read Only) |
Directory.Read.All | Reads directory objects for personnel sync | User and group metadata |
Reports.Read.All | Retrieves audit and activity reports | Login and access reports |
User.Read.All | Reads user profiles and basic information | Personnel records and identity details |
Policy.Read.All | Reads policy settings applied to users | Security and compliance policy configurations |
AuditLog.Read.All | Reads audit logs for compliance events | Access and authentication activity |
Step-by-Step Setup
Step 1: Prepare Microsoft 365
Ensure you are logged in as a Global Admin in your Microsoft 365 tenant.
Confirm that the email domain used for the Global Admin matches the one used for your Drata tenant setup.
Step 2: Connect Microsoft 365 to Drata
In Drata, go to Connections from the side navigation menu.
Select the Available Connections tab.
Search for Microsoft 365 and click Connect.
In the connection drawer, choose which personnel to sync:
Everyone: Sync all users from your Microsoft 365 directory.
Only people from specific groups: Enter the Group Object ID for selective sync.
For complex conditions, use Microsoft’s Dynamic Groups feature.
Click Connect your Microsoft 365 account.
Drata will prompt you to authenticate and grant permissions through Microsoft Graph.
Step 3: Review Required Permissions
When you authenticate, Drata creates an enterprise application in your Microsoft tenant with the scopes and permissions listed below. You need both the Microsoft 365 Global Admin role and a Drata Admin role to grant this consent.
When connecting, Drata requests the following read-only Microsoft Graph scopes:
Directory.Read.All
Reports.Read.All
User.Read.All
Policy.Read.All
AuditLog.Read.All
These scopes provide the necessary read-access for user synchronization and compliance evidence collection without granting write or modification capabilities.
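The permissions table and the consent screen above both promise a read-only footprint, but consent grants can drift over time (an admin re-consents with extra scopes, or a user consents individually). The following is an added example, not Drata's or Microsoft's code, that audits the delegated Microsoft Graph grants recorded for the enterprise application against the five scopes this page lists. The sample Graph responses are constructed for illustration and the GUIDs are placeholders; `fetch_grants` shows the real Graph call but needs a live token and is not exercised here. Application-permission assignments (appRoleAssignments, keyed by role GUID) are a separate object type and are not covered by this check.

```python
"""Audit delegated Microsoft Graph scopes granted to an enterprise app.

Added example (not Drata's code). Compares the oauth2PermissionGrants
recorded for a service principal with the read-only scope set listed on
this page and flags drift: missing scopes, extra scopes, anything that
implies write access, and grants made by an individual user rather than
tenant-wide admin consent.
"""
import json
import urllib.request

# The five read-only scopes the page says Drata requests.
EXPECTED_SCOPES = frozenset({
    "Directory.Read.All",
    "Reports.Read.All",
    "User.Read.All",
    "Policy.Read.All",
    "AuditLog.Read.All",
})

# Substrings that indicate a scope is not read-only (assumed heuristic).
WRITE_MARKERS = ("Write", "Send", "AccessAsUser", "Manage")

# Constructed sample in the shape of
# GET /v1.0/oauth2PermissionGrants?$filter=clientId eq '{servicePrincipalId}'
# All ids are placeholders, not real tenant values.
SAMPLE_GRANTS = json.dumps({
    "value": [
        {
            "clientId": "00000000-0000-0000-0000-000000000001",
            "consentType": "AllPrincipals",   # tenant-wide admin consent
            "principalId": None,
            "resourceId": "00000000-0000-0000-0000-0000000000aa",
            "scope": "Directory.Read.All Reports.Read.All User.Read.All "
                     "Policy.Read.All AuditLog.Read.All",
        }
    ]
})

# Constructed drifted sample: an extra write scope consented by one user.
SAMPLE_DRIFTED = json.dumps({
    "value": [
        json.loads(SAMPLE_GRANTS)["value"][0],
        {
            "clientId": "00000000-0000-0000-0000-000000000001",
            "consentType": "Principal",       # a single user consented
            "principalId": "00000000-0000-0000-0000-0000000000bb",
            "resourceId": "00000000-0000-0000-0000-0000000000aa",
            "scope": "Group.ReadWrite.All",
        },
    ]
})


def is_write_scope(scope):
    """True if the scope name implies modify/send ability rather than read."""
    return any(marker in scope for marker in WRITE_MARKERS)


def audit_grants(grants_json, expected=EXPECTED_SCOPES):
    """Parse an oauth2PermissionGrants response and report drift."""
    grants = json.loads(grants_json)["value"]
    granted = set()
    non_admin_consent = []
    for grant in grants:
        # 'scope' is a space-separated list of delegated permission names.
        granted.update(grant.get("scope", "").split())
        if grant.get("consentType") != "AllPrincipals":
            non_admin_consent.append(grant.get("principalId"))
    return {
        "granted": sorted(granted),
        "missing": sorted(expected - granted),
        "unexpected": sorted(granted - expected),
        "write_capable": sorted(s for s in granted if is_write_scope(s)),
        "non_admin_consent": non_admin_consent,
        "ok": granted == set(expected) and not non_admin_consent,
    }


def fetch_grants(access_token, service_principal_id):
    """Fetch live grants for a service principal (needs a Graph token with
    Directory.Read.All or Application.Read.All; not run in this example)."""
    url = ("https://graph.microsoft.com/v1.0/oauth2PermissionGrants"
           f"?$filter=clientId eq '{service_principal_id}'")
    req = urllib.request.Request(
        url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_GRANTS), ("drifted", SAMPLE_DRIFTED)):
        print(label, json.dumps(audit_grants(sample), indent=2))
```

To run against your tenant, obtain the Drata service principal's object ID from Enterprise applications in the Microsoft Entra admin center and pass it with a Graph token to `fetch_grants`, then feed the response to `audit_grants`. Any non-empty `unexpected`, `write_capable` or `non_admin_consent` entry is worth reviewing before treating the connection as read-only evidence collection.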
Complete the Connection
In Drata’s Connections page, confirm the following configuration details:
Drata Field | Microsoft 365 Value |
Sync Scope | Everyone, or the Group Object ID(s) you selected in Step 2 |
For steps on accessing and using the Connections page in Drata, refer to The Connections Page in Drata.
Government Support for Microsoft 365 GCC High
Note: The Microsoft 365 GCC High integration supports Identity Provider sync, Authentication, and User Access Reviews (UAR), including Enterprise Applications, with the same functionality as the commercial Microsoft 365 integration.
Drata supports Microsoft 365 GCC High as your Identity Provider connection. See the image below for the usage standards of the various Microsoft 365 identity offerings.
Monitoring tests covered
Test 86: MFA on Identity Provider
Test 96: Employees have Unique Email Accounts
Test 97: Verifying Azure Permission Configurations
