Azure Connection

Connect Azure (Microsoft Entra) to perform streamlined access reviews and automate evidence collection for infrastructure security controls.

Updated over 3 months ago

Note: Microsoft Azure Active Directory was renamed to Microsoft Entra. To learn more, go to Microsoft’s documentation, New name for Azure Active Directory.

This integration allows Drata to import personnel from Azure to perform streamlined access reviews and automate evidence collection for your infrastructure security controls.

The next few sections cover how to configure and how to verify a successful connection.

Prerequisites

  • Make sure you are logged into your company’s Microsoft Entra tenant with the Global Administrator Microsoft Entra role.

  • If you want to connect multiple Microsoft subscriptions, you’ll need to set up an integration for each one.

    • To find your subscription ID, go to Microsoft's documentation about Azure subscription.

    • The same member can be synced through multiple connections.

  • You can limit or customize who is synced into Drata.

    • To learn more about Microsoft's group settings and group object ID, go to Microsoft's Edit group settings.

    • Each member within the top level of a group is synced. Nested groups are synced as one individual. Individual members of any nested group are not synced.

    • For more complex group membership, refer to Microsoft's dynamic group feature.

Enable Azure integration in Drata

  1. In Drata, go to the Connections page.

  2. Search for Azure and select Connect to access the connection drawer.

    • Azure is listed under User access review connection type or the Infrastructure connection type.

  3. On the connection drawer, you can enable Infrastructure or User Access Review, enter the required fields: Tenant ID, Application ID, Application Secret (Value), and Subscription ID, and configure who you would like to sync into Drata from Azure.

The following sections of this article correspond to the instructions on the connection drawer. Each section goes into more depth, pointing you to the relevant Microsoft resources and listing the configuration requirements.

  1. Register a new Drata App

  2. Create a client secret for your new Drata App

  3. Add five read-only permissions to your new Drata App

  4. Add a role to your company’s Entra subscription


Step 1: Register a new Drata App

You must connect a registered application with the specific configurations to Drata. To learn how to register an app on Microsoft with the required configurations and how to connect that application to Drata, continue on.

In Microsoft, register a new application

  1. Go to Microsoft’s Entra portal and log in.

  2. Refer to Microsoft’s documentation on how to register an application. When registering the application, ensure that the fields have the following values.

    • Application name: Enter "Drata Entra App".

    • Supported account types: Select "Accounts in this organizational directory only".

    • Redirect URL: Leave blank.

  3. Copy the Application (client) ID and Directory (tenant) ID.

Connect the application to Drata

After completing registration in Microsoft, enter the values you copied into the following fields in Drata:

  • Tenant ID: Enter the Entra’s Directory (tenant) ID.

  • Application ID: Enter the Entra’s Application (client) ID.

Step 2: Create a client secret for your new Drata App

When creating the client secret, in the final steps, ensure you copy the secret value and not the secret ID.

Next, you’ll need to create a client secret for your new app in Microsoft to use as an identity for your app:

  1. Follow Microsoft’s documentation on how to add a client secret.

    • Description: Enter "Drata application secret".

    • Expiration: Select 24 Months.

      • Note: The integration gets disconnected when the secret expires, so we recommend setting a reminder to ensure it stays active.

  2. After adding your client secret, copy the secret’s Value.

    • Ensure that you did not copy the Secret ID.

  3. Refresh Microsoft's Certificates & secrets page for the app.

    • Note: Microsoft holds the client secret in a pending state until the page is refreshed.

Connect the client secret to Drata

Back in Drata, paste the secret value you copied into the Application Secret field.

Ensure that you refreshed Microsoft's Certificates & secrets page. The client secret remains in a pending state until the page is refreshed.


Step 3: Add five read-only permissions to your new Drata App

To learn more about Microsoft's read-only permissions, refer to Microsoft’s documentation: Application permission to Microsoft Graph.

  1. Access the Microsoft’s API Permissions page.

    • To access the API permissions page: on the overview page of your newly registered app, in the left sidebar under Manage, select API permissions.

  2. Select + Add a permission.

  3. Select Microsoft Graph and then Application permissions.

  4. Add the five permissions. In the search box, search for each of the following permissions, expand its group, and select the option:

    • User.Read.All: expand User and select User.Read.All.

    • Reports.Read.All: expand Reports and select Reports.Read.All.

    • Directory.Read.All: expand Directory and select Directory.Read.All.

    • Policy.Read.All: expand Policy and select Policy.Read.All.

    • AuditLog.Read.All: expand AuditLog and select AuditLog.Read.All.

  5. Select the Add permissions button.

  6. Grant admin consent to the newly added permissions by selecting Grant admin consent.

Microsoft includes the delegated User.Read permission by default when you register an application in Azure Active Directory, but Drata does not require it. To learn more about API permissions, refer to Microsoft Graph permissions reference - Microsoft Graph.
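A quick way to confirm that Step 2 and Step 3 took effect is to inspect what the tenant actually granted rather than what the portal shows. Application permissions that received admin consent appear in the `roles` claim of an access token issued to the Drata Entra App, and the secret's expiry date is visible in the `passwordCredentials` array of the application object in Microsoft Graph. The following script is an added example for this article and is not Drata's or Microsoft's code; it runs entirely offline on a constructed, unsigned sample token and a constructed credentials list, and the 30-day warning threshold and the placeholder IDs are assumptions rather than values from the article.

```python
import base64
import json
from datetime import datetime, timezone

# The five Microsoft Graph application permissions from Step 3 of this article.
REQUIRED_ROLES = frozenset({
    "User.Read.All",
    "Reports.Read.All",
    "Directory.Read.All",
    "Policy.Read.All",
    "AuditLog.Read.All",
})

# Assumed warning threshold (the article only recommends setting a reminder).
EXPIRY_WARNING_DAYS = 30


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT without checking its signature.

    Intended only for inspecting a token you obtained yourself for the app
    (client-credentials flow) to see which app roles were granted; it performs
    no validation and must not be used to decide whether to trust a token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def missing_roles(claims: dict, required=REQUIRED_ROLES) -> set:
    """Required app roles absent from the token's 'roles' claim.

    An empty result means all five permissions were added and admin consent
    was granted (roles only appear in the token after consent)."""
    return set(required) - set(claims.get("roles", []))


def secret_days_remaining(password_credentials: list, now: datetime) -> dict:
    """Map each client secret (displayName, or keyId if unnamed) to whole days
    until its endDateTime, as returned in the application object's
    passwordCredentials array (GET /applications/{object-id})."""
    out = {}
    for cred in password_credentials:
        end = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
        out[cred.get("displayName") or cred["keyId"]] = (end - now).days
    return out


def secrets_needing_attention(password_credentials: list, now: datetime,
                              warn_days: int = EXPIRY_WARNING_DAYS) -> list:
    """Sorted names of secrets that are expired or expire within warn_days."""
    remaining = secret_days_remaining(password_credentials, now)
    return sorted(name for name, days in remaining.items() if days <= warn_days)


def _unsigned_jwt(claims: dict) -> str:
    # Builds a constructed, unsigned sample token so the example runs offline.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample: consent was granted for only four of the five roles.
SAMPLE_TOKEN = _unsigned_jwt({
    "aud": "https://graph.microsoft.com",
    "appid": "00000000-0000-0000-0000-000000000000",  # placeholder application (client) ID
    "roles": ["User.Read.All", "Reports.Read.All", "Directory.Read.All", "AuditLog.Read.All"],
})

# Constructed sample of an application's passwordCredentials array (placeholder keyIds).
SAMPLE_CREDENTIALS = [
    {"displayName": "Drata application secret", "keyId": "placeholder-key-1",
     "endDateTime": "2026-12-01T00:00:00Z"},
    {"displayName": "old secret", "keyId": "placeholder-key-2",
     "endDateTime": "2025-01-10T00:00:00Z"},
]
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("missing roles:", missing_roles(decode_jwt_payload(SAMPLE_TOKEN)))
    print("days remaining:", secret_days_remaining(SAMPLE_CREDENTIALS, SAMPLE_NOW))
    print("needs attention:", secrets_needing_attention(SAMPLE_CREDENTIALS, SAMPLE_NOW))
```

On the sample data the script reports Policy.Read.All as missing, which is the typical symptom of a permission that was added but never received admin consent, and flags "old secret" because it expires within the threshold. With a real token and a real application object the same functions tell you whether the integration will work before you save the connection drawer, and they make a good scheduled check for the secret-expiry reminder the article recommends.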

Step 4: Add a role to your company’s Entra subscription

Learn how to add a role to your company's Entra subscription and how to connect that subscription to Drata.

Connect your company's Entra subscription to Drata

  1. Go to the Subscriptions page, select your company’s Entra subscription, and copy the Subscription ID.

  2. Paste the Subscription ID into the Subscription ID field in Drata.

Add a role to your company's Entra subscription

You will add a role and then configure who can access the role.

  1. Go to the Add role assignment page and add the Reader role.

  2. Allow the Drata Entra App to have access to the created role. Refer to Microsoft’s documentation to learn how to select who needs access (skip steps 5-9, since Drata does not manage identities).

    • Assign access to: select User, group, or service principal.

    • Members: Select + Select Members and enter “Drata Entra App”.

Choose who you want to bring into Drata from this infrastructure provider

In Drata, you can select who you would like to sync from Azure.

Select Everyone if you would like to sync members in Azure.

Select Only people from specific groups if you would like to select the members you want to sync. Enter the group's object ID. To learn more about Microsoft's group settings and group object ID, go to Microsoft's Edit group settings.

  • Note: Each member within the top level of a group is synced. Nested groups are synced as one individual. Individual members of any nested group are not synced. For more complex group membership, refer to Microsoft's dynamic group feature.
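The nesting rule above is easy to misread, so the following script previews what it means for a concrete set of groups: each user at the top level of a selected group is included, a nested group shows up as a single entry, and the people inside that nested group are not reached at all. This is an added example for this article, not Drata's sync logic; the group and user object IDs are placeholders, the member lists are a constructed stand-in for what GET /groups/{group-object-id}/members returns (only the fields used here), and the choices to deduplicate by object ID across several selected groups and to skip non-user, non-group members such as service principals are assumptions, not statements from the article.

```python
# Constructed sample of GET /groups/{id}/members responses, keyed by group object ID.
# All IDs are placeholders; "Contractors" is a group nested inside "group-eng".
SAMPLE_GROUP_MEMBERS = {
    "group-eng-placeholder": [
        {"@odata.type": "#microsoft.graph.user", "id": "u-1",
         "displayName": "Ada", "userPrincipalName": "ada@example.com"},
        {"@odata.type": "#microsoft.graph.user", "id": "u-2",
         "displayName": "Grace", "userPrincipalName": "grace@example.com"},
        {"@odata.type": "#microsoft.graph.group", "id": "group-contractors-placeholder",
         "displayName": "Contractors"},
    ],
    "group-contractors-placeholder": [
        {"@odata.type": "#microsoft.graph.user", "id": "u-3",
         "displayName": "Linus", "userPrincipalName": "linus@example.com"},
    ],
    "group-sec-placeholder": [
        {"@odata.type": "#microsoft.graph.user", "id": "u-2",
         "displayName": "Grace", "userPrincipalName": "grace@example.com"},
        {"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp-1",
         "displayName": "build-bot"},
    ],
}


def _kind(member: dict) -> str:
    # "#microsoft.graph.user" -> "user", "#microsoft.graph.group" -> "group", ...
    return member["@odata.type"].rsplit(".", 1)[-1]


def preview_sync(selected_group_ids, members_by_group) -> dict:
    """Map object ID -> label for everything the article's rule would sync
    when the given groups are entered under 'Only people from specific groups'."""
    synced = {}
    for gid in selected_group_ids:
        for member in members_by_group.get(gid, []):
            kind = _kind(member)
            if kind == "user":
                # Top-level user: synced (deduplicated by object ID; assumption).
                synced[member["id"]] = member["userPrincipalName"]
            elif kind == "group":
                # Nested group: synced as one individual, members not expanded.
                synced[member["id"]] = f"{member['displayName']} (nested group, one entry)"
            # Other member types (e.g. service principals) are skipped: assumption.
    return synced


def users_hidden_in_nested_groups(selected_group_ids, members_by_group) -> set:
    """UPNs of users one level down inside nested groups who would NOT be synced.

    These are the people an admin would need a flattened or dynamic group for."""
    reached = preview_sync(selected_group_ids, members_by_group)
    hidden = set()
    for gid in selected_group_ids:
        for member in members_by_group.get(gid, []):
            if _kind(member) != "group":
                continue
            for inner in members_by_group.get(member["id"], []):
                if _kind(inner) == "user" and inner["id"] not in reached:
                    hidden.add(inner["userPrincipalName"])
    return hidden


if __name__ == "__main__":
    selected = ["group-eng-placeholder", "group-sec-placeholder"]
    for oid, label in preview_sync(selected, SAMPLE_GROUP_MEMBERS).items():
        print(f"synced  {oid:32} {label}")
    for upn in sorted(users_hidden_in_nested_groups(selected, SAMPLE_GROUP_MEMBERS)):
        print(f"hidden  {upn}")
```

Run against the sample, the preview lists Ada, Grace (once, although she is in both groups) and a single "Contractors" entry, while Linus is reported as hidden because he is only reachable through the nested group. Pointing the same two functions at real Graph responses for your selected group object IDs shows, before the first sync, exactly who will and will not appear in Drata.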

Monitoring tests covered
