At-a-Glance
What it does: Connects Microsoft Entra (Azure) with Drata to streamline access reviews and automate evidence collection.
Who it’s for: Security, compliance, and IT administrators managing user access and infrastructure security.
Directionality: Data is read-only and flows from Azure into Drata.
Note: Microsoft Azure Active Directory was renamed to Microsoft Entra. To learn more, go to Microsoft’s documentation, New name for Azure Active Directory.
Prerequisites & Data Access
Account / Role Needed:
Microsoft Entra tenant with the Global Administrator role
To register the Drata app, create client secrets, and grant Graph API permissions.
Access to Azure subscription(s) to assign the Reader role (and Key Vault Reader role for GCC High).
To assign the Reader role (and Key Vault Reader role in GCC High) to the Drata app.
Additional Notes:
If you want to connect multiple Microsoft subscriptions, set up an integration for each one.
To find your subscription ID, refer to Microsoft’s documentation.
The same member can be synced through multiple connections.
You can limit or customize who is synced into Drata by specifying group object IDs. To learn more, go to Microsoft's Edit group settings.
Each member within the top level of a group is synced.
Nested groups sync as one individual; members of nested groups are not pulled individually. For complex scenarios, use Microsoft's dynamic group feature.
Permissions & Data Table
Drata requires the following Microsoft Graph API application permissions and Azure RBAC role assignments.
Permission / Scope | Why It’s Needed | Data Accessed (Read Only) |
User.Read.All | Used in access reviews to import personnel. | User directory data |
Reports.Read.All | Used in evidence collection (e.g., MFA checks). | Audit & usage reports |
Directory.Read.All | Used when syncing groups into Drata. | Group memberships, directory info |
Policy.Read.All | Used in monitoring to confirm policy configurations. | Policy objects |
AuditLog.Read.All | Used in infrastructure monitoring to detect changes (e.g., role or policy updates). | Audit log data |
Reader role | Provides subscription-wide read-only visibility. | Infrastructure configuration data |
Key Vault Reader role (GCC High) | Required only in Azure GCC High environments. Grants read-only access to Key Vault properties and metadata (not secrets/keys). | Key Vault metadata (properties only) |
Step-by-Step Setup
Step 1: Register a new Drata App in Microsoft
Log into the Microsoft Entra portal with the Global Administrator role and register a new application with the following settings:
Application name: Drata Entra App
Supported account types: Accounts in this organizational directory only
Redirect URL: Leave blank.
Copy the Application (client) ID and Directory (tenant) ID.
Enter these values in Drata:
Tenant ID: Entra’s Directory (tenant) ID.
Application ID: Entra’s Application (client) ID.
Step 2: Create a Client Secret
Follow Microsoft’s documentation on how to add a client secret.
Description: Drata application secret
Expiration: 24 months
Note: The integration gets disconnected when the secret expires, so we recommend setting a reminder to ensure it stays active.
(❗Important Step) Copy the secret value (not the secret ID).
(❗Important Step) Refresh the Certificates & Secrets page to confirm activation.
Note: Microsoft holds the client secret in a pending state until the page is refreshed.
Paste the secret value into Drata’s Application Secret field.
Step 3: Add Permissions
To learn more about Microsoft's read-only permissions, refer to Microsoft’s documentation: Application permission to Microsoft Graph.
On your newly registered app's Overview page, in the left sidebar under Manage, select API permissions.
Select + Add a permission.
Select Microsoft Graph API → Application permissions.
Add the following 5 permissions:
User.Read.All
Reports.Read.All
Directory.Read.All
Policy.Read.All
AuditLog.Read.All
Select Add permissions, then Grant admin consent.
Note about the User.Read permission:
When you register a new application in Microsoft Entra, Microsoft automatically assigns the delegated permission User.Read. This only allows a signed-in user to read their own profile. Drata does not use this permission. Instead, Drata requires the application permission User.Read.All, which provides the directory-wide read access needed for access reviews. You do not need to remove User.Read; it can remain in place but is unused by Drata.
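The permissions table, Step 2 and Step 3 above describe what a correctly configured Drata app registration looks like. The following check, an added example that is not Drata's or Microsoft's code, reads the app manifest and the Microsoft Graph app-role catalog (both assumed to be exported with the Azure CLI commands named in the comments) and reports missing or surplus application permissions, any write-capable permission that contradicts the read-only design, and client secrets that are expired or about to expire. The sample data is constructed and its GUIDs are placeholders.

```python
# Least-privilege check for the Drata Entra app registration (added example, not
# Drata's or Microsoft's code). Input: the app manifest from `az ad app show --id <APP_ID>`
# and the Graph app-role catalog from `az ad sp show --id 00000003-0000-0000-c000-000000000000
# --query appRoles` (Azure CLI assumed installed and signed in). Sample data is constructed.
from datetime import datetime, timezone

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph resource appId
REQUIRED = {"User.Read.All", "Reports.Read.All", "Directory.Read.All",
            "Policy.Read.All", "AuditLog.Read.All"}      # the five from the table

def granted_graph_app_roles(manifest, graph_roles):
    """Names of Graph *application* permissions (type 'Role') the manifest requests.
    Delegated 'Scope' entries, e.g. the auto-added User.Read, are ignored."""
    by_id = {r["id"]: r["value"] for r in graph_roles}
    names = set()
    for res in manifest.get("requiredResourceAccess", []):
        if res.get("resourceAppId") == GRAPH_APP_ID:
            for acc in res.get("resourceAccess", []):
                if acc.get("type") == "Role":
                    names.add(by_id.get(acc["id"], acc["id"]))
    return names

def check_permissions(manifest, graph_roles):
    """Missing vs. documented set, surplus beyond it, and anything write-capable."""
    granted = granted_graph_app_roles(manifest, graph_roles)
    return {"missing": sorted(REQUIRED - granted),
            "surplus": sorted(granted - REQUIRED),
            "write_capable": sorted(n for n in granted if "ReadWrite" in n)}

def secrets_expiring(manifest, now, within_days=30):
    """(displayName, days_left) for secrets already expired or expiring soon."""
    out = []
    for cred in manifest.get("passwordCredentials", []):
        end = datetime.strptime(cred["endDateTime"][:19], "%Y-%m-%dT%H:%M:%S")
        days_left = (end.replace(tzinfo=timezone.utc) - now).days
        if days_left <= within_days:
            out.append((cred.get("displayName"), days_left))
    return out

# Constructed sample standing in for the two CLI outputs (placeholder GUIDs).
_P = "00000000-0000-0000-0000-00000000000"
SAMPLE_GRAPH_ROLES = [{"id": _P + str(i), "value": v} for i, v in enumerate(
    ["User.Read.All", "Reports.Read.All", "Directory.Read.All",
     "Policy.Read.All", "AuditLog.Read.All", "Directory.ReadWrite.All"], 1)]
SAMPLE_MANIFEST = {
    "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID, "resourceAccess": [
        {"id": _P + n, "type": "Role"} for n in "12356"] +   # Policy.Read.All missing, ReadWrite added
        [{"id": _P + "9", "type": "Scope"}]}],                # delegated User.Read, ignored
    "passwordCredentials": [{"displayName": "Drata application secret",
                             "endDateTime": "2025-01-20T00:00:00.0000000Z"}]}
```

Run it against a real export by loading the two JSON files and passing them to check_permissions and secrets_expiring; an empty "missing" and "write_capable" list and no expiring secrets means the registration matches this guide.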
Step 4: Assign Azure Roles
Find subscription ID:
In Azure Subscriptions, copy your Subscription ID and enter it into Drata. Refer to Microsoft’s documentation to find your Azure subscription ID.
Assign the Reader role to the Drata App:
In the Azure portal, go to your subscription → Access control (IAM).
Select + Add → Add role assignment. For more information, refer to Step 2: Open the Add role assignment page.
Choose the Reader role (built-in). For more information, refer to Step 3: Select the appropriate role.
Important (Azure GCC High only): In addition to the Reader role, you must also assign the Key Vault Reader role to the Drata Entra App in your subscription.
Under Assign access to, select User, group, or service principal.
Select + Select Members and choose your service principal Drata Entra App.
Save the assignment. Refer to Microsoft’s documentation to learn how to select who needs access (skip steps 5-9, since Drata does not manage identities).
Choose Who to Sync into Drata
In Drata, choose who you would like to sync into Drata from this infrastructure provider:
Everyone → Sync all members.
Specific Groups → Enter group object IDs.
To learn more about Microsoft's group settings and group object ID, go to Microsoft's Edit group settings.
Nested groups sync as one entity.
For complex scenarios, use dynamic groups.
Note: Each member within the top level of a group is synced. Nested groups are synced as one individual. Individual members of any nested group are not synced. For more complex group membership, refer to Microsoft's dynamic group feature.
Complete the Connection: Azure
When connecting, enter the following values from Azure:
Drata Field | Azure Value (Where to Find It) |
Tenant ID | Directory (tenant) ID from the app’s Overview page in Entra. |
Application ID | Application (client) ID from the app’s Overview page in Entra. |
Client Secret Value | Secret Value generated in Certificates & Secrets (not Secret ID). |
Subscription ID | Subscription ID from the Subscriptions page in the Azure portal. |
For steps on accessing and using the Connections page in Drata, refer to The Connections Page in Drata.
Important Notes
Expired secrets disconnect the integration; rotate the client secret before it expires.
The integration is read-only, in keeping with the principle of least privilege.
Edge Cases:
Nested groups sync as one entity only.
Expired/missing secrets cause failures.
Duplicates may appear if a user is synced from multiple connections.