Entra Connection Details

This article walks through the details of configuring Entra to connect to Drata.

Written by Ashley Hyman
Updated this week

HERE'S WHY

Connecting Microsoft Entra (formerly Azure) to Drata allows for the automated, continuous monitoring and evidence collection of the dozens of infrastructure security controls required for compliance.

BEFORE DIVING IN

  1. Make sure you have Global Administrator access to your company's Entra tenant.

  2. Each connection monitors the assets within the connected Entra subscription (based on subscription ID). If the overall tenant contains multiple subscriptions that need to be compliant, one connection per subscription must be made.

  3. You can specify an Entra group (by the group's object ID) to limit which infrastructure users sync to Drata. Note that Drata does not support nested groups: direct members of the specified group are synced, but members of groups nested inside it (at the second level or deeper) are not. If you need more complex group membership, use Microsoft's dynamic group feature.

Overview of what we're going to set up

  • Register a new Drata App

  • Create a client secret for your new Drata App

  • Add four read-only permissions to your new Drata App

  • Add a role to your company’s Entra subscription


Register a new Drata App

  1. Log in to the Entra portal with an account that has Global Administrator access.

  2. Go to the App Registrations page.

  3. Click the + New registration tab.

  4. Register a new application, filling out the form with the following data.

Name:

Drata Entra App

Supported Account Types:

Accounts in this organizational directory only (single tenant)

(Note: Leave Redirect URI empty)

  5. Click Register to create the app. Once done, this will take you to the app overview page.

  6. Copy the Application (client) ID and the Directory (tenant) ID from the app overview page and paste them into the text fields on the Drata slide-out panel.


Create a client secret for your new Drata App

  1. On your newly registered app overview page, in the sidebar on the left, go to the Certificates and Secrets page via "Manage → Certificates and Secrets".

  2. Near the bottom of the page, click on + New client secret.

  3. Fill out the Add a client secret form with the following values, then click on the Add button.

Description:

Drata application secret

Expires:

24 Months

  4. Take note of this expiration date so you can come back and renew the secret before that date; otherwise the Entra connection in Drata stops working when the secret expires.

  5. Copy the Value (not the Secret ID) of the new secret and paste it into the Application Secret text field on the Drata slide-out panel. (Note: this is the only time you can copy this secret value.) Be sure to refresh the Azure Certificates and Secrets screen to make the secret Value usable (Microsoft holds it in a pending state until the screen is refreshed).


Add four Read-Only permissions to your new Drata App

  1. On your newly registered app overview page, in the sidebar on the left, go to the API Permissions page via "Manage → API Permissions".

  2. Click on + Add a permission.

  3. Click on Microsoft Graph, then click on Application permissions.

  4. Let's add the four permissions:

    1. In the search box, search for User.Read.All, then expand down User and select the User.Read.All option.

    2. Next, search for Reports.Read.All, then expand down Reports and select the Reports.Read.All option.

    3. Next, search for Directory.Read.All, then expand down Directory and select the Directory.Read.All option.

    4. Next, search for Policy.Read.All, then expand down Policy and select the Policy.Read.All option.

  5. Finally, click on the Add permissions button.

  6. Now that the new permissions are added to the app, you need to grant admin consent to the newly added permissions. Click on the Grant admin consent button.


Add a role to your company’s Entra subscription

  1. Go to the Subscriptions page.

  2. Find your company’s Entra subscription and click on it.

  3. Copy the Subscription ID and paste it into the Subscription ID field in the Drata slide-out panel.

  4. On that same Entra subscription overview page, click Access control (IAM) in the sidebar.

  5. Click the + Add tab and select Add role assignment.

  6. Select the Reader role and then click 'Next' to assign access and choose members.

  7. Keep the radio button for Assign access to on the choice for 'User, group or service principal'.

  8. Click the '+ Select Members' button.

  9. Search for the "Drata Entra App" app, and select it.

  10. Confirm by clicking the 'Select' button.

  11. Click the 'Review + assign' button at the bottom once to view the selected app and confirm it is correct, and then a second time to assign the role.

  12. Once all four values have been entered into the Drata connection slide-out panel, click Save & Test Connection.

🎉 You have just successfully set up proper read-only access for Drata! 🎉
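The steps above produce an app registration that should hold exactly four application permissions on Microsoft Graph, exactly the Reader role on the subscription, and a client secret that has not expired. The script below is an added example (not Drata's or Microsoft's code) that checks those three properties after the fact, using the objects an administrator can export with the Azure CLI or Microsoft Graph: the application's requiredResourceAccess and passwordCredentials, the Microsoft Graph service principal's appRoles (which map permission ids to names), and the subscription's role assignments. All sample objects are constructed inline; every GUID except the well-known Microsoft Graph appId is a placeholder, and the function and variable names are the example's own.

```python
"""Least-privilege check for the read-only Drata Entra app described above.

Added example, not Drata's or Microsoft's code. Sample data is constructed;
all GUIDs other than GRAPH_APP_ID are placeholders.
"""
from datetime import datetime, timezone

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # well-known Microsoft Graph appId
REQUIRED_GRAPH_PERMISSIONS = {
    "User.Read.All", "Reports.Read.All", "Directory.Read.All", "Policy.Read.All",
}
EXPECTED_ROLE = "Reader"
SECRET_WARNING_DAYS = 30


def audit_connection(app, graph_sp, role_assignments, app_sp_object_id, now):
    """Return a list of findings; an empty list means the setup matches the article."""
    findings = []

    # 1. Application permissions: resolve the requested role ids to names via the
    #    Graph service principal's appRoles, then diff against the required set.
    id_to_name = {role["id"]: role["value"] for role in graph_sp["appRoles"]}
    granted = set()
    for resource in app.get("requiredResourceAccess", []):
        if resource["resourceAppId"] != graph_sp["appId"]:
            findings.append(f"permission requested on unexpected API {resource['resourceAppId']}")
            continue
        for access in resource["resourceAccess"]:
            if access["type"] != "Role":  # "Scope" = delegated permission, not part of this setup
                findings.append(f"delegated permission {access['id']} is not part of the setup")
                continue
            granted.add(id_to_name.get(access["id"], f"unknown role {access['id']}"))
    for name in sorted(REQUIRED_GRAPH_PERMISSIONS - granted):
        findings.append(f"missing required permission {name}")
    for name in sorted(granted - REQUIRED_GRAPH_PERMISSIONS):
        findings.append(f"extra permission {name} exceeds the read-only set")

    # 2. Subscription role: the app's service principal should hold Reader and nothing more.
    roles = {a["roleDefinitionName"] for a in role_assignments
             if a["principalId"] == app_sp_object_id}
    if EXPECTED_ROLE not in roles:
        findings.append(f"{EXPECTED_ROLE} role is not assigned on the subscription")
    for name in sorted(roles - {EXPECTED_ROLE}):
        findings.append(f"role {name} grants more than read access")

    # 3. Client secret lifetime: warn before the connection silently breaks.
    for cred in app.get("passwordCredentials", []):
        end = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
        days_left = (end - now).days
        label = cred.get("displayName", "unnamed")
        if days_left < 0:
            findings.append(f"secret '{label}' expired {-days_left} days ago")
        elif days_left <= SECRET_WARNING_DAYS:
            findings.append(f"secret '{label}' expires in {days_left} days")
    return findings


# Constructed stand-in for the Microsoft Graph service principal (placeholder ids).
SAMPLE_GRAPH_SP = {
    "appId": GRAPH_APP_ID,
    "appRoles": [
        {"id": "11111111-0000-0000-0000-000000000001", "value": "User.Read.All"},
        {"id": "11111111-0000-0000-0000-000000000002", "value": "Reports.Read.All"},
        {"id": "11111111-0000-0000-0000-000000000003", "value": "Directory.Read.All"},
        {"id": "11111111-0000-0000-0000-000000000004", "value": "Policy.Read.All"},
        {"id": "11111111-0000-0000-0000-000000000005", "value": "Directory.ReadWrite.All"},
    ],
}
DRATA_SP_OBJECT_ID = "22222222-0000-0000-0000-000000000001"  # placeholder object id
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)  # fixed "today" so results are reproducible


def graph_roles(*ids):
    """Build a requiredResourceAccess entry for Graph application permissions."""
    return {"resourceAppId": GRAPH_APP_ID,
            "resourceAccess": [{"id": i, "type": "Role"} for i in ids]}


def good_example():
    """Setup exactly as the article describes: no findings expected."""
    app = {
        "requiredResourceAccess": [graph_roles(*[SAMPLE_GRAPH_SP["appRoles"][i]["id"] for i in range(4)])],
        "passwordCredentials": [{"displayName": "Drata application secret",
                                 "endDateTime": "2027-01-15T00:00:00Z"}],
    }
    assignments = [{"principalId": DRATA_SP_OBJECT_ID, "roleDefinitionName": "Reader",
                    "scope": "/subscriptions/<subscription-id-placeholder>"}]
    return audit_connection(app, SAMPLE_GRAPH_SP, assignments, DRATA_SP_OBJECT_ID, NOW)


def bad_example():
    """Drifted setup: Policy.Read.All missing, a write permission added,
    Contributor instead of Reader, and a secret 10 days from expiry."""
    ids = [SAMPLE_GRAPH_SP["appRoles"][i]["id"] for i in (0, 1, 2, 4)]
    app = {
        "requiredResourceAccess": [graph_roles(*ids)],
        "passwordCredentials": [{"displayName": "Drata application secret",
                                 "endDateTime": "2025-01-25T00:00:00Z"}],
    }
    assignments = [{"principalId": DRATA_SP_OBJECT_ID, "roleDefinitionName": "Contributor",
                    "scope": "/subscriptions/<subscription-id-placeholder>"}]
    return audit_connection(app, SAMPLE_GRAPH_SP, assignments, DRATA_SP_OBJECT_ID, NOW)


if __name__ == "__main__":
    for name, result in (("good", good_example()), ("bad", bad_example())):
        print(name, "->", result or "no findings")
```

requiredResourceAccess lists what the app requests, not what has been consented to; the Grant admin consent step in the article is what actually activates the four permissions, so a complete review should also confirm the consent grants on the app's service principal. Re-running this kind of check on a schedule catches the two ways the connection degrades in practice: someone widening the permissions or role later, and the client secret reaching its expiry date.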
