Azure Entra ID
Discover users, groups, apps, service principals and assignable roles. Govern non-human identities and their effective permissions across Azure and Microsoft 365.
What the connector discovers
- Users & Groups
User objects, group membership (direct & transitive), guest users, dynamic groups.
- Apps & Service Principals
Enterprise applications, multi-tenant apps, service principals, owners, secrets & cert expiry.
- Directory Roles & Assignments
Privileged role assignments (PIM, permanent & eligible), custom roles, app roles & resource access.
- Effective Permissions
Scope-normalized view across Azure/M365: what each agent can do on which resources, at the moment of action.
Entra ID is the **source of truth** for identities and access. ClarioSec turns directory data into runtime governance: drift-aware risk scoring, pre-execution enforcement, and audit-grade explanations.
Drift-aware risk scoring
Baselines per app/agent, peer groups by team/function, scope expansion, privilege creep, and risky sequence detection (who → what → where → sensitivity).
Pre-execution enforcement
Allow / Alert / Block / Approve with governed overrides. Automatic minimization of scopes and rotation of secrets when thresholds are hit.
Audit-grade narratives
For each action, a narrative ties **rule → reason → proof → control map** (SOC 2, GDPR, ISO/IEC 27001 & 42001, AI Act).
Connect Azure Entra ID
ClarioSec uses the Microsoft Graph API via an Azure App registration with the minimum directory scopes required for read-only discovery.
- 1) Create an App Registration
In Azure Portal → Entra ID → App registrations → New registration. Record the Application (client) ID and the Directory (tenant) ID.
- 2) Client secret
Certificates & secrets → New client secret. Store the value securely; the portal shows it only once.
- 3) API Permissions (Microsoft Graph)
Add these as Application permissions (the connector authenticates as the app itself, not as a signed-in user): Directory.Read.All, Application.Read.All, AppRoleAssignment.Read.All, RoleManagement.Read.Directory, Group.Read.All, User.Read.All.
- 4) Grant admin consent
Grant admin consent for these read scopes.
- 5) Add credentials in ClarioSec
In ClarioSec, open the Azure Entra ID connector and paste the Tenant ID, Client ID and Client Secret (stored per tenant).
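The setup above in action, as an added example that is not ClarioSec's code: the tenant ID, client ID and secret from steps 1 and 2 drive a client-credentials token request, and the `/applications` endpoint is read to flag secrets and certificates nearing expiry, the kind of metadata the connector tracks. The Graph response is a constructed sample; `graph_cred_expiry.py` is a hypothetical file name.

```python
import json
import sys
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))  # Graph uses ISO-8601 with trailing Z

def get_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials grant; the .default scope uses the admin-consented app permissions."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id, "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default", "grant_type": "client_credentials",
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]

def graph_get_all(token: str, path: str) -> list:
    """GET a Graph collection, following @odata.nextLink until every page is read."""
    url, items = "https://graph.microsoft.com/v1.0" + path, []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items

def expiring_credentials(apps: list, now: datetime, within_days: int = 30) -> list:
    """(appId, kind, keyId, days_left), most urgent first; days_left < 0 = already expired but still attached."""
    cutoff, rows = now + timedelta(days=within_days), []
    for app in apps:
        for kind, creds in (("secret", app.get("passwordCredentials", [])),
                            ("certificate", app.get("keyCredentials", []))):
            for cred in creds:
                if (end := parse_ts(cred["endDateTime"])) <= cutoff:
                    rows.append((app["appId"], kind, cred["keyId"], (end - now).days))
    return sorted(rows, key=lambda r: r[3])

SAMPLE_APPS = [  # constructed sample, shaped like GET /applications?$select=appId,passwordCredentials,keyCredentials
    {"appId": "app-1", "passwordCredentials": [{"keyId": "k1", "endDateTime": "2025-01-10T00:00:00Z"}],
     "keyCredentials": [{"keyId": "c1", "endDateTime": "2026-01-01T00:00:00Z"}]},
    {"appId": "app-2", "passwordCredentials": [{"keyId": "k2", "endDateTime": "2024-12-20T00:00:00Z"}],
     "keyCredentials": []},
]
if __name__ == "__main__":  # live run: python graph_cred_expiry.py TENANT_ID CLIENT_ID CLIENT_SECRET
    live = graph_get_all(get_token(*sys.argv[1:4]), "/applications?$select=appId,passwordCredentials,keyCredentials")
    print(expiring_credentials(live, datetime.now(timezone.utc)))
```

An expired credential still listed on the app is worth the same attention as one about to lapse: it is stale material that should be removed rather than left attached.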
High-value objects pulled through Graph:
- Users, Groups, Owners, Guests
- Applications, Service Principals, App Roles
- Role Definitions, Directory Role Assignments (PIM eligible & active)
- App Role Assignments (who/what/resource)
- Secrets & Certificates metadata (expiry windows)
Endpoint family: Microsoft Graph (`/users`, `/groups`, `/applications`, `/servicePrincipals`, `/directoryRoles`, `/roleManagement`…)
Ready to govern Azure Entra ID agents at runtime?
Move from directory posture to **provable behavior** — identity → permission → action → narrative.