Skip to content

Azure / Entra / M365

The Azure / Entra / M365 Integration enables SailPoint Entro to continuously monitor and scan your Microsoft Entra environments, Azure subscriptions for Non-Human Identities (NHIs), secrets, and AI Agents. It connects securely through App Registration via Graph APIs and Azure Resource Manager (ARM) APIs, providing deep visibility into service principals, managed identities, key vault configurations and AI Agents.


Architecture Diagram

+-----------------------+
|     Entro Security    |
|  Cloud (EU / US SaaS) |
+----------+------------+
           |
        HTTPS/TLS
           |
+----------v------------+
|   Microsoft Azure     |
|  (Entra ID, ARM, KV)  |
+-----------------------+

Onboarding Options

  1. Automated PowerShell Onboarding (recommended)

    Creates an App Registration automatically and applies the required roles, permissions, and Log Analytics settings.

  2. Manual Portal Onboarding

    Create an App Registration, create a role, and assign it directly in the Entra ID portal.

  3. Extra: Continuous Permissions Assignment for Key Vaults, Subscriptions - Following Manual or Automated onboarding

    Continuously grants read permissions for SailPoint Entro's app on all new Azure Key Vaults, Subscriptions


Integration Highlights

  • Discover and manage Microsoft NHIs and AI agents

    • App registrations

    • SAML certificates

    • Entra users (hybrid AD and cloud)

    • Copilot chats

    • Copilot Studio agents

    • MS Defender Endpoints

  • Continuously scan for exposed secrets

    • SharePoint

    • Teams

    • Azure Functions

  • Detect posture issues and anomalous behavior in service principals

  • Get contextual metadata from Microsoft Defender

  • Discover secrets stored in Azure Key Vault

  • Support Automated PowerShell Onboarding, Manual Portal Onboarding, and Continuous Key Vaults Onboarding


In the SailPoint Entro Dashboard, navigate to: Management → Accounts & Integrations → Add New Account (top right) → Microsoft Ecosystem


Prerequisites

Before onboarding Azure to SailPoint Entro, ensure the following:

  • You have Global Administrator or Application Administrator rights in Azure Entra ID

  • Azure CLI or Azure Portal access is available

  • Self hosted connector only: Outbound network egress to https://api.entro.security is allowed from the connector


Data Flow Summary

  1. Azure API credentials provided

    client_id, client_secret, and tenant_id are supplied securely to SailPoint Entro.

  2. Credentials validated and stored

    SailPoint Entro validates and encrypts credentials using AES-256 encryption.

  3. Querying Azure APIs

    SailPoint Entro queries Entra ID and ARM APIs for identity and resource metadata.

  4. Normalization and analysis

    Results are normalized, classified, and analyzed by SailPoint Entro's NHI Engine.


Security & Compliance

  • SailPoint Entro follows a least-privilege and read-only principle across all integrations.

    • Write only required for Teams (sending risk messages from SailPoint Entro)
  • Access tokens are encrypted in-transit and at-rest (TLS 1.2+, AES-256).

  • SailPoint Entro complies with SOC 2 Type II, ISO 27001, and GDPR standards.