Azure / Entra / M365
The Azure / Entra / M365 Integration enables SailPoint Entro to continuously monitor and scan your Microsoft Entra environments, Azure subscriptions for Non-Human Identities (NHIs), secrets, and AI Agents. It connects securely through App Registration via Graph APIs and Azure Resource Manager (ARM) APIs, providing deep visibility into service principals, managed identities, key vault configurations and AI Agents.
Architecture Diagram
+-----------------------+
| Entro Security |
| Cloud (EU / US SaaS) |
+----------+------------+
|
HTTPS/TLS
|
+----------v------------+
| Microsoft Azure |
| (Entra ID, ARM, KV) |
+-----------------------+
Onboarding Options
-
Automated PowerShell Onboarding (recommended)
Creates an App Registration automatically and applies the required roles, permissions, and Log Analytics settings.
-
Create an App Registration, create a role, and assign it directly in the Entra ID portal.
-
Extra: Continuous Permissions Assignment for Key Vaults, Subscriptions - Following Manual or Automated onboarding
Continuously grants read permissions for SailPoint Entro's app on all new Azure Key Vaults, Subscriptions
Integration Highlights
-
Discover and manage Microsoft NHIs and AI agents
-
App registrations
-
SAML certificates
-
Entra users (hybrid AD and cloud)
-
Copilot chats
-
Copilot Studio agents
-
MS Defender Endpoints
-
-
Continuously scan for exposed secrets
-
SharePoint
-
Teams
-
Azure Functions
-
-
Detect posture issues and anomalous behavior in service principals
-
Get contextual metadata from Microsoft Defender
-
Discover secrets stored in Azure Key Vault
-
Support Automated PowerShell Onboarding, Manual Portal Onboarding, and Continuous Key Vaults Onboarding
Navigation Path
In the SailPoint Entro Dashboard, navigate to: Management → Accounts & Integrations → Add New Account (top right) → Microsoft Ecosystem
Prerequisites
Before onboarding Azure to SailPoint Entro, ensure the following:
-
You have Global Administrator or Application Administrator rights in Azure Entra ID
-
Azure CLI or Azure Portal access is available
-
Self hosted connector only: Outbound network egress to
https://api.entro.securityis allowed from the connector
Data Flow Summary
-
Azure API credentials provided
client_id,client_secret, andtenant_idare supplied securely to SailPoint Entro. -
Credentials validated and stored
SailPoint Entro validates and encrypts credentials using AES-256 encryption.
-
Querying Azure APIs
SailPoint Entro queries Entra ID and ARM APIs for identity and resource metadata.
-
Normalization and analysis
Results are normalized, classified, and analyzed by SailPoint Entro's NHI Engine.
Security & Compliance
-
SailPoint Entro follows a least-privilege and read-only principle across all integrations.
- Write only required for Teams (sending risk messages from SailPoint Entro)
-
Access tokens are encrypted in-transit and at-rest (TLS 1.2+, AES-256).
-
SailPoint Entro complies with SOC 2 Type II, ISO 27001, and GDPR standards.