Activity Insights - Microsoft Entra ID

Important

Microsoft Entra ID is the new name for Azure Active Directory. We refer to it as Microsoft Entra ID except where Azure Active Directory is still utilized, such as in some user interface configurations. When configuring a new connector, it will still be displayed as Azure Active Directory in the source type list.

To display activity data from Microsoft Entra ID, you can set up a single SaaS connector or configure both a virtual appliance (VA) and Activity Insights - Microsoft Entra ID source.

Configuring Activity Insights Using the Microsoft Entra ID SaaS Connector

If you are using the Microsoft Entra ID SaaS connector, follow the connector guide to enable Activity Insights.

After a successful test connection, you must correlate accounts and run an aggregation for the Microsoft Entra SaaS source. Your activity data will begin syncing immediately but may take up to 24 hours to display. Data will then update daily.

Note

If you previously configured both the Microsoft Entra ID identity governance and Activity Insights - Microsoft Entra ID sources, you do not have to take additional action to continue receiving your data.

Configuring Activity Insights Using a VA-Based Source

If you are setting up Activity Insights using a VA-based source, you must first create an app registration and grant it the required Microsoft Graph API permissions. You'll then configure both the Microsoft Entra ID VA-based source and Activity Insights - Microsoft Entra ID source so that Identity Security Cloud can gather your account information and display activity data.

Creating an App Registration in Microsoft Entra ID

To authenticate the Activity Insights - Microsoft Entra ID source, you must register an application in the Microsoft Entra ID tenant and create credentials (a client secret or a client certificate) if one doesn't already exist.

  1. Register the app.

    • Leave Redirect URI empty. It's not required for these flows.
  2. Add a Client Secret.

  3. Add a Client Certificate.

    • Upload the X.509 certificate.

    • Keep the matching private key in PEM PKCS#1 format (BEGIN RSA PRIVATE KEY). PKCS#8-encrypted keys may fail with 'decryption uses OpenSSL'.

    • Provide a privateKeyPassword only if the PEM is encrypted.

  4. Specify the following API permissions:

    Important

    All grant types require a Microsoft Entra ID P1 or P2 license for sign-in logs; without it /auditLogs/signIns returns a 403 error even with AuditLog.Read.All.

    • Client Credentials and Certificate Credentials:

      Permission                                                                    Type         Used for
      User.Read.All                                                                 Application  /users
      LicenseAssignment.Read.All, or Organization.Read.All, or Directory.Read.All   Application  /subscribedSkus (license data)
      AuditLog.Read.All                                                             Application  /auditLogs/signIns (requires P1/P2 license)
      Application.Read.All                                                          Application  /servicePrincipals and role assignments

    • Refresh Token:

      Permission                                                                    Type         Used for
      User.Read.All                                                                 Delegated    /users
      LicenseAssignment.Read.All, or Organization.Read.All, or Directory.Read.All   Delegated    /subscribedSkus
      AuditLog.Read.All                                                             Delegated    /auditLogs/signIns (requires P1/P2 license)
      Application.Read.All                                                          Delegated    /servicePrincipals
  5. Grant admin consent.

Configuring the Microsoft Entra ID VA-based Source

Follow the directions to configure a Microsoft Entra ID source in Identity Security Cloud. You can also edit an existing source.

Configuring the Activity Insights - Microsoft Entra ID Source

To display activity data from Activity Insights, you must configure the Activity Insights - Microsoft Entra ID source in Identity Security Cloud.

  1. Go to Admin > Connections > Sources.
  2. Select Create New to create a new source.
  3. Search for and select Activity Insights - Microsoft Entra ID.
  4. Enter a name and description for the source.
  5. In the Source Owner field, begin typing the name of an owner. Matches appear after you type two letters.
  6. (Optional) Select a governance group for source management.
  7. Select the checkbox if the source is an authoritative source.
  8. Select Continue to create the source.
  9. From the left panel, select Configuration in the Source Setup section.
  10. Select the Grant Type, then complete the required fields below.

    Client Credentials:

    • In Application (client) ID and Client Secret, enter the Microsoft Entra ID API details from the app registration you created.

    • In Domain Name, enter the Directory (tenant) ID of the Microsoft Entra ID domain to be managed. For example, contoso.onmicrosoft.com.

    • In Identity Governance Source Name, enter the name of the source you created for the VA-based source. If no matching source is found, the test connection will fail.

    Refresh Token:

    • In Application (client) ID and Client Secret, enter the Microsoft Entra ID API details from the app registration you created.

    • Enter the valid Refresh Token.

    • In Domain Name, enter the Directory (tenant) ID of the Microsoft Entra ID domain to be managed. For example, contoso.onmicrosoft.com.

    • In Identity Governance Source Name, enter the name of the source you created for the VA-based source. If no matching source is found, the test connection will fail.

    Certificate Credentials:

    • In Application (client) ID, enter the Microsoft Entra ID API details from the Microsoft Entra ID app registration you created.

    • In Client Certificate, provide the unique alpha-numeric value of the certificate.

    • Enter the PEM-encoded Private Key and Private Key Password.

    • In Domain Name, enter the Directory (tenant) ID of the Microsoft Entra ID domain to be managed. For example, contoso.onmicrosoft.com.

    • In Identity Governance Source Name, enter the name of the source you created for the VA-based source. If no matching source is found, the test connection will fail.

  11. Select Save to save these settings.

  12. From the left panel, select Review and Test in the Source Setup section.
  13. On the Configuration Summary page, select Test Connection to test the connection between the applications. You must have a successful connection for Identity Security Cloud to gather activity data.

To gather account data, you must correlate accounts and run an aggregation for the Microsoft Entra ID source. Your activity data will begin syncing immediately but may take up to 24 hours to display. Data will then update daily.

Verifying the Test Connection

The test connection probes Microsoft Graph to confirm permissions and licensing:

  • Users - GET /users?$top=1 checks User.Read.All.
  • Subscribed SKUs - GET /subscribedSkus checks LicenseAssignment.Read.All.
  • Sign-in Logs - GET /auditLogs/signIns?$top=1 checks AuditLog.Read.All and the Microsoft Entra ID P1 or P2 license.
  • Service Principals - GET /servicePrincipals?$top=1 checks Application.Read.All.

If a check fails, the error message will indicate which permission is missing. For example:

  • requires User.Read.All - Grant User.Read.All (application or delegated) to match your flow.
  • requires AuditLog.Read.All and Microsoft Entra ID P1/P2 license - Grant AuditLog.Read.All and ensure the tenant has a Microsoft Entra ID P1 or P2 license.

If the test is still unsuccessful, recheck your credentials, permissions, and license, or contact SailPoint Support.
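The four probes above can be reproduced outside the connector to confirm least-privilege Graph permissions and the P1/P2 license before saving the source. The script below is an added example, not SailPoint's own code or the connector's implementation. It assumes the client-credentials grant, the standard Microsoft v2.0 token endpoint and Graph v1.0 base URL, and TENANT_ID, CLIENT_ID and CLIENT_SECRET supplied as environment variables; the status-to-message mapping follows the error messages the page describes, and the fetch function is injectable so the mapping can be exercised without a tenant.

```python
"""Pre-flight check of the Graph permissions the test connection exercises.

Added example (not SailPoint's code). Assumptions not taken from the page:
client-credentials grant, standard Microsoft token endpoint and Graph base
URL, credentials read from environment variables.
"""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# The four probes the page lists, with the permission each one exercises.
PROBES = [
    ("Users", "/users?$top=1", "User.Read.All"),
    ("Subscribed SKUs", "/subscribedSkus",
     "LicenseAssignment.Read.All (or Organization.Read.All / Directory.Read.All)"),
    ("Sign-in Logs", "/auditLogs/signIns?$top=1", "AuditLog.Read.All"),
    ("Service Principals", "/servicePrincipals?$top=1", "Application.Read.All"),
]


def get_token(tenant_id, client_id, client_secret):
    """Client-credentials token for Graph via the v2.0 token endpoint."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as r:
        return json.load(r)["access_token"]


def probe_status(token, path):
    """GET one Graph endpoint and return only the HTTP status code."""
    req = urllib.request.Request(
        GRAPH + path, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req) as r:
            return r.status
    except urllib.error.HTTPError as e:
        return e.code


def interpret(name, path, permission, status):
    """Map a probe's status code to the remediation the page's messages imply."""
    if status == 200:
        return f"{name}: OK ({permission} granted)"
    if status == 401:
        return f"{name}: token rejected (401) - check tenant, client ID and secret"
    if status == 403:
        if path.startswith("/auditLogs/signIns"):
            # The page notes a 403 here even with AuditLog.Read.All when the
            # tenant has no Microsoft Entra ID P1/P2 license.
            return (f"{name}: requires {permission} and a Microsoft Entra ID "
                    "P1/P2 license")
        return f"{name}: requires {permission} - grant it and re-run admin consent"
    return f"{name}: unexpected HTTP {status}"


def run_probes(token, fetch=probe_status):
    """Run every probe; `fetch` is injectable so the mapping is testable offline."""
    return [interpret(n, p, perm, fetch(token, p)) for n, p, perm in PROBES]


if __name__ == "__main__":
    tok = get_token(os.environ["TENANT_ID"], os.environ["CLIENT_ID"],
                    os.environ["CLIENT_SECRET"])
    results = run_probes(tok)
    print("\n".join(results))
    # Non-zero exit if any probe failed, so it can gate a deployment pipeline.
    sys.exit(0 if all(r.endswith("granted)") for r in results) else 1)
```

Run it with the three environment variables set; a failing probe names the permission to grant (and, for sign-in logs, the license requirement) in the same terms as the connector's test-connection error.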
