Skip to main content

Microsoft Entra ID Connector

Microsoft Entra ID Microsoft Entra ID (formerly Azure Active Directory) is a cloud-based identity and access management service from Microsoft that helps employees sign in and access resources.

Use the Microsoft Entra ID component to manage users, groups, and applications.

API Documentation

This component was built using the Microsoft Graph REST API v1.0.

Connections

OAuth 2.0

Authenticate using OAuth 2.0

This authentication method may be used when an App requires granting admin consent to API permissions, in addition to authorizing the integration with the App's configured client credentials.

The Microsoft Entra ID component authenticates requests through the Microsoft Graph API.

Prerequisites

Setup Steps

  1. Navigate to App Registrations.
  2. When creating the application, select Supported account types.
  3. Select Accounts in any organizational directory (Any Azure AD directory - Multitenant).
  4. Navigate to Redirect URI and add the Web platform. Enter the redirect URI as https://oauth2.integrations.acme.com/callback.
  5. Select Register to complete.
  6. In the App, navigate to Certificates & Secrets and select New client secret. Copy and save the Value for use in the connection configuration of the integration (the value will not be shown again).
  7. Next, navigate to the Overview section and copy the Application (client) ID.
  8. Navigate to the API Permissions section to assign the proper permissions for the integration. Select Add Permission and select all permissions that are required for the desired integration. A full list of scopes can be found on the Microsoft Graph API documentation.
    • Recommended scopes for Active Directory can be found in Microsoft Graph > Delegated permissions:
    • Group.ReadWrite.All GroupMember.ReadWrite.All Application.ReadWrite.All User.Read.All offline_access

Configure the Connection

Supply the following values to the OAuth 2.0 connection:

  • Client ID: The Application (client) ID from the App Registration.
  • Client Secret: The Value provided from Certificates & Secrets (not the Secret ID).
  • Scopes: The assigned API permissions. The default value is set to: Group.ReadWrite.All GroupMember.ReadWrite.All Application.ReadWrite.All User.Read.All offline_access
  • Authorize URL: The OAuth 2.0 authorization endpoint. Defaults to https://login.microsoftonline.com/common/oauth2/v2.0/authorize. If Multitenant was not selected when creating the App, replace with a tenant-specific URL.
  • Token URL: The OAuth 2.0 token endpoint. Defaults to https://login.microsoftonline.com/common/oauth2/v2.0/token. If Multitenant was not selected, replace with a tenant-specific URL.

Microsoft requires Azure AD app registrations used in multi-tenant deployments to complete a publisher verification process. This review confirms the app developer's identity, giving end users confidence that they are authorizing a legitimate, verified application.

Azure AD app registrations have two distinct verification concepts that affect how users experience the authentication flow.

Publisher Verification

Complete publisher verification before deploying to end users. Without it, the Microsoft consent screen displays "Unverified" next to the app name. This reduces user trust and may prevent users in organizations with strict Azure AD policies from being able to authorize the app at all.

To verify the publisher:

  1. Ensure the organization has a Microsoft Partner Network (MPN) account
  2. In the Microsoft Entra Admin Center, open the app registration
  3. Under Branding & properties, click Add a verified publisher
  4. Enter the MPN ID and confirm

Once verified, the consent screen displays the organization name with a verified badge instead of "Unverified."

Apps requesting application permissions (permissions that act without a signed-in user) or high-privilege delegated permissions require admin consent before any user in a Microsoft 365 tenant can authenticate. Without admin consent, users see a "Need admin approval" error.

A tenant administrator can grant consent using either method:

Method 1 — Admin Consent URL:

Navigate to the following URL, replacing {tenant} with the Directory tenant ID and {client_id} with the Application client ID:

https://login.microsoftonline.com/{tenant}/adminconsent?client_id={client_id}

Method 2 — Microsoft Entra Admin Center:

  1. Navigate to Microsoft Entra Admin CenterEnterprise applications
  2. Select the app registration
  3. Under Permissions, click Grant admin consent for [organization name]
Delegated vs. Application Permissions

Delegated permissions (user-level) typically do not require admin consent unless they are classified as high privilege. Application permissions always require admin consent. Review the Microsoft Graph permissions reference to identify which permissions require consent.

This connection uses OAuth 2.0, a common authentication mechanism for integrations. Read about how OAuth 2.0 works here.

InputCommentsDefault
Authorize URLThe OAuth 2.0 authorization endpoint for Microsoft Entra ID.https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Token URLThe OAuth 2.0 token endpoint for Microsoft Entra ID.https://login.microsoftonline.com/common/oauth2/v2.0/token
ScopesSpace-separated list of OAuth permission scopes to request.Group.ReadWrite.All GroupMember.ReadWrite.All Application.ReadWrite.All User.Read.All offline_access
Client IDThe Client ID from the App Registration in the Azure Portal.
Client SecretThe Client Secret from the App Registration in the Azure Portal.

OAuth 2.0 Client Credentials

Authenticates actions in all Microsoft's Graph API services.

To connect to Microsoft Entra ID using the OAuth 2.0 Client Credentials flow, create an app registration in Microsoft Entra. The client credentials flow is used for server-to-server authentication where the application acts on its own behalf rather than on behalf of a specific user.

The Microsoft Entra ID component authenticates requests through the Microsoft Graph API. For more information on the Client Credentials flow, refer to the Microsoft documentation.

Prerequisites

  • A Microsoft Azure account with administrative access to the Microsoft Entra Admin Center
  • Permissions to create App Registrations in the tenant
  • Admin consent privileges to grant application-level permissions

Setup Steps

  1. Navigate to the Microsoft Entra admin center and go to Identity > Applications > App registrations, then select New registration.
  2. Configure the app registration:
    • Set Supported account types to Accounts in any organizational directory (Any Azure AD directory - Multitenant) to allow authentication across different organizations, or to a single-tenant option for tenant-specific access.
    • Select Register to complete the initial setup.
  3. Navigate to Certificates & Secrets and create a new Client Secret. Copy the Value immediately (it will not be shown again).
  4. Navigate to the Overview page and copy the Application (client) ID.
  5. Navigate to the Overview page and copy the Directory (tenant) ID. This value is required, as the client credentials flow cannot use the common endpoint.
  6. Navigate to API Permissions and select Add a permission:
    • Select Microsoft Graph
    • Select Application permissions
    • Add all permissions required for the intended use case
  7. After adding all required permissions, select Grant admin consent to authorize the application to use these permissions. This step is required for the client credentials flow to function properly.

For more information on application versus delegated permissions, refer to the Microsoft Graph permissions reference.

Configure the Connection

Supply the following values to the OAuth 2.0 Client Credentials connection:

  • Client ID: The Application (client) ID from the App Registration.
  • Client Secret: The Value provided from Certificates & Secrets (not the Secret ID).
  • Tenant: The Directory (tenant) ID or name from the Overview page. The client credentials flow requires a tenant-specific value and cannot use common.
  • Microsoft Entra ID Endpoint: The Microsoft Entra ID login endpoint. Defaults to https://login.microsoftonline.com. Adjust this value for sovereign or national cloud environments.
  • Base URL: The Microsoft Graph API base URL. Defaults to https://graph.microsoft.com. Adjust this value for sovereign or national cloud environments.
  • Scopes: The Microsoft Graph API scope. Defaults to https://graph.microsoft.com/.default, which requests all application permissions configured on the App Registration.
Client Credentials Flow Requirement

The client credentials flow requires a tenant-specific token endpoint and application-level permissions granted through admin consent. Actions performed using this connection execute under the application's identity rather than on behalf of a specific user.

This connection uses OAuth 2.0, a common authentication mechanism for integrations. Read about how OAuth 2.0 works here.

InputCommentsDefault
Base URLThe base URL for the Microsoft Graph API. Depending on your cloud environment, you can choose the correct one here.https://graph.microsoft.com
Microsoft Entra ID EndpointThe Microsoft Entra ID endpoint for the Microsoft Graph API. You can find this in the Azure portal or here.https://login.microsoftonline.com
TenantThe tenant ID or name for the Microsoft Graph API. This is the ID or name of the tenant that you are connecting to.
Client IDClient Id of your Azure application.
Client SecretClient Secret generated under 'Certificates & Secrets' in your Azure application.
ScopesMicrosoft Graph API Scopes.https://graph.microsoft.com/.default

Triggers

Group Changes

Receive group change notifications from Microsoft Entra ID. Automatically creates and manages a webhook subscription for groups when the instance is deployed, and removes the subscription when the instance is deleted.

InputCommentsDefault
ConnectionThe Microsoft Entra ID connection to use.
Change TypeThe type of change on the subscribed resource that triggers a notification. 'Created / Updated / Soft Deleted' covers created, updated, and soft-deleted events. 'Permanently Deleted' covers permanent deletion.
Expiration Date TimeThe date and time when the trigger subscription expires. If not specified, the subscription defaults to 29 days from the current date and time. This trigger must be reactivated after expiration.

User Changes

Receive user change notifications from Microsoft Entra ID. Automatically creates and manages a webhook subscription for users when the instance is deployed, and removes the subscription when the instance is deleted.

InputCommentsDefault
ConnectionThe Microsoft Entra ID connection to use.
Change TypeThe type of change on the subscribed resource that triggers a notification. 'Created / Updated / Soft Deleted' covers created, updated, and soft-deleted events. 'Permanently Deleted' covers permanent deletion.
Expiration Date TimeThe date and time when the trigger subscription expires. If not specified, the subscription defaults to 29 days from the current date and time. This trigger must be reactivated after expiration.

Webhook

Receive and validate webhook requests from Microsoft Entra ID for manually configured webhook subscriptions.

Actions

Add Member to Group

Add a member to a group.

InputCommentsDefault
ConnectionThe Microsoft Entra ID connection to use.
Group IDThe ID of the group to add the member to.
Group Member OData IDThe @odata.id property with a reference by ID to a supported group member object type.

Create Application

Creates (registers) a new application.

InputCommentsDefault
ConnectionThe Microsoft Entra ID connection to use.
Display NameThe display name of the application.
Additional PropertiesAdditional properties that are not covered by the other inputs. This should be a JSON object and will be merged with the other inputs. See Create Application API.

Create Group

Create a new group. It can be a Microsoft 365 group, dynamic group, or security group.

InputCommentsDefault
ConnectionThe Microsoft Entra ID connection to use.
Display NameThe name to display in the address book for the group.
Mail EnabledWhen true, the group is mail-enabled.true
Mail NicknameThe mail alias for the group, unique for Microsoft 365 groups in the organization. This property can contain only characters in the ASCII character set 0 - 127 except the following: @ () \ [] " ; : <> , SPACE.
Security EnabledWhen true, the group is security-enabled, including Microsoft 365 groups. Groups created using the Microsoft Entra admin center or the Azure portal always have securityEnabled initially set to true.true
Group TypesThe type of group and its membership.
Additional PropertiesAdditional properties that are not covered by the other inputs. This should be a JSON object and will be merged with the other inputs. See Create Group API.

Create Subscription

Create a subscription to receive notifications when changes occur in the specified object.

InputCommentsDefault
ConnectionThe Microsoft Entra ID connection to use.
Change TypeIndicates the type of change in the subscribed resource that raises a change notification. The supported values are: created, updated, deleted. Multiple values can be combined using a comma-separated list.
Notification URLThe URL of the endpoint that receives the change notifications.
ResourceThe resource that will be monitored for changes. See supported resources for a full list.
Expiration Date TimeSpecifies the date and time when the webhook subscription expires. The time is in UTC, and can be an amount of time from subscription creation that varies for the resource subscribed to. Format: ISO 8601 (e.g., 2016-11-20T18:23:45.9356913Z).
Additional PropertiesAdditional properties that are not covered by the other inputs. This should be a JSON object and will be merged with the other inputs. See Create Subscription API.
HeaderA list of headers to send with the request.

Create User

Create a new user.

InputCommentsDefault
ConnectionThe Microsoft Entra ID connection to use.
Account EnabledWhen true, the account is enabled.true
Display NameThe display name of the user.
Force Change Password Next Sign InWhen true, the user is required to change their password on the next sign-in.true
PasswordThe initial password for the user account. Must meet the tenant's password complexity requirements.
User Principal NameThe user principal name (UPN) for the account, in the format alias@domain. The domain must be a verified domain in the tenant.
DomainThe domain for the user, this must be an existing domain in the tenant.
Additional PropertiesAdditional properties that are not covered by the other inputs. This should be a JSON object and will be merged with the other inputs. See Create User API.

Delete Application

Deletes an application object.

InputCommentsDefault
ConnectionThe Microsoft Entra ID connection to use.
Application Object IDThe ID of the application to delete.

Delete Group

Deletes a group object.

InputCommentsDefault
ConnectionThe Microsoft Entra ID connection to use.
Group IDThe ID of the group to delete.

Delete Instanced Subscriptions

Delete all webhooks that point to a flow in this instance.

InputCommentsDefault
ConnectionThe Microsoft Entra ID connection to use.

Delete Subscription

Deletes a subscription object.

InputCommentsDefault
ConnectionThe Microsoft Entra ID connection to use.
Subscription IDThe ID of the subscription to delete.

Delete User

Deletes a user.

InputCommentsDefault
ConnectionThe Microsoft Entra ID connection to use.
User IDUnique Identifier for the user to delete. This can be the user's id or userPrincipalName.

Get Application

Read properties of an application object.

InputCommentsDefault
ConnectionThe Microsoft Entra ID connection to use.
Application Object IDThe ID of the application to read.

Get Group

Read properties of a group object.

InputCommentsDefault
ConnectionThe Microsoft Entra ID connection to use.
Group IDThe unique identifier of the group.
SelectA comma-separated list of OData properties to include in the response, reducing payload size.

Get Subscription

Read properties of a subscription object.

InputCommentsDefault
ConnectionThe Microsoft Entra ID connection to use.
Subscription IDThe ID of the subscription to read.

Get User

Reads the properties and relationships of a user object.

InputCommentsDefault
ConnectionThe Microsoft Entra ID connection to use.
User IDUnique Identifier for the user to get. This can be the user's id or userPrincipalName.
SelectA comma-separated list of OData properties to include in the response, reducing payload size.

List Applications

Retrieve the list of applications in the organization.

InputCommentsDefault
ConnectionThe Microsoft Entra ID connection to use.
CountWhen true, retrieves the total count of matching resources. Requires 'Eventual Consistency Level Header' to be enabled.false
ExpandA comma-separated list of OData relationships to expand and include in the response.
FilterAn OData filter expression to narrow results. For example: startswith(givenName,'J').
Order ByAn OData expression to sort results, such as 'displayName desc' or 'createdDateTime asc'.
SearchAn OData search expression to return results matching the criteria. Requires Eventual Consistency Level Header.
SelectA comma-separated list of OData properties to include in the response, reducing payload size.
TopThe maximum number of items to return in the result set (OData $top).
Get All Paginated ResultsWhen true, automatically fetches all pages of results using pagination. Ignores the 'Top' input.false
Eventual Consistency Level HeaderWhen true, adds the ConsistencyLevel: eventual header to the request. Required for some OData query parameters such as $count and $search.false

List Changes

Retrieves a list of changes in an object and its children over time.

InputCommentsDefault
ConnectionThe Microsoft Entra ID connection to use.
Delta URLThe URL to track changes in an object and its children over time. Use @odata.nextLink or @odata.deltaLink to get the next set of changes.
Skip TokenA state token returned in the @odata.nextLink URL of the previous delta function call, indicating there are further changes to be tracked in the same user collection.
Delta TokenA state token returned in the @odata.deltaLink URL of the previous delta function call for the same user collection, indicating the completion of that round of change tracking.
SelectA comma-separated list of OData properties to include in the response, reducing payload size.
FilterAn OData filter expression to narrow results. For example: startswith(givenName,'J').
Return MinimalWhen true, returns only the object properties that have changed since the last round when using @odata.deltaLink.false

List Group Members

Retrieves the direct members of a group.

InputCommentsDefault
ConnectionThe Microsoft Entra ID connection to use.
Group IDThe unique identifier of the group.
FilterAn OData filter expression to narrow results. For example: startswith(givenName,'J').
CountWhen true, retrieves the total count of matching resources. Requires 'Eventual Consistency Level Header' to be enabled.false
SelectA comma-separated list of OData properties to include in the response, reducing payload size.
SearchAn OData search expression to return results matching the criteria. Requires Eventual Consistency Level Header.
TopThe maximum number of items to return in the result set (OData $top).
Get All Paginated ResultsWhen true, automatically fetches all pages of results using pagination. Ignores the 'Top' input.false
ExpandA comma-separated list of OData relationships to expand and include in the response.
Eventual Consistency Level HeaderWhen true, adds the ConsistencyLevel: eventual header to the request. Required for some OData query parameters such as $count and $search.false

List Groups

List group objects and their properties.

InputCommentsDefault
ConnectionThe Microsoft Entra ID connection to use.
CountWhen true, retrieves the total count of matching resources. Requires 'Eventual Consistency Level Header' to be enabled.false
ExpandA comma-separated list of OData relationships to expand and include in the response.
FilterAn OData filter expression to narrow results. For example: startswith(givenName,'J').
Order ByAn OData expression to sort results, such as 'displayName desc' or 'createdDateTime asc'.
SearchAn OData search expression to return results matching the criteria. Requires Eventual Consistency Level Header.
SelectA comma-separated list of OData properties to include in the response, reducing payload size.
TopThe maximum number of items to return in the result set (OData $top).
Get All Paginated ResultsWhen true, automatically fetches all pages of results using pagination. Ignores the 'Top' input.false
Eventual Consistency Level HeaderWhen true, adds the ConsistencyLevel: eventual header to the request. Required for some OData query parameters such as $count and $search.false

List Subscriptions

Retrieves a list of active subscriptions.

InputCommentsDefault
ConnectionThe Microsoft Entra ID connection to use.
Get All Paginated ResultsWhen true, automatically fetches all pages of subscriptions.false

List Users

Retrieve a list of user objects.

InputCommentsDefault
ConnectionThe Microsoft Entra ID connection to use.
CountWhen true, retrieves the total count of matching resources. Requires 'Eventual Consistency Level Header' to be enabled.false
ExpandA comma-separated list of OData relationships to expand and include in the response.
FilterAn OData filter expression to narrow results. For example: startswith(givenName,'J').
Order ByAn OData expression to sort results, such as 'displayName desc' or 'createdDateTime asc'.
SearchAn OData search expression to return results matching the criteria. Requires Eventual Consistency Level Header.
SelectA comma-separated list of OData properties to include in the response, reducing payload size.
TopThe maximum number of items to return in the result set (OData $top).
Get All Paginated ResultsWhen true, automatically fetches all pages of results using pagination. Ignores the 'Top' input.false
Eventual Consistency Level HeaderWhen true, adds the ConsistencyLevel: eventual header to the request. Required for some OData query parameters such as $count and $search.false

Raw Request

Send raw HTTP request to Microsoft Entra ID.

InputCommentsDefault
ConnectionThe Microsoft Entra ID connection to use.
URLInput the path only (/users), The base URL is already included (https://graph.microsoft.com/v1.0). For example, to connect to https://graph.microsoft.com/v1.0/users, only /users is entered in this field.
MethodThe HTTP method to use.
DataThe HTTP body payload to send to the URL.
Form DataThe Form Data to be sent as a multipart form upload.
File DataFile Data to be sent as a multipart form upload.
File Data File NamesFile names to apply to the file data inputs. Keys must match the file data keys above.
Query ParameterA list of query parameters to send with the request. This is the portion at the end of the URL similar to ?key1=value1&key2=value2.
HeaderA list of headers to send with the request.
Response TypeThe type of data you expect in the response. You can request json, text, or binary data.json
TimeoutThe maximum time that a client will await a response to its request
Debug RequestEnabling this flag will log out the current request.false
Retry Delay (ms)The delay in milliseconds between retries. This is used when 'Use Exponential Backoff' is disabled.0
Retry On All ErrorsIf true, retries on all erroneous responses regardless of type. This is helpful when retrying after HTTP 429 or other 3xx or 4xx errors. Otherwise, only retries on HTTP 5xx and network errors.false
Max Retry CountThe maximum number of retries to attempt. Specify 0 for no retries.0
Use Exponential BackoffSpecifies whether to use a pre-defined exponential backoff strategy for retries. When enabled, 'Retry Delay (ms)' is ignored.false

Remove Member From Group

Removes a member from a Microsoft 365 group or a security group.

InputCommentsDefault
ConnectionThe Microsoft Entra ID connection to use.
Group IDThe ID of the group to remove the member from.
Member IDThe ID of the member to remove from the group.

Update Subscription

Updates a subscription expiration time for renewal and/or updates the notificationUrl for delivery.

InputCommentsDefault
ConnectionThe Microsoft Entra ID connection to use.
Subscription IDThe ID of the subscription to update.
Notification URLThe URL of the endpoint that receives the change notifications.
Expiration Date TimeSpecifies the date and time when the webhook subscription expires. The time is in UTC, and can be an amount of time from subscription creation that varies for the resource subscribed to. Format: ISO 8601 (e.g., 2016-11-20T18:23:45.9356913Z).

Update User

Update the properties of a User object.

InputCommentsDefault
ConnectionThe Microsoft Entra ID connection to use.
User IDUnique Identifier for the user to update. This can be the user's id or userPrincipalName.
Account EnabledWhen true, the account is enabled.
Display NameThe display name of the user.
User Principal NameThe updated user principal name of the user. Required if 'Domain' input is provided.
DomainThe updated domain for the user, this must be an existing domain in the tenant. Required if 'User Principal Name' input is provided.
First NameThe updated first name of the user.
Last NameThe updated last name of the user.
Job TitleThe updated job title of the user.
Additional PropertiesAdditional properties that are not covered by the other inputs. This should be a JSON object and will be merged with the other inputs. See Update User API.

Upsert Application

Create a new application if it doesn't exist, or update the properties of an existing application.

InputCommentsDefault
ConnectionThe Microsoft Entra ID connection to use.
Unique NameThe unique name of the application to update or create.
Use as UpsertWhen true, creates a new application if it does not exist. When false, only updates an existing application.true
Display NameThe display name of the application.
Additional PropertiesAdditional properties that are not covered by the other inputs. This should be a JSON object and will be merged with the other inputs. See Upsert Application API.

Upsert Group

Create a new group if it doesn't exist, or update the properties of an existing group.

InputCommentsDefault
ConnectionThe Microsoft Entra ID connection to use.
Unique NameThe unique name of the group to update or create.
Use as UpsertWhen true, creates a new group if it does not exist. When false, only updates an existing group.true
Display NameThe name to display in the address book for the group.
Mail EnabledWhen true, the group is mail-enabled.
Mail NicknameThe mail alias for the group, unique for Microsoft 365 groups in the organization. This property can contain only characters in the ASCII character set 0 - 127 except the following: @ () \ [] " ; : <> , SPACE.
Security EnabledWhen true, the group is security-enabled, including Microsoft 365 groups. Groups created using the Microsoft Entra admin center or the Azure portal always have securityEnabled initially set to true.
Group TypesThe type of group and its membership.
Additional PropertiesAdditional properties that are not covered by the other inputs. This should be a JSON object and will be merged with the other inputs. See Upsert Group API.