Azure AD Sign-in


Azure AD Sign-in is an identity and access management solution from Microsoft that helps organizations secure and manage identities for hybrid and multi-cloud environments. For more information, refer to Azure's official documentation.

Integration Method: API

Tables: Authentication (3002)

This integration supports the following events.

Event: Authentication

Description: Retrieve a list of user sign-in and authentication data objects.

This integration supports the following versions.

Microsoft Graph REST API: v1.0

Prerequisites

  • The user should ensure the required scopes are assigned to the API token; without them, data retrieval fails.

  • The user should have access to the DataBee console.

Configuration Overview

  1. Generate client credentials with the required scopes.

  2. Add the Azure AD Sign-in data feed in the DataBee console with the following parameters.

    DataBee Parameter        Azure Parameter
    Client Key               Application (client) ID
    Client Secret            Client Secret Value
    Token URL (<tenant_id>)  Directory (Tenant) ID

Azure Configuration

Create an application

  1. Log on to Azure with a user account that has the Global Administrator role.

  2. In the search bar, search for App Registrations and select it.
     

  3. On the “App registrations” page, select New registration; the “Register an application” window will appear.

  4. On the “Register an application” window:

    1. Under Name, enter your application name, then click Register to create the application.

  5. On the app Overview page, copy the Application (client) ID and Directory (tenant) ID for later use.
     

Add Endpoint Access

Once the application is created, it must be granted permissions before it can retrieve data. The following section details how to add the permissions required by the sign-in endpoint.

Endpoint needed for Microsoft Entra: the Microsoft Entra sign-in endpoint (/v1.0/auditLogs/signIns, listed below).

Add Permissions

From the Azure Active Directory portal:

  1. Select the application registered in the previous step.

  2. Under Manage, click “API permissions” and then click Add a permission; the “Request API permissions” window will appear.

  3. On the “Request API permissions” window, click Microsoft APIs, then Microsoft Graph.

  4. Click Application permissions.

  5. The following permissions need to be granted for the endpoint to function properly:

    Endpoint                   Permission
    /v1.0/auditLogs/signIns    AuditLog.Read.All
    /v1.0/auditLogs/signIns    Directory.Read.All

  6. In the Select permissions search bar, enter each permission shown above and check its box to include it. If you run into any problems, check Microsoft's official documentation. Click the Add permissions button after selecting all required permissions.

  7. On the API permissions page, click Grant admin consent for <tenant>.

  8. Click the Yes button on the consent confirmation.
     

  9. The required permissions are now added for the endpoint.

Create the Client Secret

The final step in configuring Graph API access is creating the Client ID and Client Secret. To create them, from the Azure portal:

  1. Select the application created above.

  2. Under Manage, click Certificates and Secrets, and then Client Secrets.

  3. Click New client secret; the “Add a client secret” window appears.

  4. In the “Add a client secret” window:

    1. Enter a ‘Description’ for this client secret and select the desired expiry period from the ‘Expires’ drop-down list.

    2. Then click on Add to create the client secret.
       

      Note:

      The user needs to re-create the client secret when it expires.

  5. Click Add. Copy the Value field for later use; it is shown only once.

DataBee Configuration

  1. Log in to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.

  2. Search for Azure AD Sign-in and select it.

  3. Select API Ingest as the collection method.

  4. Enter feed contact information and click Next.

  5. In the configuration page, confirm the following:

    • Authorization Method: OAuth2

    • Client key: paste the Application (client) ID.

    • Client secret: paste the client secret Value copied earlier.

    • Token URL: replace the <tenant_id> placeholder with the Directory (Tenant) ID copied earlier.

    • Event Types: preselected for all event types that the integration pulls.

  6. Click Submit.

Troubleshooting Tips

  • If you are facing an “invalid client” or “unauthorized client” error, the cause is most likely incorrect credentials. Ensure the client key, client secret and Tenant ID are pasted correctly. Since the client secret cannot be viewed after it is first displayed, re-create it, paste it into a text editor to confirm no spaces or unexpected characters are included, and reconfigure the DataBee feed.

  • If you are facing a 403 response code, the cause is most likely missing permissions. Ensure that all the required permissions are granted, and admin consent given, as per the steps above.
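The following Python helper is an added example, not DataBee's or Microsoft's code. It reproduces the checks behind the configuration table, the permission table and the two troubleshooting tips above: it builds the client-credentials token request from the three DataBee parameters (stripping pasted whitespace), decodes the returned app-only token to confirm that AuditLog.Read.All and Directory.Read.All were actually consented, and maps error responses to the tip that applies. The token endpoint URL is the standard Entra ID v2.0 endpoint; the sample token is constructed for offline use and is not a real Entra token.

```python
import base64
import json
import urllib.parse

# Standard Entra ID v2.0 token endpoint; DataBee's "Token URL" shows <tenant_id> where {tenant_id} is here.
TOKEN_URL = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
SIGNINS_URL = "https://graph.microsoft.com/v1.0/auditLogs/signIns"
REQUIRED_ROLES = {"AuditLog.Read.All", "Directory.Read.All"}  # from the permission table above


def token_request(tenant_id, client_id, client_secret):
    """Build the client-credentials request (URL, form body) that the feed sends.
    Values are stripped because pasted whitespace is a common cause of invalid_client."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id.strip(),
        "client_secret": client_secret.strip(),
        "scope": "https://graph.microsoft.com/.default",
    })
    return TOKEN_URL.format(tenant_id=tenant_id.strip()), body


def token_roles(access_token):
    """Return the application permissions ('roles' claim) carried by an app-only token.
    Decoded without signature verification: we are only inspecting our own freshly issued token."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("roles", []))


def missing_roles(access_token):
    """Required permissions that admin consent has not (yet) granted to this application."""
    return REQUIRED_ROLES - token_roles(access_token)


def diagnose(status, body):
    """Map a token-endpoint or Graph JSON response to the troubleshooting tip that applies."""
    err = body.get("error")
    code = err.get("code") if isinstance(err, dict) else err  # Graph nests the code; the token endpoint does not
    if code in ("invalid_client", "unauthorized_client"):
        return "credentials: re-check client key, client secret and tenant ID"
    if status == 403:
        return "permissions: grant AuditLog.Read.All and Directory.Read.All, then admin consent"
    return "ok" if status == 200 else f"unexpected {status}: {code}"


def make_sample_token(roles):
    """Constructed, unsigned token for offline testing only; not a real Entra token."""
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64({'aud': 'https://graph.microsoft.com', 'roles': roles})}.sig"
```

To use it live, POST the body from token_request to its URL, pass the access_token to missing_roles before calling SIGNINS_URL, and feed any non-200 response to diagnose.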