Microsoft Entra Role Members

Microsoft Entra tracks user activity and generates reports that help you understand how users access and use Entra services.

Integration Method: API Ingest

Tables: User Access Management (3005), Group Management (3006)

This integration supports the following events.

| Event | Description |
|---|---|
| Role Members | Fetches members (users and groups) for specified Microsoft Entra directory roles. |

This integration supports the following versions.

| Microsoft Entra API version | V 1.0 |
|---|---|

Note:

Microsoft Entra is a continuously updated cloud service. At the time this document was prepared, the latest release was in Dec 2025.

Prerequisites 

  • The user should have access to the Azure portal with an account that has Global Administrator privileges.

  • The user should have access to the DataBee console.

Configuration Overview

  1. Create an application with required permissions to fetch the data. 

  2. Create Microsoft Entra Role Members Data Feed in the DataBee console with the required Client credentials. 

    | DataBee Parameter | Azure Parameter |
    |---|---|
    | Client Key | Application (client) ID |
    | Client Secret | Client Secret Value |
    | Token URL (<tenant_id>) | Directory (Tenant) ID |

Azure Configuration

Create an application

  1. Log on to the Azure portal with an account that has Global Administrator privileges.

  2. In the search bar, search for App registrations and select it.

  3. On the “App registrations” page, select New registration; the “Register an application” window will appear.

  4. On the “Register an application” window, enter your application name in the Name field, then click Register to create the application. 

  5. On the app Overview page, copy the Application (client) ID and Directory (tenant) ID for later use.  

Add Endpoint Access

Once the application is created, two permissions should be provided to fetch data. The appropriate permissions for the application are needed to access these endpoints. The following section details how to configure and add permissions to the required endpoints.   

Add Permissions

From the Azure Active Directory portal:   

  1. Select the application registered in the previous step. 

  2. Under Manage, click API permissions and then click Add a permission; the “Request API permissions” window will appear.

  3. On the “Request API permissions” window, click Microsoft APIs, then Microsoft Graph.

  4. Click on Application permissions.

  5. The following permission needs to be granted for the endpoint to function properly:

     | Event | Type | Permission |
     |---|---|---|
     | Role Members | Application | Directory.Read.All |

     In the Select permissions search bar, enter the permission shown above, and check the box to include it.


  6. Click the Add permissions button after selecting the required permission. 
      

  7. On the “API permissions” page, click Grant admin consent for <tenant>.
     

  8. Click the Yes button on the consent confirmation.  
     

  9. The required permission is now added for the endpoints.  
     

Create the Client Secret

The final step in accessing the APIs is creating a Client Secret. To create it from the Azure Portal:   

  1. Select the application created above. 

  2. Under Manage, click Certificates & secrets, and then Client secrets.  

  3. Click New client secret. The “Add a client secret” window appears.

  4. On the “Add a client secret” window:

    • Enter a ‘Description’ for this client secret and select the desired expiry period from the ‘Expires’ drop-down list.

    • Then click Add to create the client secret.

      Note:

      The user needs to re-create the client secret when it expires.

  5. Copy the Value field to use it as Client Secret while configuring the Data Feed Auth Configurations.
     

DataBee Configuration

  1. Log in to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.
     

  2. Search for Microsoft Entra Role Members and click it.
     

  3. Click the API Ingest option for the collection method.
     

  4. Enter feed contact information.
     

  5. In the configuration page, enter the following: 

    • Authorization Method: OAuth2 

    • Client Key: Paste the Application (Client) ID generated earlier in the Azure portal. 

    • Client Secret: Paste the Client Secret value generated earlier in the Azure portal. 

    • Token URL: Replace <tenant_id> with your Directory (Tenant) ID.

    • Role Names: Comma-separated list of directory roles for which members will be fetched.
       

  6. Click Submit.

Troubleshooting Tips

  • If you receive an invalid client or unauthorized client error, this may be due to incorrect credentials. Ensure the client key, client secret and Tenant ID are pasted correctly. Because the client secret cannot be viewed after the first time, re-create it, paste it into a text editor to confirm that no spaces or unexpected characters are included, and reconfigure the DataBee feed.

  • If you receive a 403 response code, this may be due to a missing permission. Ensure that the required permission is granted as described in the steps above.

  • Ensure that the requested directory role names are correctly entered and separated by commas.
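
The checks in the tips above can be reproduced outside the console. The following is an added example, not DataBee's or Microsoft's code: it builds the OAuth2 client-credentials request and the Microsoft Graph v1.0 role-member request, resolves a Role Names value against the tenant's directory roles, and splits members into users and groups. Assumptions: the v2.0 token endpoint as the Token URL, the helper names, and the constructed sample responses.

```python
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample responses (not real tenant data).
ROLES_SAMPLE = {"value": [
    {"id": "role-id-1", "displayName": "Global Administrator"},
    {"id": "role-id-2", "displayName": "Security Reader"},
]}
MEMBERS_SAMPLE = {"value": [
    {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "alice@example.com"},
    {"@odata.type": "#microsoft.graph.group", "displayName": "Tier0-Admins"},
    {"@odata.type": "#microsoft.graph.servicePrincipal", "displayName": "sync-app"},
]}

def token_request(tenant_id, client_id, client_secret):
    """Client-credentials token request (v2.0 endpoint assumed for Token URL)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {"grant_type": "client_credentials", "client_id": client_id,
            # Stray whitespace from copy/paste is a common cause of invalid_client.
            "client_secret": client_secret.strip(),
            "scope": "https://graph.microsoft.com/.default"}
    return urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(),
                                  method="POST")

def resolve_roles(role_names, roles_page):
    """Map a comma-separated Role Names value to role ids from GET /directoryRoles."""
    wanted = [n.strip() for n in role_names.split(",") if n.strip()]
    by_name = {r["displayName"].lower(): r["id"] for r in roles_page["value"]}
    found = {n: by_name[n.lower()] for n in wanted if n.lower() in by_name}
    missing = [n for n in wanted if n.lower() not in by_name]
    return found, missing

def members_request(role_id, access_token):
    """GET /directoryRoles/{id}/members; a 403 here points at missing consent."""
    return urllib.request.Request(f"{GRAPH}/directoryRoles/{role_id}/members",
                                  headers={"Authorization": f"Bearer {access_token}"})

def split_members(members_page):
    """Separate users and groups; other member types are ignored here."""
    users, groups = [], []
    for m in members_page["value"]:
        if m.get("@odata.type") == "#microsoft.graph.user":
            users.append(m["userPrincipalName"])
        elif m.get("@odata.type") == "#microsoft.graph.group":
            groups.append(m["displayName"])
    return users, groups
```

GET /directoryRoles returns only roles that are activated in the tenant, so a correctly spelled role name can still appear in `missing`.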

Copyright © 2026 DataBee®, A Comcast Company.
DataBee® is a registered trademark of Comcast.