Microsoft Entra App Role Inventory

Microsoft Entra App Role Inventory provides visibility into application access and permissions by retrieving app role assignments for service principals. It helps track which users, groups, or principals have access to applications, enforce the principle of least privilege, and audit role-based access controls (RBAC) within Microsoft Entra ID. For more information, refer to the Microsoft Entra App Role Inventory Documentation.

Integration Method: API
Tables: User Access Management (3005)

This integration supports the following events.

| Event | Description |
| --- | --- |
| App Role Inventory | Retrieves app role assignments for a service principal, showing which users, groups, or principals have access to an application. |


This integration supports the following versions.

Microsoft Entra App Role Inventory API Version

v1

Note:

Microsoft Entra App Role Inventory is a continuously updated cloud service. As of this document's preparation, the latest release was on March 24, 2026.

Prerequisites

  • The user should have access to the Azure portal with an account that has Global Administrator privileges.

  • The user should have access to the DataBee console.

Configuration Overview

  1. Create an application with required permissions to fetch the data.

  2. Add the Microsoft Entra App Role Inventory in the DataBee console with the below parameters.

    | DataBee Feed Parameter | Azure Parameter |
    | --- | --- |
    | Client Key | Application (client) ID |
    | Client Secret | Client Secret Value |
    | Token URL (<tenant_id>) | Directory (Tenant) ID |

Azure Configuration

Create an application

  1. Log on to the Azure portal with an account that has Global Administrator privileges.

  2. In the search bar, search for App registrations and select it.

  3. On the “App registrations” page, select New registration. The “Register an application” window will appear.

  4. On the “Register an application” window:

    • Under Name, enter your application name, then click Register to create the application.

  5. On the app Overview page, copy the Application (client) ID and Directory (tenant) ID for later use.

Add Endpoint Access

Once the application is created, permission should be provided to fetch the data. The following section details how to configure and add permissions to the required endpoints.  

Add Permissions

To add permissions for the endpoints outlined above, from the Azure Active Directory portal:  

  1. Select the application registered in the previous step.

  2. Under Manage, click API permissions and then click Add a permission. The “Request API permissions” window will appear.

  3. On the “Request API permissions” window, click Microsoft APIs, then Microsoft Graph.
      

  4. Click on Application permissions.
     

  5. The following permissions need to be granted for the endpoint to function properly:

    | Event | Type | Permission |
    | --- | --- | --- |
    | App Role Inventory | Application | Application.Read.All |

  6. In the Select permissions search bar, enter the permission shown above, and check the box to include it.

  7. Click the Add permissions button after selecting the required permission.


  8. On the “API permissions” page:

    1. Click Grant Admin Consent for <tenant>.

    2. Click the Yes button on the consent confirmation.

Create the Client Secret

The final step to accessing the APIs is creating a Client Secret. To create it from the Azure Portal:  

  1. Select the application created above.

  2. Under Manage, click Certificates & secrets, and then Client secrets.

  3. Click New client secret. The “Add a client secret” window appears.

  4. On the “Add a client secret” window:

    1. Enter a Description for this client secret and select the desired expiry period from the Expires drop-down list.

    2. Click Add to create the client secret.

  5. Copy the client secret's Value field for later use.

    Note:

    The user needs to re-create the client secret when it expires.

DataBee Configuration

  1. Log in to the DataBee UI, navigate to Data > Data Feeds, and click the Add New Data Feed button.
     

  2. Search for Microsoft Entra App Role Inventory and click it.
     

  3. Click the API Ingest option for the collection method.
     

  4. Enter feed contact information.
     

  5. On the configuration page, enter the following:

    • Authorization Method: OAuth2

    • Client Key: Paste the Application (client) ID generated earlier

    • Client Secret: Paste the Client Secret value generated earlier

    • Token URL: Replace <tenant_id> with your Tenant ID.

    • Event Types: Preselected for all the event types that the integration pulls.
       

  6. Click Submit.
     

Troubleshooting Tips

  • Ensure the token is pasted correctly. Because you cannot view the token after the first time, re-create the token, paste it into a text editor to ensure no spaces or unexpected characters are included, and then reconfigure the DataBee feed.

  • Ensure the Microsoft Entra App Role Inventory permissions are correct.
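
A pre-flight check for the two tips above, as an added example that is not DataBee or Microsoft code: it checks a pasted client secret for stray whitespace or hidden characters, and decodes an access token's payload to confirm that Application.Read.All, and nothing broader, was consented for the expected tenant. The function names, placeholder tenant ID and sample tokens are constructed for illustration; it assumes portal-generated secret values are printable ASCII and that the token is a Microsoft Entra app-only JWT carrying the `tid` and `roles` claims.

```python
import base64
import json
import re

REQUIRED_ROLE = "Application.Read.All"  # the only permission this guide grants
TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID

def check_secret(secret: str) -> list:
    """Return problems in a pasted secret ([] = clean); assumes printable-ASCII secrets."""
    core, problems = secret.strip(), []
    if core != secret:
        problems.append("leading or trailing whitespace")
    if re.search(r"\s", core):
        problems.append("whitespace inside the value")
    if any(not c.isspace() and not "!" <= c <= "~" for c in core):
        problems.append("non-printable or non-ASCII character")
    return problems

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))

def check_token(token: str, tenant_id: str) -> list:
    """Compare the token's tenant and app-only roles with what this guide sets up."""
    claims, findings = jwt_claims(token), []
    roles = set(claims.get("roles", []))
    if claims.get("tid") != tenant_id:
        findings.append("token issued for a different tenant")
    if REQUIRED_ROLE not in roles:
        findings.append(f"missing {REQUIRED_ROLE} (admin consent not granted?)")
    findings += [f"extra application permission: {r}" for r in sorted(roles - {REQUIRED_ROLE})]
    return findings

def sample_token(claims: dict) -> str:
    """Build an unsigned token from constructed claims, for the demo only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

GOOD = sample_token({"tid": TENANT, "roles": [REQUIRED_ROLE]})
BROAD = sample_token({"tid": TENANT, "roles": [REQUIRED_ROLE, "Directory.ReadWrite.All"]})
NO_CONSENT = sample_token({"tid": TENANT})

if __name__ == "__main__":
    print(check_secret(" abc~DEF.123\n"))
    for name, tok in (("good", GOOD), ("broad", BROAD), ("no consent", NO_CONSENT)):
        print(name, check_token(tok, TENANT))
```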

Copyright © 2026 DataBee®, A Comcast Company.
DataBee® is a registered trademark of Comcast.