Microsoft Entra MFA

Microsoft Entra MFA (Multi-Factor Authentication) enhances security by requiring users to verify their identity using multiple authentication methods, such as passwords, biometrics, or one-time passcodes. It helps protect against unauthorized access, phishing, and identity theft by adding an extra layer of security beyond just passwords. It integrates with Microsoft Entra ID (formerly Azure AD) and supports various authentication methods, including push notifications, SMS, voice calls, and security keys. More information can be found at Microsoft Entra MFA.

Integration Method: API
Tables: Device Inventory Info (5001), User Inventory Info (5003) , Base Class(0)

This integration supports the following events.

This integration supports the following versions.

Note:

Microsoft Entra MFA is a continuously updated cloud service. As for this document preparation, the latest release was in January 2025.

Prerequisites

• The user should have access to the Azure portal with an account that has the Global Administrator privileges.

• The user should have access to the DataBee console.

Configuration Overview

1. Create an application with required permissions to fetch the data.

2. Add the Microsoft Entra MFA data feed in the DataBee console with the below parameters

Azure Configuration

Create an application

1. Log on to Azure portal with an account that has the Global Administrator privileges.  

2. In the search bar, search for App registrations and select it.
    
   

3. On the “App registrations” page, select New registration, then “Register an application” window will appear.
    

4. On the “Register an application” window:

   1. Under ‘Name’ enter your Application Name then click on Register to create the application.
        

5. On the app Overview page, copy the Application (client) ID and Directory (tenant) ID for later use.
     

Add Endpoint Access  

Once the application is created, three permissions should be provided in order to fetch data. The appropriate permissions for the application are needed to access these endpoints. The following section details how to configure and add permissions to the required endpoints.  

Add Permissions  

To add permissions for the six endpoints outlined above, from the Azure Active Directory portal:  

1. Select the application registered in the previous step.

2. Under Manage, click API permissions and then click Add a permission, the “Request API permissions” window will appear.   

3. On “Request API permissions” window, Click on Microsoft APIs then on Microsoft Graph.
     

4. Click on Application permissions.
    
   

5. The following permissions need to be granted for the six endpoints to function properly:

   Event	Type	Permission
   User Registration Details	Application	AuditLog.Read.All
   User Registration By Feature	Application	AuditLog.Read.All
   User Registration By Method	Application	AuditLog.Read.All
   User Credential Usage Details	Application	Reports.Read.All
   Credential User Registration Count	Application	Reports.Read.All
   Credential Usage Summary	Application	Reports.Read.All
   Devices	Application	Device.Read.All

In the Select permissions search bar, enter the permissions shown above one by one, and check the box for each to include it.

6. Click the Add permissions button after selecting all required permissions.

7. On the API permissions page,

   1. Click Grant Admin Consent for <tenant>. 

   2. Click the Yes button on the consent confirmation.

8. The required permissions are now added for the endpoints. The overall permissions are shown below. Ensure ‘Type’ is Application for all.
    

Create the Client Secret

The final step to accessing the APIs is creating a Client Secret. To create it from the Azure Portal:  

1. Select the application created above.

2. Under Manage, click Certificates & secrets, and then Client secrets. 
    

3. Click New client secret. Then “Add a client secret” window appears. 
     

4. On “Add a client secret” window:

   1. Enter a ‘Description’ for this client secret and select the desired expiry period from the ‘Expires’ drop-list.

   2. Then click on Add to create the client secret.
       

5. Copy client secrets Value fields for later use.
    

   Note:

   The user needs to re-create the client secret when it expires.

DataBee Configuration

1. Login to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.
    

2. Search for the Microsoft Entra MFA and click it as shown below
    

3. Click on the API Ingest option for collection method.
    

4. Enter feed contact information and click Next.
    
   

5. In the configuration page, enter the following

   • Authorization Method: OAuth2

   • Client Key: paste the Application (client) ID generated earlier.

   • Client Secret: paste the Client Secret value generated earlier.

   • Token URL: replace <application_id> with your Application ID.

   • Event Types: preselected for all the event types that integration pulls.

6. Click Submit.

Troubleshooting Tips

• Ensure the token is pasted correctly. Since you cannot view the token after the 1st time, re-create the token, paste it on a text editor to ensure no spaces or unexpected characters are included and reconfigure the DataBee feed.

• Ensure the Microsoft Entra MFA scopes/ permissions are correct.