Configure API Permissions
For Connect to use Microsoft Entra as an Identity Provider (IDP), permission must be given from the Azure tenant for access to the directory via the Microsoft Graph API.
This allows Connect to retrieve user group information from Entra.
Prerequisites
- An Azure account with an active Microsoft subscription
- The Azure account must be at least a Cloud Application Administrator
- An app registration must exist in Entra; this should have been set up in the previous step
Adding API permissions
If you still have the summary of your new application open in the Microsoft Entra admin center from the previous step, go to that page and select API permissions from the side menu.
Alternatively, go to: Applications -> App registrations -> All applications -> (Registration Name) -> API permissions.
Now you can add the required permissions for Connect to communicate with your Microsoft Entra tenant:
- Select "Add a permission"
- Select "Microsoft Graph"
- Select "Application permissions"
- Scroll or filter to "Group"
- Select Group.Read.All
- Scroll or filter to "GroupMember"
- Select GroupMember.Read.All
- Scroll or filter to "User"
- Select User.Read.All
- Now click "Add permissions" to add the selected permissions to the application
Grant admin consent
Next, you will need to grant admin consent for these permissions.
To do this, select "Grant admin consent..." and then select "Yes":
Info: Other permissions beyond those selected during this process may be shown in the list.
Confirm that the configured permissions now include the following, each with admin consent granted: Group.Read.All, GroupMember.Read.All and User.Read.All.
The Entra tenant is now ready to be added in the Identity Providers tab of your Connect Organisation in the next step.
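The consent check above can also be scripted for review or periodic auditing. The following is an added example, not Connect's or Microsoft's code: it takes two Microsoft Graph API responses (the `appRoles` list of the Microsoft Graph service principal, and the `appRoleAssignments` of the Connect app's service principal; admin consent for an application permission is recorded as an appRoleAssignment) and reports which of the three required permissions are missing and which consented permissions go beyond them. The GUIDs and the `Directory.ReadWrite.All` over-grant in the sample data are constructed placeholders; real role ids come from your tenant's Graph service principal.

```python
"""Audit the Microsoft Graph application permissions consented to an app's
service principal.

Added example for this page (not Connect's or Microsoft's code). Assumes the
two inputs were fetched from the Microsoft Graph API:

  graph_app_roles      <- appRoles of the Microsoft Graph service principal
                          (GET /v1.0/servicePrincipals?$filter=appId eq
                          '00000003-0000-0000-c000-000000000000')
  app_role_assignments <- GET /v1.0/servicePrincipals/{connect-sp-id}/appRoleAssignments

Admin consent for an application permission is recorded as an appRoleAssignment
on the app's service principal, so that list, not the requested permissions in
the app manifest, is what tells you consent was actually granted.
"""

REQUIRED_PERMISSIONS = {"Group.Read.All", "GroupMember.Read.All", "User.Read.All"}

# Constructed sample data with placeholder GUIDs; the real role ids come from
# the Graph service principal's appRoles list in your tenant.
GRAPH_SP_ID = "00000000-0000-4000-8000-00000000aaaa"
SAMPLE_GRAPH_APP_ROLES = [
    {"id": "11111111-1111-4111-8111-111111111111", "value": "Group.Read.All",
     "allowedMemberTypes": ["Application"]},
    {"id": "22222222-2222-4222-8222-222222222222", "value": "GroupMember.Read.All",
     "allowedMemberTypes": ["Application"]},
    {"id": "33333333-3333-4333-8333-333333333333", "value": "User.Read.All",
     "allowedMemberTypes": ["Application"]},
    {"id": "44444444-4444-4444-8444-444444444444", "value": "Directory.ReadWrite.All",
     "allowedMemberTypes": ["Application"]},
]
# Consent was granted to Group.Read.All, GroupMember.Read.All and, by mistake,
# Directory.ReadWrite.All; User.Read.All was never consented.
SAMPLE_ASSIGNMENTS = [
    {"appRoleId": "11111111-1111-4111-8111-111111111111", "resourceId": GRAPH_SP_ID,
     "resourceDisplayName": "Microsoft Graph"},
    {"appRoleId": "22222222-2222-4222-8222-222222222222", "resourceId": GRAPH_SP_ID,
     "resourceDisplayName": "Microsoft Graph"},
    {"appRoleId": "44444444-4444-4444-8444-444444444444", "resourceId": GRAPH_SP_ID,
     "resourceDisplayName": "Microsoft Graph"},
    # A grant on a different API is outside this check's scope and is ignored.
    {"appRoleId": "55555555-5555-4555-8555-555555555555", "resourceId": "other-sp-id",
     "resourceDisplayName": "Some other API"},
]


def audit_graph_permissions(graph_app_roles, app_role_assignments, graph_sp_id,
                            required=REQUIRED_PERMISSIONS):
    """Return the consented Graph application permissions, which required ones
    are missing, which consented ones exceed the required set, and any role ids
    that could not be resolved against the Graph appRoles list."""
    # Map role id -> permission name, application permissions only.
    id_to_name = {
        role["id"]: role["value"]
        for role in graph_app_roles
        if "Application" in role.get("allowedMemberTypes", [])
    }
    granted, unknown = set(), set()
    for assignment in app_role_assignments:
        if assignment.get("resourceId") != graph_sp_id:
            continue  # consent to some other API, not Microsoft Graph
        role_id = assignment.get("appRoleId", "")
        name = id_to_name.get(role_id)
        if name is None:
            unknown.add(role_id)
        else:
            granted.add(name)
    return {
        "granted": sorted(granted),
        "missing": sorted(required - granted),
        "extra": sorted(granted - required),
        "unknown": sorted(unknown),
    }


if __name__ == "__main__":
    report = audit_graph_permissions(SAMPLE_GRAPH_APP_ROLES, SAMPLE_ASSIGNMENTS, GRAPH_SP_ID)
    for key, values in report.items():
        print(f"{key:8}: {', '.join(values) or '-'}")
```

Anything listed under `missing` means the Connect integration will fail to read groups or users until consent is granted; anything under `extra` is a candidate for removal, since Connect only needs the three read-only permissions above.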