Skip to content

Configure API Permissions

For Connect to use Microsoft Entra as an Identity Provider (IDP), permission must be given from the Azure tenant for access to the directory via the Microsoft Graph API.

This allows Connect to retrieve user group information from Entra.


  • An Azure account with an active Microsoft subscription
  • The Azure account must be at least a Cloud Application Administrator
  • An app registration must exist in Entra; this should have been set up in the previous step

Adding API permissions

If you still have the summary of your new application open in the Microsoft Entra admin center from the previous step, go to that page and select API permissions from the side menu.

Alternatively, go to: Applications -> App registrations -> All applications -> (Registration Name) -> API permissions.

Now you can add the required permissions for Connect to communicate with your Microsoft Entra tenant:

  • Select "Add a permission"

    Add A Permission

  • Select "Microsoft Graph"

    Select API Permissions

  • Select "Application permissions"

    Select Application Permissions

  • Scroll or filter to "Group"

  • Select Group.Read.All

    Select Permissions Group

  • Scroll or filter to "GroupMember"

  • Select GroupMember.Read.All

    Select Permissions GroupMember

  • Scroll or filter to "User"

  • Select User.Read.All

    Select Permissions User Read

  • Now click "Add permissions" to add the selected permissions to the application

Next, you will need to grant admin consent for these permissions.

To do this, select "Grant admin consent..." and then select "Yes":


Other permissions beyond those selected during this process may be shown in the list.

Grant Admin Consent

Confirm Admin Consent

Confirm that the configured permissions now include the following:

Permissions Configured

The Entra tenant is now ready to be added in the Identity Providers tab of your Connect Organisation in the next step.

Previous Next