# Microsoft Azure and Entra ID Integration Setup

## Getting Started <a href="#h_01hq2w79mbvtwg0vax1wc6kk64" id="h_01hq2w79mbvtwg0vax1wc6kk64"></a>

BalkanID recommends creating a dedicated service account for this integration rather than using a personal or employee-named account.

## Requirements <a href="#h_01hq2w7w31src22b47qmq1sjkf" id="h_01hq2w7w31src22b47qmq1sjkf"></a>

* ***Application (client) ID***
* ***BalkanID Secret Key***
* ***Directory (tenant) ID***

*Note: The organization must hold an Entra ID Premium P1/P2 license and assign it to the user who performs this configuration. It is recommended that this user holds the Global Administrator role.*

## Getting the configuration <a href="#h_01hph1a7504r5dj3y22k4phm3s" id="h_01hph1a7504r5dj3y22k4phm3s"></a>

### Register the BalkanID application within Azure

1. Within your Azure portal, from the Dashboard search and navigate to *App Registrations*.

   <figure><img src="https://2975852473-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbVGYwk8aSk5yI1GDPEW9%2Fuploads%2FSVyXkBZogErnnJFkb5n8%2Fimage.png?alt=media&#x26;token=016260b0-3734-4072-bbe2-767de56e688c" alt=""><figcaption></figcaption></figure>
2. Click **New Registration**.

   <figure><img src="https://2975852473-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbVGYwk8aSk5yI1GDPEW9%2Fuploads%2FvC2LtCRDp4in8dWvr5ka%2Fimage.png?alt=media&#x26;token=e9e52272-a637-470c-94c4-b1204e95835c" alt=""><figcaption></figcaption></figure>
3. Fill in the registration details as shown in the screenshot.

   <figure><img src="https://2975852473-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbVGYwk8aSk5yI1GDPEW9%2Fuploads%2F99JpjzoilSkC5SyLJD9Z%2Fimage.png?alt=media&#x26;token=c9cf2582-20f6-4632-9ead-29171ec5182e" alt=""><figcaption></figcaption></figure>
4. Copy the *Application (client) ID* and *Directory (tenant) ID* after app registration. You will need these values to configure Azure within BalkanID.

   <figure><img src="https://2975852473-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbVGYwk8aSk5yI1GDPEW9%2Fuploads%2FbtFdM4NVG3AMLrSZSobW%2Fimage.png?alt=media&#x26;token=f275644b-3028-4476-a7a3-a4a69611ae3b" alt=""><figcaption></figcaption></figure>

### Configure API permissions for the BalkanID application <a href="#h_01ha5cpf882fztz3tehn2wm0sv" id="h_01ha5cpf882fztz3tehn2wm0sv"></a>

1. Within your Azure portal, navigate to *API Permissions* and select **Add a permission**. Select **Microsoft Graph**.

   <figure><img src="https://2975852473-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbVGYwk8aSk5yI1GDPEW9%2Fuploads%2FJlRyYnZd649C5TFG2Vj1%2Fimage.png?alt=media&#x26;token=ff172109-2da1-4318-8708-f1aacf83f014" alt=""><figcaption></figcaption></figure>
2. Within the Microsoft Graph section, you will see a choice between Delegated and Application permissions. Select **Application permissions**.

   <figure><img src="https://2975852473-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbVGYwk8aSk5yI1GDPEW9%2Fuploads%2Fn8j4ucqkqeVmy5F8NKPG%2Fimage.png?alt=media&#x26;token=38ba8b89-6bbf-4b4d-8d84-83c6137ba45e" alt=""><figcaption></figcaption></figure>
3. As shown in the screenshots below:
   * From the *RoleManagement* section, select *RoleManagement.Read.All*

     <figure><img src="https://2975852473-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbVGYwk8aSk5yI1GDPEW9%2Fuploads%2FfuTiJl1VR5UnFyRe7ezL%2Fimage.png?alt=media&#x26;token=4bc7b62b-3e0f-4dcd-8e96-e337acd5e48e" alt=""><figcaption></figcaption></figure>
   * From the *AuditLog* section, select *AuditLog.Read.All*.

     <figure><img src="https://2975852473-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbVGYwk8aSk5yI1GDPEW9%2Fuploads%2FV5fqCRaZkIs4rjCmy1Ae%2Fimage.png?alt=media&#x26;token=72dd5317-3839-4a73-8016-f7013ab7b190" alt=""><figcaption></figcaption></figure>
   * From the *AdministrativeUnit* section, select *AdministrativeUnit.Read.All*.

     <figure><img src="https://2975852473-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbVGYwk8aSk5yI1GDPEW9%2Fuploads%2FNfsWT2NoUtif57tz7Sdd%2Fimage.png?alt=media&#x26;token=81e37046-c96b-4602-859e-0a8a13dd706f" alt=""><figcaption></figcaption></figure>
   * From the *Application* section, select *Application.Read.All*.
   * From the *Directory* section, select *Directory.Read.All*.

     <figure><img src="https://2975852473-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbVGYwk8aSk5yI1GDPEW9%2Fuploads%2FDXU8wbXgB0gD29bmGkPc%2Fimage.png?alt=media&#x26;token=151d66d2-1de2-4a86-9af7-8f47c7e2e7e7" alt=""><figcaption></figcaption></figure>
   * From the *Group* section, select *Group.Read.All*.
   * From the *User* section, select *User.Read.All*.
4. Click the *Grant admin consent for ...* link to consent to the permissions added in the steps above (in the example below, the directory is named "Default Directory"), as shown in the screenshot.

   <figure><img src="https://2975852473-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbVGYwk8aSk5yI1GDPEW9%2Fuploads%2F1RHDwLmnPBBWzFRzguI0%2Fimage.png?alt=media&#x26;token=a8329eb2-ccfe-4f08-9124-df939f1fc91c" alt=""><figcaption></figcaption></figure>
5. Once granted, the status of each permission changes from *Not granted for <your directory>* to *Granted for <your directory>*. The final list of permissions should match the screenshot below.

   <figure><img src="https://2975852473-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbVGYwk8aSk5yI1GDPEW9%2Fuploads%2FypsaLCrQH3p80dQWIGcc%2Fimage.png?alt=media&#x26;token=e2d4c83f-f9f0-45f1-a051-4bb4cc1b4370" alt=""><figcaption></figcaption></figure>

### Generate a secret for the BalkanID application to use <a href="#h_01ha5cpf899d1089zeqagedfgq" id="h_01ha5cpf899d1089zeqagedfgq"></a>

1. Navigate to *Certificates & secrets* and select **New client secret**. For the description, use "BalkanID Secret Key". For the expiration, select your preferred period. Note that you will need to reissue the client secret and update it in BalkanID once this secret expires.

   <figure><img src="https://2975852473-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbVGYwk8aSk5yI1GDPEW9%2Fuploads%2FR8CkNY2Q8dPuApdZyVWc%2Fimage.png?alt=media&#x26;token=69761fae-3cc0-4219-96a6-3cc092e89824" alt=""><figcaption></figcaption></figure>
2. Copy the Value of the newly created BalkanID Secret Key. You will need this value to configure Azure within BalkanID.

   ***CAUTION:** The entire Value may not be visible in the portal. Use the copy-to-clipboard action next to the Value field to copy the entire value.*

   <figure><img src="https://2975852473-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbVGYwk8aSk5yI1GDPEW9%2Fuploads%2FD5dIrysG4zO9nEax4lHa%2Fimage.png?alt=media&#x26;token=bc4b0dc3-b353-4f32-86af-00789e1f0a7e" alt=""><figcaption></figcaption></figure>
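   To confirm the outcome of the two sections above before moving on, the following PowerShell script (an added example, not BalkanID's own tooling) uses the Microsoft Graph PowerShell SDK to list the Microsoft Graph application permissions that have actually been admin-consented to the app's service principal, compares them with the permissions configured above, and reports when each client secret expires. It assumes the SDK is installed and that `$AppId` is the Application (client) ID copied during registration.

```powershell
# Added verification script (not BalkanID's code). Assumes the Microsoft Graph
# PowerShell SDK is installed and $AppId holds the Application (client) ID
# copied in the registration step above.
param(
    [Parameter(Mandatory = $true)][string]$AppId
)

# Application permissions the setup steps above ask you to consent to.
$Expected = @(
    'RoleManagement.Read.All', 'AuditLog.Read.All', 'AdministrativeUnit.Read.All',
    'Application.Read.All', 'Directory.Read.All', 'Group.Read.All', 'User.Read.All'
)
$GraphAppId = '00000003-0000-0000-c000-000000000000'   # well-known Microsoft Graph app ID

# Reading app registrations and service principals only needs Application.Read.All.
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

$graphSp = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
$sp      = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal found for appId $AppId" }

# App-role assignments on the service principal are the permissions that have
# actually been admin-consented; the registration's requiredResourceAccess only
# records what was requested, so checking it alone would miss a skipped consent step.
$roleNames = @{}
foreach ($r in $graphSp.AppRoles) { $roleNames[$r.Id] = $r.Value }

$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object { $roleNames[$_.AppRoleId] }

$missing = $Expected | Where-Object { $_ -notin $granted }
$extra   = $granted  | Where-Object { $_ -notin $Expected }

Write-Host "Granted Graph application permissions: $($granted -join ', ')"
if ($missing) { Write-Warning "Not yet consented: $($missing -join ', ')" }
if ($extra)   { Write-Warning "Consented but not required by this guide: $($extra -join ', ')" }
if (-not $missing -and -not $extra) { Write-Host 'Permissions match the setup steps.' }

# Client secrets expire; flag any secret that is expired or expires within 30 days
# so it can be reissued and updated in BalkanID before the integration breaks.
$app = Get-MgApplication -Filter "appId eq '$AppId'"
foreach ($cred in $app.PasswordCredentials) {
    $daysLeft = [int]($cred.EndDateTime - (Get-Date).ToUniversalTime()).TotalDays
    $state = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -le 30) { 'expiring soon' } else { 'ok' }
    Write-Host ("Secret '{0}' (KeyId {1}) expires {2:u}: {3} ({4} days)" -f `
        $cred.DisplayName, $cred.KeyId, $cred.EndDateTime, $state, $daysLeft)
}
```

   Run it with the Application (client) ID, for example `.\Check-BalkanIdApp.ps1 -AppId <your-client-id>`; an empty "Granted" list usually means the admin consent step was not completed.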

## Configure Azure integration within your BalkanID tenant <a href="#h_01ha5cpf89c5qza2tmxet813kp" id="h_01ha5cpf89c5qza2tmxet813kp"></a>

1. Log in to the BalkanID application and switch to the tenant you would like to add the integration to.
2. Go to *Integrations* > **Add Integration** and select **Azure**.

   <figure><img src="https://2975852473-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbVGYwk8aSk5yI1GDPEW9%2Fuploads%2FK1qyyKyxxY7K23dLHBir%2Fimage.png?alt=media&#x26;token=2602e254-22f7-4a99-911a-aad18e10d275" alt=""><figcaption></figcaption></figure>

   <figure><img src="https://2975852473-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbVGYwk8aSk5yI1GDPEW9%2Fuploads%2FenQITf4CjG9UZFlcke3Y%2Fimage.png?alt=media&#x26;token=05eb19b8-bb88-4a5d-aae8-966840a8ea8f" alt=""><figcaption></figcaption></figure>
3. Set up the *Primary Application owner (mandatory)* and the *Description*, if any. Set up Secondary Application Owner(s), if any.

   Select the Extraction Type. From here, you can configure your application using one of the following methods:

   1. **Direct integration** - Provide the Application (Client) ID, Client Secret and Azure Directory ID obtained above to set up a direct connection with BalkanID.
   2. **SCIM integration** - Provide SCIM server credentials to set up a SCIM connection with BalkanID.
   3. **Manual file upload** - Upload Entities and Entity Relations through a .CSV file upload. Contact the team for assistance with this.
   4. **Automated upload using API** - Upload data using our [Bulk APIs](https://developer.balkan.id/) with an API key that will be provided to you. Refer to the [entity](https://developer.balkan.id/bulk-entities-upload-api-early-access-12828095e0) and [entity relation](https://developer.balkan.id/bulk-entity-relations-upload-api-early-access-12828102e0) upload docs for specific instructions on uploading your data through the API.

   <figure><img src="https://2975852473-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbVGYwk8aSk5yI1GDPEW9%2Fuploads%2FzryoF30k4jMBkLPssdVj%2Fimage.png?alt=media&#x26;token=5aabf56f-cce2-4ab4-b2a6-0976d25bea39" alt="" width="563"><figcaption></figcaption></figure>
4. Click **Next** to move on to *Optional Configuration*.
5. Fill in the **Optional configuration**, if required.

   <figure><img src="https://2975852473-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbVGYwk8aSk5yI1GDPEW9%2Fuploads%2FvgCgyt5C48JaG9QxevOS%2Fimage.png?alt=media&#x26;token=84c48d74-f15d-4ccf-816f-eb7e5433b467" alt="" width="563"><figcaption></figcaption></figure>
6. Once you have filled in the information, click **Save**. Your integration is now configured, and its status is displayed alongside your other integrations on the *Integrations* page. When data is available, the integration Status will read **Connected** and the integration Message will read **Data available**.

## Integration Scopes <a href="#h_01j5r9r7pmaq7g0ck77yz4hxhm" id="h_01j5r9r7pmaq7g0ck77yz4hxhm"></a>

| **Read Only (Access Review) Scopes** | **Lifecycle Management Scopes** |
| --- | --- |
| RoleManagement.Read.All | RoleManagement.ReadWrite.Directory |
| AuditLog.Read.All | AuditLog.Read.All |
| AdministrativeUnit.Read.All | AdministrativeUnit.ReadWrite.All |
| Application.Read.All | Application.ReadWrite.All and AppRoleAssignment.ReadWrite.All |
| Directory.Read.All | Directory.ReadWrite.All |
| Group.Read.All | Group.ReadWrite.All |
| GroupMember.Read.All | GroupMember.ReadWrite.All |
| User.Read | User.ReadWrite.All |
| User.Read.All | <p>Additionally, the <strong>Privileged Authentication Administrator</strong> role must be assigned to the BalkanID application's service principal to allow the following:<br>1. Deletion of users and groups with privileged roles (such as the User Administrator role).<br>2. Creation of role-assignable groups.<br><br>This is done from the "Roles and administrators" menu in Entra ID.</p> |
| IdentityRiskEvent.Read.All | |
| <p>User-LifeCycleInfo.ReadWrite.All<br><br><strong>Note:</strong> This scope is required only for pulling HRIS data from Azure, specifically to retrieve the termination date of an employee.</p> | |
