Overview
The Microsoft Entra ID integration (formerly Azure Active Directory) monitors your organization's user directory, MFA registration, conditional access policies, application assignments, and sign-in logs. LowerPlane uses read-only Microsoft Graph API access.

Authentication
Microsoft Entra ID uses OAuth 2.0 via the Microsoft identity platform. You can connect using either:
- OAuth (Recommended)
- App Registration (Manual)
Click Connect in LowerPlane and authorize with a Global Administrator or Security Reader account. LowerPlane handles the app registration automatically.
Required Permissions (Microsoft Graph)
| Permission | Type | Why LowerPlane Needs It |
|---|---|---|
| User.Read.All | Application | Read all user profiles, status, and MFA registration methods |
| Group.Read.All | Application | Read group memberships for access review campaigns |
| Directory.Read.All | Application | Read directory data including organizational structure |
| AuditLog.Read.All | Application | Read sign-in and audit logs for compliance evidence |
| SecurityEvents.Read.All | Application | Read security alerts and risk detections |
| Device.Read.All | Application | Read managed device inventory and compliance status |
| Application.Read.All | Application | Read enterprise application assignments |
All permissions are read-only (`.Read.All`). LowerPlane never modifies users, groups, policies, or any other directory data.

What LowerPlane Collects
User Directory
All Entra ID users with profile data: name, email, department, job title, account status, creation date, and last sign-in.
MFA Registration
Per-user authentication method registration: Microsoft Authenticator, FIDO2 keys, phone, email, and Windows Hello.
Conditional Access
Conditional access policies including MFA requirements, location-based access, device compliance, and risk-based policies.
Sign-In Logs
Sign-in activity including successful and failed authentications, locations, device info, and risk levels.
Groups & Roles
Security groups, Microsoft 365 groups, and directory role assignments for access certification.
Enterprise Applications
Registered enterprise applications and service principals with user assignments.
Security Tests
LowerPlane runs automated tests against your Entra ID tenant:

| Test | Severity | Applies To | Description |
|---|---|---|---|
| MFA Registered for All Users | Critical | Each user | Verifies every active user has at least one strong authentication method registered |
| Inactive User Accounts | Medium | Each user | Flags accounts with no sign-in activity in the last 90 days |
| Offboarded User Access Removed | Critical | Each user | Confirms disabled/deleted accounts match terminated employees |
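The first two tests in the table are easy to reproduce from the same Graph data LowerPlane reads. The following is an added example, not LowerPlane's or Microsoft's code: it evaluates "MFA Registered for All Users" and "Inactive User Accounts" over records shaped like the Graph `/users` (with `signInActivity`) and `/users/{id}/authentication/methods` responses. The method type names are real Graph `@odata.type` values; which of them count as a strong factor, the 90-day window, and all user and method records are assumptions constructed for this example.

```python
# Added example (not LowerPlane's or Microsoft's code): the "MFA Registered for
# All Users" and "Inactive User Accounts" tests evaluated over Microsoft
# Graph-shaped records. Every user and method record below is constructed.
from datetime import datetime, timedelta, timezone

# Real Graph @odata.type names for authentication methods; treating this
# particular subset as "strong" is an assumption of this example.
STRONG_METHOD_TYPES = {
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
    "#microsoft.graph.fido2AuthenticationMethod",
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod",
    "#microsoft.graph.softwareOathAuthenticationMethod",
    "#microsoft.graph.phoneAuthenticationMethod",
}
# A password is the first factor and a temporary access pass is a short-lived
# bootstrap credential: neither counts as a registered second factor here.

INACTIVITY_DAYS = 90


def parse_graph_time(value):
    # Graph returns ISO 8601 timestamps with a trailing 'Z'.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def has_strong_method(methods):
    return any(m.get("@odata.type") in STRONG_METHOD_TYPES for m in methods)


def is_inactive(user, now):
    """No sign-in within INACTIVITY_DAYS. Disabled accounts are skipped because
    the offboarding test covers them."""
    if not user.get("accountEnabled", True):
        return False
    window = timedelta(days=INACTIVITY_DAYS)
    last = (user.get("signInActivity") or {}).get("lastSignInDateTime")
    if last is None:
        # Never signed in: only stale if the account is older than the window.
        return now - parse_graph_time(user["createdDateTime"]) > window
    return now - parse_graph_time(last) > window


def run_tests(users, methods_by_user, now):
    findings = {"mfa_unregistered": [], "inactive": []}
    for u in users:
        upn = u["userPrincipalName"]
        # Caveat from the troubleshooting notes: a user federated to another IdP
        # may legitimately have an empty method list; review those separately.
        if u.get("accountEnabled", True) and not has_strong_method(
            methods_by_user.get(u["id"], [])
        ):
            findings["mfa_unregistered"].append(upn)
        if is_inactive(u, now):
            findings["inactive"].append(upn)
    return findings


# Constructed sample data; the evaluation date is fixed so results are stable.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"id": "u1", "userPrincipalName": "alice@contoso.example", "accountEnabled": True,
     "createdDateTime": "2022-03-01T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-05-30T08:12:00Z"}},
    {"id": "u2", "userPrincipalName": "bob@contoso.example", "accountEnabled": True,
     "createdDateTime": "2021-07-15T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-01-15T17:40:00Z"}},
    {"id": "u3", "userPrincipalName": "carol@contoso.example", "accountEnabled": False,
     "createdDateTime": "2020-01-10T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2023-12-01T09:00:00Z"}},
    {"id": "u4", "userPrincipalName": "dave@contoso.example", "accountEnabled": True,
     "createdDateTime": "2024-05-20T00:00:00Z"},   # new hire, never signed in
    {"id": "u5", "userPrincipalName": "erin@contoso.example", "accountEnabled": True,
     "createdDateTime": "2023-02-01T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-05-01T12:00:00Z"}},
]
SAMPLE_METHODS = {
    "u1": [{"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"},
           {"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"}],
    "u2": [{"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"}],
    "u3": [{"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"}],
    "u4": [{"@odata.type": "#microsoft.graph.fido2AuthenticationMethod"}],
    "u5": [{"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"},
           {"@odata.type": "#microsoft.graph.temporaryAccessPassAuthenticationMethod"}],
}

if __name__ == "__main__":
    print(run_tests(SAMPLE_USERS, SAMPLE_METHODS, NOW))
```

On the sample data, bob fails both tests (password only, last sign-in 138 days ago) and erin fails the MFA test because a temporary access pass is not a durable second factor; carol is disabled and so left to the offboarding test, and dave's never-signed-in account is younger than the window. Note that `signInActivity` is only populated when the tenant exposes sign-in data (see Troubleshooting), so a missing field on an old account should be investigated rather than silently trusted.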
Cross-IdP MFA Passthrough
When Entra ID enforces MFA via conditional access policies, LowerPlane automatically passes MFA-related tests for downstream services authenticated via Microsoft SSO (e.g., GitHub Enterprise, Slack, Salesforce).

Connecting
Navigate to Integrations
Go to Settings > Integrations and find Microsoft Entra ID under Identity Providers.
Authorize
Sign in with a Global Administrator or Security Reader account. Review the requested permissions and click Accept.
Evidence Artifacts
| Artifact | Description | Frameworks |
|---|---|---|
| User Directory | Complete user inventory with account status and last sign-in | SOC 2, ISO 27001, HIPAA, GDPR |
| MFA Registration Methods | Per-user authentication method enrollment | SOC 2, ISO 27001, HIPAA, PCI-DSS |
| Conditional Access Policies | MFA enforcement and access control policies | SOC 2, ISO 27001, HIPAA |
| Sign-In Logs | Authentication events with risk levels | SOC 2, ISO 27001, HIPAA |
| Group Memberships | User-to-group mapping for access certification | SOC 2, ISO 27001 |
| Enterprise Applications | App inventory with user assignments | SOC 2, ISO 27001 |
Compliance Mapping
| Framework | Controls | What Entra ID Evidence Satisfies |
|---|---|---|
| SOC 2 | CC6.1, CC6.2, CC6.3 | Logical access controls, user provisioning, MFA enforcement |
| ISO 27001 | A.9.2, A.9.4 | User access management, system access control |
| HIPAA | 164.312(d) | Person or entity authentication |
| GDPR | Art. 32 | Security of processing (access controls) |
| NIST CSF | PR.AC-1, PR.AC-7 | Identity management and access control |
Data Access
| Data Type | Access |
|---|---|
| User profiles and account status | Read |
| MFA registration methods | Read |
| Group and role memberships | Read |
| Conditional access policies | Read |
| Sign-in and audit logs | Read |
| Enterprise application assignments | Read |
| Email contents (Exchange) | No access |
| OneDrive / SharePoint files | No access |
| Teams messages | No access |
| User passwords or secrets | No access |
Troubleshooting
Authorization fails with 'need admin approval'
MFA status shows unregistered but users have MFA
Entra ID distinguishes between MFA registration (the user has set up a factor) and MFA enforcement (a conditional access policy requires it). LowerPlane checks registration status via the `authenticationMethods` API. If users authenticate via a federated IdP (e.g., Okta SSO into M365), their Entra ID MFA registration may be empty because MFA is handled by the federated IdP.
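The enforcement side of that distinction, which is also what the Cross-IdP MFA Passthrough section relies on, can be checked from the conditional access policy objects themselves. The following is an added example, not LowerPlane's or Microsoft's code: it walks records shaped like Graph `conditionalAccessPolicy` objects and reports which enabled policies require MFA for all users when signing in to a given application. The field names (`state`, `conditions.users.includeUsers`, `conditions.applications.includeApplications`, `grantControls.builtInControls`, `grantControls.operator`) are the real Graph properties; the application and user identifiers and all four policies are placeholders constructed for this example.

```python
# Added example (not LowerPlane's or Microsoft's code): decide whether
# conditional access actually enforces MFA for an application, and surface
# the exclusions a reviewer should confirm. All policies below are constructed.


def policy_requires_mfa(policy):
    """True when the grant controls make MFA mandatory rather than one option."""
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    strength = grant.get("authenticationStrength")  # alternative to "mfa"
    if grant.get("operator", "OR").upper() == "OR" and len(controls) > 1:
        # e.g. ["mfa", "compliantDevice"] joined by OR: a compliant device
        # satisfies the policy without any second factor.
        return False
    return "mfa" in controls or strength is not None


def policy_covers_app(policy, app_id):
    apps = (policy.get("conditions") or {}).get("applications") or {}
    if app_id in (apps.get("excludeApplications") or []):
        return False
    include = apps.get("includeApplications") or []
    return "All" in include or app_id in include


def policy_covers_all_users(policy):
    users = (policy.get("conditions") or {}).get("users") or {}
    return "All" in (users.get("includeUsers") or [])


def enforcing_policies(policies, app_id):
    """Names of enabled policies that require MFA of all users for app_id.
    Report-only policies are deliberately not counted."""
    return [
        p["displayName"]
        for p in policies
        if p.get("state") == "enabled"
        and policy_covers_all_users(p)
        and policy_covers_app(p, app_id)
        and policy_requires_mfa(p)
    ]


def exclusions(policies):
    """Excluded users/groups per policy, so break-glass carve-outs are reviewed
    rather than silently accepted."""
    result = {}
    for p in policies:
        users = (p.get("conditions") or {}).get("users") or {}
        excluded = (users.get("excludeUsers") or []) + (users.get("excludeGroups") or [])
        if excluded:
            result[p["displayName"]] = excluded
    return result


# Constructed identifiers; real tenants use service principal GUIDs here.
GITHUB_APP_ID = "app-id-github-placeholder"
SLACK_APP_ID = "app-id-slack-placeholder"

SAMPLE_POLICIES = [
    {   # report-only: nothing is enforced
        "displayName": "Baseline MFA (report-only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {"users": {"includeUsers": ["All"]},
                       "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # MFA OR compliant device: MFA is optional on a compliant device
        "displayName": "MFA or compliant device",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"]},
                       "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR",
                          "builtInControls": ["mfa", "compliantDevice"]},
    },
    {   # scoped to one app, with a break-glass exclusion
        "displayName": "MFA for GitHub",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"],
                                 "excludeUsers": ["breakglass-user-id-placeholder"]},
                       "applications": {"includeApplications": [GITHUB_APP_ID]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # privileged roles only
        "displayName": "MFA for admin roles",
        "state": "enabled",
        "conditions": {"users": {"includeRoles": ["directory-role-id-placeholder"]},
                       "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]

if __name__ == "__main__":
    for app in (GITHUB_APP_ID, SLACK_APP_ID):
        print(app, "->", enforcing_policies(SAMPLE_POLICIES, app))
    print("exclusions:", exclusions(SAMPLE_POLICIES))
```

With this sample set, only the GitHub application is covered by a strict, enabled, all-users MFA policy; Slack is not, because the only tenant-wide enabled policy lets a compliant device stand in for MFA and the baseline policy is report-only. The break-glass exclusion on the GitHub policy is listed separately so it can be justified in the audit evidence rather than quietly widening the gap.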
Sign-in logs are empty or incomplete
Sign-in logs require Microsoft Entra ID P1 or P2 (Premium). Free and Office 365 tiers only retain sign-in logs for 7 days and may not expose them via the API.
Sync fails with 'insufficient privileges'
Verify the app registration has the correct API permissions and that admin consent has been granted. Check API permissions in the app registration — the status column should show “Granted for [tenant]”.