Entra Connector – Network

The Azure Entra ID Connector enables GrantFlow to manage privileged identities in your Microsoft Entra tenant (Azure AD).
It is implemented as an Enterprise Application that uses the Microsoft Graph API with delegated or application permissions.


No customer network ports required

The Entra Connector does not require opening any ports in your environment. All connectivity is handled by the GrantFlow infrastructure running in Azure and remains on Microsoft’s trusted backbone.

Communication Overview

All data flows occur within Microsoft's trusted Azure backbone using TLS 1.2+ encryption.
No customer‑side firewall rules or inbound connectivity are required.


Authentication and Security

  • Uses OAuth 2.0 and the Microsoft Graph API for secure interaction with Entra ID.
  • Requires only delegated or application permissions granted during setup.
  • Operates without any standing global admin accounts — all actions are just‑in‑time and time‑bound.
  • Logs and audit data are stored securely within the EU.

License Requirements

No Microsoft E5 license is required for using the Entra Connector.
All functionality works with standard Microsoft Entra or Microsoft 365 subscriptions.


Data Residency

GrantFlow is developed and hosted in Vienna, Austria, and all data processing occurs within EU-based Azure regions.
No audit or operational data leaves the European Union.


Entra‑Only (No AD) Scenario

If your environment does not use on‑premises Active Directory, no on‑prem agents are required. GrantFlow integrates with your tenant purely via a Microsoft Entra Enterprise Application.

  • A multi‑tenant Enterprise Application is consented in your customer tenant; this creates a service principal with the configured Microsoft Graph permissions (app‑only or delegated, as required by your policies).
  • All operations (role assignments, group updates, access lifecycles) are executed against Microsoft Graph; no VPN, inbound ports, or domain connectivity are needed.
  • You can restrict access with Conditional Access and cross‑tenant access settings as per your compliance rules.
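
To check what the consent actually granted, the following added example (not GrantFlow's code) joins a service principal's app-only role assignments and delegated grants, in the shape Microsoft Graph returns them, against an allowlist you define. The `APPROVED` set, the function name `audit_permissions`, and all sample IDs and records are constructed assumptions and do not describe GrantFlow's real permission set.

```python
# Added example. Sample records are constructed; they do not come from a real tenant.
# APPROVED is a hypothetical allowlist: replace it with the permissions you agreed to.
APPROVED = {"RoleManagement.ReadWrite.Directory", "Group.ReadWrite.All", "User.Read"}

# Shape of GET /servicePrincipals/{graph-sp-id}?$select=appRoles (constructed IDs)
GRAPH_APP_ROLES = [
    {"id": "00000000-0000-0000-0000-0000000000a1", "value": "RoleManagement.ReadWrite.Directory"},
    {"id": "00000000-0000-0000-0000-0000000000a2", "value": "Group.ReadWrite.All"},
    {"id": "00000000-0000-0000-0000-0000000000a3", "value": "Mail.Read"},
]
# Shape of GET /servicePrincipals/{connector-sp-id}/appRoleAssignments
APP_ROLE_ASSIGNMENTS = [
    {"appRoleId": "00000000-0000-0000-0000-0000000000a1"},
    {"appRoleId": "00000000-0000-0000-0000-0000000000a3"},
    # ID absent from the looked-up appRoles (e.g. it belongs to a different resource API)
    {"appRoleId": "00000000-0000-0000-0000-0000000000ff"},
]
# Shape of GET /oauth2PermissionGrants?$filter=clientId eq '{connector-sp-id}'
OAUTH2_GRANTS = [
    {"consentType": "AllPrincipals", "scope": " User.Read Directory.AccessAsUser.All"},
]

def audit_permissions(app_roles, assignments, grants, approved):
    """Return (kind, permission, reason) for every grant outside the allowlist."""
    names = {r["id"]: r["value"] for r in app_roles}
    findings = []
    for a in assignments:  # app-only (application) permissions
        name = names.get(a["appRoleId"])
        if name is None:
            findings.append(("app-only", a["appRoleId"], "unknown appRoleId"))
        elif name not in approved:
            findings.append(("app-only", name, "not approved"))
    for g in grants:  # delegated permissions; AllPrincipals means admin consent for every user
        kind = "delegated/tenant-wide" if g.get("consentType") == "AllPrincipals" else "delegated/per-user"
        for scope in (g.get("scope") or "").split():
            if scope not in approved:
                findings.append((kind, scope, "not approved"))
    return findings

if __name__ == "__main__":
    for f in audit_permissions(GRAPH_APP_ROLES, APP_ROLE_ASSIGNMENTS, OAUTH2_GRANTS, APPROVED):
        print(*f, sep="\t")
```

Run it after initial consent and again on a schedule, feeding it the live Graph responses, so that any permission added later shows up as a finding.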

No Microsoft E5 license is required; standard Microsoft Entra or Microsoft 365 plans are sufficient.