Entra Connector – API Permissions
GrantFlow’s Entra Connector accesses Microsoft Entra ID (Azure AD) via Microsoft Graph using an app registration you control. This page lists the required permissions and guidance to keep access least‑privilege and auditable.
Principles
- Least privilege: grant only the scopes needed for the features you use
- App‑only access with tenant admin consent (recommended)
- Rotate client secrets before expiry and monitor usage
Required Microsoft Graph permissions
These permissions cover user/group sync, group management, and directory role assignment.
Application permissions (app‑only):
- Directory.Read.All — Read directory data (baseline for discovery)
- User.Read.All — Read all users’ full profiles
- User.EnableDisableAccount.All — Enable/disable user accounts (if you use account enable/disable)
- Group.Read.All — Read all groups
- Group.ReadWrite.All — Create/update group properties and memberships
- RoleManagement.ReadWrite.Directory — Manage directory role assignments (JIT role activations)
Delegated vs application permissions
GrantFlow operates server‑to‑server. Use application permissions with admin consent unless your organization mandates delegated flows with Conditional Access. The required scopes are the same, but consent and enforcement differ.
Admin consent and propagation
- Azure Portal → Microsoft Entra ID → App registrations → your app → API permissions
- Add permissions above under Microsoft Graph → Application permissions
- Click “Grant admin consent for your tenant”
- Wait 5–10 minutes for propagation
If you change scopes later, re‑grant admin consent and retry the connector test.
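After consent has propagated, the quickest way to confirm that the app registration holds exactly the permissions listed above (and nothing wider) is to request an app-only token and inspect its roles and aud claims. The script below is an added example, not part of GrantFlow or the original page: it decodes a token payload without verifying the signature (fine for a token you just received yourself, never for accepting tokens from others), compares the roles claim to the required set, and checks that the audience matches the Graph endpoint for your cloud. The token it runs on is a constructed, unsigned sample; the well-known Microsoft Graph application id 00000003-0000-0000-c000-000000000000 is accepted as an alternative audience for the global cloud, and the appid placeholder is not a real value.

```python
import base64
import json

# Application permissions GrantFlow needs, as listed on this page.
REQUIRED_APP_ROLES = frozenset({
    "Directory.Read.All",
    "User.Read.All",
    "User.EnableDisableAccount.All",
    "Group.Read.All",
    "Group.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
})

# Graph endpoints from this page. The aud claim of an app-only token names the
# resource it was issued for; the GUID is Microsoft Graph's well-known app id.
GRAPH_AUDIENCES = {
    "global": {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"},
    "usgov": {"https://graph.microsoft.us"},
    "china": {"https://microsoftgraph.chinacloudapi.cn"},
}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT. The signature is NOT verified: this
    only inspects a token you obtained from Entra yourself."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def audit_app_roles(granted, required=REQUIRED_APP_ROLES) -> dict:
    """Compare a roles claim against the required set. 'missing' roles make a
    feature fail; 'excess' roles mean consent is wider than least privilege
    calls for and should be removed."""
    granted = set(granted)
    return {
        "missing": sorted(required - granted),
        "excess": sorted(granted - required),
        "ok": required <= granted,
    }


def audit_token(token: str, cloud: str = "global") -> dict:
    """Audit roles and audience of an app-only Graph token for the given cloud."""
    claims = decode_jwt_payload(token)
    result = audit_app_roles(claims.get("roles", []))
    result["audience_ok"] = claims.get("aud") in GRAPH_AUDIENCES[cloud]
    return result


def make_constructed_token(roles, aud="https://graph.microsoft.com") -> str:
    """Build an UNSIGNED token with the given claims for offline testing.
    Constructed sample only; a real token comes from the Entra token endpoint."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {"aud": aud, "roles": list(roles), "appid": "<your-app-client-id>"}
    return ".".join((
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        "",  # no signature on the constructed sample
    ))


if __name__ == "__main__":
    # Constructed sample: two required roles present, four missing, one excess.
    sample = make_constructed_token(["Directory.Read.All", "User.Read.All", "Mail.ReadWrite"])
    print(audit_token(sample))
```

Run it against a real token by passing the access_token string from your client-credentials response to audit_token with the cloud you configured; a non-empty "excess" list is the signal to revisit the API permissions blade and remove what the connector does not use.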
Secrets and endpoints
- Use a strong client secret; set reminders to rotate before expiry
- Prefer certificate credentials over client secrets where your standards call for them
- Graph endpoints:
  - Global: https://graph.microsoft.com
  - US Gov: https://graph.microsoft.us
  - China: https://microsoftgraph.chinacloudapi.cn
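Reminders are easy to miss, so it helps to check credential expiry from the directory itself. The function below is an added example, not GrantFlow code: it takes the JSON of the connector's application object as returned by Microsoft Graph (the passwordCredentials and keyCredentials collections, each entry carrying keyId, displayName and endDateTime) and reports secrets or certificates that are expired or expire within a warning window. The application object shown is a constructed sample with placeholder keyIds, and the clock is fixed so the output is reproducible; fetch the real object with whatever admin tooling you use and pass it in.

```python
import math
from datetime import datetime, timedelta, timezone


def parse_graph_datetime(value: str) -> datetime:
    """Parse the ISO 8601 timestamps Graph returns (e.g. 2025-06-30T00:00:00Z,
    sometimes with 7 fractional digits) into a timezone-aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    if "." in value:
        # fromisoformat accepts at most 6 fractional digits; trim or pad to 6.
        head, rest = value.split(".", 1)
        digits = ""
        i = 0
        while i < len(rest) and rest[i].isdigit():
            digits += rest[i]
            i += 1
        value = head + "." + digits[:6].ljust(6, "0") + rest[i:]
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def credentials_needing_rotation(app: dict, now: datetime, warn_days: int = 30) -> list:
    """Return every secret or certificate on the application object that is
    already expired or expires within warn_days, in the order Graph lists them."""
    findings = []
    for kind in ("passwordCredentials", "keyCredentials"):
        for cred in app.get(kind, []):
            end = parse_graph_datetime(cred["endDateTime"])
            days_left = math.floor((end - now) / timedelta(days=1))
            if days_left <= warn_days:
                findings.append({
                    "kind": kind,
                    "keyId": cred.get("keyId"),
                    "displayName": cred.get("displayName"),
                    "days_left": days_left,
                    "status": "expired" if days_left < 0 else "expiring",
                })
    return findings


# Constructed sample in the shape of GET /applications/{object-id}; keyIds are placeholders.
SAMPLE_APP = {
    "displayName": "GrantFlow Entra Connector",
    "passwordCredentials": [
        {"keyId": "<keyId-1>", "displayName": "connector-2024", "endDateTime": "2025-01-15T00:00:00Z"},
        {"keyId": "<keyId-2>", "displayName": "connector-2025", "endDateTime": "2025-07-01T12:00:00.1234567Z"},
    ],
    "keyCredentials": [
        {"keyId": "<keyId-3>", "displayName": "CN=grantflow-connector", "endDateTime": "2026-12-31T00:00:00Z"},
    ],
}
NOW = datetime(2025, 6, 10, tzinfo=timezone.utc)  # fixed clock for a reproducible run


if __name__ == "__main__":
    for finding in credentials_needing_rotation(SAMPLE_APP, NOW):
        print(f"{finding['status']:8} {finding['kind']:20} {finding['displayName']} ({finding['days_left']} days)")
```

An expired entry that is still attached to the app is worth removing as well as replacing: leftover credentials widen the set of secrets that could still be presented if one leaks before its end date.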