Creating and Configuring an Entra ID System of Record
Prerequisites
- Entra ID Account with Administrative privileges to Register Apps and Consent to User/Group Read Access in the Microsoft Graph
- SGNL User Account with Admin privileges
Permissions Required
- SGNL firmly believes in the principle of least privilege; as such, only the access required to achieve your authorization use cases should be granted.
- SGNL requires an App with read permissions to be registered in the Entra ID Tenant that is to be synchronized. Depending on the objects to be synchronized, the required permissions vary:
- Users: Requires the User.Read.All Permission (see below for configuration)
- Groups: Requires the Group.Read.All Permission (see below for configuration)
- Applications: Requires the Application.Read.All Permission (see below for configuration)
- Devices: Requires the Device.Read.All Permission (see below for configuration)
Configuring Entra ID
Log in to the Microsoft Azure Portal and launch the Entra ID Console
From the left navigation pane, select App Registrations
Create a New Registration
Specify a Name for the App and choose Register
Within the App Registration, note the:
- Application (client) Id (SGNL: AuthClientId)
- Directory (tenant) Id (SGNL: AuthTenantId)
From the API permissions page in the left menu, choose to Add a permission
Select Microsoft Graph
Select “Application Permissions”
Select the below and Add permissions:
- User.Read.All
- Group.Read.All
- Application.Read.All
- Device.Read.All
If asked to do so, grant “admin consent”
Select Certificates and Secrets from the left menu, select Client secrets, and + New Client Secret
Give the secret a description and expiry (the length of time until a new secret will need to be generated for SGNL to communicate with Entra ID), and select Add
Copy the Value of the secret; it is only displayed once, immediately after creation, and will be required in the SGNL Console (SGNL: AuthClientSecret)
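Before pasting the new secret into SGNL, it is worth confirming that the registration holds exactly the four application permissions this guide grants and nothing broader. The script below is an added example, not SGNL's or Microsoft's code: it requests a Graph token with the client-credentials grant using the three values noted above (tenant ID, client ID, client secret), decodes the token's `roles` claim, and reports any missing or excess permissions. The `constructed_token` helper only exists so the audit can be exercised offline with a made-up token; the `Directory.ReadWrite.All` role in the usage note is a constructed example of an over-broad grant.

```python
# Added example (not SGNL's or Microsoft's code): after registering the app above,
# request a Graph token with the client-credentials grant and check that its
# "roles" claim matches the four application permissions this guide grants,
# so an over-broad registration is caught before the secret is pasted into SGNL.
import base64
import json
import urllib.parse
import urllib.request

# The application permissions this guide adds (User, Group, Application, Device).
REQUIRED_ROLES = {
    "User.Read.All",
    "Group.Read.All",
    "Application.Read.All",
    "Device.Read.All",
}

# Audiences Entra issues for Microsoft Graph (URL form and the Graph app id).
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def token_endpoint(tenant_id: str) -> str:
    """v2.0 token endpoint for the tenant (SGNL: AuthTenantId)."""
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def token_request_body(client_id: str, client_secret: str) -> dict:
    """Client-credentials form fields; .default asks for every granted app role."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,          # SGNL: AuthClientId
        "client_secret": client_secret,  # SGNL: AuthClientSecret
        "scope": "https://graph.microsoft.com/.default",
    }


def fetch_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Live call to Entra ID; not exercised offline."""
    body = urllib.parse.urlencode(token_request_body(client_id, client_secret)).encode()
    req = urllib.request.Request(token_endpoint(tenant_id), data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_claims(token: str) -> dict:
    """Decode the payload segment of a JWT without verifying the signature.
    Sufficient for auditing what Entra put in a token we just received;
    never use this to make an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_roles(claims: dict, required=frozenset(REQUIRED_ROLES)) -> dict:
    """Compare granted app roles against the intended least-privilege set."""
    granted = set(claims.get("roles", []))
    return {
        "graph_audience": claims.get("aud") in GRAPH_AUDIENCES,
        "missing": sorted(required - granted),
        "excess": sorted(granted - required),
    }


def constructed_token(claims: dict) -> str:
    """Build an unsigned JWT for offline testing (constructed sample, not from Entra)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


if __name__ == "__main__":
    # Replace the placeholders with the values noted in the steps above.
    token = fetch_token("<AuthTenantId>", "<AuthClientId>", "<AuthClientSecret>")
    print(json.dumps(audit_roles(decode_jwt_claims(token)), indent=2))
```

An empty `missing` list means admin consent for all four permissions has taken effect; anything in `excess` (for instance a constructed `Directory.ReadWrite.All`) is a permission the guide never asked for and should be removed from the registration before the app goes live.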
Configuring SGNL
- Log in to the SGNL Console
- From the left menu, select Systems of Record
- Click “Add System of Record” or “Add”.
- The SGNL SoR Catalog will show up on the screen.
- Click on “Entra ID” which will open up the New System of Record screen with some configuration options pre-populated from the Entra ID SoR template.
- Choose the correct adapter that matches the AzureAD System of Record Type.
- Replace all fields that have the {{Input Required:}} placeholder with relevant information. For Entra ID, the following fields are required:
- Client ID: The Application (Client) ID you copied from Entra ID
- Client Secret: The Client Secret value you copied from Entra ID
- Tenant ID in the Token URL: The Directory (tenant) ID you copied from Entra ID
- Click “Continue” to save your Entra ID System of Record. You will be taken to the Entra ID System of Record page.
- All entities and relationships are created as defined in the Entra ID template. If applicable, you can edit an entity and modify any properties of the entity or the associated attributes. Hover over the entity on the screen above to see the Edit button as shown below:
- You can check the relationships created through the Relationships tab. However, relationships cannot be modified. You will need to delete an existing one, and create a new relationship.
- (If applicable) You can also create relationships joining entities and attributes in Entra ID to entities and attributes in other Systems of Record configured in SGNL. For example, if User Employee IDs in your Entra ID are consistent with the Employee IDs in your HRIS system, you can create a relationship between the Employee ID attribute in Entra ID instance and the Employee ID attribute in your HRIS System of Record. For more information on relationships, please refer to our Help Page.
- Note that synchronization is disabled by default when a new System of Record is created. You can choose to enable synchronization on Entities individually. Hover over the entity to see the Enable Sync button, and click on it.
- Repeat for all Entities you want to synchronize to SGNL. Finally, Enable synchronization for the System of Record.
- After some time, SGNL should complete ingesting the data from your Entra ID instance into the SGNL graph. The number of objects ingested per entity is displayed on the Entra ID screen. You should then be able to construct policies based on your Entra ID data and make access evaluation calls to SGNL.
- Once ingestion is complete and Entra ID data is in the SGNL graph, you can use Data Lens to explore the SGNL graph.
Synchronization Filters
In most cases, you will want to reduce the data coming from Entra ID to only the entities, attributes, and objects that you need to successfully evaluate your policies or take action within SGNL. Given that, it’s likely that you will want to make use of filters to reduce that data.
As with other SoRs, you can apply the native filtering syntax from the SoR, in this case Entra ID, to the Adapter Config for the System. Filters are configured per Entity and are passed directly to the System of Record at Synchronization time to be evaluated and have only the right data made available to SGNL.
Microsoft provides quality documentation and samples for their filtering syntax, which under the covers uses the OData specification; the OData documentation provides other useful examples.
To use Entra ID filters, add the appropriate filter (i.e. the text you would include after filter= on the Graph API) to the relevant entity in the Adapter config.
Sample Adapter Config
{
  "requestTimeoutSeconds": 10,
  "apiVersion": "v1.0",
  "applyFiltersToMembers": true,
  "filters": {
    "User": "department eq 'Product Management'",
    "Group": "id in ('1a902e2d-76ec-4341-b351-2ad18978ae2c','52e20194-dca1-489b-8ebc-c836d8ea871e')"
  }
}
Adapter Config Fields
- requestTimeoutSeconds - how long to wait for a request to AAD to complete before failing and retrying, default 10
- apiVersion - the version of the Microsoft Graph API, default "v1.0"
- applyFiltersToMembers - whether to apply any filter applied to the Group entity to GroupMember entities, default true
- filters - the Entra ID filters to apply to each of the entities in Entra ID.
- The Field Name (e.g. User, Group, Role, etc.) is the ExternalId of each of the Entities in SGNL, available from the SoR -> Entities -> Entity Page (e.g. User)
- The value is the filter expression, written against the externalId of the Attributes you want to filter on; these are the raw attribute names in Entra ID and are available in SGNL by looking at the ExternalId of the Attributes within the SoR
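To make the filter section and the field defaults above concrete, here is an added example (not SGNL's adapter code) that loads an adapter config like the sample above, fills in the documented defaults, and prints the Graph request each per-entity filter turns into. The entity-to-Graph-collection table, the rejection of unknown keys, and the assumption that GroupMember inherits the Group filter when applyFiltersToMembers is true are illustrative choices made here, not documented SGNL behaviour; the sample config embedded in the script is the page's own sample with its trailing comma removed, since JSON does not allow one.

```python
# Added example (not SGNL's adapter code): load an Entra ID adapter config like
# the sample above, apply the documented defaults, and show the Graph request
# each per-entity filter becomes. The entity-to-collection table, the rejection
# of unknown keys and the GroupMember handling are assumptions for illustration.
import json
import urllib.parse

# Defaults as documented in the Adapter Config Fields list.
DEFAULTS = {
    "requestTimeoutSeconds": 10,
    "apiVersion": "v1.0",
    "applyFiltersToMembers": True,
    "filters": {},
}

# Assumed mapping from SGNL entity externalId to the Graph collection it reads.
GRAPH_COLLECTIONS = {
    "User": "users",
    "Group": "groups",
    "Application": "applications",
    "Device": "devices",
}

# Constructed sample: the page's sample config (JSON forbids the trailing comma).
SAMPLE_CONFIG = """{
  "requestTimeoutSeconds": 10,
  "apiVersion": "v1.0",
  "applyFiltersToMembers": true,
  "filters": {
    "User": "department eq 'Product Management'",
    "Group": "id in ('1a902e2d-76ec-4341-b351-2ad18978ae2c','52e20194-dca1-489b-8ebc-c836d8ea871e')"
  }
}"""


def load_adapter_config(text: str) -> dict:
    """Parse the JSON, reject unknown keys and wrong types, fill in defaults."""
    try:
        raw = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"adapter config is not valid JSON (trailing comma?): {exc}") from None
    unknown = set(raw) - set(DEFAULTS)
    if unknown:
        raise ValueError(f"unknown adapter config field(s): {sorted(unknown)}")
    cfg = {**DEFAULTS, **raw}
    timeout = cfg["requestTimeoutSeconds"]
    if isinstance(timeout, bool) or not isinstance(timeout, int) or timeout <= 0:
        raise ValueError("requestTimeoutSeconds must be a positive integer")
    if not isinstance(cfg["applyFiltersToMembers"], bool):
        raise ValueError("applyFiltersToMembers must be true or false")
    filters = cfg["filters"]
    if not isinstance(filters, dict) or not all(isinstance(v, str) for v in filters.values()):
        raise ValueError("filters must map entity externalId -> filter string")
    return cfg


def is_valid_adapter_config(text: str) -> bool:
    """True when the text would be accepted by load_adapter_config."""
    try:
        load_adapter_config(text)
        return True
    except ValueError:
        return False


def filter_for_entity(cfg: dict, entity: str):
    """Filter string for an entity, or None. Assumption: with applyFiltersToMembers
    set, GroupMember inherits the Group filter so only members of matching groups sync."""
    if entity == "GroupMember" and cfg["applyFiltersToMembers"]:
        return cfg["filters"].get("Group")
    return cfg["filters"].get(entity)


def graph_request_url(cfg: dict, entity: str) -> str:
    """The Graph URL the sync would call; $filter carries the entity's filter verbatim."""
    url = f"https://graph.microsoft.com/{cfg['apiVersion']}/{GRAPH_COLLECTIONS[entity]}"
    flt = filter_for_entity(cfg, entity)
    if flt:
        url += "?$filter=" + urllib.parse.quote(flt, safe="")
    return url


if __name__ == "__main__":
    cfg = load_adapter_config(SAMPLE_CONFIG)
    for entity in GRAPH_COLLECTIONS:
        print(f"{entity:<12} {graph_request_url(cfg, entity)}")
    print("GroupMember filter:", filter_for_entity(cfg, "GroupMember"))
```

Running the script shows that Device and Application, which have no filter configured, are fetched unfiltered, which is exactly the situation the section above warns about: every entity you enable for sync without a filter pulls the full collection into the SGNL graph.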