Creating and Configuring an Entra ID System of Record

Prerequisites

• Entra ID Account with Administrative privileges to Register Apps and Consent to User/Group Read Access in the Microsoft Graph
• SGNL User Account with Admin privileges

Permissions Required

• SGNL firmly believes in the principle of least privilege, as such - only the access required to achieve your authorization use-cases should be granted.
• SGNL requires an App to be registered in the Entra ID Tenant to be synchronized that has read permissions. Depending on the objects needing to be synchronized, these permissions will vary:
  • Users: Requires the User.Read.All Permission (see below for configuration)
  • Groups: Requires the Group.Read.All Permission (see below for configuration)
  • Applications: Requires the Application.Read.All Permission (see below for configuration)
  • Devices: Requires the Device.Read.All Permission (see below for configuration)

Configuring Entra ID

1. Login to the Microsoft Azure Portal and launch the Entra ID Console

2. From the left navigation pane, select App Registrations

3. Create a New Registration

   

4. Specify a Name for the App and choose Register

   

5. Within the App Registration, note the:

   • Application (client) Id (SGNL: AuthClientId)
   • Directory (tenant) Id (SGNL: AuthTenantId)

   

6. From the API permissions page in the left menu, choose to Add a permission

7. Select Microsoft Graph

   

8. Select “Application Permissions”

   

9. Select the below and Add permissions:

   • User.Read.All
   • Group.Read.All
   • Application.Read.All
   • Device.Read.All

   

10. If asked to do so, grant “admin consent”

    

11. Select Certificates and Secrets from the left menu, select Client secrets, and + New Client Secret

    

12. Give the secret a description and expiry (the length of time until a new secret will need to be generated for SGNL to communicate with Entra ID), and select Add

    

13. Copy the Value of the secret, this will be required for the SGNL Console (SGNL: AuthClientSecret)

    

Configuring SGNL

1. Login to the SGNL Console
2. From the left menu, select Systems of Record
3. Click “Add System of Record” or “Add”.
4. The SGNL SoR Catalog will show up on the screen.

5. Click on “Entra ID” which will open up the New System of Record screen with some configuration options pre-populated from the Entra ID SoR template.

6. Choose the correct adapter that matches the AzureAD System of Record Type.
7. Replace all fields that have the {{Input Required:}} placeholder with relevant information. For Entra ID, the following fields are required:

• Client ID: The Application (Client) ID you copied from Entra ID
• Client Secret: The Client Secret value you copied from Entra ID
• Tenant ID in the Token URL: The Directory (tenant) ID you copied from Entra ID

8. Click “Continue” to save your Entra ID System of Record. You will be taken to Entra ID System of Record page.

8. All entities and relationships are created as defined in the Entra ID template. If applicable, you can edit an entity and modify any properties of the entity or the associated attributes. Hover over the entity on the screen above to see the Edit button as shown below:

9. You can check the relationships created through the Relationships tab. However, relationships cannot be modified. You will need to delete an existing one, and create a new relationship.
10. (If applicable) You can also create relationships joining entities and attributes in Entra ID to entities and attributes in other Systems of Record configured in SGNL. For example, if User Employee IDs in your Entra ID are consistent with the Employee IDs in your HRIS system, you can create a relationship between the Employee ID attribute in Entra ID instance and the Employee ID attribute in your HRIS System of Record. For more information on relationships, please refer to our Help Page.
11. Note that synchronization is disabled by default when a new System of Record is created. You can choose to enable synchronization on Entities individually. Hover over the entity to see the Enable Sync button, and click on it.

12. Repeat for all Entities you want to synchronize to SGNL. Finally, Enable synchronization for the System of Record.

13. After some time, SGNL should complete ingesting the data from your Entra ID instance into the SGNL graph. The number of objects ingested per entity are displayed on the Entra ID screen. You should then be able to construct policies based on your Entra ID data and make access evaluation calls to SGNL.

14. Once ingestion is complete and Entra ID data is in the SGNL graph, you can use Data Lens to explore the SGNL graph.

Synchronization Filters

Basic Filters

In most cases, you will want to reduce the data coming from Entra ID to only the entities, attributes, and objects that you need to sucessfully evaluate your policies or take action within SGNL. Given that, it’s likely that you will want to make use of filters to reduce that data. Basic filters use Entra filtering syntax exactly as it is documented, without additional processing or intelligence in SGNL.

As with other SoRs, you can apply the native filtering syntax from the SoR, in this case Entra ID, to the Adapter Config for the System. Filters are configured per Entity and are passed directly to the System of Record at Synchronization time to be evaluated and have only the right data made available to SGNL.

Microsoft provides quality documentation and samples for their filtering syntax, but under the covers uses the odata specification which provides other useful examples.

To use Entra ID filters, simply add the appropriate filter (i.e. the text you would include after filter= on the Graph API) to the relevant entity in the Adapter config.

Sample Adapter Config

{
  "requestTimeoutSeconds": 10,
  "apiVersion": "v1.0",
  "applyFiltersToMembers": true,
  "filters": {
    "User": "department eq 'Product Management'",
    "Group": "id in ('1a902e2d-76ec-4341-b351-2ad18978ae2c','52e20194-dca1-489b-8ebc-c836d8ea871e')",
  }
}

Advanced Filters

Advanced Filters perform additional filtering by SGNL, beyond what can easily be achieved with Entra’s native capabilities. Advanced Filters add significant intelligence to SGNL’s adapters, enabling them to process complex queries based on properties like membership or association with a grouping of some sort.

Advanced Filters enable you to select a scope at the top-level, and filter the objects that are synchronized as a result.

Note The current iteration of Advanced Filters, enables SGNL Admins to specify one or more groups in order to synchronize the parent group and direct members of that group. You’re unable to use both filters and advancedFilters for the same set of Entra ID Entities. SGNL will produce a validation error if you attempt to configure advancedFilters for User, Group, or GroupMember objects that already have a filter configured.

For Entity Filters in Advanced Filters (scopeEntityFilter and memberEntityFilter), we still use the same set of Basic Filter syntax that is detailed in the Microsoft Documentation above.

Example 1 - Get all User Members of a single group Say you want to synchronize only a single group (with an Entra ID identifier of 077834dc-7dd2-46c6-ab45-91188d4d409d), and whatever users might be a direct member of it with advanced filters:

{
  "requestTimeoutSeconds": 10,
  "apiVersion": "v1.0",
  "filters": {
    "GroupRequest": "status eq 'PendingApproval'"
  },
  "advancedFilters": {
    "getObjectsByScope": {
      "GroupMember": [
        {
          "scopeEntity": "Group",
          "scopeEntityFilter": "id in ('077834dc-7dd2-46c6-ab45-91188d4d409d')",
          "members": [
            {
              "memberEntity": "User"
            }
          ]
        }
      ]
    }
  }
}

In this example, we’re looking to get all the Members of this group by using the ‘GroupMember’ type of Advanced Filter. The entity to filter on is an ordinary Group object. We only want to bring in users here, which is our memberEntity but we should bring anyone is a member of the group with Id 077834dc-7dd2-46c6-ab45-91188d4d409d unfiltered.

It’s important to note here that Advanced Filters work right alongside the filters you’re already using, but for each type of entity, you should decide whether to use Basic or Advanced Filtering (e.g. You could filter GroupRequest objects with Basic Filters and Groups with Advanced Filters, but not Groups with both Basic and Advanced).

Example 2 - Get Members of Groups by Department and nested Groups

Let’s get a little more complex, say we want to get members of two groups, but we want only users specifically with the department ‘Engineering’ or ‘IT/IS’, and we also want to synchronize a regional group that might be a member of the top-level groups, based on its displayName:

{
  "requestTimeoutSeconds": 10,
  "apiVersion": "v1.0",
  "filters": {
    "GroupRequest": "status eq 'PendingApproval'"
  },
  "advancedFilters": {
    "getObjectsByScope": {
      "GroupMember": [
        {
          "scopeEntity": "Group",
          "scopeEntityFilter": "id in ('077834dc-7dd2-46c6-ab45-91188d4d409d', '63321711-8a80-4964-8d83-04e8db6762f3')",
          "members": [
            {
              "memberEntity": "User",
              "memberEntityFilter": "department eq 'IT/IS'"
            },
            {
              "memberEntity": "User",
              "memberEntityFilter": "department eq 'Engineering'"
            },
            {
              "memberEntity": "Group",
              "memberEntityFilter": "startswith(displayName, 'North America')"
            }
          ]
        }
      ]
    }
  }
}

From this filter, I’d expect at least two groups in SGNL, those represented by ‘077834dc-7dd2-46c6-ab45-91188d4d409d’ and ‘63321711-8a80-4964-8d83-04e8db6762f3’. If there was one or more groups with a Display Name that started with ‘North America’ those Groups would sync too. We’d also expect users to come into SGNL, where they had a matching department of Engineering or IT/IS.

We would not sync any of the members of the North America group(s) as a result of this filter.

Example 3 - Get Members of Nested Groups

Let’s take the example above one step further and decide that we also want to get the members of the nested group. We’ll be a little more specific this time and declare the exact nested group we want to sync.

{
  "requestTimeoutSeconds": 10,
  "apiVersion": "v1.0",
  "filters": {
    "GroupRequest": "status eq 'PendingApproval'"
  },
  "advancedFilters": {
    "getObjectsByScope": {
      "GroupMember": [
        {
          "scopeEntity": "Group",
          "scopeEntityFilter": "id in ('077834dc-7dd2-46c6-ab45-91188d4d409d', '63321711-8a80-4964-8d83-04e8db6762f3')",
          "members": [
            {
              "memberEntity": "User",
              "memberEntityFilter": "department eq 'IT/IS'"
            },
            {
              "memberEntity": "User",
              "memberEntityFilter": "department eq 'Engineering'"
            },
            {
              "memberEntity": "Group",
              "memberEntityFilter": "id in ('143834dc-7dd2-46c6-ca11-66688d4d744d')"
            }
          ]
        },
        {
          "scopeEntity": "Group",
          "scopeEntityFilter": "id in ('143834dc-7dd2-46c6-ca11-66688d4d744d')",
          "members": [
            {
              "memberEntity": "User"
            }
          ]
        }
      ]
    }
  }
}

In the above filter, we’d get the same data as we did in Example 2, but with the addition of group ‘143834dc-7dd2-46c6-ca11-66688d4d744d’. We’d also get all User members of that group (without filters).

Adapter Config Fields

• requestTimeoutSeconds - how long to wait for a request to AAD to complete before failing and retrying, default 10
• apiVersion - the version of the Microsoft Graph API, default "v1.0"
• applyFiltersToMembers - whether to apply any filter applied to the Group entity to GroupMember entities, default true
• filters - the Entra ID filters to apply to each of the entities in Entra ID.
  • The Field Name (e.g. User, Group, Role, etc) will be the ExternalId of each of the Entities in SGNL, available from the SoR -> Entities -> Entity Page (e.g. User), and the externalId of each of the attributes that you want to filter
  • The value will be the externalId of the Attributes you want to use to filter, these are the raw attribute names in Entra Id and are available in SGNL by looking at the ExternalId of the Attributes you want to filter from within the SoR