
Microsoft Entra ID

IAM & Security · OAuth 2.0 · Live

Connect your customers' Entra ID tenants so your product can read users, groups, and conditional-access policies, or provision identities as part of onboarding. The customer's global admin consents on Microsoft's own screen, and Askel manages token refresh automatically.

What you can do

Read users and their profile attributes

Fetch display name, UPN, department, job title, account enabled state, and assigned licenses for any user in the tenant. Useful for auto-populating onboarding profiles.

List groups and their memberships

Pull security groups, Microsoft 365 groups, and dynamic groups along with their member lists. Drive access decisions in your product based on the customer's existing group structure.

Read assigned directory roles

Fetch which users hold built-in Entra directory roles such as Global Administrator, User Administrator, or Guest Inviter. Surface over-privileged accounts during security reviews.

Inspect conditional-access policies

Read the tenant's conditional-access policy list, including target applications, conditions, and grant controls. Verify that MFA is enforced for your app before go-live.

Provision users and assign groups

Create or update Entra user objects and add them to specific groups as part of an automated onboarding workflow, without requiring the customer's IT team to do it by hand.

Query service principals and app registrations

List registered applications and enterprise apps in the tenant, including consent grants and credential expiry dates. Useful for app-governance and compliance workflows.

Sample use case

Syncing customer directory data for role-based access control

You sell a B2B data platform. A new customer, Verafield Technologies, has 300 staff in Entra ID split across security groups by department. Your product needs to know which users belong to the Finance and Engineering groups so it can assign the correct data-access tier at first login without asking each user to self-declare their role.

1. Admin consents in Microsoft

   Verafield's Entra Global Administrator clicks Connect Microsoft Entra ID in your product. Askel redirects to Microsoft's consent screen, which lists the read scopes needed: User.Read.All and Group.Read.All.

2. Token stored securely

   The admin approves consent. Microsoft issues a refresh token that Askel stores. Access tokens are minted per request and expire in one hour; the refresh token is rotated by Microsoft periodically.

3. Group discovery

   Askel reads Verafield's group list. Your product's onboarding wizard shows the groups and asks the admin to map Finance and Engineering to your product's access tiers. The group object IDs are stored against the mapping.

4. User sync at first login

   When a Verafield employee logs into your product for the first time, Askel checks their Entra group memberships via the /users/{id}/memberOf endpoint. Your product assigns the matching access tier automatically.

5. Ongoing membership refresh

   Askel re-reads group memberships on a schedule. When Verafield's IT team moves a user between groups in Entra, your product picks up the change at the next sync cycle without any manual intervention.
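The following is an added example, not Askel's or Microsoft's code, showing the product-side half of steps 3 to 5: a stored group-to-tier mapping, the parse of a paginated /users/{id}/memberOf response, tier assignment at first login, and drift detection at the next sync cycle. The group object IDs, tier names, precedence rule and the sample Graph responses are all constructed; the only real identifiers are the Graph endpoint and the @odata field names.

```python
# Added example (not Askel's or Microsoft's code). Models steps 3-5 above:
# a stored group->tier mapping, parsing a paginated memberOf response,
# tier assignment at first login, and drift detection at the next sync.
# Group object IDs, tier names and the sample Graph responses are constructed.
from typing import Iterable

# Real Graph endpoint shape; it is not called here (responses are embedded below).
GRAPH_MEMBEROF = "https://graph.microsoft.com/v1.0/users/{id}/memberOf"

# Step 3: mapping captured in the onboarding wizard (IDs are placeholders).
GROUP_TIER_MAP = {
    "11111111-1111-1111-1111-111111111111": "finance",
    "22222222-2222-2222-2222-222222222222": "engineering",
}
# Assumed precedence when a user sits in more than one mapped group.
TIER_RANK = {"finance": 1, "engineering": 2}
DEFAULT_TIER = "none"


def iter_memberof(pages: Iterable[dict]):
    """Yield directory objects from successive memberOf pages.

    Graph returns one page of results in 'value' and an '@odata.nextLink'
    URL while more remain; a client must follow every link or it silently
    misses groups. `pages` stands in for the sequence of HTTP responses.
    """
    for page in pages:
        yield from page.get("value", [])


def mapped_group_ids(pages: Iterable[dict]) -> set:
    """Return the mapped group IDs the user is a direct member of.

    memberOf also returns directoryRole and administrativeUnit objects, so the
    @odata.type is checked: a role or AU must never be mistaken for a group.
    memberOf is direct membership only; nested groups need transitiveMemberOf.
    """
    ids = set()
    for obj in iter_memberof(pages):
        if obj.get("@odata.type") == "#microsoft.graph.group" and obj.get("id") in GROUP_TIER_MAP:
            ids.add(obj["id"])
    return ids


def assign_tier(group_ids: Iterable[str]) -> str:
    """Step 4: pick the tier; the highest-ranked wins if several groups match."""
    tiers = {GROUP_TIER_MAP[g] for g in group_ids if g in GROUP_TIER_MAP}
    return max(tiers, key=TIER_RANK.__getitem__) if tiers else DEFAULT_TIER


def detect_drift(previous: set, current: set) -> dict:
    """Step 5: diff two sync cycles so a tier change is explicit and auditable."""
    return {
        "added": sorted(current - previous),
        "removed": sorted(previous - current),
        "tier_before": assign_tier(previous),
        "tier_after": assign_tier(current),
    }


# Constructed sample responses (shape follows Graph; IDs and names invented).
# First login: Finance group on page 1, a directory role that must be ignored,
# and an unmapped group on page 2 reached via @odata.nextLink.
FIRST_LOGIN_PAGES = [
    {
        "value": [
            {"@odata.type": "#microsoft.graph.group",
             "id": "11111111-1111-1111-1111-111111111111", "displayName": "Finance"},
            {"@odata.type": "#microsoft.graph.directoryRole",
             "id": "33333333-3333-3333-3333-333333333333", "displayName": "User Administrator"},
        ],
        "@odata.nextLink": GRAPH_MEMBEROF.format(id="user-id-placeholder") + "?$skiptoken=constructed",
    },
    {"value": [{"@odata.type": "#microsoft.graph.group",
                "id": "44444444-4444-4444-4444-444444444444", "displayName": "All Staff"}]},
]
# Next sync: IT has moved the user from Finance to Engineering.
NEXT_SYNC_PAGES = [
    {"value": [
        {"@odata.type": "#microsoft.graph.group",
         "id": "22222222-2222-2222-2222-222222222222", "displayName": "Engineering"},
        {"@odata.type": "#microsoft.graph.group",
         "id": "44444444-4444-4444-4444-444444444444", "displayName": "All Staff"},
    ]},
]

if __name__ == "__main__":
    before = mapped_group_ids(FIRST_LOGIN_PAGES)
    after = mapped_group_ids(NEXT_SYNC_PAGES)
    print("first login tier:", assign_tier(before))
    print("drift at next sync:", detect_drift(before, after))
```

The two checks worth keeping in a real sync are the ones the sample data exercises: every @odata.nextLink must be followed, and only objects typed as groups may feed the tier decision, since memberOf mixes in directory roles and administrative units.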

Authentication

OAuth 2.0

The customer's Entra Global Administrator (or a user with the Cloud Application Administrator role) consents on Microsoft's standard OAuth screen. Askel requests the minimum required Graph API scopes for the configured workflow. Only the refresh token is stored; access tokens are minted per request against the Microsoft identity platform token endpoint for the customer's tenant.

Data flow

How Askel sits between your product and the customer's system

[Diagram: data flow between the customer's Entra ID tenant (API endpoint), Askel (auth · mapping · drift), and your product (your backend). Objects read from the tenant: users, security groups, directory roles, conditional-access policies, app registrations.]

FAQ for Microsoft Entra ID

What Microsoft Graph scopes does this integration request?

The default read-only workflow requests User.Read.All, Group.Read.All, and Policy.Read.All. If your use case includes provisioning users or managing groups, Askel also requests User.ReadWrite.All and GroupMember.ReadWrite.All. The exact scope list is shown on the consent screen before the admin approves.

Does this work for GCC High or DoD Azure tenants?

Askel's Entra ID integration uses the standard Microsoft identity platform and the global Graph endpoint. GCC High and DoD tenants use different endpoints (login.microsoftonline.us, graph.microsoft.us). Support for sovereign cloud endpoints is available on request.

What happens when the customer's Entra tenant enforces conditional-access on app consent?

If the customer's conditional-access policies require admin approval for new app consent, the OAuth flow will prompt for admin-level approval rather than user-level approval. In most enterprise tenants this is expected behaviour and the Global Administrator handles the approval as part of the connection wizard.

Can we write back to Entra ID without storing long-lived credentials?

Yes. The OAuth token Askel holds is sufficient for write operations if the admin consented to write scopes. No additional credential is needed. The same refresh token cycle that governs reads also governs writes.
Ready to ship integrations faster?
Join onboarding teams delivering integrations without the engineering queue,
catching drift before it breaks, and hitting go-live dates.
Security & Compliance
ISO 27001 Certified
GDPR Compliant

© 2025 Askel.ai. All rights reserved.