
# Microsoft Entra ID

> Microsoft Entra ID (formerly Azure Active Directory) stores information about objects on the network and makes this information easy for administrators and users to find and use. Microsoft Entra ID uses a structured data store as the basis for a logical, hierarchical organization of directory information.

## Creating a Microsoft Entra ID connection

Use one of the following methods to make a connection:

* [OAuth](#using-oauth)
* [App Registration](#using-app-registration)
* [Using LDAP](#using-ldap)

### Using OAuth

This method will not work if your Azure User Type is ***Guest***.

#### Creating your connection

1. In the Blink platform, navigate to the **Connections** page > **Add connection**. A New Connection dialog box opens, displaying the icons of the available external service providers.
2. Select the **Azure Active Directory** icon. A dialog box with the name of the connection and the connection methods appears.
3. (Optional) Edit the name of the connection. The name cannot be edited later.
4. Click **Microsoft Entra ID** to authenticate using OAuth.
5. Sign in using your credentials.

<Info>
  Need admin approval? Refer to the [Need Admin
  Approval](/docs/integrations/microsoft-entra-id/admin-approval) guide.
</Info>

### Using App Registration

To create the connection you need:

* A client ID
* A client secret
* A tenant ID

#### Obtaining the credentials

1. Log into the [Azure Portal](https://portal.azure.com/#home).

2. Go to the *Microsoft Entra ID* resource.

   <img src="https://mintcdn.com/blinkops-2/LiDiL34PEmIGHJGK/img/ActiveDirectory/azure_active_directory.png?fit=max&auto=format&n=LiDiL34PEmIGHJGK&q=85&s=57246fca73df6e9ce3f39594b5c944bf" alt="Azure Active Directory Resource" width="2760" height="1602" data-path="img/ActiveDirectory/azure_active_directory.png" />

3. In the left-hand menu, click **App registrations**.

   <img src="https://mintcdn.com/blinkops-2/LiDiL34PEmIGHJGK/img/ActiveDirectory/app_registrations.png?fit=max&auto=format&n=LiDiL34PEmIGHJGK&q=85&s=aa4834712de9b57c079d56adb68abc7f" alt="App Registrations" width="495" height="853" data-path="img/ActiveDirectory/app_registrations.png" />

4. Create a new application registration or click on one of your existing applications.

   <img src="https://mintcdn.com/blinkops-2/LiDiL34PEmIGHJGK/img/ActiveDirectory/my_app1.png?fit=max&auto=format&n=LiDiL34PEmIGHJGK&q=85&s=bc11b1db3698cb119e105eaa7e699f6b" alt="My App" width="2628" height="1138" data-path="img/ActiveDirectory/my_app1.png" />

5. In the left-hand menu, click **API permissions**.

   <img src="https://mintcdn.com/blinkops-2/LiDiL34PEmIGHJGK/img/ActiveDirectory/api_permissions.png?fit=max&auto=format&n=LiDiL34PEmIGHJGK&q=85&s=b0ed7c3e06ffd15e35fb078b7b3f0e78" alt="API Permissions" width="320" height="853" data-path="img/ActiveDirectory/api_permissions.png" />

6. Click **Add a permission** and select **Microsoft Graph**.

   <img src="https://mintcdn.com/blinkops-2/LiDiL34PEmIGHJGK/img/ActiveDirectory/add_permission.png?fit=max&auto=format&n=LiDiL34PEmIGHJGK&q=85&s=036e402e171051eb562e528089ba7d9f" alt="Add Permission" width="1920" height="832" data-path="img/ActiveDirectory/add_permission.png" />

7. Choose **Application permissions** and mark the permissions you wish to add.

   <img src="https://mintcdn.com/blinkops-2/LiDiL34PEmIGHJGK/img/ActiveDirectory/application_permissions.png?fit=max&auto=format&n=LiDiL34PEmIGHJGK&q=85&s=96ae24085dfac2547b72a7abbc82eca4" alt="Application Permissions" width="1919" height="833" data-path="img/ActiveDirectory/application_permissions.png" />

   To support all Blink actions, these are the required **application** permissions:

<Info>
  As a best practice, request the **least privileged permissions** that your app
  needs in order to access data and function correctly. Requesting permissions
  with more than the necessary privileges is poor security practice, which may
  cause users to refrain from consenting and affect your app's usage. For
  additional information, refer to [Microsoft Graph
  permissions](https://learn.microsoft.com/en-us/graph/permissions-reference).
</Info>

| Least privileged permissions    | Higher privileged permissions |
| ------------------------------- | ----------------------------- |
| GroupMember.ReadWrite.All       | Directory.AccessAsUser.All    |
| IdentityRiskyUser.ReadWrite.All | Directory.ReadWrite.All       |
| Group.Create                    | Group.ReadWrite.All           |
| User.ReadWrite.All              | User.ReadWrite.All            |
| Group.ReadWrite.All             | Directory.Read.All            |
| User.Read.All                   | SecurityAlert.ReadWrite.All   |
| SecurityAlert.Read.All          | GroupMember.ReadWrite.All     |
| GroupMember.Read.All            | Group.Read.All                |
| LicenseAssignment.ReadWrite.All | User.EnableDisableAccount.All |
| User.ManageIdentities.All       |                               |
| Directory.Read.All              |                               |

8. Click **Add permissions** to save the changes.

9. Click **Grant admin consent for `<your tenant>`** on the API permissions page. **Only admins can grant consent**.

   <img src="https://mintcdn.com/blinkops-2/LiDiL34PEmIGHJGK/img/ActiveDirectory/grant_admin_consent.png?fit=max&auto=format&n=LiDiL34PEmIGHJGK&q=85&s=ae92df915ab2cd3ffb8d3241752e6e56" alt="Grant Admin Consent" width="1319" height="833" data-path="img/ActiveDirectory/grant_admin_consent.png" />

10. Confirm that the added permissions are now verified.

    <img src="https://mintcdn.com/blinkops-2/LiDiL34PEmIGHJGK/img/ActiveDirectory/granted_azure.png?fit=max&auto=format&n=LiDiL34PEmIGHJGK&q=85&s=2d18748d4cede7a080065283e0f118a4" alt="Granted Admin Consent" width="2050" height="642" data-path="img/ActiveDirectory/granted_azure.png" />

11. Navigate to **Overview** and copy your **client ID** and **tenant ID**.

    <img src="https://mintcdn.com/blinkops-2/LiDiL34PEmIGHJGK/img/ActiveDirectory/client_tenant.png?fit=max&auto=format&n=LiDiL34PEmIGHJGK&q=85&s=7faa71341ef29fce86e62d436472e630" alt="Client ID & Tenant ID" width="3438" height="1266" data-path="img/ActiveDirectory/client_tenant.png" />

12. Create a new **client secret**.

    <img src="https://mintcdn.com/blinkops-2/LiDiL34PEmIGHJGK/img/ActiveDirectory/secret.png?fit=max&auto=format&n=LiDiL34PEmIGHJGK&q=85&s=9d1dfac219ab431a28a8c0d5219b96f1" alt="Client Secret" width="3250" height="1252" data-path="img/ActiveDirectory/secret.png" />

13. Copy the **secret value**.

    <img src="https://mintcdn.com/blinkops-2/LiDiL34PEmIGHJGK/img/ActiveDirectory/secret_value.png?fit=max&auto=format&n=LiDiL34PEmIGHJGK&q=85&s=8c7709585443b3044f2c17e3e9493ed9" alt="Client Secret" width="2672" height="1312" data-path="img/ActiveDirectory/secret_value.png" />

#### Creating your connection

1. In the Blink platform, navigate to the **Connections** page > **Add connection**. A New Connection dialog box opens, displaying the icons of the available external service providers.

2. Select the **Microsoft Entra ID** icon. A dialog box with the name of the connection and the connection methods appears.

3. (Optional) Edit the name of the connection. The name cannot be edited later.

4. Select **App Registration** as the method to create the connection.

5. Fill in the parameters:

   * The client ID
   * The client secret
   * The tenant ID

6. (Optional) Click **Test Connection** to verify that the credentials work before saving.

7. Click **Create connection**. The new connection appears on the **Connections** page.
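Once the app registration has been consented to, the quickest way to confirm that admin consent granted exactly the permissions in the table above (step 7) is to request an app-only token with the client ID, client secret and tenant ID from steps 11 to 13 and inspect its `roles` claim. The following is an added example, not Blink's or Microsoft's code; it assumes only the public Microsoft identity platform v2.0 token endpoint and the `https://graph.microsoft.com/.default` scope. The `make_unsigned_token` helper exists so the audit functions can be exercised offline with constructed claims; a real token from the endpoint is signed and would be fetched with `request_app_token`.

```python
"""Audit the app-only permissions consented to an Entra ID app registration.

Added example (not Blink's or Microsoft's code). Assumes the tenant ID,
client ID and client secret value obtained in the "Obtaining the credentials"
steps. Endpoint and scope are the public Microsoft identity platform values.
"""
import base64
import json
import urllib.parse
import urllib.request

GRAPH_SCOPE = "https://graph.microsoft.com/.default"
GRAPH_AUDIENCES = {"https://graph.microsoft.com",
                   "00000003-0000-0000-c000-000000000000"}

# The "Least privileged permissions" column of the table in step 7.
LEAST_PRIVILEGED = {
    "GroupMember.ReadWrite.All", "IdentityRiskyUser.ReadWrite.All",
    "Group.Create", "User.ReadWrite.All", "Group.ReadWrite.All",
    "User.Read.All", "SecurityAlert.Read.All", "GroupMember.Read.All",
    "LicenseAssignment.ReadWrite.All", "User.ManageIdentities.All",
    "Directory.Read.All",
}


def request_app_token(tenant_id, client_id, client_secret):
    """OAuth 2.0 client-credentials grant; returns the raw access token.
    Needs network access to login.microsoftonline.com."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
    }).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_token(claims):
    """Build an unsigned (alg=none) JWT from constructed claims so the checks
    below can run offline. Tokens issued by Entra ID are always signed."""
    header = {"alg": "none", "typ": "JWT"}
    return f"{_b64url(header)}.{_b64url(claims)}."


def decode_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature. This is enough
    to inspect which app roles were consented; it is not token validation
    and must never be used to decide whether to trust a token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def is_graph_token(claims):
    """True when the token was issued for Microsoft Graph."""
    return claims.get("aud") in GRAPH_AUDIENCES


def audit_app_roles(claims, expected=LEAST_PRIVILEGED):
    """Compare the app-only 'roles' claim with the expected permission set.
    Returns (missing, excess): a missing role means the matching Blink
    action will fail with 403; an excess role means admin consent granted
    more than the least-privileged set and should be reviewed."""
    granted = set(claims.get("roles", []))
    return sorted(expected - granted), sorted(granted - expected)


if __name__ == "__main__":
    # Constructed sample claims: one least-privileged role missing, one
    # higher-privileged role granted in its place.
    sample = {"aud": "https://graph.microsoft.com",
              "roles": sorted((LEAST_PRIVILEGED - {"Directory.Read.All"})
                              | {"Directory.ReadWrite.All"})}
    claims = decode_claims(make_unsigned_token(sample))
    missing, excess = audit_app_roles(claims)
    print("graph token:", is_graph_token(claims))
    print("missing:", missing)
    print("excess:", excess)
```

To run this against the real registration, replace the constructed claims with `decode_claims(request_app_token(tenant_id, client_id, client_secret))`. Note that `roles` only appears in app-only tokens; a delegated (OAuth sign-in) token carries `scp` instead, which is why the check is tied to the App Registration method.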

### Using LDAP

Microsoft Entra ID supports administration using the LDAP protocol, allowing you to manage your workspace using Blink's [LDAP actions](/docs/workflows/building-workflows/actions/advanced-actions/database-actions/ldap-actions#ldap-actions) instead of the Microsoft Entra ID integration.

In order to expose your Microsoft Entra ID workspace as an LDAP server, follow these steps:

1. Set up a [Microsoft Entra ID Domain Services managed domain](https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance).

2. Access the domain controller's virtual subnet.

3. If your runner is running on premises and connected to the Azure virtual subnet, your LDAP server URL is the domain controller's IP address.

4. Otherwise, in order to use an external runner, you need to add a [public IP to the virtual subnet](https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses) and assign it to your [domain controller](https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/associate-public-ip-address-vm).

5. To create an LDAP connection to this server:

   * Use the IP address accessible to the runner as your URI, with the `ldap://` scheme, or `ldaps://` if you enabled "Secure LDAP".
   * Acquire the Distinguished Name of a Microsoft Entra ID user who has permissions on the server. You can use [dsquery](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc725702\(v=ws.11\)) on a connected Windows Server to obtain the user's Distinguished Name.
   * Use the password of the specified user. After activating your domain controller, the user should reset their password so that it is properly synced to the managed domain.
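The three LDAP connection inputs above (URI, Distinguished Name, password) are easy to get subtly wrong: a plain `ldap://` URI sends the simple-bind password in cleartext, and the value returned by `dsquery` is a DN, not a user principal name. The following added example (not Blink's code) checks those inputs before a bind. It assumes the URI points at the domain controller address reachable by the runner; the IP address and DN in the demo are constructed placeholders, and the optional `bind` helper assumes the third-party `ldap3` package is installed.

```python
"""Sanity checks for the LDAP connection inputs to an Entra Domain Services
managed domain. Added example, not Blink's code; sample values are constructed."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def ldap_settings(uri):
    """Parse an ldap:// or ldaps:// URI into host, port and TLS flag.
    Raises ValueError for any other scheme or a URI without a host."""
    parts = urlsplit(uri)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {parts.scheme!r}; use ldap:// or ldaps://")
    if not parts.hostname:
        raise ValueError("URI has no host")
    return {
        "host": parts.hostname,
        "port": parts.port or DEFAULT_PORTS[parts.scheme],
        "use_ssl": parts.scheme == "ldaps",
    }


def warnings_for(settings):
    """Caveats a reviewer would raise about the parsed settings."""
    notes = []
    if not settings["use_ssl"]:
        notes.append("simple bind over ldap:// sends the password in cleartext; "
                     "enable Secure LDAP on the managed domain and use ldaps://")
    return notes


def split_dn(dn):
    """Split a Distinguished Name into its RDNs, keeping backslash-escaped
    commas (RFC 4514) such as 'CN=Doe\\, Jane' inside one RDN."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def looks_like_dn(value):
    """True when every RDN is attr=value. dsquery returns a DN; a bare
    user principal name like jane@example.com is not one."""
    return all("=" in r and r.split("=", 1)[0].strip() for r in split_dn(value))


def bind(uri, bind_dn, password):
    """Simple bind with the third-party ldap3 package (assumption: installed).
    Imported lazily so the offline checks above run without it."""
    from ldap3 import Connection, Server
    if not looks_like_dn(bind_dn):
        raise ValueError("bind identity must be a Distinguished Name")
    s = ldap_settings(uri)
    server = Server(s["host"], port=s["port"], use_ssl=s["use_ssl"])
    conn = Connection(server, user=bind_dn, password=password, auto_bind=True)
    return conn.bound


if __name__ == "__main__":
    # Constructed placeholders, not real infrastructure.
    for uri in ("ldaps://10.0.0.4", "ldap://10.0.0.4"):
        s = ldap_settings(uri)
        print(uri, "->", s, warnings_for(s))
    print(split_dn("CN=Doe\\, Jane,OU=Users,DC=example,DC=com"))
    print(looks_like_dn("jane@example.com"))
```

Run the checks first and only call `bind` once the URI uses `ldaps://` and the identity passes `looks_like_dn`; a bind failure right after enabling the managed domain usually means the user has not yet reset their password, as noted in the last step above.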

### Interactive Tutorial Guides

You can also refer to the following tutorial guides for a more in-depth understanding of how to create a Microsoft Entra ID connection.

[Creating a Microsoft Entra ID Connection](https://demo.arcade.software/LDGQ1Rl32jv3al0gvqhI?embed\&show_copy_link=true)

[Creating a Microsoft Entra ID Connection in Blink Ops](https://demo.arcade.software/17aB7jN1XOuoNO9K3KT8?embed\&show_copy_link=true)
