Integrating Microsoft Entra ID (Azure AD) with Frontegg allows your application to read and manage users, groups, applications, and directory roles in a Microsoft Entra tenant through the Microsoft Graph API — all via Frontegg's integration layer using OAuth 2.0.
Prerequisites
- A Microsoft account with access to the Azure portal
- A Microsoft Entra ID (Azure AD) tenant where you can register applications
Sign in to the Azure portal and open App registrations (you can search for it in the top search bar or open it directly from Microsoft Entra ID → App registrations). Click New registration at the top of the page.

Fill in the registration form:
- Enter a name for your application (for example, Frontegg Integration).
- Under Supported account types, select Accounts in any organizational directory (Any Microsoft Entra ID tenant — Multitenant) for multi-tenant apps, or Accounts in this organizational directory only for a single-tenant app.
- Under Redirect URI, choose Web as the platform and enter: https://YOUR_MCP_GATEWAY_URL/integration-callback
- Click Register.

After registration, you are taken to the application Overview page. Copy both the Application (client) ID and the Directory (tenant) ID — you will need them when configuring the Frontegg portal.

In the left sidebar, under Manage, click Certificates & secrets. On the Client secrets tab, click New client secret.

In the Add a client secret panel, enter a description (for example, Frontegg Integration) and choose an expiry period. Click Add.

The new secret appears in the list. Copy the Value immediately — it is only shown once. After you navigate away, you cannot retrieve it again.
Save your Client Secret now
The Client Secret value is only displayed once. After you leave this page, you can only see the secret ID — not the value. Store the value securely before continuing.

In the left sidebar, click API permissions, then click Add a permission.

In the Request API permissions panel, click Microsoft Graph.

Click Delegated permissions. Use the search box to find each permission you need and select the checkbox next to it. Select the following scopes:
| Scope | Description |
|---|---|
| openid | Sign users in |
| profile | View users' basic profile |
| email | View users' email address |
| offline_access | Maintain access to data the user has granted (issues refresh tokens) |
| User.Read.All | Read all users' full profiles |
| User.ReadWrite.All | Read and write all users' full profiles |
| Group.Read.All | Read all groups |
| Group.ReadWrite.All | Read and write all groups |
| Application.Read.All | Read applications |
| Directory.Read.All | Read directory data |
Click Add permissions.

After adding permissions, the API permissions page lists all configured permissions under Microsoft Graph. Permissions marked Admin consent required (such as User.Read.All, Group.Read.All, Directory.Read.All) will only be granted after an admin clicks Grant admin consent for {tenant}, or after each user explicitly consents during sign-in.

Once you have your Client ID, Client Secret, and Directory (tenant) ID, enter them in the Frontegg portal:
- Open the Frontegg portal and navigate to [ENVIRONMENT] → Integrations → Azure AD.
- Enter the Client ID and Client Secret in the corresponding fields.
- Optionally, enter the Directory (tenant) ID. Leave blank or set to common for multi-tenant applications; use a tenant GUID or domain for single-tenant applications.
- Select the required scopes.
- Click Save.
Keep your credentials secure
Never share or commit your Client Secret to version control.
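The following Python helpers are an added example, not Frontegg's or Microsoft's code. They mirror two of the steps above in code: the scope and admin-consent step (building the delegated scope list from the table and checking a returned access token's scp claim for scopes that were requested but not granted), and the Frontegg configuration step (normalizing the Directory (tenant) ID field to common, a GUID or a domain, building the v2.0 authorization request and reading the Client Secret from the environment instead of source). The login.microsoftonline.com v2.0 endpoint shape and the scp claim are real Microsoft identity platform behaviour; every function name, the environment variable ENTRA_CLIENT_SECRET, and the sample token are assumptions made for this example.

```python
"""Added example helpers for the Entra ID (Azure AD) OAuth 2.0 setup described above.
All names are assumed; only the v2.0 endpoint shape and the 'scp' claim are Microsoft's."""
import base64
import json
import os
import re
from urllib.parse import urlencode, urlparse, parse_qs

# Delegated Microsoft Graph scopes from the permissions table above.
REQUESTED_SCOPES = [
    "openid", "profile", "email", "offline_access",
    "User.Read.All", "User.ReadWrite.All",
    "Group.Read.All", "Group.ReadWrite.All",
    "Application.Read.All", "Directory.Read.All",
]

# Identity scopes govern sign-in and refresh tokens, not Graph resource access,
# so they are not compared against the access token's 'scp' claim.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}

# Graph scopes the portal flags "Admin consent required" (the page names
# User.Read.All, Group.Read.All and Directory.Read.All; the other three carry
# the same flag on the API permissions page).
ADMIN_CONSENT_SCOPES = {
    "User.Read.All", "User.ReadWrite.All", "Group.Read.All",
    "Group.ReadWrite.All", "Application.Read.All", "Directory.Read.All",
}

AUTHORITY = "https://login.microsoftonline.com"
_GUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
_DOMAIN = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def normalize_tenant(value):
    """Map the Frontegg 'Directory (tenant) ID' field to the authority path segment:
    blank or 'common' for multi-tenant apps, a GUID or domain for single-tenant apps.
    Anything else is rejected rather than guessed."""
    tenant = (value or "").strip().lower()
    if tenant in ("", "common"):
        return "common"
    if _GUID.match(tenant) or _DOMAIN.match(tenant):
        return tenant
    raise ValueError(f"not a tenant GUID, domain or 'common': {value!r}")


def authorize_url(client_id, redirect_uri, tenant, scopes, state):
    """Build the v2.0 authorization-code request carrying the delegated scopes.
    'state' must be unguessable and verified on the callback (CSRF protection)."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "response_mode": "query",
        "redirect_uri": redirect_uri,  # must match the registered Web redirect URI exactly
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTHORITY}/{normalize_tenant(tenant)}/oauth2/v2.0/authorize?{urlencode(params)}"


def authorize_params(url):
    """Parse an authorize URL back into single-valued query parameters (for checks)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def load_client_secret(env_var="ENTRA_CLIENT_SECRET"):
    """Read the Client Secret from the environment (assumed variable name); it never
    belongs in source control or in the authorize URL."""
    secret = os.environ.get(env_var)
    if not secret:
        raise RuntimeError(f"{env_var} is not set")
    return secret


def token_request_body(client_id, client_secret, code, redirect_uri, scopes):
    """Form body for POST {AUTHORITY}/{tenant}/oauth2/v2.0/token that redeems the
    callback's code. 'offline_access' in the scope is what yields a refresh token."""
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
    }


def granted_scopes(access_token):
    """Delegated scopes in the token's 'scp' claim. The payload is decoded without
    signature verification: fine for a consent diagnostic, never for authorization."""
    payload_b64 = access_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    return set(claims.get("scp", "").split())


def missing_consent(access_token, requested):
    """Requested Graph scopes absent from the token. A result made up only of
    ADMIN_CONSENT_SCOPES entries is the signature of admin consent not yet granted."""
    wanted = set(requested) - OIDC_SCOPES
    return sorted(wanted - granted_scopes(access_token))


def _constructed_token(scp):
    # Constructed sample: an unsigned JWT-shaped string carrying only the claim this
    # example reads. Real Entra tokens are signed and carry many more claims.
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([seg({"alg": "none", "typ": "JWT"}), seg({"scp": scp}), "sig"])


# Constructed token for a partial grant: only two of the Graph scopes were consented.
SAMPLE_TOKEN = _constructed_token("openid profile email User.Read.All Group.Read.All")

if __name__ == "__main__":
    print(authorize_url("00000000-0000-0000-0000-000000000000",  # placeholder client ID
                        "https://YOUR_MCP_GATEWAY_URL/integration-callback",
                        "", REQUESTED_SCOPES, "opaque-random-state"))
    gaps = missing_consent(SAMPLE_TOKEN, REQUESTED_SCOPES)
    if gaps and set(gaps) <= ADMIN_CONSENT_SCOPES:
        print("admin consent not granted for:", ", ".join(gaps))
```

Run it with a Client ID and the redirect URI you registered to see the exact request Frontegg's integration layer would send; after a sign-in, feeding the returned access token to missing_consent tells you whether the Grant admin consent step was skipped before anyone reports a 403 from Graph.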