## Azure AD integration

Integrating Microsoft Entra ID (Azure AD) with Frontegg allows your application to read and manage users, groups, applications, and directory roles in a Microsoft Entra tenant through the Microsoft Graph API — all via Frontegg's integration layer using OAuth 2.0.

### Prerequisites

- A Microsoft account with access to the [Azure portal](https://portal.azure.com/)
- A Microsoft Entra ID (Azure AD) tenant where you can register applications

### Register an application in Azure

#### Step 1: Open App registrations

Sign in to the [Azure portal](https://portal.azure.com/) and open **App registrations** (you can search for it in the top search bar or open it directly from **Microsoft Entra ID → App registrations**). Click **New registration** at the top of the page.

![App registrations page in Azure portal](/assets/azure-ad-1.fa5ba89e8fd4ea1a8f26b7c3128f5e7b38444fb1f4587f78688efd2689db7ab0.1ce25488.png)

#### Step 2: Register a new application

Fill in the registration form:

1. Enter a name for your application (for example, `Frontegg Integration`).
2. Under **Supported account types**, select **Accounts in any organizational directory (Any Microsoft Entra ID tenant — Multitenant)** for multi-tenant apps, or **Accounts in this organizational directory only** for a single-tenant app.
3. Under **Redirect URI**, choose **Web** as the platform and enter:

   ```
   https://YOUR_MCP_GATEWAY_URL/integration-callback
   ```

4. Click **Register**.

![New application registration form with name, multitenant account type, Web platform, and redirect URI filled in](/assets/azure-ad-2.d53a9cf2fb06df6f1c92a22bf4bc4fd32116629a83c03ce6358cd43e0e5bf8a9.1ce25488.png)

#### Step 3: Copy the Application (client) ID and Directory (tenant) ID

After registration, you are taken to the application **Overview** page. Copy both the **Application (client) ID** and the **Directory (tenant) ID** — you will need them when configuring the Frontegg portal.

![Application overview page with Application (client) ID and Directory (tenant) ID highlighted](/assets/azure-ad-3.a026c036b10b59da5b3d08f95611aac4e559633f978568fc4cc09ab7cb3d0d5b.1ce25488.png)

### Create a client secret

#### Step 4: Open Certificates & secrets

In the left sidebar, under **Manage**, click **Certificates & secrets**. On the **Client secrets** tab, click **New client secret**.

![Certificates and secrets page with New client secret button highlighted](/assets/azure-ad-4.ccf45e1397f06637fbff5d21b818f4699d95be478510339fbe10ca08aff27b29.1ce25488.png)

#### Step 5: Add a description and expiry

In the **Add a client secret** panel, enter a description (for example, `Frontegg Integration`) and choose an expiry period. Click **Add**.

![Add a client secret panel with description field filled in and Add button highlighted](/assets/azure-ad-5.a1143c4c6a5aca7d1953acacba5ecaa7f1340298b8ce67a04b7a0f39df957451.1ce25488.png)

#### Step 6: Copy the client secret value

The new secret appears in the list. Copy the **Value** immediately — it is only shown once. After you navigate away, you cannot retrieve it again.

> **Save your Client Secret now**
> The Client Secret value is only displayed once. After you leave this page, you can only see the secret ID — not the value. Store the value securely before continuing.

![Client secret list showing the new secret with value blurred and highlighted](/assets/azure-ad-6.ab44aa6dabaf458648035b5b9633139a80bce6e38abc27c54581b3127dbf693b.1ce25488.png)

### Configure API permissions

#### Step 7: Open API permissions

In the left sidebar, click **API permissions**, then click **Add a permission**.

![API permissions page with Add a permission button highlighted](/assets/azure-ad-7.6661c7cfef45607d058bbf045174259399dc8cf89949e8b53c0f17a024bc9341.1ce25488.png)

#### Step 8: Select Microsoft Graph

In the **Request API permissions** panel, click **Microsoft Graph**.

![Request API permissions panel with Microsoft Graph highlighted](/assets/azure-ad-8.6aca18d157c669b572da407dc345d9973782a6d8a5d4f4127c518987ef8f5fb6.1ce25488.png)

#### Step 9: Select delegated permissions

Click **Delegated permissions**. Use the search box to find each permission you need and select the checkbox next to it. Select the following scopes:

| Scope | Description |
| --- | --- |
| `openid` | Sign users in |
| `profile` | View users' basic profile |
| `email` | View users' email address |
| `offline_access` | Maintain access to data the user has granted (issues refresh tokens) |
| `User.Read.All` | Read all users' full profiles |
| `User.ReadWrite.All` | Read and write all users' full profiles |
| `Group.Read.All` | Read all groups |
| `Group.ReadWrite.All` | Read and write all groups |
| `Application.Read.All` | Read applications |
| `Directory.Read.All` | Read directory data |

Click **Add permissions**.

![Delegated permissions list with selected Microsoft Graph scopes](/assets/azure-ad-9.d6662df784ea3e823f7a5fa02c419ba40322c5e9c4e5e1dff22361d7558c33a2.1ce25488.png)

#### Step 10: Verify configured permissions

After adding permissions, the **API permissions** page lists all configured permissions under **Microsoft Graph**. Permissions marked **Admin consent required** (such as `User.Read.All`, `Group.Read.All`, `Directory.Read.All`) will only be granted after an admin clicks **Grant admin consent for {tenant}**, or after each user explicitly consents during sign-in.

![API permissions page showing all configured Microsoft Graph permissions](/assets/azure-ad-10.8db27a85ae8d573dcd9fa8a30eb2a7d90181276be31a2312eafecb17b6be3825.1ce25488.png)

### Configure the Frontegg portal

Once you have your **Client ID**, **Client Secret**, and **Directory (tenant) ID**, enter them in the Frontegg portal:

1. Open the **Frontegg portal** and navigate to [ENVIRONMENT] → Integrations → Azure AD.
2. Enter the **Client ID** and **Client Secret** in the corresponding fields.
3. Optionally, enter the **Directory (tenant) ID**. Leave blank or set to `common` for multi-tenant applications; use a tenant GUID or domain for single-tenant applications.
4. Select the required **scopes**.
5. Click **Save**.

> **Keep your credentials secure**
> Never share or commit your Client Secret to version control.

### Additional resources

- [Microsoft Graph API documentation](https://learn.microsoft.com/en-us/graph/overview)
- [Microsoft Graph permissions reference](https://learn.microsoft.com/en-us/graph/permissions-reference)
- [Azure portal](https://portal.azure.com/)
- [Microsoft identity platform and OAuth 2.0](https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow)
- [How to get your Redirect URL](/agen-for-work/connectors/redirect-url)
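As an added example (not Frontegg's or Microsoft's code), the Python below assembles the authorization-code request that the values collected above feed into: it applies the tenant rule from the portal configuration (blank or `common` for multi-tenant, a GUID or domain for single-tenant), checks the redirect URI shape registered in Step 2, fully qualifies the Microsoft Graph scopes from the Step 9 table, and lists the scopes Step 10 says stay ungranted until an admin consents. The gateway host, client ID and `state` value used in comments are constructed placeholders.

```python
import re
import secrets
from urllib.parse import urlencode, urlparse

LOGIN = "https://login.microsoftonline.com"
GRAPH = "https://graph.microsoft.com"
# Scopes from the Step 9 table: OpenID Connect scopes are sent as-is, while
# Microsoft Graph permissions carry the resource prefix in v2.0 requests.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}
# The scopes Step 10 names as admin-consent-required (others may be too).
ADMIN_CONSENT = {"User.Read.All", "Group.Read.All", "Directory.Read.All"}
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)


def normalize_tenant(tenant):
    """Blank or 'common' selects the multi-tenant endpoint; otherwise a GUID or domain."""
    value = (tenant or "").strip()
    if value in ("", "common"):
        return "common"
    if GUID_RE.match(value) or DOMAIN_RE.match(value):
        return value
    raise ValueError(f"tenant must be blank, 'common', a tenant GUID or a domain: {value!r}")


def check_redirect_uri(redirect_uri):
    """The Web redirect URI from Step 2 must be absolute HTTPS and end in /integration-callback."""
    parsed = urlparse(redirect_uri)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("redirect URI must be an absolute https:// URL")
    if parsed.path != "/integration-callback":
        raise ValueError("redirect URI path must be /integration-callback")
    return redirect_uri


def scope_string(scopes):
    # Space-separated scope parameter with Graph permissions fully qualified.
    return " ".join(s if s in OIDC_SCOPES else f"{GRAPH}/{s}" for s in scopes)


def admin_consent_required(scopes):
    # Scopes that stay ungranted until an admin clicks "Grant admin consent".
    return sorted(s for s in scopes if s in ADMIN_CONSENT)


def build_authorize_url(client_id, tenant, redirect_uri, scopes, state=None):
    """Authorization-code request for the tenant configured in the Frontegg portal."""
    params = {
        "client_id": client_id,  # Application (client) ID from Step 3
        "response_type": "code",
        "redirect_uri": check_redirect_uri(redirect_uri),
        "response_mode": "query",
        "scope": scope_string(scopes),
        "state": state or secrets.token_urlsafe(16),  # binds the callback to this request
    }
    return f"{LOGIN}/{normalize_tenant(tenant)}/oauth2/v2.0/authorize?{urlencode(params)}"
```

Running `admin_consent_required` over the scopes you selected tells you which ones will fail until the **Grant admin consent** step in Step 10 has been completed.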