{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-agen-for-work/sidebars.yaml"},"props":{"metadata":{"markdoc":{"tagList":["Notification","LightboxImage"]},"type":"markdown"},"seo":{"title":"Azure AD integration","siteUrl":"https://developers.frontegg.com/","llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":[],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"azure-ad-integration","__idx":0},"children":["Azure AD integration"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Integrating Microsoft Entra ID (Azure AD) with Frontegg allows your application to read and manage users, groups, applications, and directory roles in a Microsoft Entra tenant through the Microsoft Graph API — all via Frontegg's integration layer using OAuth 2.0."]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Notification","attributes":{"title":"Prerequisites","type":"attention"},"children":[{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["A Microsoft account with access to the ",{"$$mdtype":"Tag","name":"a","attributes":{"href":"https://portal.azure.com/"},"children":["Azure portal"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["A Microsoft Entra ID (Azure AD) tenant where you can register applications"]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"register-an-application-in-azure","__idx":1},"children":["Register an application in Azure"]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"step-1-open-app-registrations","__idx":2},"children":["Step 1: Open App registrations"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Sign in to the 
",{"$$mdtype":"Tag","name":"a","attributes":{"href":"https://portal.azure.com/"},"children":["Azure portal"]}," and open ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["App registrations"]}," (you can search for it in the top search bar or open it directly from ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Microsoft Entra ID → App registrations"]},"). Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["New registration"]}," at the top of the page."]},{"$$mdtype":"Tag","name":"LightboxImage","attributes":{"isLightbox":true},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"img","attributes":{"src":"/assets/azure-ad-1.fa5ba89e8fd4ea1a8f26b7c3128f5e7b38444fb1f4587f78688efd2689db7ab0.1ce25488.png","alt":"App registrations page in Azure portal"},"children":[]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"step-2-register-a-new-application","__idx":3},"children":["Step 2: Register a new application"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Fill in the registration form:"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Enter a name for your application (for example, ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Frontegg Integration"]},")."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Under ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Supported account types"]},", select ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Accounts in any organizational directory (Any Microsoft Entra ID tenant — Multitenant)"]}," for multi-tenant apps, or ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Accounts in this organizational directory only"]}," for a single-tenant app."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Under 
",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Redirect URI"]},", choose ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Web"]}," as the platform and enter:",{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"header":{"controls":{"copy":{}}},"source":"https://YOUR_MCP_GATEWAY_URL/integration-callback\n"},"children":[]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Register"]},"."]}]},{"$$mdtype":"Tag","name":"LightboxImage","attributes":{"isLightbox":true},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"img","attributes":{"src":"/assets/azure-ad-2.d53a9cf2fb06df6f1c92a22bf4bc4fd32116629a83c03ce6358cd43e0e5bf8a9.1ce25488.png","alt":"New application registration form with name, multitenant account type, Web platform, and redirect URI filled in"},"children":[]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"step-3-copy-the-application-client-id-and-directory-tenant-id","__idx":4},"children":["Step 3: Copy the Application (client) ID and Directory (tenant) ID"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["After registration, you are taken to the application ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Overview"]}," page. 
Copy both the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Application (client) ID"]}," and the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Directory (tenant) ID"]}," — you will need them when configuring the Frontegg portal."]},{"$$mdtype":"Tag","name":"LightboxImage","attributes":{"isLightbox":true},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"img","attributes":{"src":"/assets/azure-ad-3.a026c036b10b59da5b3d08f95611aac4e559633f978568fc4cc09ab7cb3d0d5b.1ce25488.png","alt":"Application overview page with Application (client) ID and Directory (tenant) ID highlighted"},"children":[]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"create-a-client-secret","__idx":5},"children":["Create a client secret"]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"step-4-open-certificates--secrets","__idx":6},"children":["Step 4: Open Certificates & secrets"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["In the left sidebar, under ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Manage"]},", click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Certificates & secrets"]},". 
On the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Client secrets"]}," tab, click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["New client secret"]},"."]},{"$$mdtype":"Tag","name":"LightboxImage","attributes":{"isLightbox":true},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"img","attributes":{"src":"/assets/azure-ad-4.ccf45e1397f06637fbff5d21b818f4699d95be478510339fbe10ca08aff27b29.1ce25488.png","alt":"Certificates and secrets page with New client secret button highlighted"},"children":[]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"step-5-add-a-description-and-expiry","__idx":7},"children":["Step 5: Add a description and expiry"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["In the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Add a client secret"]}," panel, enter a description (for example, ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Frontegg Integration"]},") and choose an expiry period. The secret stops working once it expires, so plan to create a replacement and update it in the Frontegg portal before that date. Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Add"]},"."]},{"$$mdtype":"Tag","name":"LightboxImage","attributes":{"isLightbox":true},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"img","attributes":{"src":"/assets/azure-ad-5.a1143c4c6a5aca7d1953acacba5ecaa7f1340298b8ce67a04b7a0f39df957451.1ce25488.png","alt":"Add a client secret panel with description field filled in and Add button highlighted"},"children":[]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"step-6-copy-the-client-secret-value","__idx":8},"children":["Step 6: Copy the client secret value"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The new secret appears in the list. Copy the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Value"]}," immediately — it is only shown once. 
After you navigate away, you cannot retrieve it again."]},{"$$mdtype":"Tag","name":"Notification","attributes":{"title":"Save your Client Secret now","type":"attention"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The Client Secret value is only displayed once. After you leave this page, you can only see the secret ID — not the value. Store the value securely before continuing."]}]},{"$$mdtype":"Tag","name":"LightboxImage","attributes":{"isLightbox":true},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"img","attributes":{"src":"/assets/azure-ad-6.ab44aa6dabaf458648035b5b9633139a80bce6e38abc27c54581b3127dbf693b.1ce25488.png","alt":"Client secret list showing the new secret with value blurred and highlighted"},"children":[]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"configure-api-permissions","__idx":9},"children":["Configure API permissions"]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"step-7-open-api-permissions","__idx":10},"children":["Step 7: Open API permissions"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["In the left sidebar, click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["API permissions"]},", then click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Add a permission"]},"."]},{"$$mdtype":"Tag","name":"LightboxImage","attributes":{"isLightbox":true},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"img","attributes":{"src":"/assets/azure-ad-7.6661c7cfef45607d058bbf045174259399dc8cf89949e8b53c0f17a024bc9341.1ce25488.png","alt":"API permissions page with Add a permission button highlighted"},"children":[]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"step-8-select-microsoft-graph","__idx":11},"children":["Step 8: Select Microsoft Graph"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["In the 
",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Request API permissions"]}," panel, click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Microsoft Graph"]},"."]},{"$$mdtype":"Tag","name":"LightboxImage","attributes":{"isLightbox":true},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"img","attributes":{"src":"/assets/azure-ad-8.6aca18d157c669b572da407dc345d9973782a6d8a5d4f4127c518987ef8f5fb6.1ce25488.png","alt":"Request API permissions panel with Microsoft Graph highlighted"},"children":[]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"step-9-select-delegated-permissions","__idx":12},"children":["Step 9: Select delegated permissions"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Delegated permissions"]},". Use the search box to find each permission you need and select the checkbox next to it. Select the following scopes (the ReadWrite scopes allow changes to users and groups, so include them only if your integration writes to the directory):"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Scope"},"children":["Scope"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Description"},"children":["Description"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["openid"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Sign users 
in"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["profile"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["View users' basic profile"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["email"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["View users' email address"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["offline_access"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Maintain access to data the user has granted (issues refresh tokens)"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["User.Read.All"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Read all users' full profiles"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["User.ReadWrite.All"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Read and write all users' full profiles"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Group.Read.All"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Read all 
groups"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Group.ReadWrite.All"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Read and write all groups"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Application.Read.All"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Read applications"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Directory.Read.All"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Read directory data"]}]}]}]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Add permissions"]},"."]},{"$$mdtype":"Tag","name":"LightboxImage","attributes":{"isLightbox":true},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"img","attributes":{"src":"/assets/azure-ad-9.d6662df784ea3e823f7a5fa02c419ba40322c5e9c4e5e1dff22361d7558c33a2.1ce25488.png","alt":"Delegated permissions list with selected Microsoft Graph scopes"},"children":[]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"step-10-verify-configured-permissions","__idx":13},"children":["Step 10: Verify configured permissions"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["After adding permissions, the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["API permissions"]}," page lists all configured permissions under ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Microsoft Graph"]},". 
Permissions marked ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Admin consent required"]}," (such as ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["User.Read.All"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Group.Read.All"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Directory.Read.All"]},") will only be granted after an admin clicks ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Grant admin consent for {tenant}"]},", or after a user who is allowed to consent to them (typically an administrator) explicitly consents during sign-in; other users cannot grant these permissions themselves."]},{"$$mdtype":"Tag","name":"LightboxImage","attributes":{"isLightbox":true},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"img","attributes":{"src":"/assets/azure-ad-10.8db27a85ae8d573dcd9fa8a30eb2a7d90181276be31a2312eafecb17b6be3825.1ce25488.png","alt":"API permissions page showing all configured Microsoft Graph permissions"},"children":[]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"configure-the-frontegg-portal","__idx":14},"children":["Configure the Frontegg portal"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Once you have your ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Client ID"]},", ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Client Secret"]},", and ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Directory (tenant) ID"]},", enter them in the Frontegg portal:"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Open the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Frontegg portal"]}," and navigate to [ENVIRONMENT] → Integrations → Azure AD."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Enter the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Client ID"]}," and 
",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Client Secret"]}," in the corresponding fields."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Optionally, enter the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Directory (tenant) ID"]},". Leave blank or set to ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["common"]}," for multi-tenant applications; use a tenant GUID or domain for single-tenant applications."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Select the required ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["scopes"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Save"]},"."]}]},{"$$mdtype":"Tag","name":"Notification","attributes":{"title":"Keep your credentials secure","type":"attention"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Never share or commit your Client Secret to version control."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"additional-resources","__idx":15},"children":["Additional resources"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"a","attributes":{"href":"https://learn.microsoft.com/en-us/graph/overview"},"children":["Microsoft Graph API documentation"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"a","attributes":{"href":"https://learn.microsoft.com/en-us/graph/permissions-reference"},"children":["Microsoft Graph permissions reference"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"a","attributes":{"href":"https://portal.azure.com/"},"children":["Azure 
portal"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"a","attributes":{"href":"https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow"},"children":["Microsoft identity platform and OAuth 2.0"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"a","attributes":{"href":"/agen-for-work/connectors/redirect-url"},"children":["How to get your Redirect URL"]}]}]}]},"headings":[{"value":"Azure AD integration","id":"azure-ad-integration","depth":2},{"value":"Register an application in Azure","id":"register-an-application-in-azure","depth":3},{"value":"Step 1: Open App registrations","id":"step-1-open-app-registrations","depth":4},{"value":"Step 2: Register a new application","id":"step-2-register-a-new-application","depth":4},{"value":"Step 3: Copy the Application (client) ID and Directory (tenant) ID","id":"step-3-copy-the-application-client-id-and-directory-tenant-id","depth":4},{"value":"Create a client secret","id":"create-a-client-secret","depth":3},{"value":"Step 4: Open Certificates & secrets","id":"step-4-open-certificates--secrets","depth":4},{"value":"Step 5: Add a description and expiry","id":"step-5-add-a-description-and-expiry","depth":4},{"value":"Step 6: Copy the client secret value","id":"step-6-copy-the-client-secret-value","depth":4},{"value":"Configure API permissions","id":"configure-api-permissions","depth":3},{"value":"Step 7: Open API permissions","id":"step-7-open-api-permissions","depth":4},{"value":"Step 8: Select Microsoft Graph","id":"step-8-select-microsoft-graph","depth":4},{"value":"Step 9: Select delegated permissions","id":"step-9-select-delegated-permissions","depth":4},{"value":"Step 10: Verify configured permissions","id":"step-10-verify-configured-permissions","depth":4},{"value":"Configure the Frontegg portal","id":"configure-the-frontegg-portal","depth":3},{"value":"Additional 
resources","id":"additional-resources","depth":3}],"frontmatter":{"category":"Identity","displayName":"Azure AD","seo":{"title":"Azure AD integration"}},"lastModified":"2026-05-19T15:06:34.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/agen-for-work/connectors/marketplace/azure-ad","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}