Azure AD / Entra ID

Connect Microsoft Azure AD (Entra ID) to Compass for identity and access analysis.

The Azure AD connector integrates with Microsoft Entra ID (formerly Azure Active Directory) to pull identity, access, and security metrics.

Prerequisites

  • An Azure AD tenant with at least P1 licensing (P2 recommended for full metrics)
  • An App Registration with the required API permissions
  • Admin consent granted for the app

Setup

1. Create an App Registration

  1. Go to Azure Portal > Microsoft Entra ID (labelled Azure Active Directory in older portal versions) > App registrations
  2. Click New registration
  3. Name it "Compass IAM Discovery" (or similar)
  4. Leave the redirect URI blank: the connector authenticates with the client credentials flow (the secret created in step 3), so no user sign-in redirect takes place. If you prefer to set one, use https://app.usecompass.io/callback
  5. Click Register

2. Configure API Permissions

Add the following Application permissions (not Delegated):

Permission                     Purpose
Directory.Read.All             Read users, groups, roles, and directory objects
AuditLog.Read.All              Read sign-in and audit log data
User.Read.All                  Read user profiles and properties
Group.Read.All                 Read group memberships and structures
Policy.Read.All                Read conditional access and security policies
IdentityRiskyUser.Read.All     Read risky user detections (P2 required)

Click Grant admin consent after adding all permissions.

3. Create a Client Secret

  1. Go to Certificates & secrets > New client secret
  2. Set an appropriate expiry (12 months recommended). Record the expiry date: when the secret lapses the connector stops authenticating, and you will need to create a new secret and update it in Compass
  3. Copy the secret value immediately — it won't be shown again

4. Add to Compass

  1. Go to Settings > Connectors in Compass
  2. Click Add Connector > Azure AD / Entra ID
  3. Enter:
    • Tenant ID — the Directory (tenant) ID shown on the App Registration overview page
    • Client ID — The Application (client) ID
    • Client Secret — The secret you just created
  4. Click Test Connection
  5. Save

Metrics Collected

Category            Metrics
Users               Total count, active vs inactive, guest users, stale accounts (90+ days)
Groups              Total count, dynamic vs assigned, empty groups, nesting depth
MFA                 Enrollment rate, methods distribution, users without MFA
Sign-ins            Success/failure rates, risky sign-ins, conditional access impact
Privileged Access   Global admin count, PIM usage, standing vs eligible assignments
Applications        App count, apps with excessive permissions, stale app registrations
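To make the definitions in the Users and MFA rows concrete, here is an added Python example (not Compass code) that computes those metrics from the shape of Microsoft Graph responses. The USERS and REGISTRATION records are constructed sample data; the field names follow Graph's user signInActivity property and the authenticationMethods userRegistrationDetails report, and treating "active" as accountEnabled is an assumption of the example.

```python
"""Added example (not Compass code): compute user and MFA metrics from the
shape of Microsoft Graph responses. All records below are constructed."""
from datetime import datetime, timedelta, timezone

STALE_AFTER_DAYS = 90  # the page's definition of a stale account
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for the sample

# Constructed sample of GET /users?$select=userPrincipalName,userType,accountEnabled,signInActivity
USERS = [
    {"userPrincipalName": "alice@contoso.example", "userType": "Member", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2024-05-30T08:00:00Z"}},
    {"userPrincipalName": "bob@contoso.example", "userType": "Member", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2023-11-01T08:00:00Z"}},
    {"userPrincipalName": "carol_ext#EXT#@contoso.example", "userType": "Guest",
     "accountEnabled": True, "signInActivity": None},  # never signed in (or no data)
    {"userPrincipalName": "svc-legacy@contoso.example", "userType": "Member",
     "accountEnabled": False,
     "signInActivity": {"lastSignInDateTime": "2022-01-15T08:00:00Z"}},
]

# Constructed sample of GET /reports/authenticationMethods/userRegistrationDetails
REGISTRATION = [
    {"userPrincipalName": "alice@contoso.example", "isMfaRegistered": True,
     "methodsRegistered": ["microsoftAuthenticatorPush", "softwareOneTimePasscode"]},
    {"userPrincipalName": "bob@contoso.example", "isMfaRegistered": True,
     "methodsRegistered": ["mobilePhone"]},
    {"userPrincipalName": "carol_ext#EXT#@contoso.example", "isMfaRegistered": False,
     "methodsRegistered": []},
    {"userPrincipalName": "svc-legacy@contoso.example", "isMfaRegistered": False,
     "methodsRegistered": []},
]


def _parse(ts):
    # Graph returns UTC timestamps in ISO 8601 with a trailing Z.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stale_accounts(users, now, days=STALE_AFTER_DAYS):
    """Enabled accounts whose last sign-in is older than `days`, or that have
    no sign-in recorded. Disabled accounts are skipped: they are already dealt
    with. Caveat: signInActivity is only populated on P1+ tenants, so a missing
    value can mean "no data" rather than "never signed in"; treat such accounts
    as candidates to review, not as proven dormant."""
    cutoff = now - timedelta(days=days)
    stale = []
    for u in users:
        if not u.get("accountEnabled"):
            continue
        last = (u.get("signInActivity") or {}).get("lastSignInDateTime")
        if last is None or _parse(last) < cutoff:
            stale.append(u["userPrincipalName"])
    return stale


def user_counts(users):
    """Total, active/inactive (by accountEnabled, an assumption here) and guests."""
    enabled = sum(1 for u in users if u.get("accountEnabled"))
    return {
        "total": len(users),
        "active": enabled,
        "inactive": len(users) - enabled,
        "guests": sum(1 for u in users if u.get("userType") == "Guest"),
    }


def mfa_metrics(registration):
    """Enrollment rate, per-method distribution and the users without MFA."""
    registered = [r for r in registration if r.get("isMfaRegistered")]
    methods = {}
    for r in registered:
        for m in r.get("methodsRegistered", []):
            methods[m] = methods.get(m, 0) + 1
    rate = round(len(registered) / len(registration), 2) if registration else 0.0
    return {
        "enrollment_rate": rate,
        "methods": methods,
        "without_mfa": [r["userPrincipalName"] for r in registration
                        if not r.get("isMfaRegistered")],
    }


if __name__ == "__main__":
    print(user_counts(USERS))
    print(stale_accounts(USERS, SAMPLE_NOW))
    print(mfa_metrics(REGISTRATION))
```

On a real tenant, page through the Graph results (follow @odata.nextLink) before feeding them to these functions; the sample skips that only because the data is inline.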

Troubleshooting

"Insufficient privileges" error

Ensure admin consent was granted for all permissions. Check Enterprise applications > (your app) > Permissions in the Entra admin center to verify consent status. Also confirm that each permission was added as an Application permission: a Delegated permission added by mistake shows as consented but is never carried in a client credentials token, so Graph still returns 403.
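A direct way to see what the tenant actually granted, useful both for the Test Connection step in the setup above and for diagnosing this error: acquire a token with the App Registration's credentials and read its roles claim, which lists the consented Application permissions. This is an added Python example, not Compass code; the environment variable names, the make_unsigned_token helper (offline test data only) and the /organization smoke-test call are assumptions of the example.

```python
"""Added example (not Compass code): client-credentials token for Microsoft
Graph, then check the token's `roles` claim against the permissions the
connector needs. A missing role is the usual cause of "Insufficient
privileges"."""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

# Application permissions from the setup section.
REQUIRED_ROLES = {
    "Directory.Read.All",
    "AuditLog.Read.All",
    "User.Read.All",
    "Group.Read.All",
    "Policy.Read.All",
    "IdentityRiskyUser.Read.All",  # P2 only; expect it missing on P1 tenants
}

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"
GRAPH_BASE = "https://graph.microsoft.com/v1.0"


def acquire_token(tenant_id, client_id, client_secret):
    """OAuth 2.0 client credentials grant against the v2.0 token endpoint."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
        "grant_type": "client_credentials",
    }).encode()
    req = urllib.request.Request(
        TOKEN_URL.format(tenant=tenant_id), data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_roles(access_token):
    """App roles (application permissions) present in the token payload.
    The signature is deliberately not verified: we are only inspecting a
    token we just received from Microsoft over TLS to read what was granted.
    Any code that relies on these claims for authorization must verify it."""
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    return set(payload.get("roles", []))


def missing_roles(access_token, required=REQUIRED_ROLES):
    """Required application permissions that were not granted or consented."""
    return set(required) - token_roles(access_token)


def graph_get(access_token, path):
    """GET a Graph v1.0 resource; a 403 here means consent is missing."""
    req = urllib.request.Request(GRAPH_BASE + path,
                                 headers={"Authorization": "Bearer " + access_token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def make_unsigned_token(roles):
    """Constructed header.payload.signature string for offline tests only
    (alg none, empty signature). Never accept a token like this anywhere."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "none", "typ": "JWT"}),
                     enc({"aud": "https://graph.microsoft.com", "roles": list(roles)}),
                     ""])


def main():
    creds = [os.environ.get(k) for k in
             ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET")]
    if not all(creds):
        sys.exit("set AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET")
    token = acquire_token(*creds)
    missing = missing_roles(token)
    if missing:
        print("not granted/consented:", ", ".join(sorted(missing)))
    print("organization:", graph_get(token, "/organization?$select=displayName"))


if __name__ == "__main__":
    main()
```

If a permission was added in the portal but does not appear in the roles claim, admin consent has not been granted for it (or it was added as Delegated); a token issued before consent also needs to be re-acquired, since cached tokens keep their old roles until expiry.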

Missing sign-in data

Reading sign-in logs through the Graph API requires Microsoft Entra ID P1 or higher. If the tenant is on the free tier or a Microsoft 365 plan that does not include Entra ID P1, sign-in metrics will be unavailable.

Stale data

Entra ID sign-in and audit logs are retained for a period that depends on your license tier (7 days on the free tier, 30 days on P1/P2). Compass can only access what Microsoft still retains, so gaps older than that window are expected unless you export the logs elsewhere.