
Microsoft Entra ID

Connect WNCYBER to Microsoft Entra ID (formerly Azure Active Directory) for unified identity governance across your Microsoft 365 and Azure environment.

The Microsoft Entra ID integration enables WNCYBER to discover and govern users, groups, app registrations, service principals, and managed identities across your Microsoft cloud environment.

Create an App Registration

WNCYBER connects to Entra ID through an app registration that holds read-only Graph permissions. The same app registration is also used for the contact form email integration.

  1. Sign in to the Azure portal
  2. Navigate to Microsoft Entra ID → App registrations → New registration
  3. Set:
    • Name: WNCYBER Platform
    • Supported account types: Accounts in this organisational directory only
    • Redirect URI: leave blank for now
  4. Click Register

Note the Application (client) ID and Directory (tenant) ID — you will need both.

Configure API Permissions

  1. In the app registration, navigate to API permissions → Add a permission → Microsoft Graph
  2. Select Application permissions and add:
    • Directory.Read.All
    • Application.Read.All
    • AuditLog.Read.All
    • Mail.Send (required for contact form email delivery)
  3. Click Add permissions
  4. Click Grant admin consent for [your tenant] — this is required for application permissions

Create a Client Secret

  1. Navigate to Certificates & secrets → Client secrets → New client secret
  2. Set a description and expiry (recommend 24 months)
  3. Copy the Value immediately — it is only shown once

Security note: Store this value as a secret in your Cloudflare Worker environment. Never commit it to source code.

Connect to WNCYBER

  1. In the WNCYBER console, navigate to Settings → Identity Sources → Add Source → Microsoft Entra ID
  2. Enter your Tenant ID, Client ID, and Client Secret
  3. Click Test Connection — WNCYBER verifies the credentials and required permissions
  4. Enable the sync and set the sync interval (default: 15 minutes)

What Gets Synced

Object Type          Synced Data
Users                Display name, UPN, job title, department, account status, last sign-in
Groups               Name, membership, group type (security/distribution/M365)
App registrations    Name, application ID, owners, credential expiry dates
Service principals   Name, app ID, assigned roles, last activity
Managed identities   Name, resource association, role assignments

Using for Contact Form Email (Mail.Send)

Once the app registration has Mail.Send permission, store the following as secrets in your Cloudflare Worker:

AZURE_TENANT_ID=your-tenant-id
AZURE_CLIENT_ID=your-client-id
AZURE_CLIENT_SECRET=your-client-secret
CONTACT_FROM_EMAIL=contact@wncyber.com
CONTACT_TO_EMAIL=contact@wncyber.com

The Cloudflare Worker (Phase 6) calls the Microsoft Graph API using client credentials flow to send email through your Office 365 mailbox.
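The client credentials exchange and Graph sendMail call described above, as an added example that is not WNCYBER's or Microsoft's own code; it assumes the five secrets listed above are bound on the Worker's `env` object and takes an injectable `fetchImpl` so the flow can be exercised offline with a stub:

```javascript
// Added example (not WNCYBER's or Microsoft's code). Assumes the five secrets above are
// bound on `env`; `fetchImpl` is injectable so the flow can be exercised offline.
const TOKEN_HOST = "https://login.microsoftonline.com";
const GRAPH_HOST = "https://graph.microsoft.com/v1.0";

// Client credentials request against the v2.0 token endpoint. The .default scope asks for
// the application permissions already granted by admin consent (here Mail.Send).
function buildTokenRequest(env) {
  const body = new URLSearchParams({
    client_id: env.AZURE_CLIENT_ID,
    client_secret: env.AZURE_CLIENT_SECRET,
    scope: "https://graph.microsoft.com/.default",
    grant_type: "client_credentials",
  });
  return {
    url: `${TOKEN_HOST}/${env.AZURE_TENANT_ID}/oauth2/v2.0/token`,
    init: { method: "POST", body: body.toString(),
            headers: { "Content-Type": "application/x-www-form-urlencoded" } },
  };
}

// Graph sendMail on the configured mailbox. Form text goes out as plain text (not HTML), so
// submitted content cannot inject markup; replyTo is set only if the address looks sane.
function buildSendMailRequest(env, accessToken, form) {
  const validEmail = /^[^\s@]+@[^\s@]+$/.test(String(form.email));
  const message = {
    subject: `Contact form: ${String(form.subject).slice(0, 200)}`,
    body: { contentType: "Text", content: String(form.message).slice(0, 10000) },
    toRecipients: [{ emailAddress: { address: env.CONTACT_TO_EMAIL } }],
    replyTo: validEmail ? [{ emailAddress: { address: form.email } }] : [],
  };
  return {
    url: `${GRAPH_HOST}/users/${encodeURIComponent(env.CONTACT_FROM_EMAIL)}/sendMail`,
    init: { method: "POST", body: JSON.stringify({ message, saveToSentItems: false }),
            headers: { Authorization: `Bearer ${accessToken}`, "Content-Type": "application/json" } },
  };
}

// Full flow: token, then send. Graph answers 202 Accepted on success. Only the HTTP status
// is surfaced in errors, so neither the secret nor the token can leak into a response.
async function sendContactMail(env, form, fetchImpl = fetch) {
  const t = buildTokenRequest(env);
  const tokenRes = await fetchImpl(t.url, t.init);
  if (!tokenRes.ok) throw new Error(`token request failed: HTTP ${tokenRes.status}`);
  const { access_token } = await tokenRes.json();
  const m = buildSendMailRequest(env, access_token, form);
  const mailRes = await fetchImpl(m.url, m.init);
  if (mailRes.status !== 202) throw new Error(`sendMail failed: HTTP ${mailRes.status}`);
  return mailRes.status;
}
```

Because Mail.Send as an application permission allows sending from any mailbox in the tenant, an Exchange Online application access policy can restrict this app registration to the contact mailbox alone.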

Troubleshooting

Sync fails with Insufficient privileges — ensure admin consent has been granted for all API permissions.

Missing users in inventory — check that the service account running the connector has access to the users you expect. Guest users from external tenants may require additional permissions.

App registration credentials expired — rotate the client secret in the Azure portal and update the secret in the WNCYBER console under Settings → Identity Sources → [Source Name] → Edit.