# Azure Active Directory Integration

The Azure Active Directory (Entra ID) integration allows Sprinto to automatically collect evidence related to user access, roles, infrastructure, and security configurations.

This integration supports:

* Access reviews and user monitoring.
* Infrastructure visibility across Azure resources.
* MFA and sign-in tracking.
* Device monitoring via Intune (optional).

***

### How it works

Sprinto connects to Azure Active Directory using OAuth-based authentication. You can choose between OAuth 2.0 (an administrator signs in interactively and accepts the requested permissions) and OAuth 2.0 Client Credentials (you supply the Client ID, Client Secret, and Tenant ID of an app registration).

Once connected, Sprinto:

* Syncs users, groups, and roles.
* Tracks enterprise application access.
* Monitors sign-in activity and MFA (if permissions are granted).
* Fetches Azure infrastructure metadata.
* Continuously evaluates compliance checks.

Sprinto uses Microsoft Graph APIs for identity data and Azure Management APIs for infrastructure data. Tokens are securely generated and refreshed automatically.

***

#### Sprinto checks for Azure Active Directory

Below are the Sprinto checks for this integration, grouped by check type:

* Access management: checks that monitor user access.

| Sprinto check                                                       | Reference procedure                                                                                                                                                                                                                                                |
| ------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Azure Active Directory access should be removed for offboarded user | [How to fix](/data-library/access/dashboard-actions/view-and-map-staff-access.md)                                                                                                                                                                                  |
| User should be identified                                           | [How to fix](/monitors/authentication-and-access-monitors/resolve-sprinto-check-for-removing-access-for-offboarded-users.md)                                                                                                                                       |
| User access to critical system should be valid                      | <p><a href="/pages/HC9mwiCK8S9HS5WliTsl">How to fix</a></p><div data-gb-custom-block data-tag="hint" data-style="info" class="hint hint-info"><p>The user access to the critical system becomes valid if the respective Org role is added to the system.</p></div> |
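
The following Python example, added here and not part of Sprinto's documentation or code, evaluates the three checks in the table above over a directory snapshot. The record shapes are constructed (a subset of a Microsoft Graph user object, a staff roster, and a critical-system membership list), and the check semantics are inferred from the table and the hint: an offboarded staff member who is still enabled or still holds access is flagged, a directory user with no roster match is flagged as unidentified, and access to a critical system is valid only when the user's Org role is one the system allows.

```python
from dataclasses import dataclass


@dataclass
class DirectoryUser:
    """Subset of a Microsoft Graph /users object (constructed sample shape)."""
    id: str
    userPrincipalName: str
    accountEnabled: bool


@dataclass
class StaffRecord:
    """Row from the staff roster directory users are mapped to (constructed shape)."""
    upn: str
    status: str      # "active" or "offboarded"
    org_role: str


@dataclass
class CriticalSystem:
    """A system tracked under Data Library -> Access (constructed shape)."""
    name: str
    allowed_org_roles: set   # Org roles whose members may hold access
    members: set             # UPNs currently holding access


CHECK_OFFBOARDED = "Azure Active Directory access should be removed for offboarded user"
CHECK_IDENTIFIED = "User should be identified"
CHECK_VALID = "User access to critical system should be valid"


def run_access_checks(users, staff, system):
    """Return a list of (check, upn) findings; an empty list means every check passes."""
    roster = {s.upn.lower() for s in staff} and {s.upn.lower(): s for s in staff}
    members = {m.lower() for m in system.members}
    findings = []
    for u in users:
        upn = u.userPrincipalName.lower()
        rec = roster.get(upn)
        if rec is None:
            # Directory identity with no roster owner: cannot be reviewed until mapped.
            findings.append((CHECK_IDENTIFIED, upn))
            continue
        if rec.status == "offboarded" and (u.accountEnabled or upn in members):
            # Offboarded people must be disabled and removed from the system.
            findings.append((CHECK_OFFBOARDED, upn))
        if upn in members and rec.org_role not in system.allowed_org_roles:
            # Access is valid only when the holder's Org role is allowed on the system.
            findings.append((CHECK_VALID, upn))
    return findings


def sample_data():
    """Constructed snapshot exercising each check once."""
    users = [
        DirectoryUser("u1", "alice@example.com", True),
        DirectoryUser("u2", "bob@example.com", True),    # offboarded but still enabled
        DirectoryUser("u3", "carol@example.com", True),  # not on the roster
        DirectoryUser("u4", "dave@example.com", False),  # offboarded and already disabled
        DirectoryUser("u5", "erin@example.com", True),   # Finance, holds access
    ]
    staff = [
        StaffRecord("alice@example.com", "active", "Engineering"),
        StaffRecord("bob@example.com", "offboarded", "Engineering"),
        StaffRecord("dave@example.com", "offboarded", "Sales"),
        StaffRecord("erin@example.com", "active", "Finance"),
    ]
    system = CriticalSystem(
        "Azure Active Directory", {"Engineering"},
        {"alice@example.com", "bob@example.com", "erin@example.com"},
    )
    return users, staff, system


if __name__ == "__main__":
    users, staff, system = sample_data()
    for check, upn in run_access_checks(users, staff, system):
        print(f"{check}: {upn}")
```

Adding `Finance` to the system's allowed Org roles clears Erin's finding, which is the behaviour the hint in the table describes; Dave produces no finding because he is both disabled and absent from the system's membership.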

### Prerequisites

Ensure the following before setting up the integration:

* An active Azure subscription.
* An Azure Active Directory (Entra ID) tenant.
* Global Administrator or Application Administrator access.
* Ability to grant admin consent for required permissions.

***

### Permissions and access

#### Required permissions

Sprinto requires read-only access to:

* Users and directory data.
* Groups and memberships.
* Organisation details.
* Enterprise applications and service principals.

#### Optional permissions

* Sign-in activity (for MFA and login tracking).
* Intune device data.

#### Azure role requirement

* **Role:** Reader.
* **Scope:** Subscription level.

This ensures Sprinto can monitor resources without making any changes.
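
The Python example below is added here and is not Sprinto's code. It shows the two things a practitioner would want to confirm for the OAuth 2.0 Client Credentials option against the permissions listed in this section: how the client-credentials token request to Microsoft Graph is formed (the standard v2.0 token endpoint and the `.default` scope), and a local audit of the `roles` claim in the returned access token to verify that only read-only application permissions were granted. The Graph permission names are the standard ones, but the mapping of this page's permission list to those names is an assumption, and the sample token is constructed and unsigned.

```python
import base64
import json
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"
# Microsoft Graph is identified in the `aud` claim by its URL or its application ID.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}

# Assumed mapping of this page's required/optional list to Graph application roles.
READ_ONLY_ROLES = {
    "User.Read.All", "Directory.Read.All",          # users and directory data
    "Group.Read.All",                               # groups and memberships
    "Organization.Read.All",                        # organisation details
    "Application.Read.All",                         # enterprise apps and service principals
    "AuditLog.Read.All",                            # optional: sign-in activity
    "DeviceManagementManagedDevices.Read.All",      # optional: Intune device data
}


def build_token_request(tenant_id, client_id, client_secret):
    """URL and x-www-form-urlencoded body for the client-credentials grant (sent by POST)."""
    url = TOKEN_ENDPOINT.format(tenant=tenant_id)
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
        "grant_type": "client_credentials",
    })
    return url, body


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def decode_claims(token):
    """Read the payload of a compact JWT. No signature check: this inspects a token
    we obtained ourselves; a resource server must still verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def _is_read_only(role):
    return ".Read." in role or role.endswith(".Read")


def audit_token(claims):
    """Split granted roles into expected read-only, other read-only, and write-capable."""
    roles = set(claims.get("roles", []))
    extra = roles - READ_ONLY_ROLES
    return {
        "audience_ok": claims.get("aud") in GRAPH_AUDIENCES,
        "expected": sorted(roles & READ_ONLY_ROLES),
        "extra_read_only": sorted(r for r in extra if _is_read_only(r)),
        "write_capable": sorted(r for r in extra if not _is_read_only(r)),
    }


def least_privilege_ok(claims):
    """True when the token is for Graph and carries no write-capable permission."""
    a = audit_token(claims)
    return a["audience_ok"] and not a["write_capable"]


def make_unsigned_sample_token(claims):
    """Constructed, unsigned token for the demo; real tokens are signed by Entra ID."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed claim sets: a least-privilege grant and an over-privileged one.
SAMPLE_CLAIMS_GOOD = {
    "aud": "https://graph.microsoft.com",
    "roles": ["User.Read.All", "Group.Read.All", "Organization.Read.All", "Application.Read.All"],
}
SAMPLE_CLAIMS_BAD = {
    "aud": "https://graph.microsoft.com",
    "roles": SAMPLE_CLAIMS_GOOD["roles"] + ["Directory.ReadWrite.All", "Sites.Read.All", "Mail.Send"],
}

if __name__ == "__main__":
    for name, claims in (("good", SAMPLE_CLAIMS_GOOD), ("bad", SAMPLE_CLAIMS_BAD)):
        token = make_unsigned_sample_token(claims)
        print(name, least_privilege_ok(decode_claims(token)), audit_token(decode_claims(token)))
```

Run the audit against a real token only once, immediately after admin consent, and keep the secret out of logs; the aim is to confirm the grant matches the read-only scope this page describes before the connection is used.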

***

### Features

* Automated access reviews.
* Continuous user and group synchronisation.
* Enterprise application access tracking.
* Infrastructure monitoring across Azure resources.
* MFA and sign-in tracking (optional).
* Device monitoring via Intune (optional).

***

### Use cases

| Use case                  | Description                          |
| ------------------------- | ------------------------------------ |
| Access reviews            | Validate user access across systems  |
| User lifecycle tracking   | Monitor onboarding and offboarding   |
| Infrastructure compliance | Track Azure resources for audits     |
| MFA compliance            | Verify authentication policies       |
| Device compliance         | Monitor managed devices              |

***

### Connect Azure Active Directory

#### Step 1: Navigate to integrations

1. Log in to the Sprinto dashboard.
2. Go to **Settings**.
3. Select **Integrations**.
4. In the **All** tab, search for **Azure Active Directory**.
5. Click **Connect**.

<figure><img src="/files/qzDc5L8oCdASGtFQdF0a" alt="" width="563"><figcaption></figcaption></figure>

***

#### Step 2: Review permissions

1. Review the permissions required by Sprinto.
2. Review the data accessed.
3. Click **Next**.

<figure><img src="/files/wxlwbGxhGEgvtbIBGPeW" alt="" width="375"><figcaption></figcaption></figure>

***

#### Step 3: Confirm admin access

1. Select **I have admin access to my Azure Active Directory account**.
2. Click **Connect to Azure Active Directory**.

<figure><img src="/files/9pb3WCcdtntMvXO5H8pu" alt="" width="375"><figcaption></figcaption></figure>

***

#### Step 4: Choose authentication method

Select one of the following:

* **OAuth 2.0**.
* **OAuth 2.0 Client Credentials**.

<figure><img src="/files/9RQRWaoQ0VnMpwVRHXWf" alt="" width="375"><figcaption></figcaption></figure>

***

### Connect using OAuth 2.0

1. Select **OAuth 2.0**.
2. Review the permissions required and click **Connect**.

<figure><img src="/files/BqyWpLMD98Xeb4WISHsg" alt="" width="375"><figcaption></figcaption></figure>

3. Sign in to your Microsoft account in the pop-up window.
4. Review the requested permissions.
5. Click **Accept**.

Sprinto will complete the connection and begin syncing data.

***

### Connect using OAuth 2.0 Client Credentials

1. Select **OAuth 2.0 Client Credentials**.
2. Enter the following details:
   * Client ID.
   * Client Secret.
   * Tenant ID.
3. Click **Connect**.

To obtain these values, refer to this [guide](https://truto.notion.site/Azure-Active-Directory-Azure-AD-321ac512f5a580bba594c6b72cae9fe3).

<figure><img src="/files/wJh7cdJu0PoEwYttGUpL" alt="" width="375"><figcaption></figcaption></figure>

***

### Post-connection flow

After successfully connecting Azure Active Directory:

* The integration status is shown as **Connected**.
* Sprinto begins syncing users, groups, and access data automatically.
* Azure Active Directory can be added as a **critical system** under **Data Library → Access**.
* You can configure access monitoring rules based on:
  * Roles.
  * Access request tickets.
  * Organisation-wide access policies.
* Compliance checks are triggered and continuously evaluated.

***

### Troubleshooting

#### 1. Invalid credentials

* Cause: Incorrect Client ID, Client Secret, or Tenant ID.
* Resolution: Verify credentials and reconnect.

#### 2. Insufficient permissions

* Cause: Required API permissions are not granted.
* Resolution: Ensure all required permissions are added and admin consent is granted.

#### 3. Admin consent not granted

* Cause: Permissions not approved at the organisation level.
* Resolution: Grant admin consent in Entra ID.

#### 4. Expired client secret

* Cause: Client secret validity has expired.
* Resolution: Generate a new client secret and update it in Sprinto.

#### 5. Tenant or application not found

* Cause: Incorrect Tenant ID or Application ID.
* Resolution: Verify values in Azure and retry.

#### 6. Temporary API errors

* Cause: Rate limiting or service issues.
* Resolution: Retry after some time. Sprinto automatically handles retries where applicable.
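
The Python example below is added here and is not Sprinto's code. It maps failure responses from the Entra ID token endpoint and Microsoft Graph to the six troubleshooting causes above, so that a connection failure can be triaged without reading raw error bodies. The sample responses are constructed; the `AADSTS` error codes used for each cause are the Entra ID codes assumed here to accompany it, and the retry helper honours a `Retry-After` header before falling back to capped exponential backoff.

```python
import json
import re

AADSTS_RE = re.compile(r"\bAADSTS\d+\b")

# Assumed mapping of Entra ID token-endpoint error codes to the causes on this page.
AADSTS_CAUSES = {
    "AADSTS7000215": ("1. Invalid credentials",
                      "Verify the Client ID, Client Secret and Tenant ID, then reconnect."),
    "AADSTS7000222": ("4. Expired client secret",
                      "Generate a new client secret and update it in Sprinto."),
    "AADSTS90002":   ("5. Tenant or application not found",
                      "Verify the Tenant ID in Azure and retry."),
    "AADSTS700016":  ("5. Tenant or application not found",
                      "Verify the Application (Client) ID in Azure and retry."),
    "AADSTS65001":   ("3. Admin consent not granted",
                      "Grant admin consent for the application's permissions in Entra ID."),
}


def classify_failure(status, headers, body):
    """Return (cause, resolution, retry_after_seconds or None) for one HTTP response."""
    h = {k.lower(): v for k, v in headers.items()}
    if status == 429 or status >= 500:
        ra = h.get("retry-after")
        return ("6. Temporary API errors", "Retry after some time.",
                int(ra) if ra and ra.isdigit() else None)
    try:
        data = json.loads(body) if body else {}
    except json.JSONDecodeError:
        data = {}
    if not isinstance(data, dict):
        data = {}
    # Token endpoint errors carry the AADSTS code inside error_description.
    m = AADSTS_RE.search(data.get("error_description", ""))
    if m and m.group(0) in AADSTS_CAUSES:
        cause, fix = AADSTS_CAUSES[m.group(0)]
        return (cause, fix, None)
    # Graph rejects calls lacking a granted permission with this error code.
    err = data.get("error")
    if status == 403 and isinstance(err, dict) and err.get("code") == "Authorization_RequestDenied":
        return ("2. Insufficient permissions",
                "Add the required API permissions and grant admin consent.", None)
    return ("unclassified", "Inspect the response and contact support.", None)


def backoff_delay(attempt, retry_after=None, base=1.0, cap=60.0):
    """Seconds to wait before retry attempt `attempt` (0-based)."""
    if retry_after is not None:
        return float(retry_after)
    return min(cap, base * 2 ** attempt)


# Constructed sample responses as (status, headers, body).
SAMPLES = {
    "bad_secret": (401, {}, json.dumps({"error": "invalid_client",
                   "error_description": "AADSTS7000215: Invalid client secret provided."})),
    "expired_secret": (401, {}, json.dumps({"error": "invalid_client",
                       "error_description": "AADSTS7000222: The provided client secret keys for app are expired."})),
    "no_tenant": (400, {}, json.dumps({"error": "invalid_request",
                  "error_description": "AADSTS90002: Tenant 'example' not found."})),
    "no_consent": (400, {}, json.dumps({"error": "invalid_grant",
                   "error_description": "AADSTS65001: The user or administrator has not consented to use the application."})),
    "graph_forbidden": (403, {}, json.dumps({"error": {"code": "Authorization_RequestDenied",
                        "message": "Insufficient privileges to complete the operation."}})),
    "throttled": (429, {"Retry-After": "7"}, ""),
}


def triage_samples():
    """Classify every constructed sample; returns {name: (cause, resolution, retry_after)}."""
    return {name: classify_failure(*resp) for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    for name, (cause, fix, ra) in triage_samples().items():
        print(f"{name:16} -> {cause}; {fix}" + (f" (retry after {ra}s)" if ra else ""))
```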

***

### Support

Please get in touch with [Sprinto Support](mailto:www.support@sprinto.com) if you have any queries related to the integration or need assistance.

