
    Configuring using Azure AD premium license

    To audit your Azure AD (now Microsoft Entra ID) environment using an Azure AD Premium license, ADAudit Plus uses the Microsoft Graph API to obtain events from Azure AD. The application registration described below must be granted only the application permissions listed here, with admin consent, for collection to work.

    Privileges required while using Microsoft Graph API

    • Application.Read.All
    • AuditLog.Read.All
    • Directory.Read.All
    • IdentityRiskEvent.Read.All
    • Group.Read.All
    • User.Read.All

    Register an application

    Register an application in the Azure portal, using these steps:

    1. Go to the Azure portal, and sign in using your Microsoft account.
    2. Select Azure Active Directory from the Azure services section.
    3. Go to Manage > App registrations > + New registration to open the Register an application window.
    4. Enter the application name, for example, ADAudit Plus Application.
    5. Under Supported account types, ensure that Accounts in this organizational directory only (zohoadapazure only - Single tenant) is selected.
    6. Click Register.

    Grant minimum privileges required for Microsoft Graph API

    To grant the necessary privileges using Microsoft Graph API:

    1. Go to the Azure portal, and sign in using your Microsoft account.
    2. Select Azure Active Directory from the Azure services section.
    3. Go to Manage > App registrations. Select your application under Owned applications.
    4. Go to Manage > API permissions and select + Add a permission.
    5. Select Microsoft Graph, then click Application permissions as the type of permission required.
    6. From the list, select the following:
      • Application.Read.All
      • AuditLog.Read.All
      • Directory.Read.All
      • IdentityRiskEvent.Read.All
      • Group.Read.All
      • User.Read.All
    7. Click Add permissions.
    8. Select Grant admin consent for <tenant name>.
    9. Click Yes.

    Obtain client ID and client secret

    1. Go to the Azure portal, and sign in using your Microsoft account.
    2. Select Azure Active Directory from the Azure services section.
    3. Go to Manage > App registrations. Select your application under Owned applications.
    4. Go to Manage > Certificates & secrets.
      • Click + New client secret.
      • Enter a description.
      • Choose 24 months as the expiration; this is the maximum value that can be used.
      • Click Add.
      • Copy the client secret value (e.g., "14uCILxkHtIVGR3wkCq12341Nd5VtestkkWTyIPrrE="). The value is displayed only immediately after creation, so copy it now.
    5. Go to Manage > App registrations. Select your application under Owned applications.
    6. Under Application (client) ID, click Copy to clipboard.
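    The two procedures above depend on the six application permissions actually being admin-consented and on the client secret staying within its 24-month lifetime. The following is an added example (not ADAudit Plus or Microsoft code) that checks both against data shaped like the Microsoft Graph objects involved: the Graph service principal's appRoles (id-to-name map), the registration's requiredResourceAccess (what was requested), and the service principal's appRoleAssignments (what admin consent granted). All sample data and role ids are constructed placeholders, not Microsoft's real appRole ids.

```python
"""Least-privilege and consent check for the ADAudit Plus app registration's
Microsoft Graph permissions. Added example with constructed, Graph-shaped input."""
import json
from datetime import datetime, timezone

# Application permissions the page lists as the minimum for Microsoft Graph auditing.
REQUIRED = frozenset({
    "Application.Read.All", "AuditLog.Read.All", "Directory.Read.All",
    "IdentityRiskEvent.Read.All", "Group.Read.All", "User.Read.All",
})

# Constructed sample data. The role ids are placeholders, NOT Microsoft's real
# appRole ids; in practice read them from the Microsoft Graph service principal.
GRAPH_APP_ROLES = [{"id": f"00000000-0000-0000-0000-00000000000{i}", "value": v}
                   for i, v in enumerate(sorted(REQUIRED) + ["Mail.Read"], start=1)]
# Shape of application.requiredResourceAccess[].resourceAccess (what was requested).
REQUESTED = [{"id": r["id"], "type": "Role"} for r in GRAPH_APP_ROLES]
# Shape of servicePrincipal appRoleAssignments (what admin consent actually granted):
# IdentityRiskEvent.Read.All was never consented; Mail.Read was granted but is not needed.
CONSENTED = [{"appRoleId": r["id"]} for r in GRAPH_APP_ROLES
             if r["value"] != "IdentityRiskEvent.Read.All"]


def review_permissions(app_roles, requested, consented):
    """Resolve role ids to permission names and compare with the required set.
    'awaiting_consent' is requested on the registration but not admin-consented,
    so ADAudit Plus cannot use it yet; 'excess' is consented but not on the page's list."""
    names = {r["id"]: r["value"] for r in app_roles}
    req = {names.get(a["id"], a["id"]) for a in requested if a.get("type") == "Role"}
    eff = {names.get(a["appRoleId"], a["appRoleId"]) for a in consented}
    return {
        "missing": sorted(REQUIRED - eff),
        "awaiting_consent": sorted(req - eff),
        "excess": sorted(eff - REQUIRED),
    }


def secret_days_left(end_date_time, now_iso=None):
    """Days until a client secret (passwordCredentials[].endDateTime) expires;
    negative means already expired. The page caps the lifetime at 24 months, so
    plan to rotate the secret in ADAudit Plus before this reaches zero."""
    parse = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    now = parse(now_iso) if now_iso else datetime.now(timezone.utc)
    return (parse(end_date_time) - now).days


if __name__ == "__main__":
    print(json.dumps(review_permissions(GRAPH_APP_ROLES, REQUESTED, CONSENTED), indent=2))
    print(secret_days_left("2026-01-01T00:00:00Z", "2025-12-02T00:00:00Z"))
```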

    Setting up Azure AD in ADAudit Plus

    1. Open the ADAudit Plus web console.
    2. Go to Configuration > Configured Server(s) > Cloud Directory.
    3. Select +Add Tenant in the top-right corner.
    4. Select Audit via Azure.
    5. In the Cloud Directory window, choose the Cloud Type that matches your national cloud endpoint:
      • Azure AD global service (Azure Cloud - Default)
      • Azure AD for US Government L4 (Azure GCC High Cloud)
      • Azure AD for US Government L5 (Azure DOD Cloud)
      • Azure AD China operated by 21Vianet (Azure China Cloud)
      • Azure AD for Germany (Azure Germany Cloud)
    6. Enter the Tenant Name, Client ID, and Client Secret.
      Note: To obtain the tenant name:
      • Go to the Azure portal, and sign in using your Microsoft account.
      • Search for and select Microsoft Entra ID.
      • Go to Manage > Custom domain names.
      • Click Add filter; under Filter, select Primary from the dropdown, and under Value, select Yes from the dropdown.
      • Copy the name of the primary domain that is displayed and paste it in the Tenant Name field.
    7. Click Add.

    Privileges required while using Azure AD Graph API

    The Azure AD Graph API is deprecated. Instead, it is strongly recommended that you use the Microsoft Graph API to audit your Azure AD.

    For more details on why the Azure AD Graph API was deprecated, check the FAQ.

    Check whether you are using the Azure AD Graph API and, if so, migrate using these steps:

    1. Open the ADAudit Plus web console.
    2. Go to Configuration > Configured Server(s) > Cloud Directory.
      • In the top-right corner, if the Migrate to Microsoft Graph API button is available, then the Azure Active Directory Graph API is in use.
      • If the Back to Azure AD Graph API button is available, then the Microsoft Graph API is in use.
    3. Migrate from the Azure AD Graph API to the Microsoft Graph API by clicking Migrate to Microsoft Graph API in the top-right corner.
    4. Click Yes in the confirmation prompt.
    Note: Once you have migrated to the Microsoft Graph API, add the necessary minimum privileges using the steps listed under Grant minimum privileges required for Microsoft Graph API above.

    If you still want to use the Azure AD Graph API, the privilege required is:

    • Directory.Read.All
