Microsoft Entra ID / Microsoft 365

Entra ID and Microsoft 365

Entra ID (formerly Azure AD) is Microsoft's cloud-based directory service. At a basic level, a directory service maintains lists of your users, and associated groups, as well as dealing with authentication. Entra ID is a foundational element of Microsoft 365 - any user of Microsoft 365 is actually listed in Entra ID.

From a technical perspective, whilst Microsoft 365 offers additional functionality on top of Entra ID, all access is through the Microsoft Graph API which gives a consistent way to access Entra ID and other Microsoft products.

To all intents and purposes, connecting Trelica to Entra ID / Microsoft 365 is the same thing. If you just use Entra ID, then some data (e.g. Sharepoint usage) will just be empty.

Trelica connects using OAuth2, and the default permissions that Trelica requests are read-only.

You should connect to Entra ID with a user account that has at least the Directory Readers, Security Reader and Reports Reader roles.

If you enable Provisioning or Deprovisioning you will also need the Directory Writers role.

Scopes requested

Scope Reason
AuditLog.Read.All This is used to read audit logs to extract last-login times for SAML2 enabled applications (only works with Entra ID P1 and P2). The Security Reader role enables this.
Directory.Read.All Allows the Trelica to read basic data in your organization's directory, such as users, groups and apps. It also allows us to retrieve information about the Office 365 licenses each user has been assigned.
Group.Read.All Trelica reads the names and IDs of security and Office 365 groups in your organization's directory.
GroupMember.Read.All To show which users are members of each group, Trelica needs to read the members of each group.
Reports.Read.All Where audit log data is not available, Trelica reads Microsoft Office 365 usage reports to return last used dates for applications like Teams, Yammer, OneDrive and SharePoint. The Reports Reader role enables this.
User.Read.All Trelica pulls a list of all Office 365 users, and basic profile properties like name, email, employee ID, job title and creation date.
User.ReadWrite.All Required for provisioning and deprovisioning users. This needs the Directory Writers role.

Entra ID now offers a very comprehensive approach to OAuth application security. Recommended settings are to limit users' abilities to consent to OAuth applications - if you're an Entra Administrator you can see the configuration your organization is using under Enterprise applications > Consent and permissions > User consent settings.

Trelica requires a number of permissions to access resources in Entra ID and it's likely you will have Do not allow user consent or Allow user consent for apps from verified publishers, for selected permissions selected. In this case connecting Trelica to Entra ID with a non-Entra administrator account will show the Need admin approval message:

As the message suggests, you could switch to using an Entra administrator account to make the connection by clicking Have an admin account? Sign in with that account.

Trelica will not be granted the full access of your administrator account - our access is limited to the OAuth scopes we request.

Approving the Trelica application connection using a separate Entra admin account

If you want to use a different user account (perhaps a specific Trelica 'service' account with just the Global Reader role) to connect from Trelica to Entra ID, then you will still need an Entra Administrator to approve the Trelica application.

The easiest way to do this is to ask an Entra Admin (who does not need to have a Trelica account) to click the following link:

https://login.microsoftonline.com/common/adminconsent?client_id=736c9ac0-68b3-4c09-8f92-17cc92891638

This will initiate the process for approving the Trelica connection in Entra ID. They will be shown the following screen:

Entra ID permissions requested.png

You do NOT need to Consent on behalf of your organization. If you leave the box unchecked it just means that if a new connection is made, then the user must review the access Trelica is requesting.

After you click Accept, the user will see a message from Trelica that says "Request forwarding failed Forwarding the request to the upstream server failed. Please retry, and if the problem persists contact Trelica support." You can ignore this message - it's simply because the request was initiated from a direct URL outside Trelica. We are working to improve the wording of this.

You can confirm that the application has been added by going to Enterprise applications in Azure:

Enterprise App Trelica ME ID.png

Now that the application has been approved by an administrator, you can log in to Trelica and connect using your non-admin account:

Entra ID integration.png

Authorizing additional scopes

If you want to authorize additional integration functionality, e.g. to enable deprovisioning, first click the â‹® icon and disconnect the integration, and then reconnect, selecting the features you want.

Entra ID connection settings.png

If you have previously consented to a set of scopes in Entra ID you may find that any additional scopes required (e.g. User.ReadWrite.All) are not correctly granted.

To resolve this, you may need to delete the Trelica application in Entra ID and reconnect, to regrant the right scopes.

To delete the Trelica application, find the Enterprise applications Azure service:

Azure Enterprise Apps.png

Then search for Trelica (Microsoft Entra ID) (or Trelica (Microsoft Azure AD), depending on when you set up the integration):

Searching for an Enterprise application

Click through on the application, select Properties on the left-hand side and then Delete the application:

Deleting an Enterprise application

Concealed user names in Microsoft 365 usage reports

By default, Microsoft 365 now anonymizes (or "conceals") user names in usage reports. If this setting is enabled, then Trelica cannot read user-level usage data for Outlook, Teams, OneDrive or SharePoint.

If you want to see this then go to Settings > Org settings > Reports in the Microsoft 365 admin center:

M365 Admin Center.png

Make sure that the checkbox for Display concealed user, group and site names in all reports is unchecked.

Then click Save.

You must refresh the Microsoft 365 integration in Trelica to update the data:

Refresh Entra ID integration.png

Microsoft 365 usage data for Outlook, Teams, OneDrive and SharePoint typically has a slight lag, so may not register usage from the previous 48 hours.

FAQs

How is the person type determined?

The person type is determined by the following logic:

  1. If the Entra ID User Type is "Guest" then the person is marked as "External"
    Azure AD guest user type.png

  2. If the Entra ID Employee Type field is set then it is mapped as follows:

    • Employee => Employee
    • Contractor => Contractor
    • Consultant or Vendor => External
  3. If the Employee Type is not set, then if any of the following fields have a value, the person is marked as an Employee:

    • Employee ID
    • Manager
    • Cost Center
    • Division

An application shows a 'High' OAuth Access Risk, but no users have a 'High' OAuth Access Risk

An Entra administrator can grant specific consents on behalf of all users. If this has been granted then Trelica derives a risk rating from these consents and applies this to the application.

An application that I can see in the Entra ID Enterprise Applications list isn't showing in Trelica

Trelica only imports applications which meet one or more criteria:

  • Application is configured for SAML2.
  • Application has users or groups assigned to them.
  • Entra ID has issued OAuth2 tokens for the application, and they are still valid.

What does the last login date for Microsoft 365 reflect?

If you have an Entra ID P1 or P2 license then Trelica will retrieve the last interactive login date for your users. An interactive login is where a user actually enters a password (or uses an MFA app or biometric factor or QR code) to sign in to an application using their Entra ID account.

If users are primarily accessing Microsoft 365 through mobile apps (for example) then this may not reflect actual activity as these applications may be using non-interactive logins. Data relating to non-interactive logins is not available through Microsoft APIs.

To overcome this limitation, Trelica combines Entra ID last login dates with Microsoft 365 usage data from Outlook, Teams, OneDrive and SharePoint. This gives a more accurate indication of last usage.

I logged in yesterday but Trelica shows a last login from a few days ago?

Microsoft Activity report data lags by a day or two (based on Microsoft's design).

Microsoft say "The reports typically become available within 48 hours, but might sometimes take several days to become available". See https://learn.microsoft.com/en-us/microsoft-365/admin/activity-reports/activity-reports?view=o365-worldwide

What does the last login date for Teams or Outlook reflect?

Teams and Outlook usage data indicates the last time a user accessed Teams or Outlook, either on the web, from a desktop client, or from a mobile device. It does not reflect the last date a Teams meeting was held or an Outlook message was sent or received.

How do you offboard a person from Microsoft 365 with Trelica?

Trelica's integrations with Microsoft support a range of offboarding actions. For a guide on recommended use of those actions refer to Offboard users from Microsoft 365.

Was this article helpful?

0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.