Skip to main content

Entra ID

Cyscale enables you to keep track of Entra entities (users, groups, devices, etc.) and what they have access to, such as Azure resources and even resources from other cloud providers if you are using Entra ID as an IdP for your SSO setup. You connect Cyscale to your Entra ID tenant through an app registration.

Connecting Your Entra ID Tenant

Once you are ready to connect your Entra ID tenant and have the required permissions, press the + button from the sidebar and choose Microsoft Entra ID. You will be greeted with a simple multi-step process.

Step 1

In the first step, you provide the ID of your Entra ID tenant. You can find your tenant ID using the Azure Portal here.

Step 2

In the second step you create the Entra ID app registration, the service principal, and assign the required permissions.

Linking with Existing Azure Connectors

If you already have Azure subscriptions connected, Cyscale will reuse the app registration and credentials. All you have to do is assign the Entra ID permissions and grant admin consent.


Download the Terraform configuration file and, using the Terraform CLI either from your machine or using Azure Cloud Shell (click here to directly open the shell), you provision the required resources.

Authentication and Authorization

Terraform uses the provider's APIs/SDKs to manage the resource. Cyscale makes use of the hashicorp/azuread Terraform provider for creating the Entra ID app registration and service principal. You can read more about the available authentication options here.

Perhaps the simplest option is to let the provider use the credentials stored by the az CLI.

Inspect the Terraform configuration file and follow the instructions provided by Cyscale.


If you prefer setting up the resources manually from the Azure portal, follow the steps provided by Cyscale.

Access Security

While the permissions you grant to Cyscale are limited to reading the entities from your Entra ID tenant, you might still be concerned about the security of your information. Providing the service principal credentials to Cyscale means that any entity with access to these credentials can read your Entra ID data.

Cyscale encrypts and stores the credentials in a database accessible only from within the Cyscale infrastructure. Then, a specialized service decrypts and uses the credentials to read your Entra ID assets. No member of the Cyscale team has access to your credentials.

Deep Dive on Permissions

Cyscale requires the following Entra ID permissions:

  • Directory.Read.All - for reading the users, groups, and other resources
  • UserAuthenticationMethod.Read.All - for the reading the MFA information
  • Policy.Read.All - for reading the Security Defaults
  • AuditLog.Read.All - for reading the MFA information

Since these are considered high privilege permissions, you will have to grant admin consent for them. You can read more about admin consent in the Azure documentation.