Microsoft Entra ID (Devices)
The Microsoft Entra ID integration with Qualys enables ingestion of device inventory from Entra ID into CSAM/ETM and helps improve asset completeness and visibility for Entra-managed endpoints across cloud and hybrid environments.
The Microsoft Entra ID Devices Connector is available on demand. To activate it for your subscription, contact your Technical Account Manager (TAM) or Qualys Support.
Connector Details
The following table provides an overview of what the Microsoft Entra ID Devices Connector supports.
| Vendor | Microsoft |
|---|---|
| Product | Microsoft Entra ID |
| Connector Category | Assets (Devices) |
| Asset Types Supported | Devices |
| Finding Types Supported | Not Supported |
| Supported Version & Type | SaaS (v1.0.0) |
| Integration Method | API Integration (REST) |
| Direction | Unidirectional (Microsoft Entra ID to Qualys) |
| Incremental Sync (Delta) | Supported |
| Import of Installed Software | Not Supported |
| Import of Source Tags | Not Supported |
| Filters/Filter Query | Not Supported |
Connection Settings
User Roles and Permissions
The connector authenticates to Microsoft Entra ID using an application registration with the Microsoft Graph API. The following permission is required:
| No. | Entity | Permission |
|---|---|---|
| 1 | Devices | Device.Read.All |
To register the application and generate credentials in Microsoft Entra ID:
- Sign in to the Azure Portal and open the Microsoft Entra ID blade.
- Browse to App registrations and select New registration.
- Enter a name for the application (for example, qualys-entra-connector).
- Select the appropriate Supported account type for your organization.
- Under Redirect URI, select Web. The URI field may be left blank.
- Select Register.
- After registration, navigate to API permissions and assign the Device.Read.All permission under Microsoft Graph.
- Navigate to Certificates & secrets and create a new Client Secret. Record the secret value immediately; it will not be shown again.
- Note the Tenant ID and Client ID from the application's Overview page.
For complete guidance, refer to the Microsoft Entra ID Reference Documentation.
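To confirm the registration is scoped as described above, the following added example (not Qualys or Microsoft code) inspects the claims of an app-only access token and reports any Graph application permission other than Device.Read.All, along with tenant or client mismatches. The function names and the sample tokens are assumptions; the tokens are constructed and unsigned so the check runs offline.

```python
import base64
import json

REQUIRED_ROLES = {"Device.Read.All"}  # the only permission the connector needs
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def b64url(obj: dict) -> str:
    """Encode a dict as an unpadded base64url JSON segment (used for sample tokens)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Decode the JWT payload for inspection only; the signature is not verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_token(token: str, tenant_id: str, client_id: str) -> list:
    """Return findings; an empty list means the token matches the documented setup."""
    claims = decode_claims(token)
    roles = set(claims.get("roles", []))  # application permissions appear as roles
    findings = []
    if REQUIRED_ROLES - roles:
        findings.append("missing: " + ", ".join(sorted(REQUIRED_ROLES - roles)))
    if roles - REQUIRED_ROLES:
        findings.append("excess: " + ", ".join(sorted(roles - REQUIRED_ROLES)))
    if claims.get("aud") not in GRAPH_AUDIENCES:
        findings.append("audience is not Microsoft Graph")
    if claims.get("tid") != tenant_id:
        findings.append("tenant mismatch")
    if claims.get("appid", claims.get("azp")) != client_id:
        findings.append("client mismatch")
    return findings


# Constructed, unsigned sample tokens with placeholder GUIDs.
TENANT, CLIENT = "11111111-1111-1111-1111-111111111111", "22222222-2222-2222-2222-222222222222"
BASE = {"aud": "https://graph.microsoft.com", "tid": TENANT, "appid": CLIENT}
GOOD = ".".join([b64url({"alg": "none"}), b64url({**BASE, "roles": ["Device.Read.All"]}), "sig"])
BROAD = ".".join([b64url({"alg": "none"}),
                  b64url({**BASE, "roles": ["Device.Read.All", "Directory.ReadWrite.All"]}), "sig"])

if __name__ == "__main__":
    print(audit_token(GOOD, TENANT, CLIENT))
    print(audit_token(BROAD, TENANT, CLIENT))
```

A token with no roles claim means the application permission has not taken effect, since application permissions apply only after admin consent.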
Authentication Details
Provide the following credentials in the connector configuration screen:
| Name | Key | Type | Description |
|---|---|---|---|
| Tenant ID | tenant_id | String | Identifies the Microsoft Entra ID tenant your application authenticates against |
| Client ID | client_id | String | Unique identifier for your application registration in Microsoft Entra ID |
| Client Secret | client_secret | Encrypted | Password-like credential that authenticates your application's identity |
Connector Configuration
Basic Details
- Log in to Qualys ETM.
- Go to the Connectors > Integration tab and locate the Microsoft Entra ID Devices Connector.
- Click Manage from the ellipses menu.
- Provide a Name and Description for the connector.
- Select the Qualys Data Model and Qualys Data Model Type.
- Enter the Tenant ID, Client ID, and Client Secret.
Mapping Details
Data Model
The Microsoft Entra ID Devices Connector provides out-of-the-box data model mappings for device assets. The connector does not import security findings. View the data model in ETM to review all supported fields.

Transform Maps
Default transform maps are provided. You can create or clone maps to customize field transformations.
- Click Create New to add a new transform map.
- Provide a Transform Map Name, select the Source Data Model, and select the Target Data Model.
- Save the map.
- Alternatively, use Clone from the quick menu to copy and adjust the default transform map.
Data Model Mapping - Asset Transformation
| Source Field | Target Field |
|---|---|
| displayName | externalAssetId (Required) |
| displayName | hostName |
| displayName | netBiosName |
| deviceId | instanceId |
| operatingSystem | operatingSystem.name |
| operatingSystemVersion | operatingSystem.version |
| manufacturer | biosInfo.manufacturer |
| model | biosInfo.model |
| createdDateTime | biosInfo.lastBoot |
| registrationDateTime | sourceCreatedDate |
| approximateLastSignInDateTime | sourceLastUpdatedDate |
| registrationDateTime | firstFoundDate |
| approximateLastSignInDateTime | lastUpdatedDate |
| domainName | domain |
| profileType | businessMetaData.status |
| deviceOwnership | businessMetaData.environment |
| managementType | businessMetaData.managedBy |
Profiles
Profiles control the execution of the connector, including schedule and synchronization behavior.
- Click + to add a new profile.
- Provide a Name and Description.
- Select the required Transform Map.
- Select a Baseline Schedule. This setting applies to recurring schedules and controls when a full data snapshot is fetched:
  - On the first connector run, a full snapshot of all devices is fetched.
  - Subsequent runs within the baseline window fetch only delta changes.
  - When the baseline period ends (for example, after one week), the connector fetches a full snapshot again.
- Set Status to Active or Inactive.
- Configure a Schedule: Single Occurrence or Recurring with start and end dates and times.
Identification Rules
Identification Rules are provided out-of-the-box by Qualys CSAM. They control how imported device assets are matched and deduplicated in ETM. You may proceed without modifying these rules, but ensure at least one rule is active before running the connector.

Review and Confirm
Review the connector configuration summary and click Create to complete the setup.
How Does a Connection Work?
The Microsoft Entra ID Devices Connector executes on schedule or on demand, based on the configured profile. It connects to the Microsoft Graph API, fetches device records, applies the configured transform map, and imports assets into ETM.
On the first run, the connector performs a full snapshot pull of all registered devices in Microsoft Entra ID. On subsequent runs, only delta changes are fetched, based on the configured baseline schedule. Once the baseline window resets, a new full snapshot is initiated.
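The full-snapshot and delta cycle described above, as an added example that is not Qualys connector code: it walks constructed Microsoft Graph delta pages, merges changed properties, drops devices marked @removed, and starts over once the baseline window has elapsed. The function names, the state dictionary and the page data are assumptions, and the initial pull here uses the delta endpoint so that Graph returns a deltaLink for later runs.

```python
from datetime import datetime, timedelta

START = "/v1.0/devices/delta"

# Constructed responses keyed by request URL (real links are absolute Graph URLs).
PAGES = {
    START: {"value": [{"id": "a1", "displayName": "LT-01", "operatingSystem": "Windows"}],
            "@odata.nextLink": START + "?$skiptoken=p2"},
    START + "?$skiptoken=p2": {"value": [{"id": "b2", "displayName": "LT-02"}],
                               "@odata.deltaLink": START + "?$deltatoken=d1"},
    START + "?$deltatoken=d1": {"value": [{"id": "a1", "operatingSystemVersion": "10.0.22631"},
                                          {"id": "b2", "@removed": {"reason": "deleted"}}],
                                "@odata.deltaLink": START + "?$deltatoken=d2"},
}


def walk(fetch_page, url):
    """Follow @odata.nextLink until the last page; return (items, deltaLink)."""
    items = []
    while True:
        page = fetch_page(url)
        items.extend(page["value"])
        if "@odata.nextLink" not in page:
            return items, page["@odata.deltaLink"]
        url = page["@odata.nextLink"]


def run(state, fetch_page, now, baseline=timedelta(weeks=1)):
    """One run: full snapshot on first use or after the baseline window, else delta."""
    full = state.get("baseline_at") is None or now - state["baseline_at"] >= baseline
    items, state["delta_link"] = walk(fetch_page, START if full else state["delta_link"])
    if full:
        state["devices"], state["baseline_at"] = {}, now  # discard stale records
    for item in items:
        if "@removed" in item:
            state["devices"].pop(item["id"], None)  # device deleted in Entra ID
        else:
            # A delta item may carry only the changed properties, so merge it.
            state["devices"].setdefault(item["id"], {}).update(item)
    return "full" if full else "delta"


if __name__ == "__main__":
    state, t0 = {}, datetime(2024, 1, 1)
    for offset in (0, 1, 8):  # days since the first run
        mode = run(state, PAGES.__getitem__, t0 + timedelta(days=offset))
        print(offset, mode, sorted(state["devices"]))
```

The periodic full snapshot matters for inventory accuracy: it rebuilds the device set from scratch, so any record that a missed or failed delta run left stale is corrected at the next baseline.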
A successfully configured connector transitions through the following states:
- Registered — The connector is successfully created and registered to fetch data from Microsoft Entra ID.
- Scheduled — The connector is scheduled to execute a connection.
- Processing — A connection is executing and the connector is actively fetching device data.
- Processed — The connector has successfully completed a run. Assets are being imported into ETM and CSAM.
The Processed state indicates a successful run. Full import of all assets may take up to 2 hours to complete.
Viewing Assets in ETM
After a successful run, Entra ID device assets appear in ETM Inventory:
- Assets: Go to Inventory > Assets > Host. Filter with tags.name:"Entra".
Additional Resources
- Microsoft Graph API — List Devices
- Microsoft Graph API — Fetch Devices Delta
- Microsoft Entra ID Reference Documentation
API Reference
| API Function | Endpoint | Notes |
|---|---|---|
| List Devices | /v1.0/devices | Fetches full snapshot of all registered devices |
| Fetch Devices Delta | /v1.0/devices/delta | Fetches incremental changes since last sync; used on subsequent runs |