Microsoft Entra ID

The Microsoft Entra ID Connector imports identity data from Microsoft's cloud directory into Qualys CSAM/ETM Identity, giving security teams a centralized inventory of users, groups, and roles across the organization. By synchronizing identity assets into the Unified Asset Inventory, practitioners can see who has access to which resources and correlate identity information with other security asset data. After the initial full synchronization the connector supports delta pulls, so each run fetches only what changed and the cost of continuous identity reconciliation stays low. This unified view helps security teams identify access-control risks, enforce the principle of least privilege, and respond more effectively to identity-related threats in hybrid and cloud-native environments.

Connector Details

Vendor Microsoft
Product Name Microsoft Entra ID
Category Assets
Findings Supported Not Supported
Assets Supported Users, Groups, Roles (Identity)
Version 1.0.0
Integration Type Cloud
Direction Unidirectional (Microsoft Entra ID to Qualys)
Delta Support Supported

Connection Settings

Authentication Details

Provide the following credentials when configuring the connector:

Name Key Type
Tenant ID tenantId String
Client ID clientId String
Client Secret clientSecret Encrypted

Required Permissions

The connector is unidirectional and only reads from Entra ID, and it authenticates with a client secret (app-only access), so the permissions below are Microsoft Graph application permissions and need admin consent. Where more than one permission is listed for an entity, any one of them is sufficient; the first is the least privileged. A read-only connector does not need the ReadWrite permissions, so grant them only if your deployment has another reason to.

Entity             Least-privileged permission
Groups             GroupMember.Read.All
Users              User.Read.All
Roles              RoleManagement.Read.Directory (alternatives, in increasing privilege: Directory.Read.All, RoleManagement.ReadWrite.Directory, Directory.ReadWrite.All)
Service Principal  Application.Read.All
Applications       Application.Read.All
Tenant             Directory.Read.All

Connector Configuration

Basic Details

  1. Log in to Qualys CSAM.
  2. Navigate to Connectors and locate Microsoft Entra ID Connector.
  3. Click Manage.
  4. Provide connector name and description.
  5. Enter Tenant ID, Client ID, and Client Secret.
  6. Assets value is set to Identity by default.

Schedule

Schedules control when the connector runs.

  1. Select a Baseline Schedule. The options are Weekly, Fortnightly, Triweekly, or Monthly; this sets how often a Full Pull re-baselines the inventory.
  2. Configure a Schedule: Single Occurrence, or Recurring with start and end dates/times.
  3. Choose the Assets value. There are two options: "Identity only" and "Identities with Security Posture."

    • To import only the objects listed in the Unified Asset Inventory (Group, User, and Role Identity), select "Identity only."
    • To import the full object set (Groups, Users, Roles Identity, Service Principals, Applications, and Tenant), select "Identities with Security Posture."
  4. Click Next.

Review and Confirm

Review the configuration and click Create.

How Does the Connection Work?

The Microsoft Entra ID Connector synchronizes Users, Groups, and Roles from Entra ID into the CSAM Identity inventory. Synchronization runs on the configured recurring schedule or on demand. Profiles control which identity objects are imported and how often synchronization runs.

When the connector is created and run for the first time, it performs a Full Pull. This retrieves all Users, Groups, and Roles from Microsoft Entra ID and imports them into the inventory, establishing the initial baseline.

Recurring Delta Pulls:

After the initial run, scheduled synchronizations run as Delta Pulls. A Delta Pull retrieves only the objects that changed since the previous synchronization, with one exception for Roles:

  • Users and Groups: only changed data is returned.
  • Roles: the complete role set is retrieved on every run. There is no delta for Roles, but they are still fetched in both Delta Pull and Baseline executions.

Delta Pulls run at every scheduled interval and continue until the configured Schedule End DateTime.

Baseline Full Pull Schedule:

In addition to the initial Full Pull, the connector can be configured to run periodic Full Pulls based on the Baseline Schedule.
For example, if the Baseline Schedule is set to Weekly, the connector performs a Full Pull once every week until the configured Schedule End Datetime is reached. This ensures that large-scale directory changes are periodically reconciled.

Note:

  • The first execution always performs a Full Pull.
  • Delta Pulls run at each scheduled interval after the initial execution.
  • Roles have no delta support and are always fetched in full, during both Delta and Baseline runs.
  • Baseline Full Pulls run at the frequency defined in the Profile (e.g., weekly, fortnightly, Triweekly or Monthly), until the schedule end time.
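The Full Pull / Delta Pull cycle described above, as an added example that is not Qualys connector code. It assumes the connector relies on Microsoft Graph's delta query (GET .../users/delta) for Users and Groups, which the page does not state explicitly, and on a plain list of roleDefinitions for Roles, which has no delta variant. Every HTTP response in the block is constructed sample data so the logic runs without a tenant.

```python
"""Full Pull vs Delta Pull against Microsoft Graph, simulated offline.

Added example; not Qualys connector code. The users/delta endpoint and the
response bodies below are assumptions / constructed sample data.
"""
from typing import Callable, Dict, List, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed Graph responses keyed by URL. Graph pages a result set with
# @odata.nextLink, returns @odata.deltaLink when a delta round is complete,
# and marks deleted objects with an "@removed" annotation instead of fields.
SAMPLE_RESPONSES: Dict[str, dict] = {
    f"{GRAPH}/users/delta": {
        "value": [
            {"id": "u1", "userPrincipalName": "alice@contoso.example", "accountEnabled": True},
            {"id": "u2", "userPrincipalName": "bob@contoso.example", "accountEnabled": True},
        ],
        "@odata.nextLink": f"{GRAPH}/users/delta?$skiptoken=page2",
    },
    f"{GRAPH}/users/delta?$skiptoken=page2": {
        "value": [
            {"id": "u3", "userPrincipalName": "carol@contoso.example", "accountEnabled": False},
        ],
        "@odata.deltaLink": f"{GRAPH}/users/delta?$deltatoken=t1",
    },
    # Changes since t1: bob was disabled, carol deleted, dave created. Delta
    # responses carry only the id plus the properties that changed.
    f"{GRAPH}/users/delta?$deltatoken=t1": {
        "value": [
            {"id": "u2", "accountEnabled": False},
            {"id": "u3", "@removed": {"reason": "deleted"}},
            {"id": "u4", "userPrincipalName": "dave@contoso.example", "accountEnabled": True},
        ],
        "@odata.deltaLink": f"{GRAPH}/users/delta?$deltatoken=t2",
    },
    f"{GRAPH}/roleManagement/directory/roleDefinitions": {
        "value": [
            {"id": "r1", "displayName": "Global Administrator"},
            {"id": "r2", "displayName": "Security Reader"},
        ],
    },
}

Getter = Callable[[str], dict]


def fake_get(url: str) -> dict:
    """Stands in for an authenticated HTTP GET (a real client adds the bearer token)."""
    return SAMPLE_RESPONSES[url]


def follow_pages(url: str, get: Getter) -> Tuple[List[dict], str]:
    """Walk @odata.nextLink pages; return all objects and the final deltaLink ('' if none)."""
    items: List[dict] = []
    while True:
        body = get(url)
        items.extend(body.get("value", []))
        if "@odata.nextLink" in body:
            url = body["@odata.nextLink"]
            continue
        return items, body.get("@odata.deltaLink", "")


def apply_changes(inventory: Dict[str, dict], changes: List[dict]) -> None:
    """Merge a delta page into the inventory: drop @removed objects, otherwise
    overlay only the properties Graph sent (everything else is unchanged)."""
    for obj in changes:
        oid = obj["id"]
        if "@removed" in obj:
            inventory.pop(oid, None)
            continue
        merged = dict(inventory.get(oid, {}))
        merged.update({k: v for k, v in obj.items() if not k.startswith("@")})
        inventory[oid] = merged


def full_pull(get: Getter) -> Tuple[Dict[str, dict], str, List[dict]]:
    """First run and every Baseline run: rebuild the user inventory from
    scratch, keep the deltaLink for the next run, and list all roles."""
    users, delta_link = follow_pages(f"{GRAPH}/users/delta", get)
    inventory: Dict[str, dict] = {}
    apply_changes(inventory, users)
    roles, _ = follow_pages(f"{GRAPH}/roleManagement/directory/roleDefinitions", get)
    return inventory, delta_link, roles


def delta_pull(inventory: Dict[str, dict], delta_link: str, get: Getter) -> Tuple[str, List[dict]]:
    """Scheduled run: fetch only what changed for users, but re-list roles in
    full because roleDefinitions has no delta query."""
    changes, next_link = follow_pages(delta_link, get)
    apply_changes(inventory, changes)
    roles, _ = follow_pages(f"{GRAPH}/roleManagement/directory/roleDefinitions", get)
    return next_link, roles


if __name__ == "__main__":
    inv, link, roles = full_pull(fake_get)
    print(f"baseline: {sorted(inv)} roles={len(roles)}")
    link, roles = delta_pull(inv, link, fake_get)
    print(f"after delta: {sorted(inv)} bob enabled={inv['u2']['accountEnabled']}")
```

Two details matter for correctness: a delta response only carries the changed properties, so the merge must overlay them onto the stored object rather than replace it, and a deleted object arrives as an `@removed` stub that must be dropped. A real client must also handle an expired delta token (Graph answers 410 Gone) by falling back to a Full Pull; the periodic Baseline Full Pull is a scheduled safety net for the same class of drift.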

In the Connector screen, you can find your newly configured connector listed and marked in the Processed state.

Connector States

A successfully configured connector goes through 4 states.

  1. Registered - The connector is successfully created and registered to fetch data from the vendor.
  2. Scheduled - The connector is scheduled to execute a connection with the vendor.
  3. Processing - A connection is executed and the connector is fetching the asset identity data.
  4. Processed - The connector has successfully fetched the assets. Allow some additional time for the identity data to be imported completely.

The Processed state indicates that the Connector is successfully configured but it is under the process of importing all your assets. This process may take some time.

Viewing Identity Assets in CSAM

  1. Navigate to CSAM Inventory.
  2. Go to Assets to view the imported Entra ID assets:
       Inventory > Identity > Group Identity / User Identity / Role Identity

     [Figures: Group Identity Assets, User Identity Assets, Role Identity Assets]

Microsoft Entra ID Transformation Maps

Groups - Transformation Map

Transformation map used while transforming source Groups data.

Source Field                                     Target Field
id                                               asset.assetHeader.externalAssetId
id                                               asset.assetHeader.vendorAssetId
displayName                                      asset.assetDetail.name
id                                               asset.assetDetail.groupAssetClass.id
displayName                                      asset.assetDetail.groupAssetClass.name
displayName                                      asset.assetDetail.groupAssetClass.displayName
visibility                                       asset.assetDetail.groupAssetClass.visibility
description                                      asset.assetDetail.groupAssetClass.description
appRoleAssignments.value[].id                    asset.assetDetail.groupAssetClass.permissions[].id
appRoleAssignments.value[].principalDisplayName  asset.assetDetail.groupAssetClass.permissions[].name
appRoleAssignments.value[].resourceDisplayName   asset.assetDetail.groupAssetClass.permissions[].resource
memberOf.value[].id                              asset.assetRelations[].assetHeader.externalAssetId
memberOf.value[].id                              asset.assetRelations[].assetHeader.vendorAssetId
memberOf.value[].displayName                     asset.assetRelations[].assetDetail.name
memberOf.value[].id                              asset.assetRelations[].assetDetail.roleAssetClass.id
memberOf.value[].description                     asset.assetRelations[].assetDetail.roleAssetClass.description
memberOf.value[].displayName                     asset.assetRelations[].assetDetail.roleAssetClass.displayName
memberOf.value[].displayName                     asset.assetRelations[].assetDetail.roleAssetClass.name
securityIdentifier                               asset.assetDetail.typedAttributes.entraGroupSecurityIdentifier
securityEnabled                                  asset.assetDetail.untypedAttributes.entraGroupSecurityEnabled

Users - Transformation Map

Transformation map used while transforming source Users data.

Source Field                                     Target Field
userPrincipalName                                asset.assetHeader.externalAssetId
id                                               asset.assetHeader.vendorAssetId
FUNCTION_PICKER (LOOKUP on accountEnabled)       asset.assetHeader.status
                                                 (ACTIVE if true, INACTIVE if false, UNKNOWN if the field is not present)
id                                               asset.assetDetail.userAssetClass.id
displayName                                      asset.assetDetail.userAssetClass.name
displayName                                      asset.assetDetail.name
FUNCTION_PICKER (LOOKUP on accountEnabled)       asset.assetDetail.userAssetClass.status
                                                 (ACTIVE if true, INACTIVE if false, UNKNOWN if the field is not present)
mail                                             asset.assetDetail.userAssetClass.email
givenName                                        asset.assetDetail.userAssetClass.firstName
surname                                          asset.assetDetail.userAssetClass.lastName
displayName                                      asset.assetDetail.userAssetClass.displayName
mobilePhone                                      asset.assetDetail.userAssetClass.phone
jobTitle                                         asset.assetDetail.userAssetClass.jobTitle
lastPasswordChangeDateTime                       asset.assetDetail.userAssetClass.passwordLastChangedAt
streetAddress                                    asset.assetDetail.userAssetClass.currentAddress.streetAddress
state                                            asset.assetDetail.userAssetClass.currentAddress.state
city                                             asset.assetDetail.userAssetClass.currentAddress.city
country                                          asset.assetDetail.userAssetClass.currentAddress.country
postalCode                                       asset.assetDetail.userAssetClass.currentAddress.isoCode
appRoleAssignments.value[].id                    asset.assetDetail.userAssetClass.permissions[].id
appRoleAssignments.value[].principalDisplayName  asset.assetDetail.userAssetClass.permissions[].name
appRoleAssignments.value[].resourceDisplayName   asset.assetDetail.userAssetClass.permissions[].resource
memberOf.value[].id                              asset.assetRelations[].assetHeader.externalAssetId
memberOf.value[].id                              asset.assetRelations[].assetHeader.vendorAssetId
memberOf.value[].uniqueName                      asset.assetRelations[].assetHeader.name
memberOf.value[].id                              asset.assetRelations[].assetDetail.groupAssetClass.id
memberOf.value[].uniqueName                      asset.assetRelations[].assetDetail.groupAssetClass.name
memberOf.value[].displayName                     asset.assetRelations[].assetDetail.groupAssetClass.displayName
memberOf.value[].visibility                      asset.assetRelations[].assetDetail.groupAssetClass.visibility
memberOf.value[].description                     asset.assetRelations[].assetDetail.groupAssetClass.description
accountEnabled                                   asset.assetDetail.untypedAttributes.entraUserAccountEnabled
department                                       asset.assetDetail.typedAttributes.entraUserDepartment
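The Users transformation map above, applied to one Graph user record, as an added example; it is not Qualys code. The connector's transformation engine (FUNCTION_PICKER and friends) is not published, so this reproduces the documented source-to-target mapping in plain Python to show the resulting asset shape. The user, appRoleAssignments, and memberOf payloads are constructed sample data in the shape of the Graph endpoints listed on this page.

```python
"""Users transformation map from this page, applied to one Graph user.

Added example, not Qualys code. SAMPLE_USER and the two related payloads are
constructed; the field names follow the documented map.
"""
from typing import Any, Dict


def status_from_account_enabled(obj: dict, inactive_on_false: bool = True) -> str:
    """FUNCTION_PICKER (LOOKUP on accountEnabled) as documented for Users:
    ACTIVE if true, INACTIVE if false, UNKNOWN if the field is absent.
    The Roles map collapses false to UNKNOWN; pass inactive_on_false=False."""
    if "accountEnabled" not in obj:
        return "UNKNOWN"
    if obj["accountEnabled"] is True:
        return "ACTIVE"
    return "INACTIVE" if inactive_on_false else "UNKNOWN"


def group_relation(g: dict) -> Dict[str, Any]:
    """memberOf.value[] -> asset.assetRelations[] (group side of the map)."""
    return {
        "assetHeader": {"externalAssetId": g.get("id"), "vendorAssetId": g.get("id"), "name": g.get("uniqueName")},
        "assetDetail": {"groupAssetClass": {
            "id": g.get("id"), "name": g.get("uniqueName"), "displayName": g.get("displayName"),
            "visibility": g.get("visibility"), "description": g.get("description"),
        }},
    }


def transform_user(user: dict, app_role_assignments: dict, member_of: dict) -> Dict[str, Any]:
    """Build the CSAM user asset from the three Graph responses the connector pulls."""
    status = status_from_account_enabled(user)
    u = user.get
    return {
        "assetHeader": {"externalAssetId": u("userPrincipalName"), "vendorAssetId": u("id"), "status": status},
        "assetDetail": {
            "name": u("displayName"),
            "userAssetClass": {
                "id": u("id"), "name": u("displayName"), "displayName": u("displayName"), "status": status,
                "email": u("mail"), "firstName": u("givenName"), "lastName": u("surname"),
                "phone": u("mobilePhone"), "jobTitle": u("jobTitle"),
                "passwordLastChangedAt": u("lastPasswordChangeDateTime"),
                "currentAddress": {
                    "streetAddress": u("streetAddress"), "state": u("state"), "city": u("city"),
                    "country": u("country"),
                    "isoCode": u("postalCode"),  # the map stores postalCode under isoCode
                },
                "permissions": [
                    {"id": a.get("id"), "name": a.get("principalDisplayName"), "resource": a.get("resourceDisplayName")}
                    for a in app_role_assignments.get("value", [])
                ],
            },
            "untypedAttributes": {"entraUserAccountEnabled": u("accountEnabled")},
            "typedAttributes": {"entraUserDepartment": u("department")},
        },
        # Caveat: /users/{id}/memberOf can also return directoryRole and
        # administrativeUnit objects; the documented map treats every entry as a group.
        "assetRelations": [group_relation(g) for g in member_of.get("value", [])],
    }


# Constructed sample payloads (not from a real tenant).
SAMPLE_USER = {
    "id": "0a1b2c3d-0000-4000-8000-000000000001",
    "userPrincipalName": "alice@contoso.example",
    "displayName": "Alice Example", "givenName": "Alice", "surname": "Example",
    "mail": "alice@contoso.example", "jobTitle": "SOC Analyst", "department": "Security",
    "accountEnabled": True, "lastPasswordChangeDateTime": "2024-01-15T09:30:00Z",
    "city": "Dublin", "country": "Ireland", "postalCode": "D02",
}
SAMPLE_APP_ROLE_ASSIGNMENTS = {"value": [
    {"id": "ara-1", "principalDisplayName": "Alice Example", "resourceDisplayName": "Example SaaS App"},
]}
SAMPLE_MEMBER_OF = {"value": [
    {"id": "g-1", "uniqueName": "sec-readers", "displayName": "Security Readers",
     "visibility": "Private", "description": "Read-only SOC access"},
]}

SAMPLE_ASSET = transform_user(SAMPLE_USER, SAMPLE_APP_ROLE_ASSIGNMENTS, SAMPLE_MEMBER_OF)

if __name__ == "__main__":
    import json
    print(json.dumps(SAMPLE_ASSET, indent=2))
```

Two points worth noticing when reading the output: `externalAssetId` is the userPrincipalName while `vendorAssetId` is the immutable object id, so a UPN rename changes the external id but not the vendor id; and a user record with no `accountEnabled` property at all (for example when the query did not select it) lands as UNKNOWN rather than INACTIVE, which matters when you build reports on disabled accounts.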

Roles - Transformation Map

Transformation map used while transforming source Roles data.

Source Field                                     Target Field
id                                               asset.assetHeader.externalAssetId
id                                               asset.assetHeader.vendorAssetId
FUNCTION_PICKER (LOOKUP on accountEnabled)       asset.assetHeader.status
                                                 (ACTIVE if true, UNKNOWN if false or the field is not present)
displayName                                      asset.assetDetail.name
id                                               asset.assetDetail.roleAssetClass.id
displayName                                      asset.assetDetail.roleAssetClass.name
displayName                                      asset.assetDetail.roleAssetClass.displayName
description                                      asset.assetDetail.roleAssetClass.description
resourceScopes                                   asset.assetDetail.roleAssetClass.resourceScopes
templateId                                       asset.assetDetail.typedAttributes.entraRoleTemplateId

Tenant - Transformation Map

Source Field                Target Field
* (all source fields)       thirdPartyObject.content.* (the source object is carried over field for field)

Applications - Transformation Map

Source Field                Target Field
* (all source fields)       thirdPartyObject.content.* (the source object is carried over field for field)

Service Principal - Transformation Map

Source Field                Target Field
* (all source fields)       thirdPartyObject.content.* (the source object is carried over field for field)

API Endpoints

Authorization (OAuth 2.0 client credentials grant)
  https://login.microsoftonline.com/{tenant_id}/oauth2/token

Users
  List Users API:               https://graph.microsoft.com/v1.0/users
  App Role Assignments API:     https://graph.microsoft.com/v1.0/users/{user_id}/appRoleAssignments
  Member Of API:                https://graph.microsoft.com/v1.0/users/{user_id}/memberOf

Groups
  List Groups API:              https://graph.microsoft.com/v1.0/groups
  App Role Assignments API:     https://graph.microsoft.com/v1.0/groups/{group_id}/appRoleAssignments
  Member Of API:                https://graph.microsoft.com/v1.0/groups/{group_id}/memberOf

Roles
  List Role Definitions API:    https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions

Applications
  List Applications API:        https://graph.microsoft.com/v1.0/applications

Tenant
  Organization API:             https://graph.microsoft.com/v1.0/organization

Service Principal
  List Service Principals API:  https://graph.microsoft.com/v1.0/servicePrincipals
  App Role Assigned To API:     https://graph.microsoft.com/v1.0/servicePrincipals/{sp_id}/appRoleAssignedTo
  App Role Assignments API:     https://graph.microsoft.com/v1.0/servicePrincipals/{sp_id}/appRoleAssignments