Microsoft Entra ID
The Microsoft Entra ID Connector integrates identity assets from Microsoft Active Directory into Qualys CyberSecurity Asset Management (CSAM). The connector synchronizes Users, Groups, and Roles from Entra ID to provide centralized identity visibility.
Connector Details
| Field | Value |
|---|---|
| Vendor | Microsoft |
| Product Name | Microsoft Entra ID |
| Category | Assets |
| Findings Supported | Not Supported |
| Assets Supported | Users, Groups, Roles (Identity) |
| Version | 1.0.0 |
| Integration Type | Cloud |
| Direction | Unidirectional (Microsoft Entra ID to Qualys) |
| Delta Support | Supported |
Connection Settings
Authentication Details
Provide the following credentials when configuring the connector:
| Name | Key | Type |
|---|---|---|
| Tenant ID | tenantId | String |
| Client ID | clientId | String |
| Client Secret | clientSecret | Encrypted |
Required Permissions
| Entity | Least Required Permissions |
|---|---|
| Groups | GroupMember.Read.All |
| Users | User.Read.All |
| Roles | RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.ReadWrite.Directory, Directory.ReadWrite.All |
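The connector is listed as unidirectional (Microsoft Entra ID to Qualys), so it is useful to know which permissions granted to the app registration allow writes. The following is an added example, not Qualys or Microsoft code: it reads the `roles` claim of an access token the client has just obtained and compares it with the table above. It assumes the token is a JWT whose `roles` claim carries the granted application permissions; `token_roles`, `audit` and the sample token are hypothetical names and constructed data.

```python
import base64
import json

# Copied from the Required Permissions table on this page.
LISTED = {
    "Groups": {"GroupMember.Read.All"},
    "Users": {"User.Read.All"},
    "Roles": {"RoleManagement.Read.Directory", "Directory.Read.All",
              "RoleManagement.ReadWrite.Directory", "Directory.ReadWrite.All"},
}

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def token_roles(jwt):
    """Read the 'roles' claim (granted application permissions) from a JWT payload.
    No signature check: this only inspects a token your own client just obtained."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return set(json.loads(base64.urlsafe_b64decode(padded)).get("roles", []))

def audit(granted):
    """Compare granted permissions with the table. Assumption of this check:
    any one listed permission is enough to count an entity as covered."""
    all_listed = set().union(*LISTED.values())
    return {
        "uncovered": sorted(e for e, perms in LISTED.items() if not perms & granted),
        "write_capable": sorted(p for p in granted if ".ReadWrite." in p),
        "unlisted": sorted(granted - all_listed),
    }

# Constructed, unsigned sample token; the third role is deliberately outside the table.
SAMPLE_TOKEN = ".".join([
    b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode()),
    b64url(json.dumps({"roles": ["User.Read.All", "Directory.ReadWrite.All",
                                 "Mail.Read"]}).encode()),
    "constructed-signature",
])

if __name__ == "__main__":
    print(audit(token_roles(SAMPLE_TOKEN)))
```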
Connector Configuration
Basic Details
- Log in to Qualys CSAM.
- Navigate to Connectors and locate the Microsoft Entra ID Connector.
- Click Manage.
- Provide a connector name and description.
- Enter Tenant ID, Client ID, and Client Secret.
- The Assets value is set to Identity by default.

Schedule
Schedules control connector execution. Configure when and what type of assets should be ingested as part of the connection process.

Review and Confirm
Review the configuration and click Create.
How Does the Connection Work?
The Microsoft Entra ID Connector synchronizes Users, Groups, and Roles from Entra ID into the CSAM Identity inventory. Synchronization runs either on a defined recurring schedule or on an on-demand schedule. Profiles control which identity objects are imported and the frequency of synchronization.
When the connector is created and run for the first time, it performs a Full Pull. This retrieves all Users, Groups, and Roles from Microsoft Entra ID and imports them into the inventory, establishing the initial baseline.
Recurring Delta Pulls:
After the initial run, all scheduled synchronizations run as Delta Pulls. A Delta Pull retrieves only the changes since the previous synchronization. However, the behavior differs for Roles:
- Users and Groups return only changed data.
- Roles are retrieved in full every time, and they are included in both Delta Pull and Baseline executions.
Delta Pulls run at every scheduled interval and continue until the configured Schedule End DateTime.
Baseline Full Pull Schedule:
In addition to the initial Full Pull, the connector can be configured to run periodic Full Pulls based on the Baseline Schedule.
For example, if the Baseline Schedule is set to Weekly, the connector performs a Full Pull once every week until the configured Schedule End DateTime is reached. This ensures that large-scale directory changes are periodically reconciled.
Note:
- The first execution always performs a Full Pull.
- Delta Pulls run at each scheduled interval after the initial execution.
- Roles are always fetched through Full Pull logic (no delta support), but still retrieved during both Delta and Baseline runs.
- Baseline Full Pulls run at the frequency defined in the Profile (e.g., weekly, fortnightly, triweekly or monthly), until the schedule end time.
In the Connector screen, you can find your newly configured connector listed and marked in the Processed state.
Connector States
A successfully configured connector goes through 4 states.
- Registered - The connector is successfully created and registered to fetch data from the vendor.
- Scheduled - The connector is scheduled to execute a connection with the vendor.
- Processing - A connection is executed and the connector is fetching the asset identity data.
- Processed - The connector has successfully fetched the assets. Allow some more time for the connector to fetch the identity data completely.
The Processed state indicates that the connector is successfully configured but is still in the process of importing all your assets. This process may take some time.
Viewing Identity Assets in CSAM
- Navigate to CSAM > Inventory.
- Go to Assets to view imported Entra ID assets.
Inventory > Identity > Group/User/Role Identity
Group Identity Assets

User Identity Assets

Role Identity Assets
Microsoft Entra ID Transformation Maps
Groups - Transformation Map
Transformation map used while transforming source Groups data.
| Source Field | Target Field |
|---|---|
| id | asset.assetHeader.externalAssetId |
| id | asset.assetHeader.vendorAssetId |
| displayName | asset.assetDetail.name |
| id | asset.assetDetail.groupAssetClass.id |
| displayName | asset.assetDetail.groupAssetClass.name |
| displayName | asset.assetDetail.groupAssetClass.displayName |
| visibility | asset.assetDetail.groupAssetClass.visibility |
| description | asset.assetDetail.groupAssetClass.description |
| appRoleAssignments.value[].id | asset.assetDetail.groupAssetClass.permissions[].id |
| appRoleAssignments.value[].principalDisplayName | asset.assetDetail.groupAssetClass.permissions[].name |
| appRoleAssignments.value[].resourceDisplayName | asset.assetDetail.groupAssetClass.permissions[].resource |
| memberOf.value[].id | asset.assetRelations[].assetHeader.externalAssetId |
| memberOf.value[].id | asset.assetRelations[].assetHeader.vendorAssetId |
| memberOf.value[].displayName | asset.assetRelations[].assetDetail.name |
| memberOf.value[].id | asset.assetRelations[].assetDetail.roleAssetClass.id |
| memberOf.value[].description | asset.assetRelations[].assetDetail.roleAssetClass.description |
| memberOf.value[].displayName | asset.assetRelations[].assetDetail.roleAssetClass.displayName |
| memberOf.value[].displayName | asset.assetRelations[].assetDetail.roleAssetClass.name |
Users - Transformation Map
Transformation map used while transforming source Users data.
| Source Field | Target Field |
|---|---|
| userPrincipalName | asset.assetHeader.externalAssetId |
| id | asset.assetHeader.vendorAssetId |
| FUNCTION_PICKER (accountEnabled) | asset.assetHeader.status (ACTIVE if true) (INACTIVE if false) (UNKNOWN if field is not present) |
| id | asset.assetDetail.userAssetClass.id |
| displayName | asset.assetDetail.userAssetClass.name |
| displayName | asset.assetDetail.name |
| FUNCTION_PICKER (LOOKUP on accountEnabled) | asset.assetDetail.userAssetClass.status (ACTIVE if true) (INACTIVE if false) (UNKNOWN if field is not present) |
|  | asset.assetDetail.userAssetClass.email |
| givenName | asset.assetDetail.userAssetClass.firstName |
| surname | asset.assetDetail.userAssetClass.lastName |
| displayName | asset.assetDetail.userAssetClass.displayName |
| mobilePhone | asset.assetDetail.userAssetClass.phone |
| jobTitle | asset.assetDetail.userAssetClass.jobTitle |
| lastPasswordChangeDateTime | asset.assetDetail.userAssetClass.passwordLastChangedAt |
| streetAddress | asset.assetDetail.userAssetClass.currentAddress.streetAddress |
| state | asset.assetDetail.userAssetClass.currentAddress.state |
| city | asset.assetDetail.userAssetClass.currentAddress.city |
| country | asset.assetDetail.userAssetClass.currentAddress.country |
| postalCode | asset.assetDetail.userAssetClass.currentAddress.isoCode |
| appRoleAssignments.value[].id | asset.assetDetail.userAssetClass.permissions[].id |
| appRoleAssignments.value[].principalDisplayName | asset.assetDetail.userAssetClass.permissions[].name |
| appRoleAssignments.value[].resourceDisplayName | asset.assetDetail.userAssetClass.permissions[].resource |
| memberOf.value[].id | asset.assetRelations[].assetHeader.externalAssetId |
| memberOf.value[].id | asset.assetRelations[].assetHeader.vendorAssetId |
| memberOf.value[].uniqueName | asset.assetRelations[].assetHeader.name |
| memberOf.value[].id | asset.assetRelations[].assetDetail.groupAssetClass.id |
| memberOf.value[].uniqueName | asset.assetRelations[].assetDetail.groupAssetClass.name |
| memberOf.value[].displayName | asset.assetRelations[].assetDetail.groupAssetClass.displayName |
| memberOf.value[].visibility | asset.assetRelations[].assetDetail.groupAssetClass.visibility |
| memberOf.value[].description | asset.assetRelations[].assetDetail.groupAssetClass.description |
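To make the Users map concrete, the following added example (not Qualys code) applies a subset of its rows to a constructed source record, including the `accountEnabled` status rule and the `[]` list mappings. The helper names, the sample record and the treatment of a null `accountEnabled` as "not present" are assumptions of this example.

```python
# Added example, not Qualys code: applies rows of this page's Users map to a constructed record.
SCALAR_MAP = [  # (source field, target field), copied from the table above
    ("userPrincipalName", "asset.assetHeader.externalAssetId"),
    ("id", "asset.assetHeader.vendorAssetId"),
    ("displayName", "asset.assetDetail.name"),
    ("jobTitle", "asset.assetDetail.userAssetClass.jobTitle")]
LIST_MAP = {  # source list -> (target list, {source key: target sub-path})
    "appRoleAssignments.value": ("asset.assetDetail.userAssetClass.permissions",
        {"id": "id", "principalDisplayName": "name", "resourceDisplayName": "resource"}),
    "memberOf.value": ("asset.assetRelations",
        {"id": "assetHeader.externalAssetId", "displayName": "assetDetail.groupAssetClass.displayName"})}

def get_path(obj, path):  # follow a dotted path; None when any segment is missing
    for key in path.split("."):
        obj = obj.get(key) if isinstance(obj, dict) else None
    return obj

def set_path(obj, path, value):  # create intermediate dicts, then set the leaf
    *parents, leaf = path.split(".")
    for key in parents:
        obj = obj.setdefault(key, {})
    obj[leaf] = value

def account_status(user):  # ACTIVE if true, INACTIVE if false, UNKNOWN if absent or null
    return {True: "ACTIVE", False: "INACTIVE"}.get(user.get("accountEnabled"), "UNKNOWN")

def transform_user(user):
    out = {}
    for src, dst in SCALAR_MAP:
        if (value := get_path(user, src)) is not None:
            set_path(out, dst, value)
    for dst in ("asset.assetHeader.status", "asset.assetDetail.userAssetClass.status"):
        set_path(out, dst, account_status(user))
    for src, (dst, fields) in LIST_MAP.items():
        items = []
        for entry in get_path(user, src) or []:
            item = {}
            for key, sub in fields.items():
                if entry.get(key) is not None:
                    set_path(item, sub, entry[key])
            items.append(item)
        set_path(out, dst, items)
    return out

SAMPLE_USER = {  # constructed input, shaped after the map's source paths
    "id": "u-001", "userPrincipalName": "alice@example.test", "displayName": "Alice",
    "accountEnabled": False, "memberOf": {"value": [{"id": "g-9", "displayName": "Admins"}]},
    "appRoleAssignments": {"value": [
        {"id": "a-1", "principalDisplayName": "Alice", "resourceDisplayName": "Example App"}]}}
```

The sample is a disabled account that still holds a group membership and an app role assignment, which is the kind of record the INACTIVE status makes visible in the inventory.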
Roles - Transformation Map
Transformation map used while transforming source Roles data.
| Source Field | Target Field |
|---|---|
| id | asset.assetHeader.externalAssetId |
| id | asset.assetHeader.vendorAssetId |
| FUNCTION_PICKER (LOOKUP on accountEnabled) | asset.assetHeader.status (ACTIVE if true) (UNKNOWN if false or field is not present) |
| displayName | asset.assetDetail.name |
| id | asset.assetDetail.roleAssetClass.id |
| displayName | asset.assetDetail.roleAssetClass.name |
| displayName | asset.assetDetail.roleAssetClass.displayName |
| description | asset.assetDetail.roleAssetClass.description |
API Endpoints
| API | Endpoint |
|---|---|
| Authorization | https://login.microsoftonline.com/{tenant_id}/oauth2/token |
| Users | https://graph.microsoft.com/v1.0/users |
| Groups | https://graph.microsoft.com/v1.0/groups |
| Roles | https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions |