Microsoft Entra ID
The Microsoft Entra ID Connector integrates identity data from Microsoft's cloud directory into Qualys CSAM/ETM Identity, enabling security teams to maintain a centralized inventory of users, groups, and roles across their organization. By synchronizing identity assets into the Unified Asset Inventory, security practitioners gain visibility into who has access to what resources and can correlate identity information with other security asset data. The connector supports delta pulls for efficient updates after the initial full synchronization, reducing the overhead of continuous identity reconciliation. This unified view helps security teams identify access control risks, enforce principle of least privilege, and respond more effectively to identity-related threats in hybrid and cloud-native environments.
Connector Details
| Vendor | Microsoft |
| Product Name | Microsoft Entra ID |
| Category | IAM |
| Findings Supported | Not Supported |
| Asset Types Supported | Users, Groups, Roles (Identity) |
| Version | 1.0.0 |
| Integration Type | Cloud |
| Direction | Unidirectional (Microsoft Entra ID to Qualys) |
| Delta Support | Supported |
Connection Settings
Authentication Details
Provide the following credentials when configuring the connector:
| Name | Key | Type |
|---|---|---|
| Tenant ID | tenantId | String |
| Client ID | clientId | String |
| Client Secret | clientSecret | Encrypted |
Required Permissions
| Entity | Least Permissions |
|---|---|
|
Groups |
Directory.Read.All |
|
Users |
User.Read.All, User.Read |
|
Roles |
Directory.Read.All, RoleEligibilitySchedule.Read.Directory |
|
Service Principal |
Directory.Read.All |
|
Applications |
Directory.Read.All |
|
Tenant |
Directory.Read.All, Policy.Read.All |
Connector Configuration
Basic Details
- Log in to Qualys CSAM.
- Navigate to Connectors and locate Microsoft Entra ID Connector.
- Click Manage.
- Provide the connector name and description.
- Enter Tenant ID, Client ID, and Client Secret.
Schedule
Schedules control the execution of the connector.
- Select Baseline Schedule which has following options: weekly, fortnightly, triweekly or Monthly
- Configure a Schedule: Single Occurrence or Recurring with start and end dates/times.
-
Assets value is available in two options: "Identity only" and "Identities with Security Posture."
- For CSAM/ETM-listed objects (Groups, Users, and Roles Identity), select "Identity only."
- Select "Identities with Security Posture" ,to retrieve Groups, Users, Role identities, Service Principals, Applications, and the Tenant. select "Identities with Security Posture" to see ISPM-related features.
- Click Next.
Review and Confirm
Review the configuration and click Create.
How Does the Connection Work?
The Microsoft Entra ID Connector synchronizes Users, Groups, and Roles from Entra ID into the CSAM Identity inventory. Synchronization runs either on a defined recurring schedule or on-demand schedule. Profiles control what identity objects are imported and the frequency of synchronization.
When the connector is created and run for the first time, it performs a Full Pull. This retrieves all Users, Groups, and Roles from Microsoft Entra ID and imports them into the inventory, establishing the initial baseline.
Recurring Delta Pulls:
After the initial run, all scheduled synchronizations run as Delta Pulls. A Delta Pull retrieves only the changes since the previous synchronization. However, the behavior differs for Roles:
- Users and Groups return only changed data.
- Roles are retrieved entirely every time, but they are still included in both Delta Pull and Baseline executions.
Delta Pulls run at every scheduled interval and continue until the configured Schedule End DateTime.
Baseline Full Pull Schedule:
In addition to the initial Full Pull, the connector can be configured to run periodic Full Pulls based on the Baseline Schedule.
For example, if the Baseline Schedule is set to Weekly, the connector performs a Full Pull once every week until the configured Schedule End Datetime is reached. This ensures that large-scale directory changes are periodically reconciled.
Note:
- The first execution always performs a Full Pull.
- Delta Pulls run at each scheduled interval after the initial execution.
- Roles are always fetched through Full Pull logic (no delta support), but still retrieved during both Delta and Baseline runs.
- Baseline Full Pulls run at the frequency defined in the Profile (e.g., weekly, fortnightly, Triweekly or Monthly), until the schedule end time.
In the Connector screen, you can find your newly configured connector listed and marked in the Processed state.
Connector States
A successfully configured connector goes through 4 states.
- Registered - The connector is successfully created and registered to fetch data from the vendor.
- Scheduled - The connector is scheduled to execute a connection with the vendor.
- Processing - A connection is executed and the connector is fetching the asset identity data.
- Processed - The connector has successfully fetched the assets. Wait a bit longer for the connector to fetch the identity data completely.
-
Partially Processed - The connector has fetched some of the assets data, but it couldn’t fetch the remaining data due to missing required permissions or errors while pulling specific objects. Check the Logs tab for the exact error details.
The Processed state indicates that the Connector is successfully configured but it is under the process of importing all your assets. This process may take some time.
View Identity Assets in ETM/ETM Identity
View in CSAM/ETMView in CSAM/ETM
- Navigate to CSAM/ETM > Inventory.
- Go to Assets to view imported Entra ID assets.
Inventory > Identity > Group/User/Role Identity
Group Identity Assets
User Identity Assets
Role Identity Assets
- Go to Assets to view imported Entra ID assets.
View in ETM IdentityView in ETM Identity
- Navigate to ETM Identity > Inventory.
- Go to Assets to view imported Entra ID assets.
Inventory > Identity > Group/User/Role Identity
Group Identity Assets
User Identity Assets
Role Identity Assets
- Go to Assets to view imported Entra ID assets.
Microsoft Entra ID Transformation Maps
Groups - Transformation Map
Transformation map used while transforming source Groups data.
|
Source Field |
Target Field |
|---|---|
|
id |
asset.assetHeader.externalAssetId |
|
id |
asset.assetHeader.vendorAssetId |
|
displayName |
asset.assetDetail.name |
|
id |
asset.assetDetail.groupAssetClass.id |
|
displayName |
asset.assetDetail.groupAssetClass.name |
|
displayName |
asset.assetDetail.groupAssetClass.displayName |
|
visibility |
asset.assetDetail.groupAssetClass.visibility |
|
description |
asset.assetDetail.groupAssetClass.description |
|
appRoleAssignments.value[].id |
asset.assetDetail.groupAssetClass.permissions[].id |
|
appRoleAssignments.value[].principalDisplayName |
asset.assetDetail.groupAssetClass.permissions[].name |
|
appRoleAssignments.value[].resourceDisplayName |
asset.assetDetail.groupAssetClass.permissions[].resource |
|
memberOf.value[].id |
asset.assetRelations[].assetHeader.externalAssetId |
|
memberOf.value[].id |
asset.assetRelations[].assetHeader.vendorAssetId |
|
memberOf.value[].displayName |
asset.assetRelations[].assetDetail.name |
|
memberOf.value[].id |
asset.assetRelations[].assetDetail.roleAssetClass.id |
|
memberOf.value[].description |
asset.assetRelations[].assetDetail.roleAssetClass.description |
|
memberOf.value[].displayName |
asset.assetRelations[].assetDetail.roleAssetClass.displayName |
|
memberOf.value[].displayName |
asset.assetRelations[].assetDetail.roleAssetClass.name |
| securityIdentifier | asset.assetDetail.typedAttributes.entraGroupSecurityIdentifier |
| securityEnabled | asset.assetDetail.untypedAttributes.entraGroupSecurityEnabled |
Users - Transformation Map
Transformation map used while transforming source Users data.
|
Source Field |
Target Field |
|---|---|
|
userPrincipalName |
asset.assetHeader.externalAssetId |
|
id |
asset.assetHeader.vendorAssetId |
|
FUNCTION_PICKER (accountEnabled) |
asset.assetHeader.status (ACTIVE if true) (INACTIVE if false) (UNKNOWN if field is not present) |
|
id |
asset.assetDetail.userAssetClass.id |
|
displayName |
asset.assetDetail.userAssetClass.name |
|
displayName |
asset.assetDetail.name |
|
FUNCTION_PICKER (LOOKUP on accountEnabled) |
asset.assetDetail.userAssetClass.status (ACTIVE if true) (INACTIVE if false) (UNKNOWN if field is not present) |
|
|
asset.assetDetail.userAssetClass.email |
|
givenName |
asset.assetDetail.userAssetClass.firstName |
|
surname |
asset.assetDetail.userAssetClass.lastName |
|
displayName |
asset.assetDetail.userAssetClass.displayName |
|
mobilePhone |
asset.assetDetail.userAssetClass.phone |
|
jobTitle |
asset.assetDetail.userAssetClass.jobTitle |
|
lastPasswordChangeDateTime |
asset.assetDetail.userAssetClass.passwordLastChangedAt |
|
streetAddress |
asset.assetDetail.userAssetClass.currentAddress.streetAddress |
|
state |
asset.assetDetail.userAssetClass.currentAddress.state |
|
city |
asset.assetDetail.userAssetClass.currentAddress.city |
|
country |
asset.assetDetail.userAssetClass.currentAddress.country |
|
postalCode |
asset.assetDetail.userAssetClass.currentAddress.isoCode |
|
appRoleAssignments.value[].id |
asset.assetDetail.userAssetClass.permissions[].id |
|
appRoleAssignments.value[].principalDisplayName |
asset.assetDetail.userAssetClass.permissions[].name |
|
appRoleAssignments.value[].resourceDisplayName |
asset.assetDetail.userAssetClass.permissions[].resource |
|
memberOf.value[].id |
asset.assetRelations[].assetHeader.externalAssetId |
|
memberOf.value[].id |
asset.assetRelations[].assetHeader.vendorAssetId |
|
memberOf.value[].uniqueName |
asset.assetRelations[].assetHeader.name |
|
memberOf.value[].id |
asset.assetRelations[].assetDetail.groupAssetClass.id |
|
memberOf.value[].uniqueName |
asset.assetRelations[].assetDetail.groupAssetClass.name |
|
memberOf.value[].displayName |
asset.assetRelations[].assetDetail.groupAssetClass.displayName |
|
memberOf.value[].visibility |
asset.assetRelations[].assetDetail.groupAssetClass.visibility |
|
memberOf.value[].description |
asset.assetRelations[].assetDetail.groupAssetClass.description |
| accountEnabled | asset.assetDetail.untypedAttributes.entraUserAccountEnabled |
| department | asset.assetDetail.typedAttributes.entraUserDepartment |
Roles - Transformation Map
Transformation map used while transforming source Roles data.
|
Source Field |
Target Field |
|---|---|
|
id |
asset.assetHeader.externalAssetId |
|
id |
asset.assetHeader.vendorAssetId |
|
FUNCTION_PICKER (LOOKUP on accountEnabled) |
asset.assetHeader.status (ACTIVE if true) (UNKNOWN if false or field is not present) |
|
displayName |
asset.assetDetail.name |
|
id |
asset.assetDetail.roleAssetClass.id |
|
displayName |
asset.assetDetail.roleAssetClass.name |
|
displayName |
asset.assetDetail.roleAssetClass.displayName |
|
description |
asset.assetDetail.roleAssetClass.description |
| resourceScopes | asset.assetDetail.roleAssetClass.resourceScopes |
| templateId | asset.assetDetail.typedAttributes.entraRoleTemplateId |
Additional Transformation Maps for ETM Identity (ISPM)
Tenant - Transformation Map
|
Source Field |
Target Field |
|---|---|
| * | thirdPartyObject.content.& |
Applications - Transformation Map
|
Source Field |
Target Field |
|---|---|
| * | thirdPartyObject.content.& |
Service Principal- Transformation Map
|
Source Field |
Target Field |
|---|---|
| * | thirdPartyObject.content.& |
API Endpoints
| API | Endpoint |
|---|---|
| Authorization | https://login.microsoftonline.com/{tenant_id}/oauth2/token |
| Users |
|
| Groups |
|
| Roles | https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions |
| Applications | https://graph.microsoft.com/v1.0/applications |
| Tenant | https://graph.microsoft.com/v1.0/organization |
| Service Principal |
List Service Principal Service Principal AppRoleAssignedTo Service principal approleAssignments |