Quick Answer
Microsoft Entra ID integration currently requires tenant-wide Microsoft Graph application permissions (User.Read.All and GroupMember.Read.All) to read users and group membership. The access is read-only, but it cannot be scoped to the groups selected for sync, which some enterprise security teams flag during review.
Overview
Pinnacle Series reads user and group data from Microsoft Entra ID through Microsoft Graph application permissions. Those permissions enable user and group synchronization (the Sync Overview and Sync Now workflows), are granted by an Entra ID administrator through admin consent during setup, and are relevant to the IT administrators who configure the integration and to the security teams who review what the application can access.
Key Concepts
Microsoft Entra ID
Microsoft Entra ID is Microsoft’s cloud identity and access management service. It stores organizational user and group information and is commonly used to manage access to business applications.
Microsoft Graph
Microsoft Graph is the Microsoft API used to read and interact with data in Microsoft 365 and Microsoft Entra ID. In this integration, it is used to access the directory information needed for user and group synchronization.
Application Permission
An application permission allows a connected application to access data at the organizational level, without a signed-in user, after an administrator grants consent. These permissions are used when the integration needs directory data independently of any single user session.
Admin Consent
Admin consent is the approval an Entra ID administrator gives to allow an application to use requested permissions on behalf of the organization. This is required before the integration can read the directory data it depends on.
User.Read.All
User.Read.All is a Microsoft Graph permission that allows the application to read profile information for users in the tenant. This is used to retrieve the user records needed for provisioning and synchronization workflows.
GroupMember.Read.All
GroupMember.Read.All is a Microsoft Graph permission that allows the application to read the membership of all groups in the tenant. This is used to determine which users belong to the groups configured for synchronization.
Tenant-Wide Permission
A tenant-wide permission applies across the customer’s Microsoft Entra ID environment rather than being limited to one selected group or subset of users. This matters because some enterprise organizations prefer tightly scoped access aligned with least-privilege principles.
Least Privilege
Least privilege is a security principle that means a system should only receive the minimum access required to perform its function. This concept often comes up during enterprise security reviews when broad directory permissions are required.
How it Works
During setup, an administrator grants Microsoft Graph permissions to Pinnacle Series using admin consent. This allows the platform to read user and group data from Microsoft Entra ID.
Once granted, the integration can:
- Retrieve users from the directory
- Retrieve group membership information
- Support Sync Overview and Sync Now workflows
The integration reads this data to determine which users and groups are available for synchronization. It does not create, modify, or delete users in Microsoft Entra ID.
Because the permissions apply at the tenant level, the integration can read the whole directory. Selecting specific groups for sync within the platform narrows what is synchronized, not what the application is able to read.
Limits and Constraints
- The integration requires Microsoft Graph application permissions. Required permissions include:
  - User.Read.All
  - GroupMember.Read.All
- Permissions are granted at the tenant level and cannot be scoped to a single group.
- Admin consent is required before the integration can be used.
- The integration has read-only access to directory data.
- Some enterprise security teams may reject tenant-wide permissions based on internal IAM or least-privilege policies.
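A security reviewer will typically compare what was actually consented against the two permissions listed above, and confirm that nothing in the consented set can write to the directory. The following Python script is an added example and is not part of Pinnacle Series or of this article. It takes the permission names as they appear on the enterprise application's Permissions page in the Entra admin center (the lists below are constructed, not exported from a real tenant) and reports anything missing from, or beyond, the documented read-only set. The split of a permission name into resource, operation and constraint assumes the `Resource.Operation[.Constraint]` naming convention Graph uses and is a simplification.

```python
"""Audit the Microsoft Graph application permissions consented to an
integration against the documented read-only set.

Added example; not part of Pinnacle Series. Input is the list of
permission names (e.g. "User.Read.All") as shown on the enterprise
application's Permissions page in the Entra admin center. The sample
lists at the bottom are constructed, not exported from a real tenant.
"""
from dataclasses import dataclass

# The two permissions this article documents as required.
REQUIRED = frozenset({"User.Read.All", "GroupMember.Read.All"})

# Constraint suffixes used in Graph permission names. "All" means the
# permission applies across the whole tenant; "Selected" means access is
# limited to specific resources (as in Sites.Selected).
CONSTRAINTS = {"All", "Selected"}

# Operation words that imply the permission can change data.
WRITE_MARKERS = ("Write", "Manage", "Send", "Create", "Delete", "Invite")


@dataclass(frozen=True)
class Permission:
    value: str
    resource: str
    operation: str
    constraint: str

    @property
    def read_only(self) -> bool:
        # Only operations that start with "Read" and contain no write
        # marker (so "ReadWrite" fails) count as read-only. Anything the
        # parser cannot classify (e.g. an empty operation) is not assumed safe.
        return self.operation.startswith("Read") and not any(
            marker in self.operation for marker in WRITE_MARKERS
        )

    @property
    def tenant_wide(self) -> bool:
        return self.constraint == "All"


def parse_permission(value: str) -> Permission:
    """Split a Graph permission name into resource, operation, constraint.

    Assumes the Resource.Operation[.Constraint] convention:
    "User.Read.All" -> ("User", "Read", "All"), "Mail.Send" ->
    ("Mail", "Send", ""), "Sites.Selected" -> ("Sites", "", "Selected").
    """
    parts = value.split(".")
    resource = parts[0]
    rest = parts[1:]
    constraint = ""
    if rest and rest[-1] in CONSTRAINTS:
        constraint = rest.pop()
    operation = ".".join(rest)
    return Permission(value, resource, operation, constraint)


def audit(granted, required=REQUIRED) -> dict:
    """Compare consented permissions with the documented set.

    Returns: permissions documented but not granted (sync will fail),
    permissions granted beyond the documented set (over-consent),
    granted permissions that are not read-only, and granted permissions
    that apply tenant-wide.
    """
    granted = set(granted)
    perms = [parse_permission(v) for v in sorted(granted)]
    return {
        "missing": sorted(required - granted),
        "unexpected": sorted(granted - required),
        "write": [p.value for p in perms if not p.read_only],
        "tenant_wide": [p.value for p in perms if p.tenant_wide],
    }


# Constructed sample consents: the documented set, and an over-consented
# variant where an admin also granted a broad write permission.
AS_DOCUMENTED = ["User.Read.All", "GroupMember.Read.All"]
OVER_CONSENTED = ["User.Read.All", "GroupMember.Read.All", "Directory.ReadWrite.All"]

if __name__ == "__main__":
    for name, grants in (("documented", AS_DOCUMENTED), ("over-consented", OVER_CONSENTED)):
        print(f"{name}: {audit(grants)}")
```

Running the script against the documented set reports no missing, unexpected or write permissions but lists both as tenant-wide, which is exactly the point a least-privilege review will raise; the over-consented variant additionally reports Directory.ReadWrite.All as both unexpected and writable, and that is the case where consent should be revoked and re-granted with only the documented permissions.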
Common Questions
Why does the integration require Microsoft Graph permissions?
The integration needs to read user and group data from Microsoft Entra ID so administrators can configure and run synchronization processes.
Can these permissions be limited to a specific group?
No. The required Microsoft Graph permissions are granted at the tenant level and cannot be scoped to a single group.
Does this integration modify data in Microsoft Entra ID?
No. The integration uses read-only access to retrieve user and group information and does not create, update, or delete directory objects.
Why might a security team reject these permissions?
Some organizations require tightly scoped access based on least-privilege principles. Tenant-wide permissions may be flagged during security reviews, even when access is read-only.