Connecting Microsoft Entra ID (Directory Sync)

8 min read · Intermediate · Last updated: January 2, 2026

Overview

Microsoft Entra ID Directory Sync connects UniAsset to your company's Microsoft Entra ID (formerly Azure Active Directory) tenant. Once connected, your directory becomes the source of truth for user access — enabling bulk import, automatic provisioning, group-to-role mapping, and nightly deprovisioning of leavers.

Plan required: Enterprise

Prerequisites

Before connecting, confirm you have:

  • An active Microsoft Entra ID (Azure AD) tenant
  • A UniAsset account on the Enterprise plan
  • A Microsoft account with Global Administrator rights in your Entra tenant, or permission to grant admin consent to third-party applications
  • Owner or Admin role in UniAsset

⚠️ WARNING: The connection step requires granting admin consent in Azure. This must be done by a user with Global Admin rights in your Entra tenant. If you don't have those rights, ask your Azure administrator to complete this step.

Connecting Your Entra ID Tenant

Step 1: Open the Integrations Settings

  1. Log in to UniAsset as an Owner or Admin
  2. Click Settings in the left sidebar
  3. Select the Integrations tab
  4. Click Microsoft Entra ID

Step 2: Start the Connection Flow

  1. Click Connect Entra ID
  2. You are redirected to the Microsoft login page

Step 3: Authorize UniAsset in Microsoft

  1. Sign in with your Global Admin account
  2. Review the permissions UniAsset is requesting:
    • User.Read.All — read user accounts in your directory
    • Group.Read.All — read group membership
  3. Click Accept to grant admin consent

💡 TIP: These are read-only permissions. UniAsset reads from your directory but never writes to it.

Step 4: Confirm the Connection

After authorizing:

  1. You are redirected back to UniAsset
  2. The Integrations page shows your connected tenant name and verified domain
  3. The connection status shows Connected

Your verified domain (e.g., yourcompany.com) is stored and used to match users signing in with Microsoft SSO.

What You Can Configure After Connecting

Once connected, three features become available under the Entra ID integration settings:

| Feature | What it does |
|---|---|
| Auto-provision users | Users from your verified domain can sign in without an invitation |
| Auto-deprovision sync | Nightly sync deactivates users whose Entra accounts are disabled |
| Group → Role mapping | Entra group membership determines UniAsset roles at sign-in |

Each feature has its own toggle and can be enabled or disabled independently.

See the related articles below for step-by-step guides on each feature.

Security Details

Permissions: The integration uses read-only Microsoft Graph API permissions — User.Read.All and Group.Read.All. UniAsset cannot modify your directory.

Token storage: OAuth access tokens are encrypted at rest. Tokens are used only to query the Graph API on your behalf.

Domain verification: The verified domain recorded at connection time is used to scope auto-provisioning. Only users with email addresses matching that domain are auto-provisioned.
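
To check the read-only permission set described above against your own tenant, the following added example (not UniAsset code) compares what the enterprise application's service principal has actually been granted with the two permissions this article lists. It assumes you have exported the service principal's appRoleAssignments and oauth2PermissionGrants, plus the Microsoft Graph service principal's appRoles, as JSON; the sample data, GUIDs and function names are constructed for illustration.

```python
# Added example: audit an Entra enterprise app's granted Graph permissions.
# All sample data and GUIDs below are constructed, not taken from a real tenant.

DOCUMENTED = {"User.Read.All", "Group.Read.All"}  # permissions named in this article

# Shaped like the Microsoft Graph service principal's "appRoles" collection.
GRAPH_APP_ROLES = [
    {"id": "00000000-0000-0000-0000-000000000001", "value": "User.Read.All"},
    {"id": "00000000-0000-0000-0000-000000000002", "value": "Group.Read.All"},
    {"id": "00000000-0000-0000-0000-000000000003", "value": "Directory.ReadWrite.All"},
]
# Shaped like GET /servicePrincipals/{id}/appRoleAssignments (application permissions).
SAMPLE_ASSIGNMENTS = [
    {"appRoleId": "00000000-0000-0000-0000-000000000001"},
    {"appRoleId": "00000000-0000-0000-0000-000000000003"},
]
# Shaped like GET /servicePrincipals/{id}/oauth2PermissionGrants (delegated permissions).
SAMPLE_GRANTS = [{"consentType": "AllPrincipals", "scope": " User.Read.All Group.Read.All"}]


def granted_permissions(app_roles, assignments, grants):
    """Return a set of (kind, permission) pairs actually granted to the app."""
    names = {role["id"]: role["value"] for role in app_roles}
    granted = set()
    for a in assignments:
        # An unmapped ID is kept and reported rather than silently dropped.
        granted.add(("application", names.get(a["appRoleId"], "unknown:" + a["appRoleId"])))
    for g in grants:
        for scope in g.get("scope", "").split():  # scope is a space-delimited string
            granted.add(("delegated", scope))
    return granted


def audit(app_roles, assignments, grants, allowed=DOCUMENTED):
    """Compare granted permissions with the documented set."""
    granted = granted_permissions(app_roles, assignments, grants)
    return {
        "unexpected": sorted(p for p in granted if p[1] not in allowed),
        "missing": sorted(allowed - {name for _, name in granted}),
    }


if __name__ == "__main__":
    report = audit(GRAPH_APP_ROLES, SAMPLE_ASSIGNMENTS, SAMPLE_GRANTS)
    for kind, name in report["unexpected"]:
        print(f"REVIEW: {kind} permission {name} is beyond the documented set")
    print("missing:", report["missing"] or "none")
```

Running the same comparison on a schedule, and again after any re-consent, shows whether the grant has drifted from what was approved at connection time.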

Disconnecting Entra ID

To remove the integration:

  1. Go to Settings → Integrations → Microsoft Entra ID
  2. Click Disconnect
  3. Confirm the action

⚠️ WARNING: Disconnecting removes the stored token and domain. Auto-provisioning, auto-deprovisioning, and group mapping will stop immediately. Existing users are not removed — they retain their accounts and roles, but will no longer be subject to directory sync. If those users sign in with Microsoft SSO, they will still be able to log in as long as their UniAsset account is active.

Troubleshooting

"Admin consent required" error during connection

The account used to authorize does not have Global Admin rights in the Entra tenant.

Solution:

  • Ask a Global Admin in your organization to complete the connection step
  • Or ask your Azure administrator to pre-approve admin consent for the UniAsset application

Connection shows as failed after authorization

Possible causes:

  • The authorization was cancelled before completing
  • The Microsoft account used does not have permission to consent

Solution:

  1. Return to Settings → Integrations → Microsoft Entra ID
  2. Click Connect Entra ID again and complete the full authorization flow

Tenant name or domain not showing after connection

Solution:

  1. Refresh the Integrations page
  2. If the tenant details are still missing, disconnect and reconnect
  3. Contact support@uniasset.app if the issue persists

Related Articles

Need Help?

For assistance connecting your Entra ID tenant, contact support at support@uniasset.app. Include your tenant domain and a description of any error messages you see.
