Microsoft 365 / Entra ID
Connect Microsoft 365 to sync your Entra ID (Azure AD) directory into ConcertoGRC. The integration auto-populates and maintains your personnel directory, detects MFA status, inventories enterprise applications, and generates compliance evidence reports.
What You Get
Personnel Directory
- User sync -- All Entra ID users are synced to AccessPersonnel with name, email, department, job title, and status
- Group sync -- Security groups and distribution lists imported into AccessGroup
- MFA detection -- Per-user MFA enrollment status tracked automatically
- Admin user identification -- Users holding Entra ID directory roles (such as Global Administrator) are flagged
- Auto-escalation -- Users that sync as SUSPENDED (disabled in Entra ID) are automatically escalated to TERMINATED status after a configurable number of days
Enterprise Applications
- App inventory -- Enterprise applications registered in Entra ID are synced to AccessApplication
- Access grants -- OAuth permission grants and app role assignments mapped to AccessGrant records
Evidence Reports (Auto-Generated)
Five compliance reports are automatically generated on each sync cycle:
| Report | Description |
|---|---|
| User Roster | Complete directory listing with department, title, and status |
| MFA Status | Per-user MFA enrollment with method details |
| Admin Users | Users with administrative role assignments |
| Group Membership | Group roster with member counts and nesting |
| Inactive Users | Users with no sign-in activity beyond a configurable threshold |
Setup
One-Click Admin Consent
ConcertoGRC uses Microsoft's admin consent flow for the simplest setup experience.
- Navigate to Integrations in ConcertoGRC
- Find the Microsoft 365 card and click Connect
- Click Grant Admin Consent -- this redirects to Microsoft's consent page
- Sign in with a Microsoft 365 Global Administrator or Privileged Role Administrator account
- Review the requested permissions and click Accept
- You are redirected back to ConcertoGRC with the connection established
Required Permissions (Microsoft Graph API)
The integration requests these Microsoft Graph permissions of the application type, meaning app-only permissions that act as the ConcertoGRC service principal without a signed-in user, so the consent you grant applies tenant-wide:
- User.Read.All -- Read user profiles, department, job title
- Group.Read.All -- Read security groups and membership
- Directory.Read.All -- Read directory roles and admin assignments
- Application.Read.All -- Read enterprise app registrations
- AppRoleAssignment.ReadWrite.All -- Read app role assignments and grants
- AuditLog.Read.All -- Read sign-in activity for inactive user detection
ConcertoGRC only reads from your Entra ID directory and does not write to or modify it. Note, however, that AppRoleAssignment.ReadWrite.All is not a read-only permission: it also allows the application to create and remove app role assignments, so the consent you grant is broader than the integration's use of it. Review the full list on Microsoft's consent page before accepting, and periodically verify what the ConcertoGRC service principal has actually been granted in the Entra admin center (Enterprise Applications → ConcertoGRC → Permissions).
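A small audit script for the verification step above, added here as an example; it is not ConcertoGRC's code. It takes the two objects Microsoft Graph returns for this check, the ConcertoGRC service principal's appRoleAssignments and the Microsoft Graph service principal's appRoles, resolves each granted role ID to its permission name, and reports write-capable and unexpected grants. The endpoint paths in the docstring are real Graph endpoints; the sample lists, role GUIDs and the helper name are constructed placeholders.

```python
"""Added example (not ConcertoGRC's code): check what the consented ConcertoGRC
service principal was actually granted, using the shapes Microsoft Graph returns
for servicePrincipal.appRoles and appRoleAssignment. Live data comes from:
  GET /v1.0/servicePrincipals?$filter=displayName eq 'ConcertoGRC'
  GET /v1.0/servicePrincipals/{id}/appRoleAssignments
  GET /v1.0/servicePrincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000'&$select=appRoles
The objects below are constructed samples with placeholder role GUIDs."""
import re

# Permissions the integration is documented to request.
EXPECTED = {"User.Read.All", "Group.Read.All", "Directory.Read.All",
            "Application.Read.All", "AppRoleAssignment.ReadWrite.All", "AuditLog.Read.All"}
# Permission names that can change tenant state rather than only read it.
WRITE_PATTERN = re.compile(r"ReadWrite|\.Write|Manage|FullControl|Send")


def audit_granted_permissions(assignments, graph_app_roles, expected=EXPECTED):
    """Resolve each appRoleAssignment to a permission name and compare with the expected set.
    Returns granted names, the write-capable subset, and drift (unexpected / missing)."""
    names_by_id = {r["id"]: r["value"] for r in graph_app_roles if r.get("value")}
    granted = set()
    for a in assignments:
        if a.get("resourceDisplayName") == "Microsoft Graph" and a["appRoleId"] in names_by_id:
            granted.add(names_by_id[a["appRoleId"]])
        else:  # a role on another API, or one we could not resolve: surface it rather than drop it
            granted.add(f"{a.get('resourceDisplayName', 'unknown')}:{a['appRoleId']}")
    return {"granted": sorted(granted),
            "write_capable": sorted(p for p in granted if WRITE_PATTERN.search(p)),
            "unexpected": sorted(granted - expected),
            "missing": sorted(expected - granted)}


PLACEHOLDER_ID = "00000000-0000-0000-0000-00000000000{}"  # sample-only GUID pattern, not real role ids
GRAPH_APP_ROLES = [  # constructed subset of Microsoft Graph's appRoles
    {"id": PLACEHOLDER_ID.format(1), "value": "User.Read.All", "allowedMemberTypes": ["Application"]},
    {"id": PLACEHOLDER_ID.format(2), "value": "Group.Read.All", "allowedMemberTypes": ["Application"]},
    {"id": PLACEHOLDER_ID.format(3), "value": "Directory.Read.All", "allowedMemberTypes": ["Application"]},
    {"id": PLACEHOLDER_ID.format(4), "value": "Application.Read.All", "allowedMemberTypes": ["Application"]},
    {"id": PLACEHOLDER_ID.format(5), "value": "AppRoleAssignment.ReadWrite.All", "allowedMemberTypes": ["Application"]},
    {"id": PLACEHOLDER_ID.format(6), "value": "AuditLog.Read.All", "allowedMemberTypes": ["Application"]},
    {"id": PLACEHOLDER_ID.format(7), "value": "Mail.Read", "allowedMemberTypes": ["Application"]},
]
ASSIGNMENTS = [  # constructed appRoleAssignments of the ConcertoGRC service principal after consent
    {"appRoleId": PLACEHOLDER_ID.format(i), "resourceDisplayName": "Microsoft Graph",
     "principalDisplayName": "ConcertoGRC"}
    for i in range(1, 7)
]

if __name__ == "__main__":
    print(audit_granted_permissions(ASSIGNMENTS, GRAPH_APP_ROLES))
```

Against a real tenant, replace the two sample lists with the responses of the Graph queries named in the docstring. `granted` should contain exactly the six permissions listed above, `write_capable` should list only AppRoleAssignment.ReadWrite.All, and `unexpected` should be empty; anything else means the consented scope has drifted from what is documented. After disconnecting, the first query should return no ConcertoGRC service principal at all.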
Sync Behavior
- Frequency: Every 24 hours
- User matching: On initial sync, existing AccessPersonnel records are matched by email address to avoid duplicates
- Field sync policy: Each field has a sync policy -- either IdP-managed (overwritten on sync) or local (preserved). Administrators can configure which fields the IdP controls.
- Status mapping: Entra ID account status maps to platform status (Active → ACTIVE, Disabled → SUSPENDED)
- Delta detection: Only changed records are updated on subsequent syncs
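The rules in this section (e-mail matching, status mapping, field sync policy, delta detection, auto-escalation to TERMINATED, and inactive-user detection from sign-in activity) modelled as a reference implementation. This is an added example, not ConcertoGRC's code: the Graph user property names (`mail`, `userPrincipalName`, `displayName`, `department`, `jobTitle`, `accountEnabled`, `signInActivity.lastSignInDateTime`) are real, while the platform record shape, the `POLICY` dict, case-insensitive e-mail matching, the 30-day default and the sample users are assumptions.

```python
"""Added example (not ConcertoGRC's code): a reference model of the documented sync rules."""
from datetime import datetime, timedelta, timezone
import hashlib
import json

ACTIVE, SUSPENDED, TERMINATED = "ACTIVE", "SUSPENDED", "TERMINATED"
# Assumed field sync policy: "idp" fields are overwritten on sync, "local" fields are preserved.
POLICY = {"name": "idp", "department": "idp", "status": "idp", "job_title": "local"}


def map_status(account_enabled):
    """Entra accountEnabled -> platform status (Active -> ACTIVE, Disabled -> SUSPENDED)."""
    return ACTIVE if account_enabled else SUSPENDED


def normalize_email(addr):
    """Match key; e-mail addresses are compared case-insensitively (assumption)."""
    return (addr or "").strip().lower()


def graph_to_fields(user):
    """Project a Graph user object (real property names) onto platform fields."""
    return {"name": user.get("displayName"), "department": user.get("department"),
            "job_title": user.get("jobTitle"), "status": map_status(user.get("accountEnabled", False))}


def fingerprint(fields, policy):
    """Hash of the IdP-managed fields only: a change in a local field must not trigger an update."""
    managed = {k: v for k, v in fields.items() if policy.get(k) == "idp"}
    return hashlib.sha256(json.dumps(managed, sort_keys=True).encode()).hexdigest()


def reconcile(existing, graph_users, now, policy=POLICY, terminate_after_days=30):
    """existing: {normalized_email: record}. Returns (records, changes); the input is not mutated.
    changes is a list of (action, email) with action in created / updated / terminated."""
    records = {k: dict(v) for k, v in existing.items()}
    changes = []
    for user in graph_users:
        email = normalize_email(user.get("mail") or user.get("userPrincipalName"))
        if not email:
            continue
        incoming = graph_to_fields(user)
        fp = fingerprint(incoming, policy)
        rec = records.get(email)
        if rec is None:                                  # no match by e-mail: create
            rec = records[email] = {"email": email, "idp_fingerprint": None, "suspended_since": None}
            changes.append(("created", email))
        elif rec.get("idp_fingerprint") == fp:           # delta detection: nothing IdP-managed changed
            continue
        else:
            changes.append(("updated", email))
        for key, value in incoming.items():
            if policy.get(key, "idp") == "idp" or key not in rec:   # local fields are filled once, never overwritten
                rec[key] = value
        rec["idp_fingerprint"] = fp
        if rec["status"] == SUSPENDED:                   # remember when the suspension began
            rec["suspended_since"] = rec.get("suspended_since") or now.isoformat()
        else:
            rec["suspended_since"] = None
    for email, rec in records.items():                   # auto-escalation after N days suspended
        since = rec.get("suspended_since")
        if (rec.get("status") == SUSPENDED and since
                and now - datetime.fromisoformat(since) >= timedelta(days=terminate_after_days)):
            rec["status"] = TERMINATED
            changes.append(("terminated", email))
    return records, changes


def inactive_users(graph_users, now, threshold_days=90):
    """Inactive Users report input: no sign-in within the threshold, read from
    signInActivity.lastSignInDateTime (the reason AuditLog.Read.All is requested).
    Users with no recorded sign-in at all count as inactive."""
    out = []
    for u in graph_users:
        last = (u.get("signInActivity") or {}).get("lastSignInDateTime")
        if last is None or now - datetime.fromisoformat(last.replace("Z", "+00:00")) > timedelta(days=threshold_days):
            out.append(u.get("userPrincipalName"))
    return out


# Constructed sample data (not from any real tenant).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
GRAPH_USERS = [
    {"userPrincipalName": "Alice@Example.com", "mail": "Alice@Example.com", "displayName": "Alice Liddell",
     "department": "Engineering", "jobTitle": "Engineer", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2024-05-30T08:00:00Z"}},
    {"userPrincipalName": "bob@example.com", "mail": None, "displayName": "Bob Tables",
     "department": "Sales", "jobTitle": "AE", "accountEnabled": False,
     "signInActivity": {"lastSignInDateTime": "2024-01-15T08:00:00Z"}},
    {"userPrincipalName": "carol@example.com", "mail": "carol@example.com", "displayName": "Carol",
     "department": "Finance", "jobTitle": "Analyst", "accountEnabled": True},
]
EXISTING = {
    # Alice already exists (matched by e-mail); her job title was edited locally and must survive the sync.
    "alice@example.com": {"email": "alice@example.com", "name": "Alice Old", "department": "Eng",
                          "job_title": "Staff Engineer (local edit)", "status": ACTIVE,
                          "idp_fingerprint": None, "suspended_since": None},
    # Bob was disabled in Entra on an earlier sync and has been SUSPENDED for 61 days.
    "bob@example.com": {"email": "bob@example.com", "name": "Bob Tables", "department": "Sales",
                        "job_title": "AE", "status": SUSPENDED, "suspended_since": "2024-04-01T00:00:00+00:00",
                        "idp_fingerprint": fingerprint(graph_to_fields(GRAPH_USERS[1]), POLICY)},
}

if __name__ == "__main__":
    recs, chg = reconcile(EXISTING, GRAPH_USERS, NOW)
    print(chg)  # [('updated', 'alice@example.com'), ('created', 'carol@example.com'), ('terminated', 'bob@example.com')]
    print(inactive_users(GRAPH_USERS, NOW))  # ['bob@example.com', 'carol@example.com']
```

Two design points worth noting. The delta fingerprint covers only IdP-managed fields, so a job-title change in Entra does not touch a locally managed title and does not count as a change; and the TERMINATED status is set by the escalation pass rather than by the status mapping, so a later sync that still sees the account disabled leaves the terminated record alone, while re-enabling the account in Entra changes the fingerprint and returns the user to ACTIVE.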
Disconnecting
Disconnecting the integration in ConcertoGRC deletes the credentials ConcertoGRC stored, but the admin consent in your tenant remains until you remove it. To fully revoke access, also delete the ConcertoGRC enterprise application from the Entra admin center (Enterprise Applications → ConcertoGRC → Properties → Delete); this removes the consented permissions. Access tokens already issued to the application stay valid until they expire (by default roughly an hour).
Disconnecting does not delete previously synced personnel records -- they remain in ConcertoGRC but are no longer updated by sync.