Skip to main content

What Living Security needs

Scopes (Application permissions): Required role: Application Administrator or Global Administrator in Microsoft Entra ID

Prerequisites

  • You must have Application Administrator or Global Administrator access in Microsoft Entra ID to register applications and grant admin consent.

Part A — In Microsoft Entra ID

Your Microsoft Entra ID administrator completes these steps.
1

Register a new application

  1. Sign in to the Microsoft Entra admin center.
  2. In the left navigation, browse to Entra IDApp registrations.
  3. Click New registration.
  4. Enter a meaningful name for the app, such as Living Security Platform.
  5. Under Supported account types, select Accounts in this organizational directory only.
  6. Leave Redirect URI blank — this integration uses the client credentials flow.
  7. Click Register.
After registration, record the following values from the Overview page:
  • Application (client) ID
  • Directory (tenant) ID
2

Add Microsoft Graph application permissions

  1. On your app’s Overview page, click API permissions in the left menu.
  2. Click Add a permission.
  3. Select Microsoft Graph.
  4. Select Application permissions.
  5. Search for and select each permission below, then click Add permissions:
    • User.Read.All
    • SecurityAlert.Read.All
    • AuditLog.Read.All
    • DeviceManagementManagedDevices.Read.All
These are the minimum permissions for all data streams. If you only intend to enable a subset of streams, you can omit permissions for streams you won’t use.
3

Grant admin consent

Application permissions require explicit admin consent.
  1. On the API permissions page, click Grant admin consent for <your tenant name>.
  2. In the confirmation dialog, click Yes.
  3. Verify that every permission shows Granted under the Status column.
If the Grant admin consent button is grayed out, you need Privileged Role Administrator or Global Administrator privileges. Admin consent must be re-granted any time you add new permissions.
4

Create a client secret

  1. On your app’s Overview page, click Certificates & secrets in the left menu.
  2. Click the Client secrets tab, then click New client secret.
  3. Enter a description (e.g., Living Security Platform).
  4. Choose an expiration that matches your rotation policy.
  5. Click Add.
Copy the secret value immediately. Microsoft Entra ID displays the full client secret only once. If you navigate away before copying it, you must delete the secret and create a new one.
Store the secret securely. Set a calendar reminder to rotate it before expiration — an expired secret causes syncs to fail with 401 Unauthorized.
5

Determine the Graph API and Authority hosts

For most organizations on the commercial cloud, use the defaults:For government or sovereign clouds, use the appropriate endpoints for your environment.
The Graph API host and Authority host must match — tokens from one cloud’s authority are not valid for another cloud’s Graph endpoint.

Part B — In the Living Security Platform

The program owner completes this step, or the system admin if using delegated setup.
1
You are now connected to Microsoft Entra ID (Client Credentials).

Troubleshooting

The credentials are invalid or expired. Check:
  1. Client Secret has not expired or been rotated
  2. Tenant ID and Client ID are correct
  3. Authority host matches your cloud environment
The app registration is missing permissions or admin consent was not granted. Verify:
  1. All required permissions are listed in API permissions
  2. Each permission shows Granted status (green checkmark)
  3. Admin consent was granted after adding permissions
If you added new permissions after initial consent, you must re-grant admin consent.
The app may be missing the specific permission for that stream:
  • No users → missing User.Read.All
  • No security alerts → missing SecurityAlert.Read.All
  • No sign-in logs → missing AuditLog.Read.All
  • No devices → missing DeviceManagementManagedDevices.Read.All
The Graph API host and Authority host may be mismatched. Both must correspond to the same cloud environment (commercial, government, etc.).