Microsoft Entra ID

Microsoft Entra ID is an identity and access management solution from Microsoft that helps organizations secure and manage identities for hybrid and multi-cloud environments.

Connecting the integration

Navigate to the Integration

  1. Go to the Integrations page in Secureframe.
  2. Search for Microsoft Entra ID in the "Available Integrations" list. (If you have the Custom Integration feature, click Add native connection.)
  3. Click Connect.

Select Secureframe OAuth App or Your Own App Registration

How to connect 

When setting up your integration, you’ll be prompted to choose between two connection methods:

Option 1: Secureframe OAuth App

Use this option for the fastest and most streamlined setup.

  • Click Connect via Secureframe OAuth App
  • Sign in with an admin account that has the necessary permissions
  • Review and approve the requested permissions to complete the setup

Option 2: Your Own App Registration

Secureframe now supports an alternate workflow for connecting Microsoft Entra ID. This option is designed for organizations that prefer to limit Secureframe’s access more narrowly when establishing connections.

Use this option if your organization prefers greater control over permissions and access scopes, or if you use Privileged Identity Management (PIM) tools.

  • Click Connect via your own App Registration
  • Follow the guided steps in Secureframe to register your own app within your identity provider or cloud platform
  • Enter the app credentials (Client ID, Secret, and Tenant/Directory ID, if applicable) to finalize the connection

Permissions, Fields Pulled, Controls, and Automated Tests

  1. Navigate to the “Integration” page.
  2. Select the “Available” tab.
  3. Search for the integration.
  4. Click “View Details”.

Frequently Asked Questions (FAQ)

How does Secureframe’s Microsoft Entra ID integration determine if MFA is enabled for a user?

Secureframe determines MFA status by checking the user’s account in Microsoft Entra ID to verify if MFA is enabled at the user level. This typically involves confirming that:

  • The user has registered at least one MFA method (e.g., phone number, authenticator app, or security key).

  • MFA is enforced for that account.

A few important notes:

  • The integration requires a Microsoft Entra ID Premium P1 (or higher) license, and the connection must be created by a user with Global Reader role permissions.

  • If users appear as “not enabled” even though they’re in a security group requiring MFA, it may be due to incomplete MFA registration, sync delays, or the use of third-party MFA solutions (e.g., Duo) instead of Microsoft MFA tokens.

  • If your account does not have the required license tier, you can use the “Pass with upload” option on the MFA test to provide evidence manually.
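
To triage users that show as “not enabled”, the following added example (not Secureframe's code, and not a description of how the integration queries Entra ID) classifies rows shaped like Microsoft Graph's userRegistrationDetails report. The sample data, the MFA_REQUIRED set, SAMPLE_NOW, and the 7-day staleness threshold are constructed assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like the Microsoft Graph response for
# GET /reports/authenticationMethods/userRegistrationDetails
SAMPLE_REPORT = json.loads("""
{"value": [
  {"userPrincipalName": "Alice@example.com", "isMfaRegistered": true,
   "methodsRegistered": ["microsoftAuthenticatorPush"], "lastUpdatedDateTime": "2025-10-15T08:00:00Z"},
  {"userPrincipalName": "bob@example.com", "isMfaRegistered": false,
   "methodsRegistered": [], "lastUpdatedDateTime": "2025-10-15T08:00:00Z"},
  {"userPrincipalName": "carol@example.com", "isMfaRegistered": false,
   "methodsRegistered": ["email"], "lastUpdatedDateTime": "2025-10-15T08:00:00Z"},
  {"userPrincipalName": "dave@example.com", "isMfaRegistered": false,
   "methodsRegistered": [], "lastUpdatedDateTime": "2025-09-01T08:00:00Z"}
]}
""")

# Hypothetical input: UPNs of members of the security group that requires MFA.
MFA_REQUIRED = {"alice@example.com", "bob@example.com", "carol@example.com",
                "dave@example.com", "erin@example.com"}
SAMPLE_NOW = datetime(2025, 10, 16, tzinfo=timezone.utc)  # constructed "today"

def triage(report, required_upns, now, max_age=timedelta(days=7)):
    """Map each MFA-required user to a finding a reviewer can act on."""
    rows = {r["userPrincipalName"].lower(): r for r in report["value"]}
    findings = {}
    for upn in sorted(u.lower() for u in required_upns):
        row = rows.get(upn)
        if row is None:
            findings[upn] = "missing_from_report"  # not in the report yet
            continue
        updated = datetime.fromisoformat(row["lastUpdatedDateTime"].replace("Z", "+00:00"))
        if row["isMfaRegistered"] and row["methodsRegistered"]:
            findings[upn] = "registered"
        elif now - updated > max_age:
            findings[upn] = "stale_record"  # old row: re-check, possible sync delay
        else:
            # No Microsoft MFA method on record: incomplete registration, or the
            # user authenticates through a third-party MFA provider.
            findings[upn] = "no_microsoft_mfa_method"
    return findings

if __name__ == "__main__":
    for upn, finding in triage(SAMPLE_REPORT, MFA_REQUIRED, SAMPLE_NOW).items():
        print(f"{upn}: {finding}")
```

Users flagged no_microsoft_mfa_method or stale_record are the ones to review before deciding whether to use “Pass with upload”.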
