Connecting the integration
Microsoft Entra ID is an identity and access management solution from Microsoft that helps organizations secure and manage identities for hybrid and multi-cloud environments.
Navigate to the Integration
Go to the Integrations page in Secureframe.
Search for Microsoft Entra ID in the "Available Integrations" list. (If you have the Custom Integration feature, click on Add native connection).
Click Connect.
Select Secureframe OAuth App or Your Own App Registration
How to connect
When setting up your integration, you’ll be prompted to choose between two connection methods:
Option 1: Secureframe OAuth App
Use this option for the fastest and most streamlined setup.
Click Connect via Secureframe OAuth App
Sign in with an admin account that has the necessary permissions
Review and approve the requested permissions to complete the setup
Option 2: Your Own App Registration
Secureframe now supports an alternate workflow for connecting Microsoft Entra ID. This option is designed for organizations that prefer to limit Secureframe’s access more narrowly when establishing connections.
Use this option if your organization prefers greater control over permissions and access scopes, or if you use Privileged Identity Management (PIM) tools.
Click Connect via your own App Registration
Follow the guided steps in Secureframe to register your own app within your identity provider or cloud platform
Enter the app credentials (Client ID, Secret, and Tenant/Directory ID, if applicable) to finalize the connection
Permissions, Fields Pulled, Controls, and Automated Tests
Navigate to the “Integration” page.
Select the “Available” tab.
Search for the integration.
Click “View Details”.
Frequently Asked Questions (FAQ)
Does the Entra MFA test respect Conditional Access, and where do I confirm a user is MFA registered?
Secureframe reads the Microsoft Graph registration report, which reflects registered MFA methods. Conditional Access can enforce MFA at sign-in, but a user who is excluded from the policy or has not registered a supported method can still show as not covered. Confirm both policy scope and registration.
To confirm registration, open Protection → Authentication methods → User registration details in the Microsoft Entra admin center.
For the full integration MFA troubleshooting flow, see FAQs: Integration MFA tests, enrollment gaps, and troubleshooting.
How do I fix a 401 Unauthorized error when reconnecting Microsoft Entra?
This usually means the connection token expired or the connecting admin no longer has sufficient Entra permissions.
Reconnect with a Microsoft Entra admin account. If using your own app registration, confirm the Client ID, secret, and Tenant ID are current, then run a manual sync.
See also FAQs: Duplicate personnel, email addresses, and login issues. If reconnect still fails, contact [email protected].
How does Secureframe’s Microsoft Entra ID integration determine if MFA is enabled for a user?
Secureframe determines MFA status by checking the user’s account in Microsoft Entra ID to verify if MFA is enabled at the user level. This typically involves confirming that:
The user has registered at least one MFA method (e.g., phone number, authenticator app, or security key).
MFA is enforced for that account.
Important:
The integration requires a Microsoft Entra ID Premium P1 (or higher) license and the connection must be created by a user with Global Reader role permissions.
If users appear as “not enabled” even though they’re in a security group requiring MFA, it may be due to incomplete MFA registration, sync delays, or the use of third-party MFA solutions (e.g., Duo) instead of Microsoft MFA tokens.
If your account does not have the required license tier, you can use the “Pass with upload” option on the MFA test to provide evidence manually.
