Entra ID FAQ
How is Adding Entra ID Users Different from Federated Users?
While a federated user must log on to the platform once before their account appears on the platform, an Entra ID user can be added to the platform by an administrator and fully set up (with roles, permissions, groups, identity policies, secrets and folder sharing, etc.) before the Entra ID user first logs on to the platform. And unlike a federated group, an Entra ID group does not need to be mapped to a local group.
What if Users Can’t Log in After the Integration is Set Up?
- Ensure that the registered app is “Enabled”.
- Verify that the API permission “Log-in to Entra ID” is selected for the registered app.
- On the platform, navigate to Settings > Federation providers and select the Entra ID federation configuration.
- Open the Federation console tab to run the debugging process.
What Happens if I Disable a Registered App?
The registered app facilitates the connection between the Delinea Platform and Microsoft Entra ID. Disabling the registered app prevents Entra ID users from logging in to the Delinea Platform, and blocks administrators from querying the Entra ID directory.
Can I Create a Registered App for Each API Permission?
Yes, you may create a registered app for each API permission as required.
What Validations and Errors Might Arise when Creating a Registered App?
- Scenario: Attempting to create a registered app with the same "Log in to Entra ID" permission for an existing Entra ID application client ID.
  Outcome: A registered app cannot be created with duplicate permissions for the same application ID.
  Message: "An app '%appname' with 'Log in to Entra ID' permission already exists for client ID '%appclientid'."
- Scenario: Attempting to register a platform app with "Read" permission for the same Entra ID tenant.
  Outcome: "Read" permission can only be granted once per Entra ID tenant, as it is tenant-wide.
  Message: "'Entra ID - Read' permission is already assigned to '%appname' for tenant '%tenantid'."
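The two validation rules above differ in scope: the "Log in to Entra ID" check is keyed on the application client ID, while the "Entra ID - Read" check is keyed on the tenant, so a second Read app is rejected even when it uses a different client ID. The following is an added example that models those two rules as stated in this FAQ; it is not the Delinea Platform's own code. The `AppRegistry` class, the app and tenant identifiers, and the order of the checks are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Permission names as they appear in the FAQ's validation messages.
LOGIN_PERMISSION = "Log in to Entra ID"
READ_PERMISSION = "Entra ID - Read"


class DuplicatePermissionError(ValueError):
    """Raised when a candidate app would violate one of the two uniqueness rules."""


@dataclass(frozen=True)
class RegisteredApp:
    name: str
    client_id: str           # Entra ID application (client) ID
    tenant_id: str           # Entra ID tenant the application lives in
    permissions: frozenset   # subset of {LOGIN_PERMISSION, READ_PERMISSION}


@dataclass
class AppRegistry:
    """Hypothetical in-memory store standing in for the platform's registered apps."""
    apps: list = field(default_factory=list)

    def validate(self, candidate: RegisteredApp) -> None:
        for existing in self.apps:
            # Rule 1 (Scenario 1): 'Log in to Entra ID' is unique per application client ID.
            if (LOGIN_PERMISSION in candidate.permissions
                    and LOGIN_PERMISSION in existing.permissions
                    and existing.client_id == candidate.client_id):
                raise DuplicatePermissionError(
                    f"An app '{existing.name}' with '{LOGIN_PERMISSION}' permission "
                    f"already exists for client ID '{existing.client_id}'."
                )
            # Rule 2 (Scenario 2): 'Entra ID - Read' is tenant-wide, so it is unique
            # per tenant regardless of which client ID carries it.
            if (READ_PERMISSION in candidate.permissions
                    and READ_PERMISSION in existing.permissions
                    and existing.tenant_id == candidate.tenant_id):
                raise DuplicatePermissionError(
                    f"'{READ_PERMISSION}' permission is already assigned to "
                    f"'{existing.name}' for tenant '{existing.tenant_id}'."
                )

    def register(self, candidate: RegisteredApp) -> Optional[str]:
        """Store the app and return None, or return the validation message instead."""
        try:
            self.validate(candidate)
        except DuplicatePermissionError as exc:
            return str(exc)
        self.apps.append(candidate)
        return None


def demo() -> dict:
    """Walk through the FAQ scenarios on constructed sample data."""
    tenant = "tenant-0001"   # constructed placeholder, not a real tenant ID
    reg = AppRegistry()
    attempts = [
        RegisteredApp("login-app", "client-A", tenant, frozenset({LOGIN_PERMISSION})),
        # Same client ID, same Log-in permission: rejected (Scenario 1).
        RegisteredApp("login-app-dup", "client-A", tenant, frozenset({LOGIN_PERMISSION})),
        # One app per API permission; neither rule bars a different permission on the same client ID.
        RegisteredApp("read-app", "client-A", tenant, frozenset({READ_PERMISSION})),
        # Second Read app on a different client ID but the same tenant: rejected (Scenario 2).
        RegisteredApp("read-app-dup", "client-B", tenant, frozenset({READ_PERMISSION})),
        # Log-in permission on a different client ID: allowed.
        RegisteredApp("login-app-2", "client-B", tenant, frozenset({LOGIN_PERMISSION})),
    ]
    return {app.name: reg.register(app) for app in attempts}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'created' if outcome is None else outcome}")
```

Running the block prints one line per attempt; the two rejected attempts reproduce the message formats quoted in the scenarios, with the placeholders filled from the conflicting existing app.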
What Configurations Create Different Outcomes?
| Entra ID - Read | Log-in to Entra ID | Provision Directory Services | Outcome |
|---|---|---|---|
| ✘ | ✔ | ✔ | Registration app created; federation provider created; Entra ID users can log in to the platform. |
| ✔ | ✔ | ✔ | Registration app created; federation provider created; directory service created; Entra ID users can log in to the platform; Platform Admins can manage Entra ID users and groups in the platform. |
| ✔ | ✘ | ✔ | Registration app created; federation provider not created; directory service created; Entra ID users cannot log in to the platform; Platform Admins can manage Entra ID users and groups in the platform. |
What is the Scope of the API Permission “Entra ID - Read”?
Granting this permission provides READ access to users and groups across the associated Azure tenant.
Can I use Entra ID Federation and API-Based Entra ID Integration Simultaneously?
No. If your platform already has an Entra ID federation configuration, adding a new native Entra ID registered app for the same Entra ID tenant will not succeed.
Can I use the Connector with the API-based Entra ID Integration Simultaneously?
If your platform tenant is set up with Active Directory (AD) users that match their Entra ID users (i.e. the same usernames or email addresses), the integration will fail.
Will We Eventually have the Same Browsing Experience for AD and Entra ID?
When browsing Entra ID groups, results are displayed automatically as soon as an Entra ID directory is selected. Active Directory (AD) results, however, are returned only after a search term is entered.
How Long Does the Platform Take to Detect and Reflect Changes to Entra ID?
You can expect changes in Microsoft Entra ID directory objects, such as users and groups, to be updated on the Delinea platform within 10 minutes.
How do User Attributes (e.g. Mobile Number) Propagate from Entra ID to the Platform?
User attributes supported by the Delinea Platform are automatically propagated from Entra ID, eliminating the need to configure user attribute mapping within the federation provider on the platform.
How is Entra ID Federation User Mapping Different from Standard Federation?
Standard federation supports user mapping to an Active Directory:
- The user object originates from AD.
- Authentication occurs through federation.
- Permissions can be assigned through AD users or groups, and MFA can also be set up for the user.
Entra ID federation configuration is system-generated and does not support user mapping to an Active Directory. This is a known, current limitation for Privilege Control for Servers, and we are actively working to address this limitation in future releases.