Entra ID Discovery

Discovery must be enabled in Secret Server to discover Entra ID accounts.
A distributed engine is required to use Entra ID Discovery with Secret Server Cloud. Secret Server On-Premises customers can leverage both distributed engines and webnodes.

Overview

Secret Server can scan Microsoft Entra ID for Roles and Users. Users can be exported as Secrets of the Entra ID User Account template.

Configuration

Setting permissions:

  1. Create an App Registration in Entra ID.

  2. Add a client secret to the registration and give it an expiration. Secret Server stops authenticating when the secret expires, so record the expiry and rotate the secret before that date.

  3. Once the client secret is created, its details are displayed. Copy the data in the "Value" column immediately; it will not be displayed again. Copy the Value, not the Secret ID: the Secret ID is only an identifier and cannot be used to authenticate.


  4. Grant API Permissions for the registration. These are Microsoft Graph permissions; click Add A Permission to add each one. The minimum permissions for discovery are:
    • EntitlementManagement.Read.All
    • RoleManagement.Read.Directory
    • User.ReadBasic.All
  5. Permissions must be added as Application Permissions, not Delegated Permissions, and an administrator must grant admin consent for them before the registration can use them.

    The Application Registration may have permissions granted by default in addition to the ones listed above (for example the delegated User.Read permission). These have no impact on Discovery.
    If you want to use the same Application Registration for password changing, you will also need the User.ReadWrite.All and UserAuthenticationMethod.ReadWrite.All permissions. These are tenant-wide write permissions, so grant them only to a registration that will actually be used for password changing.
  6. Create a Secret in Secret Server from the Azure Application Registration template and populate it with the values shown on the registration's Overview page in the Azure Portal.
  7. When mapping the fields from Entra to the new secret:
    • Application (client) ID maps to Client ID.
    • Directory (tenant) ID maps to Tenant ID.
    • Client Secret is the Value copied in Step 3 (the secret created in Step 2).
  8. In Secret Server, create a new Discovery Source using the Azure Application Registration Secret.

  9. Add the Scanner Flow for Entra ID to the Discovery Source. For each scanner, set the Azure Application Registration Secret as the credential.
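The portal procedure in Steps 1 through 7 can also be scripted. The script below is an added example and is not part of the Secret Server documentation or product; it uses the Microsoft Graph PowerShell SDK (`Microsoft.Graph` module) to create the App Registration, add a client secret with an explicit expiry, add the three discovery permissions as Application Permissions, grant admin consent, and print the Tenant ID, Client ID and Client Secret for the Azure Application Registration Secret. The display name, secret lifetime and the `-IncludePasswordChanging` switch are assumptions of this example, not names used by Secret Server.

```powershell
# Added example (not from the Secret Server documentation): scripts Steps 1-5 of the
# Entra ID Discovery setup with the Microsoft Graph PowerShell SDK and emits the values
# needed in Step 7. Run as an account that can create applications and grant admin
# consent (for example Global Administrator or Privileged Role Administrator).
param(
    [string]$DisplayName = 'SecretServer-EntraID-Discovery',  # assumed name
    [int]$SecretLifetimeMonths = 6,                            # assumed rotation interval
    [switch]$IncludePasswordChanging                           # assumed switch: adds the write permissions from the note under Step 5
)

# Least privilege: discovery needs only these three Microsoft Graph application permissions.
$requiredRoles = @('EntitlementManagement.Read.All', 'RoleManagement.Read.Directory', 'User.ReadBasic.All')
if ($IncludePasswordChanging) {
    # Tenant-wide write permissions; only grant them if this registration will really change passwords.
    $requiredRoles += @('User.ReadWrite.All', 'UserAuthenticationMethod.ReadWrite.All')
}

Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All' -NoWelcome

# Step 1: the App Registration (single tenant) and its service principal.
$app = New-MgApplication -DisplayName $DisplayName -SignInAudience 'AzureADMyOrg'
$sp  = New-MgServicePrincipal -AppId $app.AppId

# Steps 2 and 3: a client secret with an explicit expiry. SecretText is returned exactly once,
# like the "Value" column in the portal, so store it in Secret Server immediately.
$cred = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = 'Secret Server discovery'
    EndDateTime = (Get-Date).AddMonths($SecretLifetimeMonths)
}

# Steps 4 and 5: resolve each permission name to a Microsoft Graph *application* role
# (AllowedMemberTypes contains 'Application'), never to a delegated scope.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roles = foreach ($name in $requiredRoles) {
    $role = $graphSp.AppRoles | Where-Object { $_.Value -eq $name -and $_.AllowedMemberTypes -contains 'Application' }
    if (-not $role) { throw "Microsoft Graph exposes no application permission named '$name'" }
    $role
}

# Record the permissions on the registration so they show under API permissions in the portal...
Update-MgApplication -ApplicationId $app.Id -RequiredResourceAccess @(
    @{
        ResourceAppId  = $graphSp.AppId
        ResourceAccess = @($roles | ForEach-Object { @{ Id = $_.Id; Type = 'Role' } })
    }
)

# ...and grant admin consent by assigning each app role to the service principal.
foreach ($role in $roles) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
        -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
}

# Step 7: the values the Azure Application Registration Secret template needs.
[pscustomobject]@{
    'Tenant ID'      = (Get-MgContext).TenantId   # Directory (tenant) ID
    'Client ID'      = $app.AppId                 # Application (client) ID
    'Client Secret'  = $cred.SecretText           # the one-time "Value"
    'Secret Expires' = $cred.EndDateTime
}
```

The output object contains the client secret in clear text, so paste it straight into the Secret Server secret and clear your console history afterwards. Because the service principal is created in the same run, `New-MgServicePrincipalAppRoleAssignment` can occasionally fail with a not-found error while the directory replicates; rerunning just the assignment loop a few seconds later resolves it. After the script finishes, the registration's API permissions blade should show the three permissions with Type "Application" and a green "Granted" status, which is the check for Step 5.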

Scanning

Running a Discovery Scan enumerates Entra ID Roles. To discover the Users that hold those Roles, run a computer scan, or click a role in the Discovery Network View and scan it individually.