Clariti Docs
Full Guide · 10 minutes · moderate

Microsoft Entra ID

Identity & Access

Connects to Microsoft Entra ID (formerly Azure AD) to pull users, groups, and service principals into Clariti for identity asset management. Once connected, Clariti continuously syncs your identity data so you always have an up-to-date picture of who has access to what.

What Clariti Collects

Users, groups, and service principals from your Entra ID tenant, synced continuously so your identity inventory stays current.

What You'll Need

  • Global Administrator or Application Administrator role in Entra ID
  • Entra ID P1 or P2 license (free tier works for basic user data)
  • About 10 minutes
  • A Clariti account with adapter setup permissions

Configure in Microsoft Entra

1. Open App Registrations

Navigate to: entra.microsoft.com → App registrations → New registration

Navigate to entra.microsoft.com, then go to Identity → Applications → App registrations in the left sidebar. Click New registration at the top of the page.

Why: Clariti needs its own registered application in your tenant to authenticate via OAuth2 client credentials.

2. Register the Application

Navigate to: App registrations → Register an application

Fill in the registration form:

  • Name: Clariti AI
  • Supported account types: Select Accounts in this organizational directory only
  • Redirect URI: Leave blank — Clariti uses client credentials, not interactive login

Click Register.

Why: This creates the identity Clariti will use to call Microsoft Graph on your behalf.

3. Copy Application and Tenant IDs

Navigate to: App registration → Overview page

On the Overview page that appears after registration, copy two values:

  • Application (client) ID — the GUID in the middle row
  • Directory (tenant) ID — the GUID just below it

Where to Find This

Use the value labeled "Application (client) ID" on the Overview page (the GUID in the middle row). Don't use the Object ID above it: the two look similar but serve different purposes.

Common Mistake

Don't confuse Tenant ID with Subscription ID. Your Tenant ID is on the App Registration overview page labeled "Directory (tenant) ID." The Subscription ID is for Azure billing — it won't work here.

Why: These two GUIDs uniquely identify your app and your Azure AD tenant. Clariti needs both to authenticate.

4. Create a Client Secret

Navigate to: App registration → Certificates & secrets → Client secrets

Go to Certificates & secrets in the left sidebar, then click the Client secrets tab. Click New client secret.

  • Description: Clariti-AI
  • Expires: Choose your preferred expiration (recommend 12 or 24 months)

Click Add. Immediately copy the Value column — this is your client secret.

Common Mistake

Client secret values are only visible at creation. If you navigate away or refresh the page and see dots or asterisks, the value is gone forever. You'll need to create a new secret.

Pro Tip

Name your client secret something descriptive like "Clariti-AI Production" so you know what it's for 6 months from now when you see it in the list. Future-you will appreciate it.

Why: The client secret is the password Clariti uses alongside the Client ID. Think of it as an API key for this specific app registration.

📋 Copy the Client secret value — you'll need it in Clariti.

5. Add API Permissions

Navigate to: App registration → API permissions → Add a permission

Go to API permissions in the left sidebar. Click Add a permission → Microsoft Graph → Application permissions.

Search for and add these two permissions:

  • User.Read.All — Read all users' full profiles
  • Directory.Read.All — Read directory data (groups, service principals)

Click Add permissions.

Permission Explainer

Application vs Delegated permissions: Clariti runs as a background service without a signed-in user, so it needs Application permissions. Delegated permissions only work when a human is logged in interactively — they won't work for automated sync.

Why: Permissions define what data Clariti can read. Without these, the app registration exists but can't access any directory data.

6. Grant Admin Consent

Navigate to: API permissions page

Still on the API permissions page, click the Grant admin consent for [your organization] button at the top. Click Yes to confirm.

You should see green checkmarks appear next to each permission in the Status column.

Why: Adding permissions is a request. Granting consent is the approval. Without this step, the permissions exist on paper but aren't actually active.

7. Verify Consent Status

Navigate to: API permissions page

Confirm all permissions show Granted for [your org] with green checkmarks in the Status column. If any show "Not granted," click Grant admin consent again.

Why: A quick sanity check before leaving the Azure portal saves troubleshooting time later.
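The same sanity check can be done outside the portal with the client credentials you just created. The script below is an added example (not Clariti's code and not from the original page): it requests an app-only token from the tenant's token endpoint and inspects the token's roles claim, which carries User.Read.All and Directory.Read.All only after admin consent is granted; a token-endpoint error (for example an AADSTS code from a wrong tenant ID) is surfaced with its description. The REQUIRED_ROLES set and the make_sample_token helper are assumptions added for offline use.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Application (app-only) roles the guide has you add and consent to (assumed set).
REQUIRED_ROLES = {"User.Read.All", "Directory.Read.All"}


def token_roles(access_token: str) -> set[str]:
    """App roles from the token's 'roles' claim (signature not verified: we inspect our own freshly issued token)."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("roles", []))  # absent entirely when nothing is consented


def missing_roles(access_token: str) -> set[str]:
    """Required roles that admin consent has not activated (empty set means all granted)."""
    return REQUIRED_ROLES - token_roles(access_token)


def acquire_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """OAuth2 client-credentials request to the tenant's v2.0 token endpoint."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    try:
        with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
            return json.load(resp)["access_token"]
    except urllib.error.HTTPError as e:
        # Entra returns a JSON body whose error_description carries the AADSTS code.
        err = json.load(e)
        raise RuntimeError(f"HTTP {e.code}: {err.get('error_description', err)}") from None


def make_sample_token(roles: list[str]) -> str:
    """Constructed, unsigned sample token for offline checks; not a real Entra token."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc({'aud': 'https://graph.microsoft.com', 'roles': roles})}."


if __name__ == "__main__":
    # Offline demo: consented app is missing nothing; unconsented app is missing both roles.
    print("consented:", missing_roles(make_sample_token(sorted(REQUIRED_ROLES))))
    print("not consented:", missing_roles(make_sample_token([])))
```

For a live check, call missing_roles(acquire_token(tenant_id, client_id, client_secret)); anything other than an empty set means the consent step was skipped or has not propagated yet.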

Enter Credentials in Clariti

Back in Clariti, navigate to Adapters → Add Adapter → Microsoft Entra ID and enter the values you collected:

Value from vendor console      Paste into Clariti field
Application (client) ID        Client ID
Directory (tenant) ID          Tenant / Directory ID
Client secret value            Client Secret

Verify Connection

Click Test Connection in Clariti. A successful connection returns a green checkmark within 30 seconds. Your first sync will pull users and groups within 2 minutes — you'll see them appear in your asset inventory automatically.

Troubleshooting

401 Unauthorized

You added permissions but didn't click "Grant admin consent." This is the most common mistake. Fix: Go back to API permissions → click Grant admin consent for [your org] → Yes.

400 Bad Request

Wrong tenant ID or a malformed credential. Go back to the App Registration Overview page and verify the Directory (tenant) ID is correct. Also check that you pasted the full client secret without any trailing spaces.

403 Forbidden

Insufficient license tier or missing permissions. Verify your Entra ID license includes the data you're trying to pull, and confirm all permissions show "Granted" status.

AADSTS700016 — Application not found

You're using credentials from a different Azure AD tenant than the one you're trying to connect. This usually happens when you have multiple Azure tenants (dev/prod) and copied credentials from the wrong one. Verify the Directory (tenant) ID matches the tenant where you registered the app.