Azure Entra ID
Feature availability
Section titled “Feature availability”| Feature | Support |
|---|---|
| User management | ✅ Full |
| Organizations | ✅ Via Groups or Custom Attribute (see below) |
| Audit logs | ⚠️ Sign-ins only (requires AuditLog.Read.All permission) |
-
Register an application in Entra ID
In the Microsoft Entra admin center, go to App registrations → New registration.
- Name:
AUMS Management(or any name you prefer) - Supported account types: Accounts in this organizational directory only
- Click Register
Note the Application (client) ID and Directory (tenant) ID from the overview page.
- Name:
-
Create a client secret
Go to the app registration → Certificates & secrets → New client secret.
- Enter a description and choose an expiration period
- Copy the Value immediately — it is only shown once
-
Grant API permissions
Go to API permissions → Add a permission → Microsoft Graph → Application permissions.
Grant permissions based on the features you need:
Feature Required permissions User management User.Read.All,User.ReadWrite.AllOrganizations (groups strategy) Group.ReadWrite.All,GroupMember.ReadWrite.AllOrganizations (custom_attribute strategy) User.ReadWrite.All(already included above)Audit logs AuditLog.Read.AllAfter adding permissions, click Grant admin consent for your tenant.
-
Choose an organization strategy
Choose how AUMS maps “organizations” in your Entra tenant. See Organization strategies below for guidance.
-
Set environment variables
Terminal window PROVIDER=entraENTRA_TENANT_ID=your-tenant-idENTRA_CLIENT_ID=your-client-idENTRA_CLIENT_SECRET=your-client-secret# Organization strategy (default: groups)ENTRA_ORGANIZATION_STRATEGY=groups# Required only when ENTRA_ORGANIZATION_STRATEGY=custom_attribute:# ENTRA_ORGANIZATION_ATTRIBUTE_NAME=extension_abc123_organizationId
Organization strategies
Section titled “Organization strategies”Entra ID does not have a native “organization” object. AUMS supports two approaches:
Which strategy should I use?
Section titled “Which strategy should I use?”Use groups if:
- Your Entra tenant is a workforce or B2B tenant
- Your customer organizations already have Entra security groups
- You need full CRUD (create / rename / delete organizations via AUMS)
- Users may belong to multiple organizations
Use custom_attribute if:
- Your Entra tenant is an external (CIAM) tenant
- Users signed up via a sign-up flow or social identity provider
- You store a single
organizationIdper user as a custom extension attribute - You do not need to create or delete organizations through AUMS
Strategy: groups
Section titled “Strategy: groups”Each Entra security group is treated as an organization. AUMS manages group membership to assign and remove users from organizations.
Required permissions: Group.ReadWrite.All, GroupMember.ReadWrite.All
What AUMS does:
| Operation | Graph API call |
|---|---|
| List orgs | GET /v1.0/groups |
| Create org | POST /v1.0/groups (security group, mail-disabled) |
| Delete org | DELETE /v1.0/groups/{id} |
| List members | GET /v1.0/groups/{id}/members |
| Add member | POST /v1.0/groups/{id}/members/$ref |
| Remove member | DELETE /v1.0/groups/{id}/members/{userId}/$ref |
Configuration:
ENTRA_ORGANIZATION_STRATEGY=groupsStrategy: custom_attribute
Section titled “Strategy: custom_attribute”An extension attribute on each user profile stores the user’s organization ID. AUMS derives the list of organizations by collecting distinct non-null values of that attribute across all users.
Required permissions: User.ReadWrite.All
What AUMS does:
| Operation | Graph API call |
|---|---|
| List orgs | Derived from GET /v1.0/users?$select={attr} (all pages) |
| List members | Filter GET /v1.0/users by attribute value |
| Assign user | PATCH /v1.0/users/{id} with { "{attr}": "{orgId}" } |
| Remove user | PATCH /v1.0/users/{id} with { "{attr}": null } |
| Create/delete org | ❌ Not supported — returns a 405 error |
Configuration:
ENTRA_ORGANIZATION_STRATEGY=custom_attributeENTRA_ORGANIZATION_ATTRIBUTE_NAME=extension_abc123def456abc123def456abc12345_organizationIdFinding your extension attribute name:
Extension attributes registered by the b2c-extensions-app follow the pattern
extension_{appId without hyphens}_{attributeName}. You can list them via:
GET /v1.0/applications/{b2cExtensionsAppObjectId}/extensionPropertiesOr find the attribute name in Entra admin center → External Identities → Custom user attributes.
User management notes
Section titled “User management notes”Email and UPN
Section titled “Email and UPN”Entra ID uses userPrincipalName (UPN) as the primary login identifier. AUMS sets the UPN to the user’s email address on creation. The email domain must be a verified domain in your tenant.
Password policy
Section titled “Password policy”When creating a user without a password, AUMS generates a random temporary password. The user will need to reset it on first sign-in or through self-service password reset (SSPR) if configured in your tenant.
Audit logs
Section titled “Audit logs”Audit logs surface Microsoft Entra sign-in events (/v1.0/auditLogs/signIns). Filtering by user ID and date range is supported.
OIDC login (optional)
Section titled “OIDC login (optional)”To protect the AUMS dashboard with Entra ID SSO, register a separate application (web platform, standard authorization code flow):
AUTH_CLIENT_OPENID_CONFIGURATION_URL=https://login.microsoftonline.com/{tenant-id}/v2.0AUTH_CLIENT_ID=your-oidc-app-client-idAUTH_CLIENT_SECRET=your-oidc-app-client-secretAdd <BASE_URL>/api/auth/callback/oidc to the application’s Redirect URIs.