Skip to content

Azure Entra ID

FeatureSupport
User management✅ Full
Organizations✅ Via Groups or Custom Attribute (see below)
Audit logs⚠️ Sign-ins only (requires AuditLog.Read.All permission)
  1. Register an application in Entra ID

    In the Microsoft Entra admin center, go to App registrations → New registration.

    • Name: AUMS Management (or any name you prefer)
    • Supported account types: Accounts in this organizational directory only
    • Click Register

    Note the Application (client) ID and Directory (tenant) ID from the overview page.

  2. Create a client secret

    Go to the app registration → Certificates & secrets → New client secret.

    • Enter a description and choose an expiration period
    • Copy the Value immediately — it is only shown once
  3. Grant API permissions

    Go to API permissions → Add a permission → Microsoft Graph → Application permissions.

    Grant permissions based on the features you need:

    FeatureRequired permissions
    User managementUser.Read.All, User.ReadWrite.All
    Organizations (groups strategy)Group.ReadWrite.All, GroupMember.ReadWrite.All
    Organizations (custom_attribute strategy)User.ReadWrite.All (already included above)
    Audit logsAuditLog.Read.All

    After adding permissions, click Grant admin consent for your tenant.

  4. Choose an organization strategy

    Choose how AUMS maps “organizations” in your Entra tenant. See Organization strategies below for guidance.

  5. Set environment variables

    Terminal window
    PROVIDER=entra
    ENTRA_TENANT_ID=your-tenant-id
    ENTRA_CLIENT_ID=your-client-id
    ENTRA_CLIENT_SECRET=your-client-secret
    # Organization strategy (default: groups)
    ENTRA_ORGANIZATION_STRATEGY=groups
    # Required only when ENTRA_ORGANIZATION_STRATEGY=custom_attribute:
    # ENTRA_ORGANIZATION_ATTRIBUTE_NAME=extension_abc123_organizationId

Entra ID does not have a native “organization” object. AUMS supports two approaches:

Use groups if:

  • Your Entra tenant is a workforce or B2B tenant
  • Your customer organizations already have Entra security groups
  • You need full CRUD (create / rename / delete organizations via AUMS)
  • Users may belong to multiple organizations

Use custom_attribute if:

  • Your Entra tenant is an external (CIAM) tenant
  • Users signed up via a sign-up flow or social identity provider
  • You store a single organizationId per user as a custom extension attribute
  • You do not need to create or delete organizations through AUMS

Each Entra security group is treated as an organization. AUMS manages group membership to assign and remove users from organizations.

Required permissions: Group.ReadWrite.All, GroupMember.ReadWrite.All

What AUMS does:

OperationGraph API call
List orgsGET /v1.0/groups
Create orgPOST /v1.0/groups (security group, mail-disabled)
Delete orgDELETE /v1.0/groups/{id}
List membersGET /v1.0/groups/{id}/members
Add memberPOST /v1.0/groups/{id}/members/$ref
Remove memberDELETE /v1.0/groups/{id}/members/{userId}/$ref

Configuration:

Terminal window
ENTRA_ORGANIZATION_STRATEGY=groups

An extension attribute on each user profile stores the user’s organization ID. AUMS derives the list of organizations by collecting distinct non-null values of that attribute across all users.

Required permissions: User.ReadWrite.All

What AUMS does:

OperationGraph API call
List orgsDerived from GET /v1.0/users?$select={attr} (all pages)
List membersFilter GET /v1.0/users by attribute value
Assign userPATCH /v1.0/users/{id} with { "{attr}": "{orgId}" }
Remove userPATCH /v1.0/users/{id} with { "{attr}": null }
Create/delete org❌ Not supported — returns a 405 error

Configuration:

Terminal window
ENTRA_ORGANIZATION_STRATEGY=custom_attribute
ENTRA_ORGANIZATION_ATTRIBUTE_NAME=extension_abc123def456abc123def456abc12345_organizationId

Finding your extension attribute name:

Extension attributes registered by the b2c-extensions-app follow the pattern extension_{appId without hyphens}_{attributeName}. You can list them via:

GET /v1.0/applications/{b2cExtensionsAppObjectId}/extensionProperties

Or find the attribute name in Entra admin center → External Identities → Custom user attributes.

Entra ID uses userPrincipalName (UPN) as the primary login identifier. AUMS sets the UPN to the user’s email address on creation. The email domain must be a verified domain in your tenant.

When creating a user without a password, AUMS generates a random temporary password. The user will need to reset it on first sign-in or through self-service password reset (SSPR) if configured in your tenant.

Audit logs surface Microsoft Entra sign-in events (/v1.0/auditLogs/signIns). Filtering by user ID and date range is supported.

To protect the AUMS dashboard with Entra ID SSO, register a separate application (web platform, standard authorization code flow):

Terminal window
AUTH_CLIENT_OPENID_CONFIGURATION_URL=https://login.microsoftonline.com/{tenant-id}/v2.0
AUTH_CLIENT_ID=your-oidc-app-client-id
AUTH_CLIENT_SECRET=your-oidc-app-client-secret

Add <BASE_URL>/api/auth/callback/oidc to the application’s Redirect URIs.