Entra ID Configuration

Create an Entra ID App Registration to allow EntraGuard to access your tenant in read-only mode.

1. Create an App Registration

  1. Go to the Entra admin center → Microsoft Entra ID → App registrations
  2. Click New registration
  3. Name: EntraGuard Collector
  4. Supported account types: Single tenant
  5. Click Register

2. Configure API permissions

Add the following Microsoft Graph permissions (all as Application, not Delegated):

Permission                           Used for
Directory.Read.All                   Users, groups, roles, directory objects
User.Read.All                        Detailed user attributes
Group.Read.All                       Group details and memberships
Application.Read.All                 App registrations, service principals
RoleManagement.Read.Directory        Role assignments and PIM
Policy.Read.All                      Conditional Access policies
AuditLog.Read.All                    Sign-in activity (stale accounts)
Device.Read.All                      Devices
UserAuthenticationMethod.Read.All    MFA status
AdministrativeUnit.Read.All          Administrative Units

After adding the permissions, click Grant admin consent.

3. Create a Client Secret

  1. Go to Certificates & secrets
  2. Click New client secret
  3. Recommended duration: 6 months
  4. Copy the value immediately — it will not be shown again

4. Configure EntraGuard

Enter the credentials via the Setup Wizard or in the .env file:

# .env
AZURE_TENANT_ID=your-tenant-id
AZURE_CLIENT_ID=your-client-id
AZURE_CLIENT_SECRET=your-client-secret

Authentication flow: OAuth 2.0 client credentials (MSAL ConfidentialClientApplication). No interactive sign-in is used.
Tip: Credentials entered via the Setup Wizard are encrypted (AES-GCM) in the database, avoiding plain-text environment variables.

5. Create the app via CLI (optional)

# Azure CLI (logged in as admin)
az ad app create --display-name "EntraGuard Collector"
# Then assign permissions and grant consent via the Entra admin center

6. Launch the first scan

cd coderaft && ./start.sh
# Open http://localhost:3000 — the Setup Wizard appears

Troubleshooting

Permission denied / Insufficient privileges

Verify that admin consent has been granted for all API permissions.
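A quick way to confirm this, as an added example that is not part of EntraGuard, is to acquire a client-credentials token with the same AZURE_* values as the .env file and compare its roles claim against the permission table above: a permission that was added but never consented does not appear in the token. It assumes the msal package is installed; the sample payload is constructed.

```python
"""Check that the collector's token carries every Graph application
permission from the table above. Added example, not EntraGuard code."""
import base64
import json
import os

# Application permissions required by EntraGuard (from the table above).
REQUIRED_ROLES = {
    "Directory.Read.All", "User.Read.All", "Group.Read.All",
    "Application.Read.All", "RoleManagement.Read.Directory",
    "Policy.Read.All", "AuditLog.Read.All", "Device.Read.All",
    "UserAuthenticationMethod.Read.All", "AdministrativeUnit.Read.All",
}

# Constructed sample: a token whose consent covers only two permissions.
SAMPLE_PAYLOAD = {"roles": ["Directory.Read.All", "User.Read.All"]}


def decode_jwt_payload(token: str) -> dict:
    """Return the payload of a JWT WITHOUT verifying its signature.
    Fine for inspecting which roles were consented; never use this to
    make an authentication decision."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def missing_roles(payload: dict) -> set:
    """Required Graph app roles absent from the token's 'roles' claim.
    A non-empty result explains 'Insufficient privileges': the permission
    was added to the app but admin consent has not been granted."""
    return REQUIRED_ROLES - set(payload.get("roles", []))


def acquire_app_token() -> str:
    """Client-credentials flow via MSAL, as EntraGuard's collector uses,
    reading the same AZURE_* variables as the .env file above."""
    import msal  # imported here so the offline checks work without msal
    app = msal.ConfidentialClientApplication(
        os.environ["AZURE_CLIENT_ID"],
        client_credential=os.environ["AZURE_CLIENT_SECRET"],
        authority="https://login.microsoftonline.com/" + os.environ["AZURE_TENANT_ID"],
    )
    result = app.acquire_token_for_client(scopes=["https://graph.microsoft.com/.default"])
    if "access_token" not in result:
        raise RuntimeError(result.get("error_description", result))
    return result["access_token"]


if __name__ == "__main__":
    missing = missing_roles(decode_jwt_payload(acquire_app_token()))
    print("All required permissions consented" if not missing
          else "Missing admin consent for: " + ", ".join(sorted(missing)))
```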

Tenant not found

Check your Tenant ID in the Entra admin center → Microsoft Entra ID → Overview.

Expired client secret

Secrets expire. Create a new one in Certificates & secrets.

MFA not detected in findings

Ensure UserAuthenticationMethod.Read.All is granted with admin consent.

Neo4j out of memory

Neo4j requires ~2 GB RAM for large tenants. Increase Docker memory allocation.