Creating apps in Entra ID for Microsoft connectors

The Neurons Platform includes a variety of connectors for retrieving data from your Microsoft database sources. Before setting up these connectors in Neurons, you need to register each one as an app in the Entra ID section of your Azure portal with the necessary permissions and credentials. (Entra ID was formerly Azure AD.)

This extra step is mandatory for the following connectors (whether they are run in the cloud or using an on-premises connector server):

  • Entra ID

  • Intune

  • Microsoft 365

  • Defender for Endpoint (MDE) – Requires its own procedure (see below).

Important notes:

  • To better facilitate troubleshooting, create a new app for each connector you plan on using.

  • When adding permissions for each app, ensure Grant admin consent is selected for each permission.

  • If you add or change permissions for the app after initial registration, the Microsoft Application Key will not be updated and will need to be generated again. Make sure to update the connector with the new secret after changing permissions.

  • If there is user data already in Neurons from another source and you import user data from Entra ID, Neurons will reconcile the records using the user’s email so that you do not have duplicate user records.

Repeat this procedure for each connector (Entra ID, Intune, or Microsoft 365) that you want to set up in Neurons.

  1. Sign in to the Azure portal and select Microsoft Entra ID.
  2. In the left navigation pane, click App registrations.
  3. At the top of the page, click New registration.
  4. On the Register an application page, enter a name for this app, select the appropriate account type, and click Register to create the application. No redirect URI is needed.
  5. On the Overview page for your new app, click View API permissions.
  6. Click Add a permission.
  7. Click Microsoft Graph.
  8. In the right pane under Request API permissions, click Application permissions (not Delegated permissions).
  9. Add the following API permissions for the connector and ensure Grant admin consent is selected (so that each permission displays with a green checkmark).

    Entra ID:

    • Application.Read.All
    • Auditlog.Read.All
    • Device.Read.All
    • DeviceManagementServiceConfig.Read.All
    • DeviceManagementServiceConfig.ReadWrite.All
    • Directory.Read.All
    • Directory.ReadWrite.All
    • Reports.Read.All
    • User.Export.All
    • User.Read
    • User.Read.All
    • User.ReadWrite.All
    • To receive purchase order identifier data: DeviceManagementServiceConfig.Read.All
    • To use group filters (device and user) in Neurons: Group.Read.All

    Intune:

    • Device.Read.All
    • Device.ManagementApps.Read.All
    • DeviceManagementManagedDevices.Read.All
    • Directory.Read.All
    • User.Read.All
    • To use scope tag filters in Neurons:

      • DeviceManagementConfiguration.Read

      • DeviceManagementRBAC.Read.All

    • To perform actions and queries in Neurons:
      • DeviceManagementManagedDevices.ReadWrite.All
      • Directory.ReadWrite.All
      • User.ReadWrite.All

    You will also need to fill in the Action credentials fields for this connector in the Neurons console.

    Microsoft 365:

    • Directory.Read.All
    • Organization.Read.All
    • Reports.Read.All
    • User.Read
  10. Click Add permissions.
  11. In the left navigation pane, click Certificates & secrets.
  12. Click New client secret.
  13. Enter a description and timeline, then click Add. Copy and paste the secret into Notepad. You will need this secret when setting up the connector in Neurons.
  14. In the left navigation pane, click Overview. Copy and paste the Application (client) ID and Directory (tenant) ID into Notepad. You will need these IDs when setting up the connector in Neurons.

You are now ready to set up the same connector(s) in Neurons. For details, see Microsoft Entra ID connector, Microsoft Intune connector, or Microsoft 365 connector.

For more information not provided here, see Use Microsoft Defender for Endpoint APIs in the MDE documentation.

  1. Sign in to the Azure portal and select Microsoft Entra ID.
  2. In the left navigation pane, click App registrations.
  3. At the top of the page, click New registration.
  4. On the Register an application page, enter a name and select the appropriate account type.
  5. Under the Redirect URI (optional) section, select Web and enter your application URI.
  6. Click Register to create the application.
  7. On the Overview page for your new app, copy and paste the Application (client) ID and Directory (tenant) ID into Notepad. You will need these IDs later when setting up the connector in Neurons.
  8. In the left navigation pane, click Certificates & secrets, then click New client secret.
  9. Enter a timeline and description, then click Add. Copy and paste the secret into Notepad. You will need this secret when setting up the connector in Neurons.
  10. In the left navigation pane, click App registration. You should see the application that you created. Click it to open.
  11. In the left navigation pane, click API permissions, then click Add a permission > APIs my organization uses.
  12. In the search field, type windows, and look for WindowsDefenderATP in the list. Click it to open.
  13. Click Application permission. You should see all the entities to which you can have access via this application.
  14. Add the following API permissions for the connector and ensure Grant admin consent is selected (so that both permissions display with a green checkmark):
    • Machine.Read.All
    • Vulnerability.Read.All
  15. Click Add permissions.

You are now ready to set up the MDE connector in Neurons. For details, see Microsoft Defender for Endpoint connector.