Entra ID
Entra ID (Azure AD) integration: Synchronize users, groups, and S/MIME certificates.
Entra ID Integration
The Entra ID integration (formerly Azure AD) connects Conbool directly with your Microsoft 365 tenant. Users, groups, and S/MIME certificates are thereby automatically available for policies, encryption, routing, and user management – without manual maintenance or local storage of sensitive data.
The integration uses the Microsoft Graph API v1.0 and supports both certificate-based authentication and client secrets.
Feature Scope
- User synchronization – Automatic import of all users from Entra ID including pagination for large tenants
- Group synchronization – Import of security and Microsoft 365 groups
- S/MIME certificate retrieval – Certificates are loaded directly from Entra ID and used for email encryption
- Change Notifications – Webhook-based notifications for changes in the tenant
- Expiration monitoring – Automatic display of expiration dates for secrets and certificates
- Audit logging – Every configuration change to the Entra ID connection is logged
Prerequisites
Before setting up the integration, make sure the following requirements are met:
- You have Global Administrator or Cloud Application Administrator rights in your Microsoft 365 tenant.
- An App Registration has been created in Azure AD / Entra ID (or you let Conbool create it automatically via the Admin Consent Flow).
- The App Registration has the required Microsoft Graph API permissions (Application Permissions):
User.Read.All– Read usersGroup.Read.All– Read groupsMail.Read– Email-related data (for S/MIME)
- A valid certificate or client secret for the App Registration is available.
Establish Connection
The connection is established via the OAuth2 Admin Consent Flow. No user password is stored in Conbool – instead, an administrator grants consent for the entire organization.
Step-by-Step Guide
- Navigate to Settings → Integrations → Entra ID.
- Click "Connect with Microsoft".
- You will be redirected to the Microsoft sign-in page. Sign in with an administrator account.
- Review the requested permissions and grant Admin Consent for your organization.
- After successful consent, you will be automatically redirected back to Conbool (callback).
- The connection details – Tenant ID, Client ID, and Scope – are automatically populated.
- Select the desired authentication mode (see below).
- Click Save.
After saving, Conbool immediately begins the first synchronization. Depending on the size of the tenant, this process may take a few minutes.
Authentication Mode
Conbool supports two authentication methods for the Microsoft Graph API. The mode is automatically detected but can also be changed manually.
| Feature | Certificate (recommended) | Client Secret (legacy) |
|---|---|---|
| Security level | High – private key never leaves the server | Medium – shared secret |
| Rotation | Replace certificate | Renew secret regularly |
| Expiration monitoring | Yes, with warning | Yes, with warning |
| Setup | Upload certificate in App Registration | Generate secret in Azure Portal |
| Recommendation | Production environments | Test environments, migration |
Microsoft recommends certificate-based authentication. Client secrets are considered a legacy method and should only be used in exceptional cases.
Synchronized Data
User Attributes
The following fields are retrieved per user from Entra ID:
| Entra ID Field | Conbool Placeholder | Description |
|---|---|---|
displayName | {user.display_name} | Display name |
mail | {user.email} | Primary email address |
userPrincipalName | — | Sign-in name (UPN, internal) |
mobilePhone | {user.mobile} | Mobile phone number |
jobTitle | {user.job_title} | Job title |
department | {user.department} | Department |
officeLocation | {user.office} | Office location |
city | {user.city} | City |
country | {user.country} | Country |
postalCode | {user.postal_code} | Postal code |
streetAddress | {user.street} | Street address |
businessPhones | {user.phone} | Business phone number |
These attributes are available as placeholders in disclaimers and templates. Use the Conbool placeholder names (e.g., {user.department}) to insert dynamic content into email disclaimers.
Groups
All security groups and Microsoft 365 groups are synchronized. Groups can be used as conditions in policies, e.g., "Only members of the Sales group may send unencrypted."
S/MIME Certificates
Conbool retrieves S/MIME certificates directly via the Microsoft Graph API. The certificates are not stored locally but loaded in real time on demand. This ensures that the current certificate from Entra ID is always used.
Configuration Fields
| Field | Description | Example |
|---|---|---|
| Tenant ID | Unique ID of your Microsoft 365 tenant | a1b2c3d4-e5f6-... |
| Client ID | ID of the App Registration in Entra ID | f7g8h9i0-j1k2-... |
| Scope | API permission scope | https://graph.microsoft.com/.default |
| Auth mode | Certificate or client secret (automatically detected) | certificate / client_secret |
| Secret expiration date | Automatically displayed when a secret is configured | 2026-12-31 |
Disconnect
To deactivate the Entra ID integration:
- Navigate to Settings → Integrations → Entra ID.
- Click "Disconnect" or deactivate the toggle.
- Confirm the disconnection.
After disconnecting, no further data is synchronized from Entra ID. Previously synchronized user data remains in Conbool until manually removed. Certificates that were only loaded from Entra ID are no longer available.
To also remove the connection on the Microsoft side, delete the Admin Consent in the Azure Portal enterprise application or remove the App Registration.
Troubleshooting
Connection fails
- Tenant ID or Client ID incorrect – Verify the values in the Azure Portal App Registration under Overview.
- Missing Admin Consent – Ensure that a Global Administrator has granted the permissions. Under API permissions, the status must show "Granted for [Organization]".
- Network restrictions – Conbool must be able to reach
login.microsoftonline.comandgraph.microsoft.comover HTTPS.
Users are not synchronized
- Pagination – For tenants with more than 999 users, Conbool uses automatic pagination. Check whether the synchronization is still running.
- License filter – Only licensed users with a valid
mailattribute are synchronized. - Permissions – The app requires
User.Read.Allas an Application Permission (not Delegated).
Certificates not available
- S/MIME certificates must be stored in the user profile in Entra ID.
- Check whether the
Mail.ReadAPI permission has been granted.
Secret expired
- Conbool displays the secret's expiration date in the settings. Renew the secret in time in the Azure Portal and update it in Conbool.
- Consider switching to certificate-based authentication to reduce dependency on expiring secrets.
Security Notes
- No local storage of certificates – S/MIME certificates are loaded from Entra ID on demand and are not permanently stored in Conbool.
- Audit trail – All changes to the Entra ID configuration (activation, deactivation, credential changes) are fully logged and viewable in the audit log.
- Principle of least privilege – Grant the App Registration only the Graph API permissions that are actually needed.
- Prefer certificate-based authentication – Avoid client secrets in production environments. Certificates provide a higher security level since no shared secret is transmitted.
- Regular review – Regularly check the granted permissions in the Azure Portal enterprise application and remove access that is no longer needed.
- Webhook security – Change notifications are received and validated via secured HTTPS endpoints.
Further Documentation
- Integrations Overview – Overview of all available integrations.
- Placeholders – Using user attributes such as
{user.department}in disclaimers and templates. - Groups – Group management and using synchronized groups in policies.