Overview
The Microsoft Entra ID integration (formerly Azure Active Directory) connects to your Microsoft 365 tenant to collect identity and access management evidence for compliance controls.
Evidence collected automatically:
- User list with roles, licenses, and last sign-in
- MFA registration and enforcement status per user
- Conditional Access policy configuration
- Privileged role assignments (Global Admins, Security Admins)
- Guest user accounts and their access
- Risky sign-ins detected by Entra ID Protection
- Self-service password reset (SSPR) configuration
- Sign-in and audit logs summary
Prerequisites
- Microsoft Entra ID (Azure AD) tenant — included with Microsoft 365 Business or Enterprise plans
- Matproof Admin or Owner role
- Microsoft 365 Global Administrator account to authorize the connection
After initial authorization, Global Admin rights are not needed for ongoing evidence collection. Matproof uses the Microsoft Graph API with application permissions scoped to read-only directory and audit data.
Connecting Microsoft Entra ID
1. Go to Settings → Integrations
2. Click Connect next to Microsoft Entra ID / Azure AD
3. Sign in with a Global Administrator Microsoft 365 account
4. Review and grant the requested application permissions (admin consent required)
5. Return to Matproof — the integration status will show Connected
The first sync runs immediately. Subsequent syncs run every 24 hours.
Permissions Requested
Matproof registers an application in your Entra ID tenant with the following Microsoft Graph permissions (all read-only, application-level):
| Permission | What It’s Used For |
|---|---|
| User.Read.All | User list, MFA status, last sign-in |
| Directory.Read.All | Group memberships, role assignments |
| AuditLog.Read.All | Sign-in logs and audit events |
| Policy.Read.All | Conditional Access policy configuration |
| IdentityRiskyUser.Read.All | Risky user detections from Entra ID Protection |
What Gets Mapped to Which Controls
| Evidence Collected | Control Examples |
|---|---|
| MFA registration rate | MFA controls (SOC 2 CC6.1, DORA Art. 9, NIS2 Measure 10) |
| Conditional Access — MFA required | Conditional access controls |
| Global Admin count (should be ≤ 5) | Privileged access management |
| Guest user access review | Third-party and external access controls |
| Risky sign-ins detected and responded to | Threat detection and incident controls |
| SSPR enabled | Account self-service controls |
Conditional Access
Matproof evaluates your Conditional Access policies and reports whether they cover the key scenarios compliance frameworks care about:
| Scenario | What Matproof Checks |
|---|---|
| MFA for all users | CA policy requiring MFA applies to “All users” |
| MFA for admins | Privileged role members required to use MFA |
| Block legacy authentication | CA policy blocking legacy auth protocols (IMAP, POP, basic auth) |
| Compliant device required | CA policy requires device compliance for sensitive apps |
Policies in Report-only mode are shown but do not count as implemented controls; a policy must be in the Enabled state to count.
Legacy authentication blocking is a quick win that addresses a very common attack vector. If your tenant still allows it, Matproof will flag this and you can fix it in one Conditional Access policy.
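As an added example (not Matproof's code), the following Python classifies Microsoft Graph conditionalAccessPolicy objects for two of the scenarios above and applies the Report-only rule: a report-only policy is surfaced, but only an Enabled policy counts as implemented. Field names (`state`, `conditions.clientAppTypes`, `grantControls.builtInControls`) follow the Graph schema; the sample policies are constructed.

```python
ENABLED = "enabled"
REPORT_ONLY = "enabledForReportingButNotEnforced"
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}  # Graph's legacy-auth client app types

def _cond(policy, *path):  # policy['conditions'][path...] as a set, empty if absent
    node = policy.get("conditions") or {}
    for key in path:
        node = (node or {}).get(key)
    return set(node or [])

def _controls(policy):
    return set((policy.get("grantControls") or {}).get("builtInControls") or [])

def requires_mfa_for_all_users(policy):
    """Enabled policy with the MFA grant control scoped to 'All' users and 'All' cloud apps."""
    return (policy.get("state") == ENABLED
            and "All" in _cond(policy, "users", "includeUsers")
            and "All" in _cond(policy, "applications", "includeApplications")
            and "mfa" in _controls(policy))

def blocks_legacy_auth(policy):
    """Enabled policy with the block control targeting both legacy client app types."""
    return (policy.get("state") == ENABLED
            and LEGACY_CLIENT_TYPES <= _cond(policy, "clientAppTypes")
            and "block" in _controls(policy))

def evaluate(policies):
    """Map scenario -> 'implemented' | 'report-only' | 'missing'; report-only never counts as implemented."""
    checks = {"MFA for all users": requires_mfa_for_all_users,
              "Block legacy authentication": blocks_legacy_auth}
    results = {}
    for scenario, check in checks.items():
        if any(check(p) for p in policies):
            results[scenario] = "implemented"
        elif any(check({**p, "state": ENABLED}) for p in policies if p.get("state") == REPORT_ONLY):
            results[scenario] = "report-only"  # would pass if switched from Report-only to Enabled
        else:
            results[scenario] = "missing"
    return results

SAMPLE_POLICIES = [  # constructed sample data, not a real tenant export
    {"displayName": "Require MFA for all users", "state": ENABLED,
     "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication", "state": REPORT_ONLY,
     "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]
```

Running `evaluate(SAMPLE_POLICIES)` reports the MFA scenario as implemented and legacy-auth blocking as report-only, matching how the page says Report-only policies are treated.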
Privileged Role Monitoring
Matproof tracks all users assigned to privileged Entra ID roles:
- Global Administrator
- Security Administrator
- Exchange Administrator
- SharePoint Administrator
- User Administrator
- Privileged Role Administrator
For each role, it reports how many members are assigned, when their assignment was last reviewed, and whether they have MFA enrolled. Compliance frameworks typically require ≤5 Global Admins and Just-in-Time (JIT) assignment via PIM where possible.
Common Issues
“Admin consent failed”
The person authorizing must be a Global Administrator — not a user with delegated admin permissions. Application permissions require Global Admin consent.
“MFA stats don’t match what I see in the Entra portal”
Matproof reports MFA registration (user has registered a method) separately from MFA enforcement (Conditional Access requires MFA at sign-in). A user can be registered but not enforced — both metrics are shown.
Dismissed risks in Entra ID Protection are reflected in the next sync (within 24 hours). If they still appear, check that the dismissal was confirmed in the Entra portal under Protection → Risky users.
Disconnecting
Go to Settings → Integrations → Microsoft Entra ID → Disconnect. Also remove the Matproof enterprise application from your Entra ID tenant under Enterprise applications to fully revoke access.