You must have at least Application Developer permissions in your Azure account to register applications in Microsoft Entra ID. A Global Administrator must grant admin consent for the required directory permissions.

Register Your Application in Microsoft Entra ID

To connect Microsoft Entra ID with StackOne, you need to register an application in Microsoft Entra ID to obtain OAuth 2.0 credentials.

1. Sign in to Microsoft Entra Admin Center

Sign in to the Microsoft Entra admin center as at least an Application Developer. If you have access to multiple tenants, click the Settings (gear) icon in the top-right corner, then select the desired tenant from the list under Directory + subscription.

2. Create a New App Registration

From the left sidebar, go to App registrations and click on New registration.

  • Enter a meaningful Name for your app (e.g., StackOne Entra ID Integration).
  • Under Supported account types, select the appropriate option. Choose Accounts in any organizational directory for multi-tenant access or Accounts in this organizational directory only for single-tenant.
  • Select Register to create the app registration.

3. Copy the Application (Client) ID

After registration, you’ll be directed to the application’s Overview page. Copy the Application (client) ID value and store it securely for use later.

Configure Redirect URI

Set up the OAuth 2.0 callback URL to enable authentication flow between StackOne and Microsoft Entra ID.

1. Navigate to Authentication Settings

From your app’s Overview page, select Authentication (Preview) from the left menu under Manage. If you are using the older UI, this may appear as Authentication.

2. Set the Redirect URI

Under Redirect URI configuration, click Add Redirect URI, select Web, enter the StackOne OAuth callback URL, and click Configure.

  • Redirect URI: https://api.stackone.com/connect/oauth2/microsoftentraid/callback
  • Note: If you are using the older UI, under Platform configurations click Add a platform, select Web, enter the URI above, and click Configure.

Configure API Permissions

Grant your application the necessary Microsoft Graph API permissions. Add the scopes based on the permission type (Delegated or Application) and the resources your integration needs.

1. Open API Permissions

From the left menu under Manage, select API permissions.

2. Add Delegated Permissions

Enables actions: Add App Role Assignment To Service Principal, Add Directory Role Member, Add Group Member, Assign App Role To User, Create Application, Create Conditional Access Policy, Create Country Named Location, Create Domain, Create Group, Create IP Named Location, Create OAuth2 Permission Grant, Create Service Principal, Create User, Delete Application, Delete Conditional Access Policy, Delete Device, Delete Domain, Delete Group, Delete Named Location, Delete OAuth2 Permission Grant, Delete Service Principal, Delete User, Get Application, Get Conditional Access Policy, Get Device, Get Directory Role, Get Domain, Get Group, Get Named Location, Get OAuth2 Permission Grant, Get Organization, Get Service Principal, Get User, List Applications, List Conditional Access Policies, List Device Group Memberships, List Device Registered Owners, List Device Registered Users, List Devices, List Directory Role Members, List Directory Roles, List Domain Service Configuration Records, List Domain Verification DNS Records, List Domains, List Group Members, List Groups, List Named Locations, List OAuth2 Permission Grants, List Organizations, List Role Templates, List Service Principal App Role Assignments, List Service Principals, List User App Role Assignments, List Users, Remove App Role Assignment From Service Principal, Remove App Role From User, Remove Directory Role Member, Remove Group Member, Update Application, Update Conditional Access Policy, Update Device, Update Group, Update OAuth2 Permission Grant, Update Organization, Update Service Principal, Update User, Verify Domain

Click Add a permission, select Microsoft Graph, then select Delegated permissions. Enable the scopes required for the resources your integration needs, then click Add permissions to save:

3. Add Application Permissions

Enables actions: Add App Role Assignment To Service Principal, Add Directory Role Member, Add Group Member, Assign App Role To User, Create Application, Create Conditional Access Policy, Create Country Named Location, Create Domain, Create Group, Create IP Named Location, Create OAuth2 Permission Grant, Create Service Principal, Create User, Delete Application, Delete Conditional Access Policy, Delete Device, Delete Domain, Delete Group, Delete Named Location, Delete OAuth2 Permission Grant, Delete Service Principal, Delete User, Get Application, Get Conditional Access Policy, Get Device, Get Directory Role, Get Domain, Get Group, Get Named Location, Get OAuth2 Permission Grant, Get Organization, Get Service Principal, Get User, List Applications, List Conditional Access Policies, List Device Group Memberships, List Device Registered Owners, List Device Registered Users, List Devices, List Directory Role Members, List Directory Roles, List Domain Service Configuration Records, List Domain Verification DNS Records, List Domains, List Group Members, List Groups, List Named Locations, List OAuth2 Permission Grants, List Organizations, List Role Templates, List Service Principal App Role Assignments, List Service Principals, List User App Role Assignments, List Users, Remove App Role Assignment From Service Principal, Remove App Role From User, Remove Directory Role Member, Remove Group Member, Update Application, Update Conditional Access Policy, Update Device, Update Group, Update OAuth2 Permission Grant, Update Organization, Update Service Principal, Update User, Verify Domain

Click Add a permission, select Microsoft Graph, then select Application permissions if your integration requires app-only access (no signed-in user). Enable the scopes required for the resources your integration needs, then click Add permissions to save:

4. Grant Admin Consent

Click Grant admin consent for [tenant name] and select Yes to consent on behalf of all users in your tenant. After granting, verify that Granted for [tenant name] appears under the Status column. A Global Administrator is required to grant consent for directory-level permissions.

Generate Client Secret

Create a client secret that will be used to authenticate your application with Microsoft Entra ID.

1. Navigate to Certificates & Secrets

From the left menu under Manage, select Certificates & secrets.

2. Create a New Client Secret

Under the Client secrets tab, click New client secret.

  • Add a Description (e.g., StackOne Entra ID Integration Secret).
  • Select an appropriate expiration period.
  • Click Add.

3. Copy the Client Secret Value

Immediately copy the Value of the newly created client secret and store it securely for use later. This value will only be shown once and cannot be retrieved again.
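
An added example, not part of the StackOne guide or StackOne's own code: a Python check that audits the app registration's exported application object (the JSON Microsoft Graph returns for it, for instance from `az ad app show --id <client-id>`) against the redirect URI, permission types and secret expiry configured above. The sample object, its placeholder GUIDs and the 30-day warning window are constructed assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Callback URL from the guide; the Graph appId is Microsoft's well-known value.
STACKONE_CALLBACK = "https://api.stackone.com/connect/oauth2/microsoftentraid/callback"
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

def _ts(value):
    # Graph timestamps are UTC ISO 8601; drop fractional seconds and the "Z".
    core = value.split(".")[0].rstrip("Z")
    return datetime.strptime(core, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def audit_app(app, now, warn_days=30):
    """Return review findings for a Graph `application` object (dict)."""
    findings = []
    uris = app.get("web", {}).get("redirectUris", [])
    if STACKONE_CALLBACK not in uris:
        findings.append("redirect: StackOne callback not registered")
    findings += [f"redirect: unexpected URI {u}" for u in uris if u != STACKONE_CALLBACK]
    if app.get("signInAudience") != "AzureADMyOrg":
        findings.append(f"audience: {app.get('signInAudience')} (confirm multi-tenant is intended)")
    for res in app.get("requiredResourceAccess", []):
        if res["resourceAppId"] != MS_GRAPH_APP_ID:
            findings.append(f"permissions: non-Graph resource {res['resourceAppId']}")
        roles = [a for a in res["resourceAccess"] if a["type"] == "Role"]  # app-only; "Scope" = delegated
        if roles:
            findings.append(f"permissions: {len(roles)} application permission(s) to review")
    for cred in app.get("passwordCredentials", []):
        name, end = cred.get("displayName") or cred.get("keyId"), _ts(cred["endDateTime"])
        if end <= now:
            findings.append(f"secret: '{name}' expired")
        elif end - now <= timedelta(days=warn_days):
            findings.append(f"secret: '{name}' expires within {warn_days} days")
    return findings

# Constructed sample, not a real tenant; all GUIDs except Graph's are placeholders.
SAMPLE = json.loads("""{
  "signInAudience": "AzureADMultipleOrgs",
  "web": {"redirectUris": ["https://api.stackone.com/connect/oauth2/microsoftentraid/callback",
                           "http://localhost:3000/callback"]},
  "requiredResourceAccess": [{"resourceAppId": "00000003-0000-0000-c000-000000000000",
    "resourceAccess": [{"id": "aaaaaaaa-0000-0000-0000-000000000001", "type": "Scope"},
                       {"id": "aaaaaaaa-0000-0000-0000-000000000002", "type": "Role"}]}],
  "passwordCredentials": [{"displayName": "StackOne Entra ID Integration Secret",
                           "endDateTime": "2025-02-01T00:00:00Z"}]
}""")

if __name__ == "__main__":
    print("\n".join(audit_app(SAMPLE, datetime(2025, 1, 15, tzinfo=timezone.utc))))
```

An empty result means the registration has only the StackOne callback, is single-tenant, requests no app-only Graph permissions and has no secret near expiry.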

Creating the StackOne Connector Profile

To create the Connector Profile in StackOne for Microsoft Entra ID:

1. Navigate to Connector Profiles

Log in to StackOne and navigate to Connector Profiles.

2. Create New Connector Profile

  • Click + Connector Profile
  • Search for and select Microsoft Entra ID
  • Select Type as OAuth 2.0 (Common)
  • Fill out the fields using details retrieved from your provider:
    • Client ID
    • Client Secret
    • Scopes (Optional)
  • (Optional) Select Actions to be enabled for this Connector Profile
  • Click Create profile

Congratulations! The new Connector Profile will now show up in your project ready to be used. You can now continue to Link Accounts for Microsoft Entra ID.