Connect Microsoft Entra ID to Porcia
Connect your Microsoft Entra ID (formerly Azure AD) to automatically discover all applications your team accesses via Microsoft SSO.

Prerequisites
- Microsoft Entra ID (Azure AD) tenant
- Global Administrator privileges
- 5-10 minutes for setup
You need Global Administrator access to grant the necessary permissions. If you don’t have admin access, ask your IT administrator to set this up.
What Porcia Will Discover
Once connected, Porcia will discover:

Enterprise Applications
All enterprise applications configured in Entra ID
App Registrations
Custom applications and API integrations
User Assignments
Which team members have access to each application
Sign-in Activity
Login frequency and usage analytics
Step-by-Step Setup
Review Privacy Notice
A privacy notice will appear explaining exactly what data Porcia collects (app names, user principal names, sign-in timestamps, app permissions). You must check two acknowledgement boxes and click Accept & Continue to proceed.
Sign in with Admin Account
You’ll be redirected to Microsoft’s sign-in page. Important: Sign in with your Global Administrator account.
Review Permissions
Microsoft will show the permissions Porcia is requesting:

Microsoft Graph API:
- Read all users’ full profiles
- Read directory data
- Read all applications
- Read audit log data
- Read all users’ sign-in activity
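The permissions above are granted to Porcia's service principal as Microsoft Graph application roles. A tenant admin can confirm that nothing beyond the documented read-only set was consented by pulling the app's role assignments and resolving them against Graph's role catalogue. The following is an added example, not Porcia's code: it processes the shape of two Microsoft Graph responses (`GET /servicePrincipals/{id}?$select=appRoles` for the Graph catalogue and `GET /servicePrincipals/{id}/appRoleAssignments` for the grants), the sample bodies and role ids are constructed placeholders, and the mapping of the display names on this page to the permission values `User.Read.All`, `Directory.Read.All`, `Application.Read.All` and `AuditLog.Read.All` is an assumption.

```python
"""Audit the Microsoft Graph application permissions granted to an enterprise app.

Added example, not Porcia's code. The input follows the shape of two Graph responses:
  GET /servicePrincipals/{graph-sp-id}?$select=appRoles   -> Graph's app-role catalogue
  GET /servicePrincipals/{app-sp-id}/appRoleAssignments   -> roles granted to the app
The sample bodies and role ids below are constructed placeholders, not real Graph ids.
"""
from typing import Dict, Iterable, List

# Constructed: a trimmed Microsoft Graph appRoles catalogue (id -> permission value).
GRAPH_APP_ROLES: List[Dict[str, str]] = [
    {"id": "00000000-0000-0000-0000-000000000001", "value": "User.Read.All"},
    {"id": "00000000-0000-0000-0000-000000000002", "value": "Directory.Read.All"},
    {"id": "00000000-0000-0000-0000-000000000003", "value": "Application.Read.All"},
    {"id": "00000000-0000-0000-0000-000000000004", "value": "AuditLog.Read.All"},
    {"id": "00000000-0000-0000-0000-000000000005", "value": "Directory.ReadWrite.All"},
    {"id": "00000000-0000-0000-0000-000000000006", "value": "Mail.Read"},
]

# Assumed permission values for the display names listed in the setup step.
DOCUMENTED_ALLOWLIST = frozenset({
    "User.Read.All", "Directory.Read.All", "Application.Read.All", "AuditLog.Read.All",
})


def resolve_granted_roles(assignments: Iterable[dict], app_roles: Iterable[dict]) -> List[str]:
    """Map each appRoleAssignment's appRoleId to its permission value.

    Ids missing from the catalogue are kept as the raw id so they still get
    reviewed instead of being silently dropped.
    """
    catalogue = {role["id"]: role["value"] for role in app_roles}
    return sorted(catalogue.get(a["appRoleId"], a["appRoleId"]) for a in assignments)


def is_write_capable(permission: str) -> bool:
    """Heuristic: Graph names scopes that can change state with ReadWrite, Write or Manage."""
    return any(token in permission for token in ("ReadWrite", ".Write", "Manage"))


def audit_grants(assignments, app_roles=GRAPH_APP_ROLES, allowlist=DOCUMENTED_ALLOWLIST) -> dict:
    """Compare the resolved grants with the documented read-only allowlist."""
    granted = resolve_granted_roles(assignments, app_roles)
    unexpected = sorted(p for p in granted if p not in allowlist)
    write_capable = sorted(p for p in granted if is_write_capable(p))
    return {
        "granted": granted,
        "unexpected": unexpected,          # anything not on this page's list
        "write_capable": write_capable,    # contradicts the read-only claim
        "ok": not unexpected and not write_capable,
    }


def build_assignments(*role_ids: str) -> List[dict]:
    """Build constructed appRoleAssignment records for the given role ids."""
    return [{"appRoleId": rid, "principalDisplayName": "Porcia (constructed)"} for rid in role_ids]


if __name__ == "__main__":
    documented = build_assignments(*[r["id"] for r in GRAPH_APP_ROLES[:4]])
    print("documented set:", audit_grants(documented))
    over_privileged = build_assignments(*[r["id"] for r in GRAPH_APP_ROLES])
    print("over-privileged:", audit_grants(over_privileged))
```

Run it after consent and again on a schedule: a non-empty `unexpected` or `write_capable` list means the grant drifted from what this page documents and is worth a second look before the sync continues.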
Wait for Initial Sync
You’ll be redirected back to Porcia. The initial sync will begin automatically and takes 5-10 minutes.

Porcia will:
- Discover all enterprise applications
- Map user assignments and roles
- Analyze recent sign-in activity
- Match applications to vendor database
Permissions Explained
What We Can Access
Directory Data (Read-Only):
- ✅ User profiles (name, email, department)
- ✅ Group memberships
- ✅ Organizational structure
- ✅ User status and licenses
- ✅ Enterprise applications catalog
- ✅ App registrations and configurations
- ✅ User assignments to applications
- ✅ Application roles and permissions
- ✅ Sign-in logs and events
- ✅ Application usage statistics
- ✅ Audit logs for app access
- ✅ Conditional access policy results
What We CANNOT Do
- ❌ Modify users - We never add, remove, or change users
- ❌ Change app assignments - We never modify who has access to what
- ❌ Access user data - We never read emails, files, or personal data
- ❌ Modify applications - We never change app configurations
- ❌ Create resources - We never create new apps or users
All permissions are read-only. Porcia cannot make any changes to your Microsoft Entra ID configuration.
What Gets Discovered
Enterprise Applications
Examples of apps Porcia will find:
- Salesforce
- ServiceNow
- Slack
- Zoom
- Adobe Creative Cloud
- AWS SSO
- Google Workspace (if configured)

For each enterprise application, Porcia records:
- Application name and logo
- Vendor identification
- User assignments and roles
- Sign-in frequency
- Last access date
- Conditional access policies
App Registrations
Examples of custom apps:
- Internal company applications
- Custom API integrations
- Power Platform apps
- Third-party integrations

For each app registration, Porcia records:
- Application name and type
- API permissions granted
- User consent status
- Usage frequency
User Access Patterns
Analytics Porcia provides:
- Most used applications by team
- Unused application licenses
- Sign-in frequency distribution
- Failed sign-in attempts
- Conditional access policy impacts
- Shadow IT detection
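The analytics above are derived from the tenant's sign-in log. The following added example, which is not Porcia's code, shows how three of them (most used applications, unused assigned applications, failed sign-in attempts) are computed from sign-in records. The records use the field names of Microsoft Graph's `/auditLogs/signIns` resource (`userPrincipalName`, `appDisplayName`, `createdDateTime`, `status.errorCode`), but the events themselves and the list of assigned applications are constructed sample data.

```python
"""Sign-in log analytics over constructed Entra ID sign-in records (added example, not Porcia's code).

Field names follow Microsoft Graph's /auditLogs/signIns resource; the events and the
assigned-application list are constructed for illustration.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Set

# Constructed sample events. A status.errorCode of 0 is a successful sign-in; any other value is a failure.
SIGNINS: List[dict] = [
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Salesforce",
     "createdDateTime": "2024-05-01T08:00:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Salesforce",
     "createdDateTime": "2024-05-02T09:30:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Slack",
     "createdDateTime": "2024-05-03T10:15:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "appDisplayName": "Slack",
     "createdDateTime": "2024-05-03T10:20:00Z",
     "status": {"errorCode": 50126, "failureReason": "Invalid username or password"}},
    {"userPrincipalName": "dave@example.com", "appDisplayName": "Zoom",
     "createdDateTime": "2024-03-01T12:00:00Z", "status": {"errorCode": 0}},
]

# Constructed: applications that have at least one user assignment in the tenant.
ASSIGNED_APPS: Set[str] = {"Salesforce", "Slack", "Zoom", "ServiceNow"}


def parse_time(value: str) -> datetime:
    """Parse Graph's ISO-8601 UTC timestamp (trailing 'Z') into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def successful_in_window(records: Iterable[dict], since: datetime) -> List[dict]:
    """Successful sign-ins at or after the cutoff."""
    return [r for r in records
            if r["status"]["errorCode"] == 0 and parse_time(r["createdDateTime"]) >= since]


def app_usage(records: Iterable[dict], since: datetime) -> Dict[str, int]:
    """Successful sign-ins per application in the window, most used first."""
    counts = Counter(r["appDisplayName"] for r in successful_in_window(records, since))
    return dict(counts.most_common())


def unused_apps(assigned: Set[str], records: Iterable[dict], since: datetime) -> List[str]:
    """Assigned apps with no successful sign-in in the window: licence-reclaim candidates."""
    used = {r["appDisplayName"] for r in successful_in_window(records, since)}
    return sorted(assigned - used)


def failed_signins(records: Iterable[dict]) -> List[dict]:
    """Events whose errorCode is non-zero (the failed-sign-in attempts analytic)."""
    return [r for r in records if r["status"]["errorCode"] != 0]


def report(records: List[dict], assigned: Set[str], as_of: str, window_days: int = 30) -> dict:
    """Build the three analytics for the window ending at as_of (ISO-8601 UTC)."""
    since = parse_time(as_of) - timedelta(days=window_days)
    return {
        "usage": app_usage(records, since),
        "unused": unused_apps(assigned, records, since),
        "failed": len(failed_signins(records)),
    }


if __name__ == "__main__":
    print(report(SIGNINS, ASSIGNED_APPS, "2024-05-15T00:00:00Z"))
```

Zoom appears as unused because its only sign-in falls outside the 30-day window, which is the same reason the table later on this page matters: a tenant whose sign-in log retention is shorter than the window will report more apps as unused than actually are.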
Troubleshooting
Connection Failed
Error: “AADSTS50105: The signed in user is not assigned to a role for the application”
- Ensure you’re signing in with a Global Administrator account
  - Check that the admin account has the necessary privileges
  - Try using a different Global Admin account
- Your organization may require admin pre-approval
  - Contact your Global Administrator
  - They may need to pre-approve Porcia in the Azure portal
- Ensure you’re signing in to the correct tenant
  - Check the tenant ID in the URL
  - Use the correct organizational account
Pre-approve Porcia in Azure Portal
If your organization requires pre-approval:
- Go to Azure Portal → Azure Active Directory → Enterprise applications
- Click New application → Create your own application
- Enter “Porcia” as the application name
- Select Integrate any other application you don’t find in the gallery
- Click Create
- Go to Properties and set User assignment required as needed
- Go to Users and groups to assign users
- Go to Permissions and grant admin consent
No Applications Discovered
If no applications appear after sync:
- Wait longer - Large organizations can take 15-20 minutes for initial sync
- Check enterprise apps - Verify your organization has enterprise applications configured
- Verify admin permissions - Ensure the connected account has Global Administrator role
- Check API permissions - Verify all required Graph API permissions are granted
Sync Stopped Working
If sync stops after working initially:
- Check connection status - Go to Settings → Integrations → SSO
- Reconnect if needed - Click Reconnect if status shows “Disconnected”
- Check token expiration - OAuth tokens may expire; reconnect to refresh
- Check admin account - Verify the admin account is still active and has permissions
Need Help? Check our FAQ or contact support@porcia.org for SSO troubleshooting assistance.
Azure Portal Management
Viewing Connected Apps
To see all apps in your Entra ID:
- Go to Azure Portal → Azure Active Directory → Enterprise applications
- View All applications
- Filter by Application type or Assignment required
Managing App Access
To control app access:
- Go to Azure Portal → Azure Active Directory → Enterprise applications
- Select an application
- Go to Users and groups to manage assignments
- Go to Conditional Access to set access policies
Sign-in Logs
To view sign-in activity:
- Go to Azure Portal → Azure Active Directory → Sign-ins
- Filter by Application, User, or Date range
- View detailed sign-in events and errors
Audit Logs
To view audit logs:
- Go to Azure Portal → Azure Active Directory → Audit logs
- Filter by Service (Application Management)
- View application-related changes and events
Microsoft 365 vs Azure AD
Porcia works with both Microsoft 365 and standalone Azure AD:

| Feature | Microsoft 365 | Azure AD Free | Azure AD Premium |
|---|---|---|---|
| Enterprise Apps | ✅ Full access | ✅ Full access | ✅ Full access |
| Sign-in Logs | ✅ 30 days | ❌ Limited | ✅ 30 days |
| Audit Logs | ✅ 90 days | ❌ Limited | ✅ 90 days |
| Conditional Access | ✅ Available | ❌ Not available | ✅ Available |
| Advanced Analytics | ✅ Available | ❌ Limited | ✅ Available |
Data Sync Frequency
Initial Sync:
- Complete enterprise applications catalog
- All user assignments and roles
- 30 days of sign-in history (if available)
- Audit logs for application changes

Ongoing Sync:
- Applications: Daily (new apps, configuration changes)
- User assignments: Daily (new assignments, role changes)
- Sign-in data: Daily (login events, activity)
- Audit data: Daily (configuration changes)
Privacy & Security
Data Storage
- User directory - Names, emails, departments (encrypted)
- Application catalog - App names, logos, configurations
- Sign-in analytics - Login events, frequency (anonymized in reports)
- Access patterns - User-to-app relationships
Data Protection
- Encryption - AES-256 at rest, TLS 1.3 in transit
- Access control - Only workspace admins can view detailed user data
- Audit logs - Complete audit trail of all sync activity
- Token security - OAuth tokens stored securely with encryption at rest
Compliance
- Data privacy - Right to access, delete, and export data (GDPR compliance in progress)
- Microsoft Security - Follows Microsoft’s security best practices
- Zero Trust - Compatible with Zero Trust security models
Security: Porcia follows industry-standard security practices including end-to-end encryption and role-based access control. Full security documentation coming soon.
Disconnecting Microsoft Entra
To disconnect your Microsoft Entra ID:
- Go to Settings → Integrations → SSO
- Find Microsoft Entra connection
- Click Disconnect
- Confirm disconnection
Disconnecting will stop new application discovery and usage tracking. Historical data will be preserved unless you choose to delete it.
Revoke Access in Azure
To completely revoke Porcia’s access:
- Go to Azure Portal → Azure Active Directory → Enterprise applications
- Find “Porcia” in the applications list
- Click Delete or go to Properties and disable
- Alternatively, go to App registrations and delete the registration
Common Integration Scenarios
Scenario 1: Hybrid Environment
Setup: Using both on-premises AD and Azure AD
- Connect Azure AD to Porcia for cloud applications
- On-premises applications won’t be discovered (cloud-only)
- Consider Azure AD Connect for unified identity
Scenario 2: Multiple Tenants
Setup: Multiple Azure AD tenants (e.g., after acquisition)
- Connect each tenant separately to Porcia
- Porcia will show applications from all connected tenants
- Useful for consolidation planning
Scenario 3: B2B Collaboration
Setup: External users accessing your applications
- Porcia discovers applications but filters external users
- Focus on internal user access patterns
- External user activity available in detailed logs