Microsoft App Registration setup
Driftmark connects to a Microsoft tenant by using an application registration with Microsoft Graph application permissions. This is the recommended setup when Driftmark runs scheduled snapshots and reports without an interactive user present.
Before you start
You need:
- access to the Microsoft Entra admin center for the tenant you want to monitor
- permission to create or manage app registrations
- permission to grant admin consent for Microsoft Graph application permissions (for Graph application permissions this means Global Administrator or Privileged Role Administrator; Application Administrator is not sufficient)
Related Microsoft documentation:
- Register an application in Microsoft Entra ID
- Update an app’s requested permissions
- Request application permissions and admin consent
1. Create the app registration
In the Microsoft Entra admin center:
- Go to Entra ID -> App registrations.
- Select New registration.
- Enter a name such as Driftmark - Production or Driftmark - <tenant name>.
- Leave the app as single tenant (Accounts in this organizational directory only) unless you have a very specific reason not to. A multi-tenant registration can be consented to from other tenants, which Driftmark does not need.
- Redirect URI is not required for Driftmark tenant snapshots: the app authenticates with the client credentials flow and no user ever signs in to it.
- Register the app, then copy these two values from its Overview page; you need them in step 6:
- Application (client) ID
- Directory (tenant) ID
2. Create a client secret
From the app registration:
- Open Certificates & secrets.
- Choose New client secret.
- Add a description and an expiration period that matches your security policy; pick the shortest period your rotation process can support.
- Save it and copy the secret value immediately. The value is shown only once, and the Secret ID column is not the secret. Store the value in your secret manager, not in a ticket or chat message.
3. Add Microsoft Graph application permissions
From the app registration:
- Open API permissions.
- Select Add a permission.
- Choose Microsoft Graph.
- Choose Application permissions (not Delegated permissions; there is no signed-in user).
- Add the minimum required permission:
Organization.Read.All
This is the only permission Driftmark needs to validate and connect a tenant; the template you select adds more in the next step.
4. Add permissions required by your selected Driftmark template
Driftmark templates determine which configuration areas are collected. Each enabled control can require additional Graph application permissions. The minimum permission required to integrate Driftmark with your tenant is Organization.Read.All.
Other permissions commonly needed for Driftmark snapshots include, but are not limited to:
User.Read.All
Group.Read.All
Directory.Read.All
Application.Read.All
Policy.Read.All
EntitlementManagement.Read.All
RoleManagement.Read.Directory
The exact required set depends on which controls are enabled in the selected template. Add only those: every permission in this list is tenant-wide and usable by anyone who holds the client secret.
5. Grant admin consent
After adding permissions:
- Stay on API permissions.
- Select Grant admin consent for <tenant name>.
- Confirm the consent action.
- Refresh the page and verify that the Status column shows Granted for <tenant name> on every permission.
6. Add the tenant in Driftmark
In Driftmark:
- Go to Settings -> Integrations -> Microsoft.
- Choose Add tenant.
- Enter:
- Tenant ID
- Client ID
- Client Secret
- optional label
- Save the connection.
Minimum permissions vs full monitoring
Minimum connection permission
At minimum, Driftmark needs:
Organization.Read.All
Additional permissions for broader monitoring
To collect more than basic organization data, add the permissions required by the controls in your selected template. Examples:
- Directory controls: User.Read.All, Group.Read.All
- Identity and access controls: Directory.Read.All, User.Read.All
- Applications controls: Application.Read.All
- Security settings controls: Policy.Read.All
Recommended operational model
For production, use:
- one dedicated app registration per monitored tenant, so one leaked secret exposes one tenant
- a clear naming convention
- a defined secret rotation process
- templates that match your actual review scope
This makes it easier to:
- rotate secrets safely
- audit permissions
- isolate tenant-specific failures
Troubleshooting
Connection validation fails
Check:
- tenant ID, client ID, and client secret are correct
- the secret value was copied, not the secret ID
- the secret has not expired
- admin consent was granted (the Status column shows Granted, not Not granted)
- the app has at least Organization.Read.All, added as an application permission rather than a delegated one
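The checks above can be run from the command line instead of by reading the portal. The script below is an added example, not Driftmark's own code: it performs the client credentials grant that Driftmark itself uses against the v2.0 token endpoint of login.microsoftonline.com, then reads the roles claim of the returned access token, which lists exactly the Graph application permissions that have been admin-consented. The TEMPLATE_PERMISSIONS map is an assumption built from the examples on this page (take the real set from your template), and the TENANT_ID, CLIENT_ID and CLIENT_SECRET environment variable names are this example's choice. Without those variables it runs offline against a constructed, unsigned sample token.

```python
"""Verify a Driftmark app registration from the command line (added example)."""
import base64
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

GRAPH_SCOPE = "https://graph.microsoft.com/.default"
MINIMUM_PERMISSION = "Organization.Read.All"

# Assumed mapping of Driftmark template areas to Graph application permissions,
# built from the examples on this page; adjust it to the template you enabled.
TEMPLATE_PERMISSIONS = {
    "minimum": {MINIMUM_PERMISSION},
    "directory": {MINIMUM_PERMISSION, "User.Read.All", "Group.Read.All"},
    "identity": {MINIMUM_PERMISSION, "Directory.Read.All", "User.Read.All"},
    "applications": {MINIMUM_PERMISSION, "Application.Read.All"},
    "security": {MINIMUM_PERMISSION, "Policy.Read.All"},
}


def token_endpoint(tenant_id: str) -> str:
    """v2.0 token endpoint for a single-tenant app: use the tenant ID, not 'common'."""
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def token_request_body(client_id: str, client_secret: str) -> bytes:
    """Form body for the client credentials grant requesting Graph's .default scope."""
    return urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
        "grant_type": "client_credentials",
    }).encode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_roles(access_token: str) -> list[str]:
    """Return the application permissions (app roles) carried by the token.

    Only the payload is read; the signature is deliberately not verified here,
    because the token is our own and Graph verifies it on use. An empty list
    means no application permission has been admin-consented for this app.
    """
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    return sorted(payload.get("roles", []))


def missing_permissions(granted, template: str) -> list[str]:
    """Permissions the template needs that the token does not carry."""
    return sorted(TEMPLATE_PERMISSIONS[template] - set(granted))


def make_sample_token(roles) -> str:
    """Constructed, unsigned token used only for offline demonstration and tests."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = seg({"alg": "none", "typ": "JWT"})
    payload = seg({"aud": "https://graph.microsoft.com", "roles": list(roles)})
    return f"{header}.{payload}."


def fetch_access_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Run the client credentials grant; exits with Entra's error text on failure."""
    req = urllib.request.Request(token_endpoint(tenant_id),
                                 data=token_request_body(client_id, client_secret))
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)["access_token"]
    except urllib.error.HTTPError as exc:
        body = exc.read().decode(errors="replace")
        try:
            body = json.loads(body).get("error_description", body)
        except ValueError:
            pass
        # AADSTS7000215 means a wrong secret (typically the Secret ID was pasted
        # instead of the value); AADSTS700016 means the client ID is not in this tenant.
        raise SystemExit(f"token request failed: {body}")


if __name__ == "__main__":
    template = sys.argv[1] if len(sys.argv) > 1 else "minimum"
    env = os.environ
    if all(k in env for k in ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET")):
        token = fetch_access_token(env["TENANT_ID"], env["CLIENT_ID"], env["CLIENT_SECRET"])
    else:
        # No credentials in the environment: demonstrate on a constructed token.
        token = make_sample_token([MINIMUM_PERMISSION, "User.Read.All"])
    granted = decode_roles(token)
    missing = missing_permissions(granted, template)
    print("granted application permissions:", granted)
    print(f"missing for template '{template}':", missing or "none")
    sys.exit(1 if missing else 0)
```

Run it as `python check_app.py directory` with the three variables exported. A successful token request with an empty roles list is the signature of step 5 having been skipped: the credentials are right, but nothing was consented, and the Driftmark connection will fail on its first Graph call rather than at the token step.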