Microsoft Entra ID Support

In addition to Active Directory, Tenable Identity Exposure supports Microsoft Entra ID (formerly Azure AD or AAD) to expand the scope of identities in an organization. This capability leverages new Indicators of Exposure that focus on risks specific to Microsoft Entra ID.

To integrate Microsoft Entra ID with Tenable Identity Exposure, follow closely this on-boarding process:

  1. Have the Prerequisites

  2. Check the Permissions

  3. Configure Microsoft Entra ID settings

  4. Activate Microsoft Entra ID support

  5. Enable tenant scans


You must have a Tenable Vulnerability Management account to use the Microsoft Entra ID support feature. This account allows you to configure Tenable scans for your Microsoft Entra ID and collect the results of these scans.


The support of Microsoft Entra ID requires the collecting of data from Microsoft Entra ID such as users, groups, applications, service principals, roles, permissions, policies, logs, etc. It collects this data using Microsoft Graph API and service principal credentials following Microsoft recommendations.

  • You must sign in to Microsoft Entra ID as a user with permissions to grant tenant-wide administrator consent on Microsoft Graph, which must have the Global Administrator or Privileged Role Administrator role (or any custom role with appropriate permissions), according to Microsoft.

  • To access the configuration and data visualization for Microsoft Entra ID, your Tenable Identity Exposure user role must have the appropriate permissions. For more information, see Set Permissions for a Role.

Configure Microsoft Entra ID settings

Use the following procedures (adapted from the Microsoft Quickstart: Register an application with the Microsoft identity platform documentation) to configure all required settings in Microsoft Entra ID.

  1. After you configure all the required settings in Microsoft Entra ID:

    1. In Tenable Vulnerability Management, create a new credential of type "Microsoft Azure".

    2. Select the "Key" authentication method and enter the values that you retrieved in the previous procedure: Tenant ID, Application ID, and Client Secret.

Activate Microsoft Entra ID support

Enable tenant scans