Overview
Torii integrates with Microsoft Entra ID and syncs:
- User list
- 3rd party application list
- 3rd party permissions
- Usage Data
Prerequisites
Accounts & permissions
- You are required to have an Administrator role.
- For Torii to pull sign-in info from Microsoft Entra ID, it requires you to have a Premium 1 license (P1). Without this license, Torii will not be able to retrieve information about the SaaS applications connected to your Microsoft Entra ID.
- The user who connects Microsoft Entra ID to Torii should have a P1 license. That should cost around $6/month.
Scopes
- To connect Torii with minimum Read permissions:
  - auditlog.read.all
  - directory.read.all
  - user.read
  - user.read.all
  - user.readbasic.all
- Additionally, to enable Microsoft Entra ID actions, Torii requires:
  - Group.ReadWrite.All
  - User.ReadWrite.All
  - User.EnableDisableAccount.All
  - UserAuthenticationMethod.ReadWrite.All
  - user_impersonation (for PowerShell actions)
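To check, once the integration is connected, that the scopes consented for Torii match the lists above and the permission type you chose, the following added example (not Torii's or Microsoft's code) compares an export of Microsoft Graph `oauth2PermissionGrants` against them. It assumes the consent is recorded as delegated permission grants; the function names, the mode labels and the ids in the sample are hypothetical.

```python
# Scope names are copied from the lists on this page. Comparison is
# case-insensitive because the page mixes lower and mixed case.
READ_SCOPES = {"auditlog.read.all", "directory.read.all", "user.read",
               "user.read.all", "user.readbasic.all"}
ACTION_SCOPES = {"group.readwrite.all", "user.readwrite.all",
                 "user.enabledisableaccount.all",
                 "userauthenticationmethod.readwrite.all",
                 "user_impersonation"}

def granted_scopes(grants, client_id):
    """Union of delegated scopes across every grant held by one service principal."""
    scopes = set()
    for g in grants:
        if g.get("clientId") == client_id:
            # `scope` is a space-separated string, sometimes with a leading space
            scopes.update(s.lower() for s in (g.get("scope") or "").split())
    return scopes

def audit(grants, client_id, mode):
    """mode: 'read' or 'read_and_act' (hypothetical labels for the two permission types)."""
    if mode not in ("read", "read_and_act"):
        raise ValueError(f"unknown mode: {mode}")
    expected = READ_SCOPES | (ACTION_SCOPES if mode == "read_and_act" else set())
    granted = granted_scopes(grants, client_id)
    extra = granted - expected
    return {
        "missing": sorted(expected - granted),
        "unexpected": sorted(extra),  # granted, but not on this page's lists
        # action-list scopes present on a connection meant to be read-only
        "write_in_read_mode": sorted(extra & ACTION_SCOPES) if mode == "read" else [],
    }

# Constructed sample shaped like the `value` array returned by
# GET /v1.0/oauth2PermissionGrants; all ids are placeholders.
SAMPLE = [
    {"clientId": "TORII-SP-OBJECT-ID", "consentType": "Principal",
     "resourceId": "GRAPH-SP-OBJECT-ID",
     "scope": " AuditLog.Read.All Directory.Read.All User.Read User.Read.All "
              "User.ReadWrite.All offline_access"},
    {"clientId": "OTHER-APP", "consentType": "AllPrincipals",
     "resourceId": "GRAPH-SP-OBJECT-ID", "scope": "Mail.Read"},
]

if __name__ == "__main__":
    print(audit(SAMPLE, "TORII-SP-OBJECT-ID", "read"))
```

A non-empty `write_in_read_mode` list means the connection holds action scopes even though Read was selected, which is worth reviewing before leaving the integration in place.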
Prerequisites Technical instructions
Create a new Service Account in Microsoft Entra ID
Go to Users to assign Administrative Roles to the service
- Select Assigned roles

Click on Add assignments to add the roles
- Read permissions - To connect Torii with minimum Read permissions, Microsoft Entra ID requires the following roles: Application Administrator or Global Reader
- Get usage permissions - to allow Torii to get and show usage, you will have to enable one of the following roles:
  - Global Reader
  - Reports Reader
  - Security Administrator
  - Security Operator
  - Security Reader
  - Global Administrator (less recommended)
- Read and take actions permissions - to allow Torii to take actions, Microsoft Entra ID requires the following roles:
  1. User Administrator (handle users and groups)
  2. Authentication Administrator (handle password changes and session management)
- Read and take actions permissions including PowerShell actions - To provide Torii full permissions that will enable you to have a comprehensive user and usage view, select the Global Administrator role. There is no way to choose less privileged permissions in this case due to Microsoft limitations.

Connect Microsoft Entra ID integration to Torii
Go to the Integrations page and select the Microsoft Entra ID tile
Connect to Microsoft Entra ID
In Connect Microsoft Entra ID select the permission type (Read or Read and Take action)
Click Connect
- Use the service user you created to connect the integration.

Purchasing Microsoft Entra ID P1 license
Sign in to the Microsoft consumer portal (https://portal.office.com/AdminPortal) and navigate to Billing -> Purchase services.
Look for the "Microsoft Entra ID Premium P1" or "Azure Active Directory Premium P1" license. Purchase one license, and assign it to the relevant user (presumably you).
Please note that you only need to purchase one license, which should be assigned to the user connecting Entra ID to Torii.
Q&A
Q: Which Microsoft Entra ID groups will be shown in Torii?
A: The "Microsoft 365" and "Security" groups are the only group types that will be shown, due to a limitation of the Microsoft Graph API.
Q: How can I update non-standard or advanced user fields via actions?
A: Use the Custom Attributes field in the action to pass additional key–value pairs (strings, arrays, JSON objects, etc.) to the target app. See the detailed setup guide: Custom Attributes configuration.