Collect Azure AD Organizational Context data

This document explains how to collect Microsoft Entra ID (formerly Azure Active Directory) organizational context data by setting up a Google Security Operations feed using the Third Party API.

Azure AD Organizational Context provides directory information such as users, groups, and devices from your Microsoft Entra ID tenant. This is not event or log data — it is a periodic snapshot of directory state that enriches other log types in Google SecOps with identity context.

Before you begin

Ensure that you have the following prerequisites:

  • A Google SecOps instance
  • Privileged access to the Microsoft Azure portal
  • One of the following roles for granting admin consent:
    • Global Administrator - can grant consent for any permission, for any API
    • Privileged Role Administrator - can grant consent for any permission, for any API

Configure IP allowlisting

Before creating the feed, you must allowlist Google SecOps IP ranges in your Microsoft Azure network settings or Conditional Access policies.

Get Google SecOps IP ranges

  1. Go to SIEM Settings > Feeds.
  2. Click Add New Feed.
  3. Note the IP ranges displayed in the feed creation interface.
  4. Alternatively, retrieve IP ranges programmatically using the Feed Management API.

Configure Conditional Access for workload identities (if required)

If your organization uses Conditional Access policies that restrict access by location:

  1. In the Microsoft Entra admin center, go to Protection > Conditional Access > Named locations.
  2. Click + New location.
  3. Provide the following configuration details:
    • Name: Enter Google SecOps IP Ranges.
    • Mark as trusted location: Optional, based on your security policy.
    • IP ranges: Add each Google SecOps IP range in CIDR notation.
  4. Click Create.
  5. Go to Conditional Access > Policies.
  6. For any policies that apply to workload identities, configure an exclusion for the Google SecOps IP Ranges named location or the specific service principal.

Configure Microsoft Entra app registration

Create app registration

  1. Sign in to the Microsoft Entra admin center or Azure portal.
  2. Go to Identity > Applications > App registrations.
  3. Click New registration.
  4. Provide the following configuration details:
    • Name: Enter a descriptive name (for example, Google SecOps Azure AD Context Integration).
    • Supported account types: Select Accounts in this organizational directory only (Single tenant).
    • Redirect URI: Leave blank (not required for service principal authentication).
  5. Click Register.
  6. After registration, copy and save the following values:
    • Application (client) ID
    • Directory (tenant) ID

Configure API permissions

The integration requires the following Microsoft Graph application permissions to read directory objects:

  1. In the app registration, go to API permissions.
  2. Click Add a permission.
  3. Select Microsoft Graph > Application permissions.
  4. Search for and select the following permissions:
    • Directory.Read.All - Required to read directory data (users, groups, organizational structure).
    • User.Read.All - Required to read user profile data.
    • Group.Read.All - Required to read group membership data.
    • Device.Read.All - Required to read device information.
  5. Click Add permissions.
  6. Click Grant admin consent for [Your Organization].
  7. Verify that the Status column shows Granted for [Your Organization] for all permissions.

    Permission           Type          Description
    Directory.Read.All   Application   Read directory data
    User.Read.All        Application   Read all users' full profiles
    Group.Read.All       Application   Read all groups
    Device.Read.All      Application   Read all device information

Create client secret

  1. In the app registration, go to Certificates & secrets.
  2. Click New client secret.
  3. Provide the following configuration details:
    • Description: Enter a descriptive name (for example, Google SecOps Feed).
    • Expires: Select an expiration period.
  4. Click Add.
  5. Copy the client secret Value immediately.
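
A check you can run once consent is granted and the secret exists (an added example, not part of the original page or of Google's or Microsoft's tooling): request an app-only token with the client-credentials grant, then confirm that its `tid` and `roles` claims match the settings on this page. The function names, the sample token and the extra `Group.ReadWrite.All` role are constructed for illustration; the payload is decoded for inspection only, without signature verification.

```python
import base64
import json

# Application permissions this page tells you to grant ("Configure API permissions").
REQUIRED_ROLES = {"Directory.Read.All", "User.Read.All", "Group.Read.All", "Device.Read.All"}


def decode_claims(access_token: str) -> dict:
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_feed_token(access_token: str, expected_tenant_id: str) -> dict:
    """Compare the token's tenant and granted app roles with what the feed needs."""
    claims = decode_claims(access_token)
    granted = set(claims.get("roles", []))  # empty when admin consent was never granted
    return {
        "tenant_ok": claims.get("tid", "").lower() == expected_tenant_id.lower(),
        "missing": sorted(REQUIRED_ROLES - granted),  # objects the feed cannot read
        "excess": sorted(granted - REQUIRED_ROLES),   # more than this page asks for
    }


def build_constructed_token(claims: dict) -> str:
    """Build an unsigned sample token (constructed test data, not a real credential)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"


# Constructed sample: consent covers three of the four permissions, and a write
# permission was added to the app registration by mistake.
SAMPLE_TENANT = "0fc279f9-fe30-41be-97d3-abe1d7681418"  # example UUID used on this page
SAMPLE_TOKEN = build_constructed_token({
    "tid": SAMPLE_TENANT,
    "roles": ["Directory.Read.All", "User.Read.All", "Group.Read.All", "Group.ReadWrite.All"],
})

if __name__ == "__main__":
    print(audit_feed_token(SAMPLE_TOKEN, SAMPLE_TENANT))
```

A non-empty `missing` list means consent was not granted for a permission the feed needs; a non-empty `excess` list means the app registration holds more than the read-only permissions listed above and should be trimmed.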

Set up feeds

There are two different entry points to set up feeds in the Google SecOps platform:

  • SIEM Settings > Feeds > Add New Feed
  • Content Hub > Content Packs > Get Started

Configure a feed in Google SecOps to ingest Azure AD organizational context data

  1. Click the Azure Platform pack.
  2. Locate the Azure AD Organizational Context log type.
  3. Specify values for the following fields:

    • Source Type: Third party API (recommended)
    • OAuth Client ID: Enter the Application (client) ID from the app registration.
    • OAuth Client Secret: Enter the client secret value you copied earlier.
    • Tenant ID: Enter the Directory (tenant) ID from the app registration in UUID format (for example, 0fc279f9-fe30-41be-97d3-abe1d7681418).
    • Retrieve devices: Select whether to retrieve device information within user context. Set to True to include device data.
    • Retrieve groups: Select whether to retrieve group membership information within user context. Set to True to include group data.
    • API Full Path: Microsoft Graph REST API endpoint URL:

       graph.microsoft.com/beta

    • API Authentication Endpoint: Microsoft Active Directory Authentication Endpoint:

       login.microsoftonline.com

    Advanced Options:

    • Asset namespace: The asset namespace.
    • Ingestion labels: The label to be applied to the events from this feed.
  4. Click Create feed.

After creating the feed, context data will be retrieved periodically. It may take up to 24 hours for the initial directory snapshot to appear in Google SecOps.

For more information about configuring multiple feeds for different log types within this product family, see Configure feeds by product.

For more information about Google Security Operations feeds, see Google Security Operations feeds documentation. For information about requirements for each feed type, see Feed configuration by type. If you encounter issues when you create feeds, contact Google Security Operations support.

Regional endpoints

For Microsoft Entra ID deployments in sovereign clouds, use the appropriate regional endpoints:

Cloud Environment        API Full Path                          API Authentication Endpoint
Global                   graph.microsoft.com/beta               login.microsoftonline.com
US Government L4         graph.microsoft.us/beta                login.microsoftonline.us
US Government L5 (DOD)   dod-graph.microsoft.us/beta            login.microsoftonline.us
China (21Vianet)         microsoftgraph.chinacloudapi.cn/beta   login.chinacloudapi.cn
