Connect Your Tenant
Grant IdentityOps read-only access to your Microsoft Entra tenant in under a minute using Microsoft's standard admin consent flow.
Applies to: All plans. Module: Onboarding.
Read-only enforced by Microsoft Graph. No write scopes. No background agents.
Prerequisites
Before connecting, make sure you have the following:
A Microsoft Entra ID tenant (any plan — Free, P1, or P2).
An admin account with consent privileges (Global Administrator or Application Administrator).
Access to a modern browser. No software or agents to install.
Step-by-step process
1. Click "Connect Your Tenant"
From the IdentityOps landing page or Settings, click the connect button. This redirects you to Microsoft's standard admin consent endpoint.
2. Sign in with your Microsoft work account
Use the account that has admin consent privileges in your Entra tenant. This must be a work or school account — personal Microsoft accounts are not supported.
3. Review the permissions prompt
Microsoft displays the exact permissions IdentityOps is requesting. Every permission is read-only. Review the list and confirm you're comfortable before proceeding.
4. Grant admin consent
Click "Accept" on the Microsoft consent screen. This creates a standard Enterprise Application in your Entra tenant, just like any other SaaS integration.
5. Your first scan starts automatically
IdentityOps immediately begins reading your tenant data via Microsoft Graph. Depending on tenant size, results appear within 1–5 minutes.
What happens behind the scenes
When you grant consent, three things happen in sequence:
Enterprise Application created
Microsoft creates a service principal in your tenant representing IdentityOps. You can view and manage it in Entra Admin Center → Enterprise Applications.
Delegated permissions granted
The permissions you approved are recorded as delegated grants on the service principal. IdentityOps runs as the signed-in user, not as a background service.
Tokens encrypted and stored server-side
Access and refresh tokens are encrypted with AES-256-GCM and stored in our database. Tokens never leave the server and are never exposed to your browser.
Security notes
Read-only by design
No passwords are stored. IdentityOps never sees or handles your Microsoft password — authentication is handled entirely by Microsoft's identity platform.
No write permissions. Even if there were a bug in IdentityOps, Microsoft Graph would reject any write operation, because the consented token carries no write scopes and the check is enforced by Microsoft, not by IdentityOps.
Revocable at any time. Go to Entra Admin Center → Enterprise Applications → find IdentityOps → Delete. All API access stops immediately.
Session tokens rotate every 15 minutes. Absolute session lifetime is capped at 24 hours.
Common issues
“I'm not a Global Admin”
You need an account with admin consent privileges. This is typically a Global Administrator or an Application Administrator. Ask your IT admin to perform the consent step, or have them grant your account the Application Administrator role temporarily.
“Consent was blocked by policy”
Your tenant may have a policy that restricts user consent to enterprise applications. An admin needs to either approve the IdentityOps application directly in Entra Admin Center, or adjust the consent policy to allow admin-approved apps.
“I see a permissions error”
Make sure you're signing in with a work or school account, not a personal Microsoft account (e.g., @outlook.com or @hotmail.com). IdentityOps requires an Entra ID tenant — personal accounts don't have one.
“The consent screen shows unexpected permissions”
IdentityOps requests only read-only delegated permissions. If you see write permissions or application-level permissions in the consent prompt, you may be looking at a different app. Verify the app name shows "IdentityOps" on the consent screen.
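To confirm after consent what the "Delegated permissions granted" step above actually recorded, and to catch the "unexpected permissions" case independently of the consent screen, the following PowerShell script audits the IdentityOps service principal from your own tenant. It is an added example, not IdentityOps' own tooling; it assumes the Microsoft Graph PowerShell SDK is installed and that the enterprise application is named "IdentityOps" as shown on the consent screen.

```powershell
# Added example (not IdentityOps code): audit what the consented service principal can do.
# Assumes the Microsoft Graph PowerShell SDK and an account allowed to read app registrations.
Connect-MgGraph -Scopes "Application.Read.All","DelegatedPermissionGrant.Read.All" -NoWelcome

# Assumption: the app's display name is "IdentityOps" (the name on the consent screen).
$sp = @(Get-MgServicePrincipal -Filter "displayName eq 'IdentityOps'")
if ($sp.Count -eq 0) { throw "No enterprise application named IdentityOps; consent may not have completed." }
if ($sp.Count -gt 1)  { throw "Several service principals named IdentityOps; check their AppIds before trusting any." }
$sp = $sp[0]

# Delegated grants are the result of the admin consent step. ConsentType 'AllPrincipals'
# means admin consent for the whole tenant; 'Principal' would be a single-user grant.
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'"
# Anything matching this pattern is not a read-only scope and should not be present.
$writeLike = 'Write|Manage|AccessAsUser|Send|Create|Delete|Update'
$findings = foreach ($g in $grants) {
    $resource = (Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId).DisplayName
    foreach ($s in ($g.Scope -split ' ' | Where-Object { $_ })) {
        [pscustomobject]@{
            Resource    = $resource
            ConsentType = $g.ConsentType
            Scope       = $s
            ReadOnly    = -not ($s -match $writeLike)
        }
    }
}
$findings | Sort-Object ReadOnly, Scope | Format-Table -AutoSize
$bad = @($findings | Where-Object { -not $_.ReadOnly })
if ($bad.Count) { Write-Warning "$($bad.Count) scope(s) are not read-only; review before keeping this app." }

# Application (app-only) permissions would let the app run without a signed-in user.
# The page states IdentityOps has none, so this should be empty.
$appRoles = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id)
if ($appRoles.Count) { Write-Warning "Application permissions assigned: $($appRoles.Count)" }
else { "No application permissions assigned (expected)." }

# Revocation, equivalent to Enterprise Applications -> IdentityOps -> Delete:
# Remove-MgServicePrincipal -ServicePrincipalId $sp.Id
```

The offline_access scope, if listed, is what allows the refresh tokens described in the "Tokens encrypted and stored server-side" step; it grants no additional data access on its own.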