Microsoft Entra ID (formerly Azure AD) Permissions

By Salur Onural

Learn about the Graph API permissions required for the Microsoft Entra ID user directory integration

Note: Microsoft Entra ID is the new name for Azure AD (Azure Active Directory).

Integration Overview

The Microsoft Entra ID Integration in Kandji allows customers to sync all Microsoft Entra ID user and group objects into the user directory within Kandji, so that administrators can assign devices to Microsoft Entra ID users within Kandji. The integration uses delegated permissions through the Microsoft Graph API to synchronize user directory information.

Permissions Overview

The following permissions are automatically requested and required to sync Microsoft Entra ID users and groups into Kandji successfully. A Microsoft Entra ID Administrator needs to have sufficient permissions to delegate the following permissions to Kandji.

Display Text

Read all groups
Allows Kandji to list groups, and to read their properties and all group memberships on behalf of the signed-in user.

Read all users' full profiles
Synchronize all AD Users

Sign in and read user profile
Store integrating AD administrator's information

Maintain access to data you have given it access to
Allows long-term syncing

Allows users to sign in to the app with their work or school accounts and allows the app to see basic user profile information.
Leveraged for legacy OpenID login for Microsoft Entra ID users into Kandji.
(This is now handled by a new independent Microsoft Entra ID application record)
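
A least-privilege check for the consent grant described above, as an added example that is not Kandji's or Microsoft's own code: it compares the delegated scopes recorded for the integration's service principal with the set this page lists and reports anything missing or extra. The scope values are assumptions mapped from the display texts via the Microsoft Graph permissions reference (the page shows display text only), and the grant records and IDs are constructed placeholders shaped like a Graph `oauth2PermissionGrants` response.

```python
import json

# Assumption: scope values matching the display texts listed on this page,
# per the Microsoft Graph permissions reference (not named on the page itself).
REQUIRED = {"Group.Read.All", "User.Read.All", "User.Read", "offline_access"}
# Legacy sign-in scope; the page says a separate application record now handles it.
LEGACY = {"openid"}

# Constructed sample shaped like a GET /oauth2PermissionGrants response.
# All IDs are placeholders; the second grant carries an extra scope on purpose.
SAMPLE = json.loads("""
{"value": [
  {"clientId": "SP-OBJECT-ID-PLACEHOLDER", "consentType": "AllPrincipals",
   "principalId": null, "scope": "User.Read offline_access openid Group.Read.All"},
  {"clientId": "SP-OBJECT-ID-PLACEHOLDER", "consentType": "Principal",
   "principalId": "ADMIN-OBJECT-ID-PLACEHOLDER",
   "scope": " user.read.all  Directory.ReadWrite.All"},
  {"clientId": "OTHER-APP-PLACEHOLDER", "consentType": "AllPrincipals",
   "principalId": null, "scope": "Mail.Read"}
]}
""")

def audit_grants(grants, client_id):
    """Compare delegated scopes granted to one service principal with the expected set."""
    # Scope names are compared case-insensitively and reported in canonical form.
    canonical = {s.lower(): s for s in REQUIRED | LEGACY}
    granted = set()
    for grant in grants:
        if grant.get("clientId") != client_id:
            continue  # grant belongs to a different application
        # A principal can hold several grants (tenant-wide and per-user); merge them.
        for scope in (grant.get("scope") or "").split():
            granted.add(canonical.get(scope.lower(), scope))
    return {
        "missing": sorted(REQUIRED - granted),
        "legacy": sorted(granted & LEGACY),
        "unexpected": sorted(granted - REQUIRED - LEGACY),
    }

if __name__ == "__main__":
    print(audit_grants(SAMPLE["value"], "SP-OBJECT-ID-PLACEHOLDER"))
```

Any entry under `unexpected` is a delegated permission beyond what this page says the integration needs and is worth reviewing in the tenant's consent records.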