
Microsoft Entra ID directory inventory

Microsoft Entra ID supplies user, group, and directory context so Venturi can attribute AI usage to workforce owners and teams.

Release state

This guide documents the read-only azure_ad connector implemented in the platform connector surface.

Required access

Grant a dedicated app registration these Microsoft Graph application scopes:

Scope                Purpose
User.Read.All        Read users, lifecycle status, and profile attributes.
Group.Read.All       Read groups and membership context.
Directory.Read.All   Validate tenant directory access and directory metadata.

Do not grant write or ReadWrite scopes.

Setup

  1. Create a dedicated app registration in the tenant.
  2. Grant the read-only Graph application scopes above and complete admin consent.
  3. Store the tenant id and access-token reference in the tenant secrets flow.
  4. Configure ARGMIN_AZURE_AD_TENANT_ID; set ARGMIN_AZURE_AD_GRAPH_BASE and ARGMIN_AZURE_AD_PAGE_SIZE only when your environment requires overrides.
  5. In Venturi, open Administration -> Connectors -> Microsoft Entra ID and run Test connection.

Verification

  • The connector inventory shows the connector as read-only.
  • User and group counts match the tenant scope you granted.
  • Deactivated users remain available for historical attribution rather than being removed from past records.
  • Coverage & unknowns no longer lists directory inventory as a would-close source for connected teams.

Rotation and offboarding

Rotate the app credential through your normal privileged-access process. If you remove the connector, new workforce joins, moves, and leaves stop updating until the connector is restored.