IEM Entra ID Setup
Getting started

Here are the steps for setting up the IEM integration, both on the Flare side and in Entra ID.

Setup overview

1. Create an Entra ID app registration.
2. Assign permissions.
3. Set up the integration in the Integration Hub and import identities.
4. Configure alerting.
5. If using Mark as Compromised, create a Conditional Access policy within Entra ID.

Create an Entra ID application registration

Within Entra ID, create a new application registration. Include "Flare" in the name so users understand what the application is for. The following configuration should be in place for this app:

- Require the user to be assigned the app for access.
- Create a client secret for the application. Flare will need this secret in a later step.

Assign permissions

The table below lists the application permissions to assign to the app registration. Directory.Read.All is required for the integration; each of the other permissions corresponds to a different remediation capability. Determine which permissions match your organization's remediation needs: add Directory.Read.All, then only what you need. If you are not using a remediation option, you do not have to grant its permission.

Capability                                         Permission
Identity profiles & directory reads                Directory.Read.All
Revoke user sessions (invalidate refresh tokens)   User.RevokeSessions.All
Disable user account                               User.EnableDisableAccount.All
Mark user as compromised                           IdentityRiskyUser.ReadWrite.All

Mark user as compromised requires a Conditional Access policy to fully remediate the user.

Setup integration

In the Integration Hub:

1. Navigate to Integrations from the sidebar.
2. Click Add integration.
3. In the modal, select Microsoft Entra ID as the integration type.
4. Fill in the required fields:
   - Integration name: a descriptive name for the integration (e.g., "Entra ID").
   - Entra ID client ID: enter the Application (client) ID from your Entra ID app registration's Overview page.
   - Entra ID client secret: enter the secret value from the app registration's Certificates & secrets page.
   - Entra ID tenant ID: enter your organization's Directory (tenant) ID from your app registration's Overview page.
5. (Optional) Identity creation: "Automatically create identity identifiers for my synced identities". Toggle on to sync identities.
   - Group object ID (optional): enter a group ID to restrict which identities are created. If left blank, all identities will be created. Identities may take up to 24 hours to appear.
   ⚠️ Identity identifiers are created only up to the limit of your package. If you have reached your identifier limit, Entra ID synchronization continues, but additional identities are not created. Contact your Customer Success Manager for more details.
6. (Optional automation) Configure automated validation & mitigation. Each of the settings below can be restricted to a specific group within Entra ID.
   - Automated validation: automatically validates new credentials found that relate to your authorized identity identifiers.
   - Automated mitigation (disable accounts): automatically tests new credentials; if they are confirmed valid, Flare disables the account.
   - Automated mitigation (mark as compromised): automatically tests new credentials; if they are confirmed valid, Flare marks the account as compromised. Note: Flare recommends creating a Conditional Access policy that triggers when user risk is High in order to remediate these events.
   - Automated mitigation (revoke sessions): automatically tests new credentials; if they are confirmed valid, Flare revokes the sessions of the account.
   With the exception of validation, all of the above can also be enabled or disabled for manual operations.
7. Test the integration before saving: click Test integration to validate the configuration. If the test passes, you will see a confirmation message; a failure displays an error message.
   Common errors we have observed:
   - Invalid parameters:
     - "The Entra ID client ID, Entra ID client secret or Entra ID tenant ID may be incorrect."
     - "The Entra ID secret is not correct or has expired."
   - Missing permissions:
     - "You will need to grant additional permissions to the application you have registered in Entra ID. See table x located at y for the list of permissions required by feature."
     - "The application is missing the required permissions."
   Untested integrations can be saved, but they remain disabled by default.
8. Click Save changes to finalize the configuration.

Setup alerts

To create an alert, follow these steps within the Alerts page: create a new alert with the following settings.

- Identifier scope: Corporate identities
- Severity filters: Critical

This will fire an alert any time a credential has been found and confirmed valid.

Conditional Access policy setup (for Mark as Compromised)

If the remediation option is Mark as Compromised, a Conditional Access policy is required to action the signal Flare sends. (If you are not using Mark as Compromised, skip this section.) This requires Microsoft P1 or Business Premium licenses.

Flare recommended implementation:

- Users: All users (this can be fine-grained to lower the scope)
- Target resources: All resources
- Conditions: User risk is High
- Grant access: Require authentication strength (we recommend passwordless MFA if possible) and Require password change
- Session: Sign-in frequency set to Every time

Alternatively, use Identity Protection or Logic Apps for more fine-grained remediation options.

Troubleshooting

- Confirm the correct permissions are applied to the app registration.
- Confirm the secret value is being entered and not the secret ID.
- Confirm the integration has been tested within Flare.
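The following is an added example, not Flare's or Microsoft's code. It encodes the capability-to-permission table from the "Assign permissions" section and checks a list of granted Graph application permissions against the remediation options actually enabled, reporting both the gaps that produce the "missing permissions" test error and any excess grants that violate least privilege. The capability keys and the granted list are constructed for illustration.

```python
# Added example (not Flare's or Microsoft's code): least-privilege check for the
# Entra ID app registration used by the Flare IEM integration, built from the
# capability-to-permission table in this guide. The capability keys below are
# assumed names chosen for this example; the permission values are Microsoft
# Graph application permissions as listed in the guide.

CAPABILITY_PERMISSIONS = {
    "identity_profiles_directory_reads": "Directory.Read.All",
    "revoke_user_sessions": "User.RevokeSessions.All",
    "disable_user_account": "User.EnableDisableAccount.All",
    "mark_user_as_compromised": "IdentityRiskyUser.ReadWrite.All",
}
# Directory.Read.All is required regardless of which remediations are enabled.
ALWAYS_REQUIRED = {"identity_profiles_directory_reads"}


def required_permissions(enabled_remediations):
    """Minimal permission set for the remediation options that are enabled."""
    caps = ALWAYS_REQUIRED | set(enabled_remediations)
    unknown = caps - CAPABILITY_PERMISSIONS.keys()
    if unknown:
        raise ValueError(f"unknown capability: {sorted(unknown)}")
    return {CAPABILITY_PERMISSIONS[c] for c in caps}


def audit_app_permissions(granted, enabled_remediations):
    """Compare granted permissions with what the enabled options need.

    missing: grants that are absent, so "Test integration" will report
             missing permissions
    excess:  grants that no enabled option needs (least-privilege finding)
    notes:   follow-up reminders from the guide
    """
    required = required_permissions(enabled_remediations)
    granted = set(granted)
    notes = []
    if "mark_user_as_compromised" in enabled_remediations:
        notes.append("Mark as Compromised needs a Conditional Access policy "
                     "acting on User risk = High")
    return {"missing": sorted(required - granted),
            "excess": sorted(granted - required),
            "notes": notes}


if __name__ == "__main__":
    # Constructed sample: every permission from the table was granted, but only
    # session revocation is enabled in the integration.
    sample_granted = ["Directory.Read.All", "User.RevokeSessions.All",
                      "User.EnableDisableAccount.All",
                      "IdentityRiskyUser.ReadWrite.All"]
    print(audit_app_permissions(sample_granted, ["revoke_user_sessions"]))
```

In practice the granted list comes from the app registration's API permissions page or a Graph export of its app role assignments; the excess entries are the ones to remove, and the missing entries are what the integration test will complain about.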