About the Entra ID Marketplace App
The Entra ID Marketplace App synchronizes user data from Entra ID to Beekeeper, mapping attributes to Beekeeper profile fields. Note that group membership information from Entra ID cannot be synced. While Microsoft's cloud platform, Azure, remains unchanged, the identity and access management service previously known as Azure Active Directory is now called Microsoft Entra ID. You can coordinate with your Customer Success Manager to set up filters and define the sync frequency to meet your needs. This guide will walk you through configuring the app for the first time and renewing credentials if they expire.
How to Set Up the Entra ID Marketplace App
Requirements
- Beekeeper Global Admin rights
- Entra ID Admin rights
1. Install the Entra ID Marketplace App in Beekeeper
- In Beekeeper, go to Extensions > Marketplace.
- Search for Entra ID.
- Click Connect (or Request on the detail page) to request the app.
- Coordinate with your Customer Success Manager to configure:
  - Profile Fields: Define which Entra ID attributes should sync to Beekeeper (e.g., first name, last name). A mapping table might be needed.
  - Sync Scope: Define filters, such as syncing only users with specific profile field values.
  - Sync Frequency: Define the frequency of delta sync (updates only) and full sync to determine how often data is synchronized.
2. Configure an App in the Microsoft Portal
Step 1: Create a new Application
1. Log in to the Azure Portal and click on View in the Manage Microsoft Entra ID section.
2. Navigate to App Registrations and click on + New registration.
3. Fill in the app details:
   - Name, e.g. “Beekeeper User Sync” app.
   - Supported account types: Leave as Accounts in this organizational directory only (Default Directory only - Single tenant).
   - Redirect URI: Add any URL (e.g., your company homepage). NOTE: Even though it is labelled as optional, this is required for later steps.
   - Click on Register to add the new app.
4. After registration, note the Application (client) ID and Directory (tenant) ID from the app’s Overview page. You will need to share these later on.
Step 2: Configure API Permissions
- Go to the API Permissions page and delete the delegated User.Read permission by selecting it and clicking Remove permission. You may have to confirm this action.
- Add a new permission by clicking on + Add a permission.
- Select Microsoft Graph, which should be the first tile under Commonly used Microsoft APIs.
- Select the Application permissions configuration.
- Add User.Read.All and Directory.Read.All and then click on Add permissions.
- Click Grant admin consent for [Your Tenant] to approve these permissions.
- Once access has been granted, the status of the added permissions should turn green.
Step 3: Add Beekeeper Configuration to the App Manifest
1. Go to the Manifest page.
2. In the Microsoft Graph App Manifest (New) section, scroll down until you find “oauth2PermissionScopes” in the “api” object. It is currently set to an empty array ([]).
3. Replace the oauth2PermissionScopes value with the following:

    "oauth2PermissionScopes": [
        {
            "adminConsentDescription": "Allow the Beekeeper user sync application to access all user directory information.",
            "adminConsentDisplayName": "Beekeeper User Sync (Admin)",
            "id": "974c519c-e5c1-424b-ac8d-4bb632f455ec",
            "isEnabled": true,
            "type": "User",
            "userConsentDescription": "Allow the Beekeeper user sync application to access your information.",
            "userConsentDisplayName": "Beekeeper User Sync (You)",
            "value": "access_as_user"
        }
    ]

4. Save the changes.
Step 4: Generate a Client Secret
1. Navigate to the Certificates & Secrets page.
2. Click on + New client secret.
3. Fill in the details:
   - Description, e.g. “Beekeeper Secret”
   - Expires: select the preferred expiry duration (e.g., 24 months).
   Click on Add to create the secret.
4. IMPORTANT: Copy and save the secret value as this is the only time you have access to it. This secret is crucial for the integration between Entra ID and Beekeeper.
5. We recommend setting a calendar reminder ahead of your secret’s expiration date to ensure it is renewed on time. Once renewed, please share the updated secret with us promptly. If the secret expires, the user sync will stop functioning, and users in Beekeeper will no longer be updated.
Step 5: Consent For Access
a. Navigate to the following URL, replacing <YOUR_AD_DOMAIN> with your Directory (tenant) ID and <APPLICATION_ID> with your Application (client) ID from the Overview page.
   https://login.microsoftonline.com/<YOUR_AD_DOMAIN>/adminconsent?client_id=<APPLICATION_ID>
b. Follow the authorization steps to fully grant permissions.
NOTE: A successful approval should leave you at the Redirect URI that you entered when you created the app.
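The following Python sketch is an added example, not part of the original guide or of Beekeeper's tooling: it builds the Step 5 consent URL from validated inputs and classifies the URL the browser lands on afterwards. The function names, the sample IDs and the reliance on the `admin_consent`, `tenant` and `error` query parameters that Microsoft's admin consent endpoint appends to the redirect are assumptions of this example.

```python
import re
from urllib.parse import urlencode, urlsplit, parse_qs

GUID = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")
DOMAIN = re.compile(r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}"
                    r"[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$")


def admin_consent_url(tenant, client_id):
    """Build the Step 5 URL; tenant is the Directory (tenant) ID or AD domain."""
    if not (GUID.match(tenant) or DOMAIN.match(tenant)):
        raise ValueError("tenant must be a GUID or a domain name")
    if not GUID.match(client_id):
        raise ValueError("client_id must be the Application (client) ID")
    return ("https://login.microsoftonline.com/" + tenant
            + "/adminconsent?" + urlencode({"client_id": client_id}))


def _origin_and_path(url):
    parts = urlsplit(url)
    return parts.scheme, parts.netloc.lower(), parts.path.rstrip("/")


def consent_result(landing_url, redirect_uri, tenant_id):
    """Classify the URL the browser ends on after the consent flow."""
    if _origin_and_path(landing_url) != _origin_and_path(redirect_uri):
        return "not-at-redirect-uri"   # flow did not complete
    query = parse_qs(urlsplit(landing_url).query)
    if "error" in query:
        return "denied: " + query["error"][0]
    consent = query.get("admin_consent", [""])[0].lower()
    tenant = query.get("tenant", [""])[0].lower()
    if consent == "true" and tenant == tenant_id.lower():
        return "granted"
    return "unconfirmed"               # at the Redirect URI, but no proof of consent


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    tenant_id = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
    app_id = "11111111-2222-3333-4444-555555555555"
    print(admin_consent_url(tenant_id, app_id))
    landed = "https://www.example.com/?admin_consent=True&tenant=" + tenant_id
    print(consent_result(landed, "https://www.example.com", tenant_id))
```

A result of "unconfirmed" or "denied" means the grant should be rechecked on the API Permissions page before credentials are shared.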
Step 6: Share Credentials with Beekeeper
IMPORTANT: Do NOT share this information via email.
Request a secure Box link from your Customer Success Manager to share the following credentials:
- Application (client) ID
- Directory (tenant) ID
- Client Secret Value
- Client Secret expiration date
- AD Domain
For any questions, comments, or concerns please reach out to Support. Once these steps are completed, Beekeeper will verify user access via the Entra ID Marketplace app and finalize the user sync configuration in Beekeeper. This will take several weeks to complete. We kindly ask for your patience as we complete this process.
Renew Client Secret
If your client secret expires, follow these steps to generate a new one:
Step 1: Create new Secret
1. Log in to Azure Portal and find the app created for Beekeeper (e.g. Beekeeper User Sync).
2. Go to Certificates & secrets and click on + New client secret.
3. Fill in the details:
   - Description, e.g. “Beekeeper Secret”
   - Expires: select the preferred expiry duration (e.g. 24 months).
   Click on Add to create the secret.
4. IMPORTANT: Copy and save the secret value as this is the only time you have access to it. This secret is crucial for the integration between Entra ID and Beekeeper.
5. We recommend setting a calendar reminder ahead of your secret’s expiration date to ensure it is renewed on time. Once renewed, please share the updated secret with us promptly.
Step 2: Delete old Secret
- On the secret overview page, select the delete symbol for the expired secret, and delete it. You might have to confirm your choice.
- If prompted, agree to set the new secret as the valid secret.
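As a complement to the calendar reminder recommended in Step 4 of the setup and in Step 1 of this renewal procedure, the following Python sketch is an added example, not part of the original guide: it reads the `passwordCredentials` list of an application object in the shape Microsoft Graph returns and flags secrets that have expired or are close to expiring. The sample data, the key IDs, the 60-day warning window and the function names are assumptions of this example.

```python
from datetime import datetime, timezone

# Constructed sample in the shape Microsoft Graph returns for an application
# object (GET /applications/{id}); names, key IDs and dates are made up.
SAMPLE_APP = {
    "displayName": "Beekeeper User Sync",
    "passwordCredentials": [
        {"displayName": "Beekeeper Secret (old)", "keyId": "old-key",
         "endDateTime": "2025-01-15T00:00:00Z"},
        {"displayName": "Beekeeper Secret", "keyId": "new-key",
         "endDateTime": "2027-01-10T09:30:00.1234567Z"},
    ],
}


def parse_graph_time(value):
    """Parse a UTC Graph timestamp, dropping fractional seconds (up to 7 digits)."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def secret_status(app, now, warn_days=60):
    """Return (keyId, state, days_left) per client secret, soonest expiry first."""
    report = []
    for cred in app.get("passwordCredentials", []):
        end = parse_graph_time(cred["endDateTime"])
        days_left = (end - now).days
        if end <= now:
            state = "expired"   # remove it, as in "Delete old Secret"
        elif days_left <= warn_days:
            state = "renew"     # create and share a new secret now
        else:
            state = "ok"
        report.append((cred["keyId"], state, days_left))
    return sorted(report, key=lambda row: row[2])


def sync_at_risk(app, now, warn_days=60):
    """True when no secret stays valid beyond the warning window."""
    return all(state != "ok" for _, state, _ in secret_status(app, now, warn_days))


if __name__ == "__main__":
    today = datetime.now(timezone.utc)
    for key_id, state, days in secret_status(SAMPLE_APP, today):
        print(f"{key_id}: {state} ({days} days)")
    print("sync at risk:", sync_at_risk(SAMPLE_APP, today))
```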
Step 3: Share Credentials with Beekeeper
IMPORTANT: Do NOT share this information via email.
Request a secure Box link from your Customer Success Manager to share the following credentials:
- New Client Secret Value
- New Client Secret expiration date
- Application (client) ID
- Directory (tenant) ID
- AD Domain