Microsoft Entra Directory

The Microsoft Entra directory integration syncs your Entra user directory with Incode, enabling employee lookups and claims matching during identity verification sessions. This integration is a prerequisite for Entra-connected use cases that require verifying a user against their directory record, including Self-Serve Portal password and MFA resets, Helpdesk verifications, and claims matching in Entra IAM flows.

This is a directory-only integration. It does not trigger verification sessions. For authentication-layer integrations with Microsoft Entra, see Microsoft Entra External Authentication Method (EAM).

📘 Note

If your Microsoft Entra environment uses federated access through Okta as the identity provider, follow the Okta Directory guide instead.


Prerequisites

  • Access to the Integrations page in Dashboard. Contact your Incode representative if you do not see the Integrations page.
  • A Microsoft Entra account with the following roles:
    • User Administrator, Groups Administrator, Application Administrator, and App Developer — for App Registration, group, and user setup
    • Global Administrator — to grant the required app permissions

What gets synced

Incode reads user profile data from Microsoft Entra to perform claims matching. Depending on your claims matching policy, some of the following fields may be required for verification to succeed. Ensure these attributes are populated for all users in the groups you intend to sync:

Attribute                                           Used for
--------------------------------------------------  -------------------------------------------
First name (given name)                             Name claim matching
Last name (surname)                                 Name claim matching
User principal name (UPN)                           Primary user lookup (loginHint)
Email                                               Notification delivery, email claim matching
Mobile phone                                        Phone claim matching
Date of birth                                       DOB claim matching
Street address, city, state, postal code, country   Address claim matching

📘 Note

Missing attributes will cause claims matching failures for affected users. Ensure the relevant fields are populated in Entra before triggering a directory sync.
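As an added pre-sync check (example code, not part of Incode's documentation or product), the following Python audits a list of group members for the attributes in the table above and reports which users would fail claims matching under a given policy. The Microsoft Graph property names it maps each claim to are an assumption labelled in the code, and the member records are constructed sample data.

```python
"""Pre-sync audit: flag group members whose Entra attributes are empty.

Added example, not Incode's or Microsoft's code. REQUIRED_BY_CLAIM is an
assumed mapping from the claims in the table above to Microsoft Graph user
property names; date of birth is omitted because the page does not name
the Entra attribute that carries it. SAMPLE_MEMBERS is constructed data
shaped like a GET /groups/{id}/members?$select=... response.
"""

REQUIRED_BY_CLAIM = {  # claim -> Graph properties it needs (assumed mapping)
    "name": ("givenName", "surname"),
    "login": ("userPrincipalName",),
    "email": ("mail",),
    "phone": ("mobilePhone",),
    "address": ("streetAddress", "city", "state", "postalCode", "country"),
}

SAMPLE_MEMBERS = [  # constructed sample accounts, not real users
    {"userPrincipalName": "ana@contoso.example", "givenName": "Ana",
     "surname": "Ruiz", "mail": "ana@contoso.example", "mobilePhone": "+1 555 0100",
     "streetAddress": "1 Main St", "city": "Austin", "state": "TX",
     "postalCode": "73301", "country": "US"},
    {"userPrincipalName": "ben@contoso.example", "givenName": "Ben",
     "surname": "", "mail": None, "mobilePhone": "+1 555 0101"},
    {"userPrincipalName": "cy@contoso.example", "givenName": "Cy",
     "surname": "Lee", "mail": "cy@contoso.example", "mobilePhone": None,
     "streetAddress": "2 Elm St", "city": "Austin", "state": "TX",
     "postalCode": "", "country": "US"},
]

def missing_attributes(user, claims):
    """Return the Graph properties this user lacks for the given claims."""
    missing = []
    for claim in claims:
        for prop in REQUIRED_BY_CLAIM[claim]:
            value = user.get(prop)
            if value is None or not str(value).strip():  # null or blank string
                missing.append(prop)
    return missing

def audit_group(members, claims):
    """Map UPN -> missing properties for every member that would fail matching."""
    report = {}
    for user in members:
        gaps = missing_attributes(user, claims)
        if gaps:
            report[user.get("userPrincipalName", "<no UPN>")] = gaps
    return report
```

Run `audit_group(SAMPLE_MEMBERS, ["name", "email", "phone"])` to see which sample members need their profiles completed before the sync.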


Setup guide

Step 1: Configure the Entra directory integration in Incode

  1. Log in to Dashboard.
  2. In the left navigation, click Integrations.
  3. Click New integration.
  4. From the Directory tab, select Microsoft Entra Directory, then click Continue.
  5. Enter a Directory name.
  6. Enter the User Group ID (Object ID) of the Entra group containing the employees you want to sync. To find this, go to your Microsoft Entra portal → Groups → All groups, and copy the Object ID for the relevant group.
  7. Select the permission level for the integration:
    • Read-only — allows directory sync only
    • Read and write — allows directory sync and Self-Serve password and MFA resets
  8. Click Save.

Step 2: Grant directory permissions in Microsoft Entra

After saving, you will be redirected to the Microsoft Entra admin consent page to approve the required permissions. A Global Administrator must complete this step.

📘 Note

If permissions are rejected, or the approving user does not have sufficient privileges, the integration will remain in an incomplete state and the setup process must be restarted.

Step 3: Trigger a directory sync

Once permissions are granted, trigger an initial sync to import your users into Incode:

  1. In the left navigation, click Integrations.
  2. From the Directory tab, locate the integration you just created.
  3. On the integration card, click Sync directory.

Depending on the size of your directory, the initial sync may take several minutes.


View synced users

Click Directory information in the left navigation to view all synced users and their enrollment status. Users shown as not enrolled have been synced from Entra but have not yet completed an Incode verification session. To initiate verification for these users, trigger a session through your configured IAM or Helpdesk integration.