Microsoft Entra Directory
The Microsoft Entra directory integration syncs your Entra user directory
with Incode, enabling employee lookups and claims matching during identity
verification sessions. This integration is a prerequisite for
Entra-connected use cases that require verifying a user against their
directory record, including Self-Serve Portal password and MFA resets,
Helpdesk verifications, and claims matching in Entra IAM flows.
This is a directory-only integration. It does not trigger verification
sessions. For authentication-layer integrations with Microsoft Entra, see
Microsoft Entra External Authentication Method (EAM).
Note: If your Microsoft Entra environment uses federated access through Okta
as the identity provider, follow the Okta Directory guide instead.
Prerequisites
- Access to the Integrations page in Dashboard. Contact your Incode
representative if you do not see the Integrations page.
- A Microsoft Entra account with the following roles:
- User Administrator, Groups Administrator, Application Administrator,
and App Developer — for App Registration, group, and user setup
- Global Administrator — to grant the required app permissions
What gets synced
Incode reads user profile data from Microsoft Entra to perform claims
matching. Depending on your claims matching policy, some of the following
fields may be required for verification to succeed. Ensure these attributes
are populated for all users in the groups you intend to sync:
| Attribute | Used for |
|---|---|
| First name (given name) | Name claim matching |
| Last name (surname) | Name claim matching |
| User principal name (UPN) | Primary user lookup (loginHint) |
| Email | Notification delivery, email claim matching |
| Mobile phone | Phone claim matching |
| Date of birth | DOB claim matching |
| Street address, city, state, postal code, country | Address claim matching |
Note: Missing attributes will cause claims matching failures for affected
users. Ensure the relevant fields are populated in Entra before triggering a
directory sync.
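The following audit script is an added example and is not code from the Incode documentation or the Incode product. It assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in account can read groups and users, and a hypothetical sync group named 'Incode-Sync' (substitute your own). The Entra attribute Incode maps to date of birth is not stated on this page, so checking the Graph `birthday` property is an assumption. The script prints the group's Object ID, which you will need when configuring the integration, and lists every user member missing any of the attributes in the table above, so you can fix them before triggering a sync.

```powershell
# Added example (not Incode's or Microsoft's code). Audits the members of the
# Entra group you plan to sync and reports users missing the attributes
# Incode reads for claims matching.
# Assumptions: Microsoft.Graph PowerShell SDK; group display name 'Incode-Sync'
# (hypothetical); the Graph 'birthday' property as the date-of-birth source
# (not stated on the page).

Connect-MgGraph -Scopes 'Group.Read.All', 'User.Read.All' -NoWelcome

$groupName = 'Incode-Sync'   # hypothetical group name, replace with yours
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (@($group).Count -ne 1) {
    throw "Expected exactly one group named '$groupName', found $(@($group).Count)"
}
# This is the value the integration asks for as "User Group ID (Object ID)"
Write-Host "Group Object ID for the Incode integration: $($group.Id)"

# Graph property name -> label used in the attribute table on this page
$required = [ordered]@{
    givenName         = 'First name'
    surname           = 'Last name'
    userPrincipalName = 'User principal name (UPN)'
    mail              = 'Email'
    mobilePhone       = 'Mobile phone'
    birthday          = 'Date of birth'   # assumption, see header comment
    streetAddress     = 'Street address'
    city              = 'City'
    state             = 'State'
    postalCode        = 'Postal code'
    country           = 'Country'
}

# Get-MgGroupMember returns generic directory objects; keep only users so
# nested groups, devices and service principals are not misreported.
$members = Get-MgGroupMember -GroupId $group.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }

$report = foreach ($m in $members) {
    # Request only the properties we need; Graph omits most of them by default
    $u = Get-MgUser -UserId $m.Id -Property ([string[]]$required.Keys)
    $missing = foreach ($prop in $required.Keys) {
        # Property access is case-insensitive, so 'givenName' reads GivenName.
        # Null or whitespace-only values count as missing.
        $value = $u.$prop
        if ([string]::IsNullOrWhiteSpace("$value")) { $required[$prop] }
    }
    [pscustomobject]@{
        UPN     = $u.UserPrincipalName
        Missing = ($missing -join ', ')
    }
}

$incomplete = @($report | Where-Object { $_.Missing })
$incomplete | Format-Table -AutoSize
Write-Host ("{0} of {1} users have at least one missing attribute" -f `
    $incomplete.Count, @($report).Count)
```

Run it with an account that has read access to the group and its members; the script never writes to the directory. Which rows actually matter depends on your claims matching policy, so treat the list as the set of users to review rather than a hard failure, and rerun it after correcting the attributes and before clicking Sync directory.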
Set up guide
Step 1: Configure the Entra directory integration in Incode
- Log in to Dashboard.
- In the left navigation, click Integrations.
- Click New integration.
- From the Directory tab, select Microsoft Entra Directory, then
click Continue.
- Enter a Directory name.
- Enter the User Group ID (Object ID) of the Entra group containing
the employees you want to sync. To find this, go to your Microsoft Entra
portal → Groups → All groups, and copy the Object ID for the
relevant group.
- Select the permission level for the integration:
- Read-only — allows directory sync only
- Read and write — allows directory sync and Self-Serve password and
MFA resets
- Click Save.
Choose Read-only unless you are deploying the Self-Serve reset use cases.
The read-and-write grant lets the integration reset users' passwords and MFA
methods, so grant it only where those flows are actually in use.
Step 2: Grant directory permissions in Microsoft Entra
After saving, you will be redirected to the Microsoft Entra admin consent
page to approve the required permissions. A Global Administrator must
complete this step.
Note: If permissions are rejected, or the approving user does not have
sufficient privileges, the integration will remain in an incomplete state
and the setup process must be restarted.
Step 3: Trigger a directory sync
Once permissions are granted, trigger an initial sync to import your users
into Incode:
- In the left navigation, click Integrations.
- From the Directory tab, locate the integration you just created.
- On the integration card, click Sync directory.
Depending on the size of your directory, the initial sync may take several
minutes.
View synced users
Click Directory information in the left navigation to view all synced
users and their enrollment status. Users shown as not enrolled have been
synced from Entra but have not yet completed an Incode verification session.
To initiate verification for these users, trigger a session through your
configured IAM or Helpdesk integration.
Updated 20 days ago
