Aiyoda

Entra ID App Registration for Microsoft Graph

Step-by-step guide to creating an Entra ID App Registration for Aiyoda's Microsoft 365 Graph discovery capabilities.

v3.5 · Updated 2026
ℹ️ What is this for? To discover Microsoft 365 data in Aiyoda, you need to register an application in Microsoft Entra ID (formerly Azure Active Directory) and grant it Microsoft Graph API permissions. This gives Aiyoda read-only access to your M365 tenant data without using a user account or password.
5 steps to complete · ~10 minutes to complete · Read-only permissions required
Prerequisites
✅ What You Need Before Starting
Step-by-Step App Registration
Step 1: Navigate to App Registrations

Open the Azure Portal and go to Microsoft Entra ID.

  a. Sign in to portal.azure.com with your admin account.
  b. In the search bar at the top, type "Microsoft Entra ID" and select it.
  c. In the left sidebar, click "App registrations" under the Manage section.
  d. Click the "+ New registration" button at the top of the page.

Step 2: Register the Application

Fill in the app details and create the registration.

  a. Name: Enter a meaningful name, e.g. "Aiyoda-Discovery".
  b. Supported account types: Select "Accounts in this organizational directory only (Single tenant)".
  c. Redirect URI: Leave this blank; Aiyoda uses the client credentials flow, so no user redirect is needed.
  d. Click the "Register" button to create the app.

💡 After registering, you will land on the app's Overview page. Copy and save the Application (client) ID and Directory (tenant) ID; you'll need both for the Aiyoda configuration.
Step 3: Create a Client Secret

Generate credentials for Aiyoda to authenticate with.

  a. In the left sidebar, click "Certificates & secrets" under Manage.
  b. Click "+ New client secret".
  c. Description: Enter "Aiyoda Secret" (or similar).
  d. Expires: Select an appropriate expiry period; 12 months is recommended.
  e. Click "Add". Immediately copy the Secret Value shown, as it will be hidden after you leave this page.

⚠️ Important: Copy the secret Value immediately. Once you navigate away from this page, the full value is hidden and you will need to create a new secret.
Step 4: Assign Graph API Permissions

Grant Aiyoda the read-only permissions it needs.

  a. Click "API permissions" in the left sidebar.
  b. Click "+ Add a permission" → Select "Microsoft Graph" → Select "Application permissions".
  c. Search for and add each of the required permissions listed in the table below.
  d. Click "Add permissions" to save, then click "Grant admin consent for [your tenant]" and confirm.

Permission                              | Type        | Purpose
----------------------------------------+-------------+------------------------------------------------------
User.Read.All                           | Application | Read all users in your M365 tenant
Device.Read.All                         | Application | Read all devices in your M365 tenant
Directory.Read.All                      | Application | Read directory data (users, groups, devices)
Organization.Read.All                   | Application | Read organization/tenant information
DeviceManagementApps.Read.All           | Application | Read Microsoft Intune apps
DeviceManagementManagedDevices.Read.All | Application | Read Intune managed device inventory
AuditLog.Read.All                       | Application | Read audit log data for licence compliance
Subscription.Read.All                   | Delegated   | Read licence assignments for users
IdentityRiskyUser.Read.All              | Application | Read all identity risky user information
Policy.Read.ConditionalAccess           | Application | Read your organization's conditional access policies
Policy.Read.All                         | Application | Read your organization's policies
Reports.Read.All                        | Application | Read all usage reports
SecurityEvents.Read.All                 | Application | Read your organization's security events
Sites.Read.All                          | Application | Read items in all site collections
UserAuthenticationMethod.Read.All       | Application | Read all users' authentication methods
ReportSettings.Read.All                 | Application | Read all admin report settings

⚠️ Admin consent required: Application permissions require a Global Administrator to click "Grant admin consent". Without this step, the app will receive authentication errors.
Step 5: Configure Aiyoda with Your App Details

Enter the details into the Aiyoda console.

In the Aiyoda console, navigate to the Microsoft 365 Scan configuration and enter the following values collected from the previous steps:

  Tenant ID     : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx   // From App Overview → Directory (tenant) ID
  Client ID     : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx   // From App Overview → Application (client) ID
  Client Secret : your-secret-value-here                 // From Certificates & secrets → Value

  a. Open the Aiyoda Console and navigate to Scan Settings → Microsoft 365.
  b. Paste your Tenant ID, Client ID, and Client Secret into the respective fields.
  c. Click "Test Connection" to verify that Aiyoda can authenticate successfully.
  d. Once the connection test passes, you can run a Microsoft 365 Discovery.

✅ Success indicator: After a successful connection test, you are ready to scan your M365 environment.
Security Best Practices
Keeping Your App Secure
  • Rotate secrets regularly — Set calendar reminders before expiry (12 months recommended)
  • Limit permissions — Only grant the permissions listed above, nothing more
  • Store secrets securely — Never store the client secret in plain text or source control
  • Monitor sign-ins — Review the app's sign-in logs in Entra ID periodically
  • Dedicated app — Use a dedicated registration for Aiyoda only
Troubleshooting Common Issues
  • 401 Unauthorized — Check that admin consent was granted for all permissions
  • 403 Forbidden — A required permission may be missing from the list
  • Secret expired — Create a new client secret and update Aiyoda config
  • Invalid tenant — Verify the Tenant ID matches your M365 directory
  • Consent not granted — Global Admin must approve permissions in Entra ID
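As an added example that is not Aiyoda's own code or console behaviour, the following Python script reproduces what the "Test Connection" check in Step 5 does and helps pin down the 401, 403 and consent items in the troubleshooting list above. It obtains an app-only token with the OAuth 2.0 client credentials grant (the flow named in Step 2), compares the token's "roles" claim against the Step 4 permission list to spot missing admin consent, and makes one read-only Graph call. The environment variable names, the choice of the /v1.0/organization endpoint and the offline sample-token builder are assumptions of this example; it uses only the Python standard library.

```python
"""Added example, not Aiyoda's code. Checks an Entra ID app registration for
app-only Microsoft Graph access: get a token with the client credentials
grant, diff the token's "roles" claim (consented application permissions)
against the guide's list, then make one read-only Graph call. Standard
library only; IDs and the secret come from environment variables (assumed
names) so the secret never sits in source control."""
import base64
import json
import os
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_BASE = "https://graph.microsoft.com"

# Application permissions from the Step 4 table. Subscription.Read.All is listed
# there as Delegated, so it never appears in an app-only token's "roles" claim
# and is left out of this check on purpose.
REQUIRED_APP_ROLES = [
    "User.Read.All", "Device.Read.All", "Directory.Read.All",
    "Organization.Read.All", "DeviceManagementApps.Read.All",
    "DeviceManagementManagedDevices.Read.All", "AuditLog.Read.All",
    "IdentityRiskyUser.Read.All", "Policy.Read.ConditionalAccess",
    "Policy.Read.All", "Reports.Read.All", "SecurityEvents.Read.All",
    "Sites.Read.All", "UserAuthenticationMethod.Read.All",
    "ReportSettings.Read.All",
]


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form body) for the OAuth 2.0 client credentials grant."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_BASE + "/.default",  # all consented Graph app roles
    })
    return TOKEN_URL.format(tenant=tenant_id), body


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims):
    """Unsigned, JWT-shaped string from constructed claims, for offline tests
    of the claim checks only. Real tokens are signed by Entra ID."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return header + "." + _b64url(json.dumps(claims).encode()) + "."


def decode_jwt_payload(token):
    """Decode a JWT's payload segment without verifying the signature.
    We only read our own token's claims; verifying is Graph's job."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_roles(claims, required=REQUIRED_APP_ROLES):
    """Required application permissions absent from the token's "roles".
    No "roles" claim at all means admin consent was never granted, the usual
    cause of the 401/403 responses in the troubleshooting list."""
    granted = set(claims.get("roles", []))
    return sorted(set(required) - granted)


def acquire_token(tenant_id, client_id, client_secret):
    """POST the client credentials grant and return the access token."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def graph_get(token, path="/v1.0/organization"):
    """One read-only Graph call; /organization needs Organization.Read.All."""
    req = urllib.request.Request(GRAPH_BASE + path)
    req.add_header("Authorization", "Bearer " + token)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def main():
    # Environment variable names are assumed; the guide does not prescribe any.
    tenant = os.environ["AIYODA_TENANT_ID"]
    client_id = os.environ["AIYODA_CLIENT_ID"]
    secret = os.environ["AIYODA_CLIENT_SECRET"]
    try:
        token = acquire_token(tenant, client_id, secret)
    except urllib.error.HTTPError as err:
        # Failure here points at a wrong tenant/client ID or an expired secret.
        print("Token request failed:", err.code, err.read().decode()[:200])
        return
    gaps = missing_roles(decode_jwt_payload(token))
    if gaps:
        print("Admin consent missing for:", ", ".join(gaps))
    org = graph_get(token)
    print("Connected to tenant:", org["value"][0]["displayName"])


if __name__ == "__main__":
    main()
```

Run it with the three environment variables exported. A token that is issued but whose "roles" claim lacks entries from the table means the permission was added in the portal but admin consent was not granted (or was granted before the permission was added), which is exactly the state that produces 401/403 responses from Graph even though the secret and IDs are correct.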