Connecting Entra ID
Connecting your Entra ID tenant unlocks the full Microsoft Cloud tool set in InfraScout. Once connected, Claude can query your users, groups, roles, Azure subscriptions, Conditional Access policies, Defender alerts, Microsoft 365 services, and more — without requiring an agent on any of those systems.
What You Need
You need a Microsoft Entra ID (Azure AD) tenant and the ability to register an app in that tenant. The Application Administrator role (or higher) in Entra ID is sufficient to create the registration and grant admin consent for the permissions listed below.
Register an App in Entra ID
InfraScout connects to Microsoft Graph using an app registration with application permissions. Create the registration once and then provide the credentials to InfraScout.
- Sign in to the Azure portal and navigate to Entra ID → App registrations → New registration.
- Give the app a descriptive name (for example, "InfraScout"). Leave the redirect URI blank and click Register.
- Note the Application (client) ID and the Directory (tenant) ID — you will need both when adding the connection in InfraScout.
- Go to Certificates & secrets → New client secret. Choose an expiry period and copy the secret value immediately — it is only shown once.
Required API Permissions
Add the following Microsoft Graph application permissions (not delegated) to your app registration, then grant admin consent for all of them.
| Permission | What it enables |
|---|---|
| User.Read.All | Read all user profiles |
| Group.Read.All | Read all groups and membership |
| GroupMember.Read.All | Read group membership |
| Directory.Read.All | Read directory objects (roles, admin units, service principals) |
| RoleManagement.Read.All | Read role assignments and PIM schedules |
| Policy.Read.All | Read Conditional Access policies |
| AuditLog.Read.All | Read sign-in and audit logs |
| IdentityRiskyUser.Read.All | Read risky user detections |
| SecurityEvents.Read.All | Read Defender alerts and security events |
| DeviceManagementManagedDevices.Read.All | Read Intune managed devices |
| Application.Read.All | Read app registrations and service principals |
WARNING
Grant admin consent after adding all permissions. Without admin consent the connection will fail when InfraScout first attempts to read directory data.
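As an added example (not InfraScout's own code), the following Python script checks a freshly registered app before you add the connection: it requests an app-only Graph token with the client-credentials flow and compares the token's `roles` claim with the permissions table above, so a missing admin consent shows up as a list of absent permissions rather than as a failed first sync. The tenant ID, client ID and secret are read from the environment variables TENANT_ID, CLIENT_ID and CLIENT_SECRET (assumed names); make_sample_token builds constructed, unsigned tokens so the check can be exercised offline.

```python
import base64
import json
import os
import urllib.parse
import urllib.request

# The Microsoft Graph application permissions listed in the table above.
REQUIRED_GRAPH_ROLES = {
    "User.Read.All", "Group.Read.All", "GroupMember.Read.All",
    "Directory.Read.All", "RoleManagement.Read.All", "Policy.Read.All",
    "AuditLog.Read.All", "IdentityRiskyUser.Read.All",
    "SecurityEvents.Read.All", "DeviceManagementManagedDevices.Read.All",
    "Application.Read.All",
}

def request_graph_token(tenant_id, client_id, client_secret):
    """Client-credentials request for a Graph app-only token (needs network)."""
    body = urllib.parse.urlencode({
        "client_id": client_id, "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    """Build an unsigned JWT with the given claims (constructed test data only)."""
    return ".".join([_b64url(b'{"alg":"none"}'), _b64url(json.dumps(claims).encode()), "sig"])

def decode_jwt_claims(token: str) -> dict:
    """Read the payload of a token we obtained ourselves; no signature check."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def missing_graph_roles(token: str, required=frozenset(REQUIRED_GRAPH_ROLES)) -> set:
    """Permissions absent from the `roles` claim: not added, or not admin-consented."""
    return set(required) - set(decode_jwt_claims(token).get("roles", []))

if __name__ == "__main__":
    tok = (request_graph_token(os.environ["TENANT_ID"], os.environ["CLIENT_ID"],
                               os.environ["CLIENT_SECRET"])
           if "CLIENT_SECRET" in os.environ
           else make_sample_token({"roles": ["User.Read.All"]}))  # offline demo
    print("missing:", sorted(missing_graph_roles(tok)) or "none")
```

An empty or absent `roles` claim on a token that was issued successfully is the signature of permissions added but never admin-consented; the same comparison works for the optional Defender audiences by passing their permission names as `required`.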
Optional: Defender APIs
Microsoft 365 Defender exposes its own APIs separate from Microsoft Graph. Add these permissions only if you plan to use the Defender tools (machine inventory, recommendations, logon users, and Advanced Hunting). Find them in API permissions → Add a permission → APIs my organization uses.
| API | Permission | What it enables |
|---|---|---|
| WindowsDefenderATP | Machine.Read.All | List Defender for Endpoint machines, read recommendations and logon users |
| Microsoft Threat Protection | AdvancedHunting.Read.All | Run KQL hunting queries against the Defender XDR data lake |
Grant admin consent after adding either permission. Without these, the corresponding mscloud_defender_* tools will return an authorization error; the rest of the Microsoft Cloud tool set is unaffected.
Add the Connection in InfraScout
In the InfraScout dashboard, go to Settings → Microsoft Cloud → Add Connection. Fill in:
- A display name for this connection (shown in Claude when listing available connections)
- Your Tenant ID
- The Application (client) ID
- The client secret you copied during app registration
Click Save and Test. InfraScout verifies the credentials against Microsoft Graph and starts an initial sync of your directory.
What Syncs
After connecting, InfraScout syncs your Entra users, groups, and group membership. This sync runs continuously in the background so that directory changes are reflected promptly when Claude queries them during an assessment. The sync is read-only — InfraScout never writes to your directory.
Using the Connection in Claude
Once connected, call entra_connection_list in Claude to see your available Entra connections and select the one to use for the current session. After selecting, the full Microsoft Cloud tool set becomes available — tools for Entra ID, Azure, Microsoft 365, and Defender. See Microsoft Cloud Tools for an overview of what each tool provides.
Secret Rotation
Client secrets expire on the schedule you chose when you created them. When a secret is nearing expiry, create a new secret in Entra ID first, then update the connection in InfraScout (Settings → Microsoft Cloud → edit the connection) before the old secret expires. Updating the secret in InfraScout takes effect immediately with no disruption to running assessments.