Microsoft Entra ID Connector
The Entra connector reads Microsoft Entra users, groups, and group membership through Microsoft Graph.
Provider Path
Microsoft Graph v1.0

Typical resources:

- /users
- /groups
- /groups/{id}/members

Roster calls Microsoft Graph live when an admin searches Entra users or groups from the Platform participant picker. When the admin adds a selected user or group to a participant, Roster caches that selected record in directory_records and directory_record_sources. When the selected record is a group, Roster also caches the group's direct members and the membership edges needed for participant resolution. Only direct members are cached from that selection: the Graph /groups/{id}/members resource lists a nested group as a member but does not expand it.
MCP and REST directory-record search uses only Roster’s cached/materialized directory records. It does not call Microsoft Graph live.
Production Requirements
- Microsoft Entra tenant
- app registration approved for directory reads
- client secret stored in the runtime environment or a secret manager
- refresh schedule for user, group, and membership data
- stable external IDs from Graph records (the Graph object id; user principal names and mail addresses can change and should not be used as the key)

Use least-privilege Microsoft Graph permissions that allow Roster to read the users, groups, and memberships needed for participant resolution.

For the current client-secret implementation, grant these Microsoft Graph application permissions:

- User.Read.All
- Group.Read.All
- GroupMember.Read.All

Then grant admin consent for the tenant. Broader permissions such as Directory.Read.All would also satisfy these reads but exceed what the connector needs. Delegated permissions do not apply here: the client-secret flow is app-only, so only application permissions (the token's roles claim) take effect.
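As an added example (not Roster's code and not from this page), the following Python shows the client-credentials token request that an app-only registration implies, a check that the token's roles claim matches exactly the three permissions listed above (missing roles mean admin consent was not granted; extra roles mean the registration is broader than least privilege), and a resolver for the env: secret reference form described under Secret Kinds. The token used in the demo is constructed locally so the block runs offline; acquire_token is the only network call. That Roster inspects its own token, the result field names, and the helper names are assumptions, not documented Roster behaviour.

```python
"""Added example (illustrative, not Roster's own code): client-credentials
token request for Microsoft Graph plus a least-privilege audit of the
app-only token's roles claim.

Assumed, not stated on the page: that the connector inspects its token at
all, the result field names, and the constructed token used for the demo.
Claims are decoded without signature verification; that is acceptable for
self-auditing a token just received from the identity provider, never for
accepting tokens presented by anyone else."""
import base64
import json
import os
import urllib.parse
import urllib.request

GRAPH_SCOPE = "https://graph.microsoft.com/.default"
REQUIRED_ROLES = {"User.Read.All", "Group.Read.All", "GroupMember.Read.All"}


def resolve_secret_ref(ref: str) -> str:
    """Resolve a connector secret reference such as env:ENTRA_CLIENT_SECRET.
    Only the env kind is implemented here; unknown kinds fail closed."""
    kind, _, name = ref.partition(":")
    if kind != "env" or not name:
        raise ValueError(f"unsupported secret reference kind: {kind!r}")
    try:
        return os.environ[name]
    except KeyError:
        raise RuntimeError(f"secret env var {name} is not set") from None


def acquire_token(tenant: str, client_id: str, client_secret: str) -> str:
    """OAuth 2.0 client credentials grant against the v2.0 token endpoint.
    Network call; not exercised by the offline demo."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
        "grant_type": "client_credentials",
    }).encode()
    req = urllib.request.Request(
        f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token", data=body)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def token_claims(token: str) -> dict:
    """Decode only the JWT payload segment (no signature check, see above)."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def check_roles(token: str, required=REQUIRED_ROLES) -> dict:
    """Compare the app-only token's roles with the permissions Roster needs.
    'missing' -> consent not granted; 'excess' -> broader than least privilege;
    a 'scp' claim would mean a delegated token, which this flow must not use."""
    claims = token_claims(token)
    granted = set(claims.get("roles", []))
    return {
        "is_app_only": "roles" in claims and "scp" not in claims,
        "missing": sorted(required - granted),
        "excess": sorted(granted - required),
        "audience": claims.get("aud"),
    }


def constructed_token(payload: dict) -> str:
    """Unsigned JWT-shaped string for offline demonstration only (constructed)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(payload).encode())}."


if __name__ == "__main__":
    demo = constructed_token({"aud": "https://graph.microsoft.com",
                              "roles": ["User.Read.All", "Group.Read.All",
                                        "GroupMember.Read.All", "Directory.Read.All"]})
    print(check_roles(demo))  # excess: ['Directory.Read.All']
```

Run the check once at connector start-up, after acquire_token, and refuse to proceed when is_app_only is false or missing is non-empty; log excess as a finding for whoever owns the app registration rather than silently using the broader grant.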
Secret Kinds
Supported secret kind:

- client_secret

Store the secret value outside Roster, then reference it from the connector:

env:ENTRA_CLIENT_SECRET

The connector configuration holds only the reference; the secret value itself lives in the environment variable the reference names.

Normalized Data
The connector normalizes Entra records into Roster directory users and groups through these operations:

- queryUsers(query)
- getUser(externalId)
- queryGroups(query)
- getGroup(externalId)
- getGroupMembers(externalId, query)

Live search supports prefix matching on display name, email or user principal name, and mail nickname, plus exact match on external ID.
Use participant membership to map Entra users or groups to Roster participants.
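The following Python is an added example, not Roster's implementation, illustrating the mechanics described under Provider Path and Normalized Data: building the Graph $filter for a live search (prefix match on the four properties, exact match when the query is an object id, with OData quoting so a search term cannot alter the filter), normalizing Graph objects into records keyed by the immutable object id, and materializing a selected group's direct members and membership edges while following @odata.nextLink. The normalized field names, the edge tuple shape, and the canned Graph responses are assumptions made so the block runs offline.

```python
"""Added example (illustrative, not Roster's own code): Graph live-search
filters, record normalization, and materializing a selected group's direct
members plus membership edges.

Assumed, not stated on the page: the normalized field names, the edge tuple
shape, and the in-memory fake Graph client that lets this run offline."""
import re
from typing import Callable, Iterator
from urllib.parse import quote, urlencode

GRAPH = "https://graph.microsoft.com/v1.0"
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
USER_FIELDS = ("displayName", "mail", "userPrincipalName", "mailNickname")
GROUP_FIELDS = ("displayName", "mail", "mailNickname")  # groups have no UPN


def odata_literal(value: str) -> str:
    """Quote an OData string literal, doubling embedded single quotes.
    Without this a term such as  x') or (id ne '  could rewrite the filter."""
    return "'" + value.replace("'", "''") + "'"


def search_filter(query: str, fields=USER_FIELDS) -> str:
    """Exact external-id match when the query is a GUID, otherwise a prefix
    match on display name, mail, UPN and mail nickname (the live-search rules)."""
    q = query.strip()
    if GUID.match(q):
        return f"id eq {odata_literal(q)}"
    return " or ".join(f"startswith({f},{odata_literal(q)})" for f in fields)


def search_url(resource: str, query: str, top: int = 25) -> str:
    """URL for a /users or /groups live search, percent-encoded for Graph."""
    fields = USER_FIELDS if resource == "users" else GROUP_FIELDS
    params = {"$filter": search_filter(query, fields), "$top": top}
    return f"{GRAPH}/{resource}?{urlencode(params, quote_via=quote)}"


def normalize(obj: dict, default_kind: str = "user") -> dict:
    """Map a Graph user/group (or a /members directoryObject) to a directory
    record keyed by the immutable Graph object id."""
    otype = obj.get("@odata.type", "")          # e.g. "#microsoft.graph.user"
    kind = otype.rsplit(".", 1)[-1] if otype else default_kind
    return {
        "external_id": obj["id"],                # stable key; UPN and mail can change
        "kind": kind,
        "display_name": obj.get("displayName"),
        "email": obj.get("mail") or obj.get("userPrincipalName"),
        "mail_nickname": obj.get("mailNickname"),
    }


def paged(get: Callable[[str], dict], url: str) -> Iterator[dict]:
    """Follow @odata.nextLink; Graph pages large member lists."""
    while url:
        page = get(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def cache_group_members(get: Callable[[str], dict], group_id: str):
    """Direct members of one group (what /members returns; a nested group is
    listed but not expanded) and (group, member, kind) edges for each."""
    records, edges = [], []
    for member in paged(get, f"{GRAPH}/groups/{group_id}/members"):
        rec = normalize(member)
        if rec["kind"] not in ("user", "group"):
            continue                             # devices etc. are not participants
        records.append(rec)
        edges.append((group_id, rec["external_id"], rec["kind"]))
    return records, edges


# Constructed Graph responses standing in for an authenticated GET (two pages).
DEMO_GROUP = "1f1a0a7e-5c8b-4c7e-9a5e-0d2f8a1b3c4d"
_MEMBERS = f"{GRAPH}/groups/{DEMO_GROUP}/members"
_PAGES = {
    _MEMBERS: {"value": [
        {"@odata.type": "#microsoft.graph.user", "id": "u-alice", "displayName": "Alice Example",
         "mail": None, "userPrincipalName": "alice@example.test", "mailNickname": "alice"},
        {"@odata.type": "#microsoft.graph.group", "id": "g-nested", "displayName": "Nested Team",
         "mail": "nested@example.test"},
        {"@odata.type": "#microsoft.graph.device", "id": "d-laptop", "displayName": "LAPTOP-01"},
    ], "@odata.nextLink": _MEMBERS + "?$skiptoken=p2"},
    _MEMBERS + "?$skiptoken=p2": {"value": [
        {"@odata.type": "#microsoft.graph.user", "id": "u-bob", "displayName": "Bob Example",
         "mail": "bob@example.test", "userPrincipalName": "bob@example.test", "mailNickname": "bob"},
    ]},
}


def fake_graph_get(url: str) -> dict:
    return _PAGES[url]


if __name__ == "__main__":
    print(search_url("users", "ali"))
    recs, edges = cache_group_members(fake_graph_get, DEMO_GROUP)
    for rec, edge in zip(recs, edges):
        print(edge, rec["email"])
```

/members returns directoryObjects of mixed types, which is why the example keys on @odata.type and keeps only users and groups; the nested group becomes a group record with an edge but is not expanded, matching the direct-members caching described above. If Graph rejects a particular filter combination, the advanced query capabilities (ConsistencyLevel: eventual header together with $count=true) are the documented way to enable it.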