Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.matproof.com/llms.txt

Use this file to discover all available pages before exploring further.

Overview

The Microsoft Entra ID integration (formerly Azure Active Directory) connects to your Microsoft 365 tenant to collect identity and access management evidence for compliance controls. Evidence collected automatically:
  • User list with roles, licenses, and last sign-in
  • MFA registration and enforcement status per user
  • Conditional Access policy configuration
  • Privileged role assignments (Global Admins, Security Admins)
  • Guest user accounts and their access
  • Risky sign-ins detected by Entra ID Protection
  • Self-service password reset (SSPR) configuration
  • Sign-in and audit logs summary

Prerequisites

  • Microsoft Entra ID (Azure AD) tenant — included with Microsoft 365 Business or Enterprise plans
  • Matproof Admin or Owner role
  • Microsoft 365 Global Administrator account to authorize the connection
After initial authorization, Global Admin rights are not needed for ongoing evidence collection. Matproof uses the Microsoft Graph API with application permissions scoped to read-only directory and audit data.

Connecting Microsoft Entra ID

  1. Go to Settings → Integrations
  2. Click Connect next to Microsoft Entra ID / Azure AD
  3. Sign in with a Global Administrator Microsoft 365 account
  4. Review and grant the requested application permissions (admin consent required)
  5. Return to Matproof — the integration status will show Connected
The first sync runs immediately. Subsequent syncs run every 24 hours.

Permissions Requested

Matproof registers an application in your Entra ID tenant with the following Microsoft Graph permissions (all read-only, application-level):
PermissionWhat It’s Used For
User.Read.AllUser list, MFA status, last sign-in
Directory.Read.AllGroup memberships, role assignments
AuditLog.Read.AllSign-in logs and audit events
Policy.Read.AllConditional Access policy configuration
IdentityRiskyUser.Read.AllRisky user detections from Entra ID Protection

What Gets Mapped to Which Controls

Evidence CollectedControl Examples
MFA registration rateMFA controls (SOC 2 CC6.1, DORA Art. 9, NIS2 Measure 10)
Conditional Access — MFA requiredConditional access controls
Global Admin count (should be ≤ 5)Privileged access management
Guest user access reviewThird-party and external access controls
Risky sign-ins detected and responded toThreat detection and incident controls
SSPR enabledAccount self-service controls

Conditional Access

Matproof evaluates your Conditional Access policies and reports whether they cover the key scenarios compliance frameworks care about:
ScenarioWhat Matproof Checks
MFA for all usersCA policy requiring MFA applies to “All users”
MFA for adminsPrivileged role members required to use MFA
Block legacy authenticationCA policy blocking legacy auth protocols (IMAP, POP, basic auth)
Compliant device requiredCA policy requires device compliance for sensitive apps
Policies that are in Report-only mode are shown but do not count as implemented controls — they must be in Enabled state.
Legacy authentication blocking is a quick win that addresses a very common attack vector. If your tenant still allows it, Matproof will flag this and you can fix it in one Conditional Access policy.

Privileged Role Monitoring

Matproof tracks all users assigned to privileged Entra ID roles:
  • Global Administrator
  • Security Administrator
  • Exchange Administrator
  • SharePoint Administrator
  • User Administrator
  • Privileged Role Administrator
For each role, it reports how many members are assigned, when their assignment was last reviewed, and whether they have MFA enrolled. Compliance frameworks typically require ≤5 Global Admins and Just-in-Time (JIT) assignment via PIM where possible.

Common Issues

The person authorizing must be a Global Administrator — not a user with delegated admin permissions. Application permissions require Global Admin consent.

”MFA stats don’t match what I see in the Entra portal”

Matproof reports MFA registration (user has registered a method) separately from MFA enforcement (Conditional Access requires MFA at sign-in). A user can be registered but not enforced — both metrics are shown.

”Risky users showing as detected but we’ve already remediated them”

Dismissed risks in Entra ID Protection are reflected in the next sync (within 24 hours). If they still appear, check that the dismissal was confirmed in the Entra portal under Protection → Risky users.

Disconnecting

Go to Settings → Integrations → Microsoft Entra ID → Disconnect. Also remove the Matproof enterprise application from your Entra ID tenant under Enterprise applications to fully revoke access.