Microsoft Entra connector

Use your Microsoft Entra data for reporting, automation and AI.

Data Panda pulls your Entra users, groups, applications, sign-in events and conditional-access policies into the same warehouse as the rest of your business. From one place we turn it into dashboards, automations, AI workflows and custom apps that IT, security and finance use during the month, not only the week of an access review.

Data Panda Reporting Automation AI Apps
Microsoft Entra logo
About Microsoft Entra

The identity-of-record for a Microsoft-shop company.

Microsoft Entra is the umbrella Microsoft introduced in 2022 for its identity and network-access products, with Azure Active Directory renamed Entra ID through 2023. Sitting under the same brand are Entra ID Governance (access reviews, entitlement management and lifecycle workflows), Entra Permissions Management (CIEM across Azure, AWS and Google Cloud, originating from the 2021 CloudKnox acquisition), Entra Verified ID (verifiable credentials) and Entra External ID (the customer-identity product that replaces Azure AD B2C for new tenants). Every Microsoft 365 and Azure tenant on the planet sits on an Entra ID directory, which is why for a Microsoft-shop company it is the de facto identity-of-record alongside or in front of Okta.

The Entra admin center at entra.microsoft.com tells you who is in the directory today and which conditional-access policy fired on the last sign-in. The harder questions, like which paid Microsoft 365 E3 or E5 seats are sitting on dormant accounts, where MFA registration has slipped past policy because of legacy-authentication carve-outs, how long it really takes between a leaver in HiBob or BambooHR and the matching Entra user being disabled, or which enterprise applications and service principals have grown the fastest in admin-consent grants per business unit, sit across Entra and the systems around it. Our connector pulls users, groups, enterprise applications, service principals, directory roles, sign-in and audit logs, conditional-access policies, authentication-method registrations, devices and licence assignments through Microsoft Graph into your warehouse, so identity reporting joins finance, HR and the SaaS catalogue rather than living in an admin-center export.

What your Microsoft Entra data is for

What you get once Microsoft Entra is connected.

Identity, access and licence reporting

Users, groups, enterprise applications, MFA coverage and conditional-access outcomes in one place, joined to HR and Microsoft 365 spend.

  • Active versus dormant accounts per Microsoft 365 SKU (E3, E5, F3, Business Premium) and per business unit
  • MFA-method registration and skip rate per group, per app and per conditional-access carve-out
  • Leaver-to-disable lag from HR offboarding to Entra user disable and licence release

Lifecycle and access automation

Let HR events and Entra signals drive the right access work, instead of an IT ticket queue rebuilt every Monday.

  • Provision Entra users, groups and Microsoft 365 licences on the day a new hire signs in HiBob or BambooHR
  • Disable the Entra account within hours of a leaver record, free the licence and revoke active sessions
  • Open a ticket when a privileged directory role grows past its approved size or sees a new admin-consent grant

AI workflows

Put identity, app assignments and conditional-access outcomes behind AI that sees actual usage, not the org chart from last quarter.

  • Recommend group memberships based on peers in the same role and team
  • Risk-score sign-in events using location, device-compliance state, conditional-access result and historical pattern
  • Natural-language Q&A across users, groups, enterprise applications and licence assignments for IT and audit

Custom apps on your data

Lightweight tools on Entra data for managers and BU heads who should not need an Entra admin role to read their own team.

  • Access-review app per manager with peer comparison and recent sign-in context built in
  • App-owner dashboard with active users, MFA coverage and Microsoft 365 SKU cost per enterprise application
  • Joiner-mover-leaver tracker with the gap from HR action to Entra change visible per case
Use cases

Use cases we deliver with Microsoft Entra data.

A list of concrete reports, automations and AI features we have built on Microsoft Entra data. Pick the one that matches your situation.

Dormant-account auditEntra accounts inactive past 30, 60 or 90 days, per Microsoft 365 SKU and per business unit, with the licence cost per seat attached.
MFA coverage mapAuthentication-method registration per group, per app and per conditional-access carve-out, with legacy-authentication exposure called out.
Leaver-to-disable lagHours between a HiBob or BambooHR termination record and the Entra user being disabled and stripped of licences.
Enterprise application growthNew enterprise application registrations and admin-consent grants per business unit and per quarter, ranked by sign-in volume.
Privileged-role reviewMembership of Global Administrator, Privileged Role Administrator and other directory roles against approved size and approver, including PIM eligible versus active.
Conditional-access policy effectivenessBlock, grant and report-only outcomes per policy, per app and per user population, with policy carve-outs called out.
Sign-in failure patternsFailed sign-ins per app, country and reason, with brute-force and credential-stuffing shapes against guest and member accounts.
Service-principal and secret agingApplication registrations with secrets or certificates close to expiry, plus service principals with admin-consent scopes that exceed business need.
Microsoft 365 licence reconciliationAssigned subscribedSkus per user against actual product activity (Exchange, Teams, OneDrive), per cost centre.
Guest-user lifecycleB2B guest accounts past 90 days without sign-in, per inviting tenant and per shared application.
Joiner provisioning timingTime from new-hire start date to fully provisioned Entra user with the right groups, licence and MFA registered, per role and team.
Real business questions

Answers you will finally get.

Which paid Microsoft 365 seats are sitting on dormant accounts?

Account activity per Entra user, joined to assigned subscribedSkus (E3, E5, F3, Business Premium) and the per-seat licence cost, so finance and IT see exactly which Microsoft 365 seats sit unused past 60 or 90 days. Reclaiming or downgrading those seats becomes a list of names and cost centres rather than a quarterly back-and-forth with the licence reseller.

How long does it really take to disable a leaver in Entra?

The lag in hours between a termination record in HiBob or BambooHR and the matching Entra user being disabled, with active sessions revoked and Microsoft 365 licences released. HR and security see the cases that drift past policy, and the apps whose downstream deprovisioning runs slowest, instead of trusting that the lifecycle workflow fired on time.

Where does MFA get skipped in practice?

Authentication-method registration per group, per app and per conditional-access carve-out, joined to recent sign-ins. The security team sees which carve-outs (legacy authentication, executive exceptions, service principals) account for most of the unprotected logins, and which can be retired without breaking a workflow.

Value for everyone in the organisation

Where each function gets value.

For finance leaders

Microsoft 365 licence spend reconciled against actual identity-level activity per SKU. You see which E5 or Business Premium contracts can be downgraded at renewal because the seats sit on dormant accounts, instead of taking the per-seat number from the Microsoft Customer Agreement at face value.

For sales leaders

Group and enterprise-application hygiene for the customer-facing stack that is provisioned through Entra SSO. Sales ops sees which reps still sit in groups for territories they no longer cover, and which leavers were never removed from shared distribution lists or Teams.

For operations

Joiner-mover-leaver in one operational view. IT sees the gap between an HR action in HiBob or BambooHR and the matching Entra change per case, instead of trusting that the lifecycle workflow fired and reading about exceptions in next month's audit.

Ideas

What you can automate with Microsoft Entra.

Pair with HiBob

Drive Entra joiners and leavers from HiBob

New hires in Bob trigger the matching Entra user, the right groups, Microsoft 365 licence (E3, E5, F3 or Business Premium) and MFA registration on the start date, with the appropriate conditional-access policy in scope from day one. Termination records disable the account within hours, revoke active sessions and free the licence, so the lag from HR action to Entra change is a number you can report rather than a hope. The case-by-case timing lands in the warehouse next to the audit trail.

Pair with Exact Online

Re-allocate Microsoft 365 licence cost per cost centre in Exact Online

Entra group and department attributes drive the cost-centre allocation of monthly Microsoft 365 licence spend in Exact Online, so a finance controller sees the per-cost-centre E3, E5, F3 and Business Premium total without rebuilding the split from a CSV export each month. Movers between business units re-allocate from the next billing cycle, and the previous allocation stays in the warehouse for variance analysis.

Pair with Slack

Post Entra security signals into the right Slack channel

Risky sign-ins from new countries, sudden admin-consent grants on enterprise applications, privileged directory-role changes and disable failures from Entra post a compact alert in the security or IT-ops Slack channel, with user, app, conditional-access result and recent sign-in trail attached. The team triages in the channel they already watch instead of opening the Entra admin center per case.

Pair with Salesforce

Keep Salesforce profiles in step with Entra groups

Group changes in Entra that drive Salesforce profile, role and permission-set assignment land on the matching Salesforce user the same day, with the previous state kept in the warehouse for audit. Sales ops stops reconciling territories by hand at quarter-end, and a leaver loses the Salesforce seat the moment Entra disables the account rather than at the next manual cleanup.

Pair with HubSpot

Keep HubSpot users and teams aligned with Entra

Entra group and department changes propagate to HubSpot user, team and ownership rotation, so a new account manager inherits the right HubSpot pipeline on day one and a leaver releases their HubSpot seat the moment Entra disables them. Sales ops stops cleaning HubSpot user lists at quarter-end, and the lag between a HiBob change and the matching HubSpot change is visible per case.

Pair with monday.com

Mirror Entra groups into monday.com teams

Entra group and department changes flow into monday.com team and board membership, so project boards reflect the current org without a board owner chasing managers per move. New hires in HiBob land on the right monday.com boards through their Entra group membership, and leavers fall off the same day they are disabled in Entra. The audit trail of who got added to which board, when and why is in the warehouse rather than in monday.com activity logs alone.

Data model

Tables we make available.

These are the 2 tables we currently pull from Microsoft Entra into your warehouse. Query them directly in SQL, join them to the rest of your stack, or build reports on top.

  • Group Members
  • Groups

Missing a table you need? We can extend the sync. Tell us what is missing and we will build it for you.

Your existing tools

Your data lands in a warehouse. Your BI tools read from it.

You keep the reporting tool you already have. We connect it to the warehouse where your Microsoft Entra data lives.

Power BI logo
Power BI Microsoft
Microsoft Fabric logo
Fabric Microsoft
Snowflake logo
Snowflake Data warehouse
Google BigQuery logo
BigQuery Google
Tableau logo
Tableau Visualisation
Microsoft Excel logo
Excel Sheets & pivots
Three steps

From Microsoft Entra to answers in three steps.

01

Connect securely

OAuth authentication. Read-only by default. We sign a DPA and your admin keeps the keys.

02

Land in your warehouse

Data flows into your warehouse on your schedule. Near real time or nightly, your call. You own the data.

03

Reporting, automation, AI

We build the first dashboard, workflow or AI feature with you, then hand over the keys. Or we stay on for ongoing delivery.

Two ways to work with us

Pick the track that fits how you work.

Track 01

Self-serve

We set up the foundation. Your team builds on top.

  • Microsoft Entra connector configured and running
  • Warehouse set up in your cloud account
  • Clean access for your Power BI, Fabric or Tableau team
  • Documentation on what's in the data model
  • Sync monitoring so you're warned before reports break

Best fit Teams that already have a BI analyst or data engineer and want to own the build.

Track 02

Done for you

We build the whole thing, end to end.

  • Everything in Self-serve
  • Dashboards built to the questions your team actually asks
  • Automations between your systems
  • AI workflows scoped to real tasks your team runs
  • Custom apps where a dashboard does not cut it
  • Ongoing delivery at a pace that fits your team

Best fit Teams without in-house BI or dev capacity. You tell us what you need and we deliver it.

Before you book

Frequently asked questions.

Who owns the data?

You do. It lands in your warehouse, on your cloud account. We don't resell or aggregate it. If you stop working with us, the warehouse stays yours and keeps running.

How fresh is the data?

Near real time for most operational systems. For heavier sources we schedule hourly or nightly. You pick based on what the reports need.

Do I need a warehouse already?

No. If you don't have one, we help you pick one and set it up as part of the first delivery. Common starting points are Snowflake, Microsoft Fabric, or a small Postgres start.

Is Microsoft Entra the same thing as Azure Active Directory?

Entra ID is the renamed Azure AD, with the broader Microsoft Entra brand introduced in 2022 and the rename of Azure AD to Entra ID rolled out across the portal during 2023. Microsoft Entra as a brand is the umbrella that also covers Entra ID Governance, Entra Permissions Management, Entra Verified ID and Entra External ID. The directory tenant, the user object IDs and the Microsoft Graph endpoints stayed the same across the rename, so an existing Azure AD integration keeps working under the Entra name without re-implementation.

How does the connector pull Entra data, through Microsoft Graph or admin-center exports?

Through Microsoft Graph, the same API the Entra admin center itself sits on. We pull users, groups, applications, servicePrincipals, directoryRoles, sign-in and audit logs, conditionalAccess policies, authentication-method registrations, devices and subscribedSkus, with delta queries where Graph supports them and incremental cursors on the log endpoints. Admin-center CSV exports are not used, because they break on tenant size and lose the relational structure once they hit a spreadsheet.

What is the retention window on Entra sign-in and audit logs?

Microsoft retains Entra sign-in and audit logs in the directory for 7 days on the Entra ID Free plan and 30 days on Entra ID P1 and P2, and customers typically route the logs to Azure Monitor or Log Analytics when they need a longer horizon. We pull the logs incrementally on each sync window, so once the data is in your warehouse it stays there for as long as you want to keep it, independent of the in-product Microsoft retention. We agree the warehouse retention horizon per use case rather than holding everything indefinitely.

GDPR-compliant
Data stays in the EU
You own the warehouse

A first deliverable live in four to six weeks.

We review your Microsoft Entra setup and the systems around it. Together we pick the first thing worth building.

Book a call See our other connectors