Microsoft Sync - Entra ID and Azure

Written by Chip Reaves

Updated at May 12th, 2025

Table of Contents

  • Method 1: OAuth
  • Method 2: Enterprise App
  • Step 1: Create an Enterprise App
  • 2. App Registration
  • 3. Add a Scope
  • 4. Add a Client Application
  • 5. Add a Client Secret
  • 6. Importing Users Into the Team Management Portal
  • Another Method to Complete Steps 1-5:
  • 1. Automate the Process with PowerShell Scripts

Your users in BrainStation can be imported or synced from your Microsoft 365 tenant using our integration with Entra ID.  

There are two methods for syncing your Microsoft users to BrainStation: 

  1. OAuth
  2. Enterprise App

The OAuth mechanism is easier and is generally recommended.  

Both methods are available on the Azure Entra Sync page in the Team Management portal: 

Anyone with Team Leader access can reach this page from their normal BrainStation account by choosing the Team Leader menu, then “Manage Team”.

 

Method 1: OAuth

Using the OAuth sync is very simple: 

  1. Be logged into Microsoft 365 as a user with admin rights. (If you have multiple Microsoft 365 tenants, make sure you are logged into the correct one. If you were initially logged into the incorrect tenant, refresh the Azure Entra Sync page after logging in with the correct account.)
  2. From the Azure Entra Sync page, click on “Connect Microsoft OAuth”.
  3. A Microsoft authentication window will appear, asking you to choose which Microsoft account to use for the sync.
  4. Microsoft will ask you to Accept the permissions requested from the Bigger Brains UMS (User Management System).
  5. On returning to the Azure Entra Sync page, you should see a large green checkmark next to the Connect OAuth button.
  6. Use the “Sync Group” selector to choose which Azure Group you wish to sync to this Bigger Brains team. In some cases you may want to create a specific “Training” group in Azure/Microsoft 365, so that any users assigned to that group will automatically be added to your Bigger Brains team. In other cases there may already be an Azure Group that you wish to use.
    Whichever group you choose here will be the one that syncs with your BrainStation team.
  7. Once a Group is selected, a “Sync Users” field will appear:

By default “All Users” will be selected, but you can click the drop-down to see all users and their sync status between Azure and Bigger Brains: 

Note there is also a search box to search for specific users if your group list is very large. Users who are already part of this team will show a red “X” since they cannot be added again. 

How you proceed from here depends on what you want to accomplish: 

  1. If you just want to import certain users, you can select them here, choose “Save”, and then “Sync” and those users will be added to your Bigger Brains team. 
  2. If you wish to sync all users from this group on a continual basis, there is no need to select users.  Leave “All Users” selected, and from the Azure Entra Sync page check the “Synchronize users with this group daily” checkbox. 

The two checkboxes on the Azure Entra Sync screen give you control over how your sync with Azure will work: 

Auto Sync: If this checkbox is checked, the selected group will automatically add members to your Bigger Brains team anytime they are added in the selected Azure group.  Although the text indicates this is daily, OAuth will generally sync within a few minutes.  

Allow Deletion: If this checkbox is checked, then when a member of your Bigger Brains team does NOT exist in the Azure group, the Bigger Brains user will be deleted.  If your Team in BrainStation includes users that are not part of the Azure group, it will be best to leave this box unchecked so those users are not removed. 

If both checkboxes are selected, then your Bigger Brains/BrainStation team membership should always match the chosen Azure group. 

Method 2: Enterprise App

Step 1: Create an Enterprise App

Start by logging into the Azure portal for your Microsoft 365 tenant. Once you have logged in, click into the search bar and search for Enterprise Applications as seen below.

In your Entra portal, create an enterprise application by selecting New Application and then Create your own Application.

You can give the application a name of your choice, but for easy reference, let’s call it BiggerBrainsUsers. Select Register an application to integrate with Azure AD (App you’re developing).

Restrict access to this application to your own account by choosing the option Accounts in this organizational directory only (single tenant). After completing the configuration, you will be provided with the required tokens/IDs to authenticate and access it from outside the account.

You do not need to change anything in the Redirect URI section of this page. Once you have made the proper actions, click the Register button from the bottom left corner.

The above three steps created an Enterprise Application, and we now need to configure it to say what this application should do. In Entra terms, this is known as App Registration.

 

2. App Registration

In the search bar at the top of the screen, search for App Registration as seen below. Click on App registrations from the search menu.

From the App registrations page, you should be able to see the application, BiggerBrainsUsers, under the Owned Applications tab.

Select the application and click on API Permissions from the Manage menu on the left side of the screen. Here, we can choose the access level this application will have.

To choose and add permissions, click on Add a permission, and from the pop out screen, select Microsoft Graph.

In the next screen choose Application permissions.

In the Select Permissions list that appears, search for User in the search bar. Then open the drop down list under the title User to select the options below.

  1. User.Read.All – This will permit the application to read all user information.
  2. User.Export.All – This will permit the application to export all user information.

Similarly, we need to allow access to Group information by searching for Group in the search bar. Open the drop down list under the title Group and select Group.Read.All.

Finally, we will also need Group Members information. To enable that access, search for GroupMember and select GroupMember.Read.All. When complete, click the App Permissions button to add all the previously selected permissions to this application.

Ensure the application can access the configured permissions by checking the status column. As highlighted below, you may see a warning message indicating that consent is needed to grant access.

To Grant Access you can click on Grant admin consent for <Application Name> (<Application Name> is the placeholder here). A pop-up box will ask for confirmation of this action. Select Yes. Upon granting access, the status should change and inform you that access has been granted for Bigger Brains.

 

3. Add a Scope

We now need to add a scope to restrict access to data and functionality protected by the API. Click on Expose an API from the Manage menu in the left sidebar, then click on Add a Scope. You will be presented with an Application ID URI in a popout menu. Select Save and Continue to proceed.

Give the scope a name, as programmatically this name will be presented to the client internally. For easier reference, you can use BiggerBrainsUsers.Read as scope name, BiggerBrainsUsers as Admin consent display name, and Allow BiggerBrainsUsers Read access as Admin consent description. Select Add scope to enable these restrictions.

We are now almost ready with the configuration. To make things work, we need to know the ID of the application which can be obtained from the Overview tab in the left sidebar menu.

The Overview tab can be found below the search box in the left sidebar menu. Make a note of the Application (client) ID and Directory (tenant) ID, as these will be important later. You can copy these items to your clipboard by hovering your cursor over the information until a Copy to Clipboard option pops up.

4. Add a Client Application

Click on Expose an API from the Manage menu in the left sidebar and click on Add a client Application.

Paste the Application (client) ID copied in the previous step and select the Authorized scope. Select Add Application.

5. Add a Client Secret

We now move to the final few steps to configure a certificate and associate it to the application to ensure the connections are securely established.

Click on Certificates and secrets in the Manage menu on the left sidebar. Select New client secret.
In the pop out menu, you can add a Description and an Expiry date. Enter a Client secret name in the Description field; in this case we are using BiggerBrainsUsers Certificate. Choose the Expiry date to be the maximum possible days/months, so that you don’t have to renew it often. In most cases, this will be the 730 days (24 months) option. Select Add from the bottom left.
Upon creating the certificate secret, it will display a Secret ID. Copy it over to a safe location, as you will need this secret value to be entered in the Bigger Brains Team Management Portal to import users. You can copy this value by clicking the Copy to clipboard button next to the Secret ID.
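
One way to confirm, from PowerShell, that the registration holds only the four Microsoft Graph application permissions selected in step 2 and to see when the client secret from step 5 expires. This is an added example, not Bigger Brains' script; it assumes the Microsoft.Graph PowerShell SDK is installed, that the app is named BiggerBrainsUsers as in this guide, and a 30-day reminder window chosen for illustration.

```powershell
# Added example: read-only audit of the app registration from steps 1-5.
# Assumptions: Microsoft.Graph PowerShell SDK installed; app named BiggerBrainsUsers as in this guide.
$appName    = 'BiggerBrainsUsers'
$expected   = 'User.Read.All', 'User.Export.All', 'Group.Read.All', 'GroupMember.Read.All'
$graphAppId = '00000003-0000-0000-c000-000000000000'   # well-known Microsoft Graph app ID
$warnDays   = 30                                        # assumed renewal reminder window

Connect-MgGraph -Scopes 'Application.Read.All'

$app = @(Get-MgApplication -Filter "displayName eq '$appName'")
if ($app.Count -ne 1) { throw "Expected exactly one app named $appName, found $($app.Count)" }
$app     = $app[0]
$appSp   = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"

# Application permissions that have admin consent, resolved from role IDs to names.
$granted = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $appSp.Id -All |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object { $roleId = $_.AppRoleId; ($graphSp.AppRoles | Where-Object { $_.Id -eq $roleId }).Value })

$extra   = @($granted  | Where-Object { $_ -notin $expected })
$missing = @($expected | Where-Object { $_ -notin $granted })
"Consented Graph permissions: $($granted -join ', ')"
if ($extra)   { Write-Warning "Beyond what this guide asks for: $($extra -join ', ')" }
if ($missing) { Write-Warning "Listed in this guide but not consented: $($missing -join ', ')" }

# Client secrets: Graph returns only metadata (name, key ID, expiry), never the secret value.
$now = (Get-Date).ToUniversalTime()
foreach ($cred in $app.PasswordCredentials) {
    $daysLeft = [int]($cred.EndDateTime.ToUniversalTime() - $now).TotalDays
    [pscustomobject]@{ Name = $cred.DisplayName; KeyId = $cred.KeyId; Expires = $cred.EndDateTime; DaysLeft = $daysLeft }
    if ($daysLeft -lt $warnDays) { Write-Warning "Secret '$($cred.DisplayName)' expires in $daysLeft days" }
}
```

Because the sync stops working when the secret expires, running this check on a schedule gives advance notice to create a new secret and update the Azure Entra Sync page.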

6. Importing Users Into the Team Management Portal

Once the previous step is completed, open the Bigger Brains Team Management Portal and browse to the Azure Entra Sync page for the team you wish to sync (see guidance under the OAuth method above). 

For this Method we will skip the Connect Microsoft OAuth button and select “Create Your Own Enterprise App” instead.  Check this box to proceed. 

From here, enter the Tenant ID, Client ID, and the Client Secret Value in the corresponding fields and select Load Groups.

Remember, the Tenant ID and Client ID can be accessed through the Overview tab from the left side menu in Entra. Additionally, the Client Secret Value can be found in the Certificate & secrets tab under the Manage menu on the left sidebar.

Choose the “Sync Group” drop-down to choose which Azure Group you wish to sync or import.  Once a group is selected, a “Sync Users” field will appear: 

Note there is also a search box to search for specific users if your group list is very large. Users who are already part of this team (or another team) will show a red “X” since they cannot be added again.

How you proceed from here depends on what you want to accomplish: 

  1. If you just want to import certain users, you can select them here, choose “Save”, and then “Sync” and those users will be added to your Bigger Brains team. 
  2. If you wish to sync all users from this group on a continual basis, there is no need to select users.  Leave “All Users” selected, and from the Azure Entra Sync page check the “Synchronize users with this group daily” checkbox. 

The two checkboxes on the Azure Entra Sync screen give you control over how your sync with Azure will work: 

Auto Sync: If this checkbox is checked, the selected group will automatically add members to your Bigger Brains team anytime they are added in the selected Azure group.  Azure Enterprise Apps are synced to Bigger Brains daily. 

Allow Deletion: If this checkbox is checked, then when a member of your Bigger Brains team does NOT exist in the Azure group, the Bigger Brains user will be deleted.  If your Team in BrainStation includes users that are not part of the Azure group, it will be best to leave this box unchecked so those users are not removed. 

If both checkboxes are selected, then your Bigger Brains/BrainStation team membership should always match the chosen Azure group. 

This completes the process for importing users in the Bigger Brains Team Management Portal. If the user information is incorrect, you can navigate to your organization’s Members tab to edit user information.

Another Method to Complete Steps 1-5:

1. Automate the Process with PowerShell Scripts

Bigger Brains provides the PowerShell script below as a way to automate the Azure App creation process described in this document. This PowerShell script is provided as a ‘beta’ feature with no warranty, so proceed with caution; however, in our internal testing it has worked well.

The basic flow is simple: Run the PowerShell script, enter your tenant ID if prompted, enter a name for the app, and the script will do everything in steps 1-5 in this guide, delivering the IDs needed for step 6.

1. Download this PowerShell script and save it to your hard drive in an easy-to-remember path.

Note: The download is zipped for safety. Unzip the file and use the .ps1 file as the script. If the above link does not work, copy and paste this into your browser:

https://www.dropbox.com/scl/fi/qjhgisr0cx8hbewtausd1/RegisterAdApp_v1.2-powershell-script.zip?rlkey=jinhv4k8kogfzv8y3iojtbjtm&dl=1

2. Run PowerShell on your Windows computer. For PowerShell on other platforms, see this page.

Note: It is generally NOT necessary to “Run As Administrator” with this script; however, if you run into difficulties you might try that.

3. Because this script is unsigned, you likely need to set the PowerShell Execution Policy to run unsigned apps.

Do this by typing this command in PowerShell: Set-ExecutionPolicy -ExecutionPolicy Bypass

4. Run the script by typing the path and file name.

If the script file is saved in the root folder of your C: drive, you would type: c:\RegisterAdApp.ps1

5. The script will now run. Note there may be long pauses as the script downloads and installs PowerShell modules for Microsoft Graph and Azure AD cmdlets. You may see notifications that these items are being installed.
6. When prompted, enter a name for your App. The actual name is not important; we recommend something descriptive like “Bigger Brains Azure Import App”.
7. The script will try to detect your Azure tenant ID if you are logged in. If a tenant ID is detected, it will prompt you to confirm the tenant ID. If it is unable to find a tenant ID, it will prompt you for yours.

To find your tenant ID, log in to https://portal.azure.com, search for “tenant properties”, and in that page you will find your tenant ID.

8. The script will continue running after the tenant ID is entered.  Various progress or error messages may appear. 
9. When the script completes successfully, you will find the three key credentials needed for the Azure AD Import (Entra ID Import) displayed in green:

10. At this point the script is completed and PowerShell may be closed (after you copy those credentials!) and you can proceed with step 6 in this Guide.
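
Steps 1 to 4 run an unsigned download with the execution policy set to Bypass. The following added example (not part of the Bigger Brains script; the download and extraction paths are assumptions) records the file's hash and signature status, lists the commands the script will call without executing it, and limits the bypass to the current PowerShell session with -Scope Process:

```powershell
# Added example, not Bigger Brains' script. Paths are assumptions; adjust to where you saved the download.
$zip  = Join-Path $HOME 'Downloads\RegisterAdApp_v1.2-powershell-script.zip'
$dest = Join-Path $env:TEMP 'RegisterAdApp'

Expand-Archive -Path $zip -DestinationPath $dest -Force
$script = Get-ChildItem -Path $dest -Filter *.ps1 -Recurse | Select-Object -First 1
if (-not $script) { throw "No .ps1 file found in $zip" }

# Record what you are about to run: SHA-256 for your change log, signature status (NotSigned is expected here).
$hash = Get-FileHash -Path $script.FullName -Algorithm SHA256
$sig  = Get-AuthenticodeSignature -FilePath $script.FullName
"{0}  SHA256={1}  Signature={2}" -f $script.Name, $hash.Hash, $sig.Status

# Parse (do not execute) the script and list every command it calls, most frequent first.
$tokens = $null; $errors = $null
$ast = [System.Management.Automation.Language.Parser]::ParseFile($script.FullName, [ref]$tokens, [ref]$errors)
if ($errors) { Write-Warning "Parse errors: $($errors.Count)" }
$ast.FindAll({ $args[0] -is [System.Management.Automation.Language.CommandAst] }, $true) |
    ForEach-Object { $_.GetCommandName() } |
    Where-Object { $_ } |
    Group-Object | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Show lines that deserve a closer read before running (dynamic execution, downloads, new processes).
$review = 'Invoke-Expression|\biex\b|Invoke-WebRequest|Invoke-RestMethod|Start-Process|DownloadString|FromBase64String'
Select-String -Path $script.FullName -Pattern $review | Select-Object LineNumber, Line

# After reviewing, allow unsigned scripts for this PowerShell session only, then run.
if ((Read-Host 'Run the script now? (y/n)') -eq 'y') {
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
    & $script.FullName
}
```

With -Scope Process the policy change ends when the PowerShell window is closed, so the machine's normal execution policy is left untouched.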

For any support question please contact support@bigger-brains.com

 
