
# Microsoft Entra ID Integration

You can integrate Microsoft Entra ID with Asset Panda Pro to streamline employee and user management. With this integration, you can sync user data from Azure directly into Asset Panda Pro, simplifying the onboarding process and reducing manual data entry.

You can use the integration in the following ways:

* Import records into the People collection to enable users to check out items in Asset Panda Pro.
* Import records into User Configuration to grant users access to log in to the system.

You can use one or both options based on your needs. This improves efficiency, reduces check-out times, and keeps employee data synchronized, offering a seamless experience between the two platforms.

When importing user logins, you must create a separate Active Directory group for each Asset Panda Pro permission level. Your organization must configure these groups because Asset Panda Pro does not manage external system settings.

{% hint style="info" %}
In addition to the steps described here, you must contact your Implementation Specialist or the Support Team to activate this integration on your Asset Panda Pro account.
{% endhint %}

## Prerequisites

* Active Asset Panda Pro subscription with Administrative access
* Microsoft Entra ID deployment within your organization with Administrative access
* Relevant collections and fields in Asset Panda Pro to map the imported data

***

## Microsoft Entra ID tasks <a href="#entra-tasks" id="entra-tasks"></a>

To connect Microsoft Entra ID (formerly Azure AD) with Asset Panda Pro, complete the following tasks in the [Azure Portal](https://portal.azure.com/).

### Register a new application <a href="#register-new-app" id="register-new-app"></a>

1. In the **Azure Portal,** search for **App registrations.**
2. Click **New registration.**
3. Enter a **Name** for the app (for example, `Asset Panda Pro Integration`).
4. Under **Supported account types**, select **Accounts in this organizational directory only (Single tenant)**.
5. Click **Register.**

***

### Gather Required IDs <a href="#ids" id="ids"></a>

After the app is registered, copy the following details and paste them into the corresponding fields in Asset Panda Pro:

* **Application (client) ID**: Paste into **Client ID**
* **Object ID**: Paste into **Application Object ID**
* **Directory (tenant) ID**: Paste into **Tenant ID**
* **Client Secret Value**: Paste into **Client Secret**

***

### Create a Client Secret <a href="#client-secret" id="client-secret"></a>

1. Go to **Certificates & secrets.**
2. Click **New client secret.**
3. Add a **Description** and select an **Expiration** period.
4. Click **Add.**
5. Copy the **Client Secret Value** (not the Secret ID) of the newly created client secret and paste it into the **Client Secret** field in Asset Panda Pro.

{% hint style="danger" %}
When creating the **Client Secret**, make sure to copy the **Value** immediately after it is generated. This value is only displayed once. If you navigate away or forget to copy it, you will need to generate a new client secret to proceed with the integration.
{% endhint %}

***

### Add API permissions <a href="#api-permissions" id="api-permissions"></a>

You must add permissions to allow Asset Panda Pro to read data from Microsoft Entra ID:

#### API Permissions

1. Navigate back to your registered application.
2. Go to **API Permissions.**
3. Confirm that **User.Read** (delegated) is listed.

#### Delegated permissions <a href="#delegated-permissions" id="delegated-permissions"></a>

1. Click **Add a permission.**
2. Select **Microsoft Graph.**
3. Select **Delegated permissions.**
4. Expand **OpenId** and select:
   * `email`
   * `profile`
   * `offline_access`
5. Click **Add permissions.**

#### Application permissions <a href="#app-permissions" id="app-permissions"></a>

1. Click **Add a permission**.
2. Select **Microsoft Graph.**
3. Select **Application permissions.**
4. Expand and add the following:
   * **Application** → `Application.Read.All`
   * **Directory** → `Directory.Read.All`
   * **Group** → `Group.Read.All`
   * **User** → `User.Read.All`
   * **GroupMember** → `GroupMember.Read.All`
5. Click **Add permissions.**

***

### Grant Admin Consent <a href="#admin-consent" id="admin-consent"></a>

1. In the **API Permissions** page, click **Grant admin consent for \[Your Directory Name]**. A confirmation message is displayed.
2. Click **Yes.**
3. Ensure the **Status** column shows all permissions as **Granted for admin consent.**
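
To confirm that consent resulted in exactly the application permissions listed above, you can compare them with the `roles` claim of an access token issued to the app. This is an added example, not Asset Panda Pro or Microsoft code; it assumes the token is a compact JWT whose `roles` claim lists the granted application permissions, and the function names and the sample token are constructed for illustration.

```python
import base64
import json

# Application permissions this page tells you to add (Microsoft Graph).
EXPECTED_ROLES = {
    "Application.Read.All", "Directory.Read.All", "Group.Read.All",
    "User.Read.All", "GroupMember.Read.All",
}


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(jwt: str) -> dict:
    """Return the payload claims of a compact JWT (signature NOT verified)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    return json.loads(b64url_decode(parts[1]))


def audit_roles(jwt: str, expected=frozenset(EXPECTED_ROLES)) -> dict:
    """Compare the token's application roles with the documented set."""
    granted = set(token_claims(jwt).get("roles", []))
    return {
        "missing": sorted(expected - granted),  # not granted to the app
        "extra": sorted(granted - expected),    # beyond what this page lists
        "write_capable": sorted(r for r in granted if "Write" in r),
    }


def make_sample_token(roles) -> str:
    # Constructed, unsigned sample token; the tenant ID is a placeholder.
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    claims = {"aud": "https://graph.microsoft.com",
              "tid": "00000000-0000-0000-0000-000000000000", "roles": roles}
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])


if __name__ == "__main__":
    sample = make_sample_token(["Application.Read.All", "Directory.Read.All",
                                "Group.Read.All", "User.Read.All",
                                "User.ReadWrite.All"])
    print(json.dumps(audit_roles(sample), indent=2))
```

A non-empty `extra` or `write_capable` list means the app registration holds more privilege than this integration's read-only permission set requires.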

***

## Asset Panda Pro tasks <a href="#ap-tasks" id="ap-tasks"></a>

### Set up the Microsoft Entra ID integration <a href="#setup" id="setup"></a>

1. Log into Asset Panda Pro with an administrator account.
2. Navigate to <img src="/files/dLHka5YWbUR3zisHLua6" alt="Settings icon" data-size="line"> **Settings** > **Account Management**.
3. Expand the appropriate account and module.
4. Click **Manage** in the **Integrations** card.
5. Select **Integrations Store**.
6. In the **Microsoft Entra ID** tile, click **Add**. The **Integrations in this module** tab is displayed.
7. In the **Microsoft Entra ID** tile, click **Configure**.
8. Enter the following Azure details:
   * **Client ID**: Azure Application (client) ID
   * **Client Secret**: Azure Client Secret Value
   * **Application Object ID**: Azure Object ID
   * **Tenant ID**: Azure Directory (tenant) ID
9. Click **Test and Save Connection** to verify the authentication.
10. Click **Continue with mapping**.
11. Click **Add Mapping Option**. The Mapping Option view is displayed.
12. Select one of the following mapping options:
    * **To create users with login access:**
      1. Click **Create Asset Panda users from Microsoft Entra ID with login access**.
      2. Enter a name in the **Mapping Name** field.
      3. For **External Entity**, select the entity type (for example, Mobile Devices).
      4. For **Collection**, select a collection (for example, Azure Users).
      5. [Map fields](#mapping-fields) from Microsoft Entra ID to the corresponding Asset Panda Pro fields.
    * **To import users as reference records without login access:**
      1. Click **Create Microsoft Entra ID users as collection records without login access**.
      2. Enter a name in the **Mapping Name** field.
      3. For **Organizational Unit** field, select the relevant unit from Microsoft Entra ID.
      4. For **User Role** field, assign a role.
      5. [Map fields](#mapping-fields) from Microsoft Entra ID to the corresponding Asset Panda Pro fields.
13. To add more fields, click **Add More** and repeat the previous step.
14. Click **Save**.

{% hint style="info" %}
You can set up an automation to ensure data stays up to date by syncing records at scheduled intervals.
{% endhint %}

***

### Map fields <a href="#mapping-fields" id="mapping-fields"></a>

In the **Mapping** section, select fields from Microsoft Entra ID and map them to fields in Asset Panda Pro.

#### Unique identifiers <a href="#unique-identifiers" id="unique-identifiers"></a>

Select one of the following fields as your **Unique Identifier** to ensure proper record matching and avoid duplication.

<table><thead><tr><th width="189.03125">Field</th><th width="159.83984375">Recommended?</th><th>Why</th></tr></thead><tbody><tr><td><strong>User Principal Name</strong></td><td>Yes</td><td>Typically in <code>user@domain.com</code> format. Globally unique, stable, and used for login. Ideal for most organizations.</td></tr><tr><td><strong>Object ID</strong></td><td>Yes (alternative)</td><td>A static, system-generated GUID that never changes. Best for long-term consistency.</td></tr><tr><td><strong>Email</strong></td><td>Conditional</td><td>Use only if all users have a unique and permanent primary email address. Not ideal in environments with aliases.</td></tr></tbody></table>

#### User de-provisioning & Status handling (Login users only)

Asset Panda Pro does not independently delete users. All de-provisioning actions depend on the user data exposed by Microsoft Entra ID.

If users are created with login access via the Microsoft Entra ID integration, Asset Panda Pro manages user deactivation based on the user’s status in Microsoft Entra ID and the availability of user data through Entra ID APIs.

* **Deactivated users:**\
  If a user is disabled in Microsoft Entra ID (accountEnabled = false), the corresponding Asset Panda login user is automatically deactivated during the next sync.
* **Deleted users:**
  * If a deleted user is still available in the **Deleted Users** list in Microsoft Entra ID, Asset Panda Pro can retrieve the record and **deactivate the user**.
  * If the user is **permanently deleted** and no longer accessible via APIs, Asset Panda Pro cannot retrieve or update that user.
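
The permanently deleted case leaves login users that the sync can no longer reach, so it is worth reconciling them periodically. The sketch below is an added example, not Asset Panda Pro code: it assumes records are matched on Object ID, and the export field names (`login`, `object_id`, `active`) and all sample records are constructed for illustration.

```python
def classify_login_users(ap_users, entra_users, entra_deleted):
    """Bucket active Asset Panda Pro login users by what the next sync can do.

    ap_users:      constructed export; 'login', 'object_id' and 'active'
                   are hypothetical field names.
    entra_users:   objects with 'id' and 'accountEnabled' from Entra ID.
    entra_deleted: objects with 'id' from the Deleted Users list.
    """
    enabled = {u["id"]: bool(u.get("accountEnabled")) for u in entra_users}
    soft_deleted = {u["id"] for u in entra_deleted}
    report = {"ok": [], "sync_will_deactivate": [], "manual_review": []}
    for user in ap_users:
        if not user["active"]:
            continue  # already deactivated, nothing left to reconcile
        oid = user["object_id"]
        if enabled.get(oid):
            report["ok"].append(user["login"])
        elif oid in enabled or oid in soft_deleted:
            # Disabled (accountEnabled = false) or still in Deleted Users.
            report["sync_will_deactivate"].append(user["login"])
        else:
            # Permanently deleted: no longer visible through the APIs, so
            # the sync cannot retrieve or update this login.
            report["manual_review"].append(user["login"])
    return report


# Constructed sample data (placeholder GUIDs and logins).
AP_USERS = [
    {"login": "alice@example.com", "object_id": "00000000-0000-0000-0000-000000000001", "active": True},
    {"login": "bob@example.com", "object_id": "00000000-0000-0000-0000-000000000002", "active": True},
    {"login": "carol@example.com", "object_id": "00000000-0000-0000-0000-000000000003", "active": True},
    {"login": "dave@example.com", "object_id": "00000000-0000-0000-0000-000000000004", "active": True},
    {"login": "erin@example.com", "object_id": "00000000-0000-0000-0000-000000000005", "active": False},
]
ENTRA_USERS = [
    {"id": "00000000-0000-0000-0000-000000000001", "accountEnabled": True},
    {"id": "00000000-0000-0000-0000-000000000002", "accountEnabled": False},
]
ENTRA_DELETED = [{"id": "00000000-0000-0000-0000-000000000003"}]

if __name__ == "__main__":
    print(classify_login_users(AP_USERS, ENTRA_USERS, ENTRA_DELETED))
```

Logins in `manual_review` still have access in Asset Panda Pro and need to be deactivated by an administrator, because the integration has no Entra ID record left to act on.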

#### Microsoft Entra ID fields

<table><thead><tr><th width="186.91015625">Field Name</th><th>Description</th></tr></thead><tbody><tr><td><strong>Account enabled</strong></td><td>Indicates whether the user account is active. Used to filter out deactivated or suspended users.</td></tr><tr><td><strong>Age group</strong></td><td>Specifies the user's age classification (for example, minor, adult). Used in compliance or filtering scenarios.</td></tr><tr><td><strong>Business phone</strong></td><td>User’s business contact number. Useful for directories or asset assignment contact fields.</td></tr><tr><td><strong>City</strong></td><td>City listed in the user's profile. Can be used for location-based mapping.</td></tr><tr><td><strong>Company name</strong></td><td>Organization name associated with the user. Often used for tenant-level reporting.</td></tr><tr><td><strong>Country or region</strong></td><td>Geographic country/region the user is assigned to.</td></tr><tr><td><strong>Department</strong></td><td>Department to which the user belongs (for example, HR, Finance). Useful for role-based mapping.</td></tr><tr><td><strong>Display name</strong></td><td>Full name displayed in the directory (for example, Jane Doe). Helpful for readable labels.</td></tr><tr><td><strong>Email</strong></td><td>User's primary email address. May be used for contact or login to ensure uniqueness.</td></tr><tr><td><strong>Employee hire date</strong></td><td>User’s official date of hire. Can help with lifecycle tracking.</td></tr><tr><td><strong>Employee ID</strong></td><td>Internal or external employee identifier. Useful if used consistently across systems.</td></tr><tr><td><strong>Employee org data</strong></td><td>Organization-specific metadata (for example, cost center, division). 
Customizable use.</td></tr><tr><td><strong>Employee type</strong></td><td>Indicates employment type (for example, contractor, full-time).</td></tr><tr><td><strong>External user state</strong></td><td>Status of external (guest) users, such as invited or accepted.</td></tr><tr><td><strong>External user state change date time</strong></td><td>Date/time of the last state change for external users.</td></tr><tr><td><strong>Fax number</strong></td><td>Deprecated in most environments. Rarely used.</td></tr><tr><td><strong>First name</strong></td><td>User’s given name. Can be mapped to standard profile fields.</td></tr><tr><td><strong>Integration Status</strong></td><td>Automatically created and managed by Asset Panda Pro during sync. No manual mapping needed.</td></tr><tr><td><strong>Job title</strong></td><td>User's role or position (for example, IT Administrator).</td></tr><tr><td><strong>Last name</strong></td><td>User’s surname or family name.</td></tr><tr><td><strong>Mail nickname</strong></td><td>User alias used in email routing (for example, jdoe).</td></tr><tr><td><strong>Mobile phone</strong></td><td>User’s mobile contact number.</td></tr><tr><td><strong>Object ID</strong></td><td>Unique system-generated ID for each Entra user. Great for strict identity matching.</td></tr><tr><td><strong>Office location</strong></td><td>User’s office or desk location.</td></tr><tr><td><strong>Other emails</strong></td><td>Secondary or alternate email addresses. Not recommended for mapping unique identifiers.</td></tr><tr><td><strong>Preferred language</strong></td><td>Default language preference for the user.</td></tr><tr><td><strong>State or province</strong></td><td>State/province portion of the user's address.</td></tr><tr><td><strong>Street address</strong></td><td>User’s street-level address info.</td></tr><tr><td><strong>Usage location</strong></td><td>Country where the service is being used. 
Often used for licensing.</td></tr><tr><td><strong>User principal name</strong></td><td>Primary login name (for example, <code>john.doe@domain.com</code>). Highly recommended as the unique identifier.</td></tr><tr><td><strong>User type</strong></td><td>Defines whether the user is internal (<code>Member</code>) or external (<code>Guest</code>).</td></tr><tr><td><strong>ZIP or postal code</strong></td><td>Postal/ZIP code from the user’s address.</td></tr></tbody></table>

