
Microsoft Entra Connection Setup for Production Assist#

This guide explains how to connect a Microsoft Entra tenant to Production Assist so users from a Microsoft Entra group can be synchronized into Production Assist.

The screenshots in this guide show the Microsoft Entra admin center with an app registration named Production-Assist, API permissions for Microsoft Graph, and a tenant named GTG.

Prerequisites#

Before you start, make sure you have:

  1. Access to the Microsoft Entra admin center:

    https://entra.microsoft.com
    
  2. An administrator account that can grant tenant-wide consent for Microsoft Graph application permissions. One of these roles is required:

    • Global Administrator
    • Privileged Role Administrator

  3. Access to the Production Assist organization settings where the Entra connection will be saved.

  4. A Microsoft Entra group that contains the users who should get access to Production Assist. The group must be named exactly:

    Azure_APP_Production-Assist
    
  5. Users in the group should have a usable email address or user principal name.

Overview#

The setup has four parts:

  1. Create or open the Production-Assist app registration in Microsoft Entra.
  2. Create a client secret for Production Assist.
  3. Grant Microsoft Graph application permissions.
  4. Add the tenant ID, client ID, and client secret in Production Assist.

Production Assist uses the Microsoft Graph API as a background service. This means you must use Application permissions, not Delegated permissions.

1. Open Microsoft Entra Admin Center#

  1. Go to:

    https://entra.microsoft.com
    
  2. Sign in with an administrator account.

  3. In the left sidebar, open:

    Entra ID
    
  4. Make sure you are in the correct tenant. In the tenant overview screen, confirm the tenant name and tenant ID.

Microsoft Entra tenant overview with the tenant ID

The tenant overview confirms that you are working in the correct tenant and shows the tenant ID you need later.

2. Create Or Open The App Registration#

If the app registration already exists, open it:

  1. In the left sidebar, go to:

    Entra ID > App registrations
    
  2. Select:

    All applications
    
  3. Search for:

    Production-Assist
    
  4. Open the app registration.

If the app registration does not exist, create it:

  1. Go to:

    Entra ID > App registrations
    
  2. Click:

    New registration
    
  3. Use this name:

    Production-Assist
    
  4. For supported account types, select:

    Accounts in this organizational directory only
    
  5. Leave redirect URI empty unless your organization requires one.

  6. Click:

    Register
    

3. Copy The Client ID And Tenant ID#

On the app registration overview page, copy these values:

  1. Application (client) ID
  2. Directory (tenant) ID

You will enter both values in Production Assist later.

Production-Assist app registration overview with client ID and tenant ID

Use the Overview page to verify both IDs before you continue.

4. Create A Client Secret#

  1. In the app registration, open:

    Certificates & secrets
    
  2. Open:

    Client secrets
    
  3. Click:

    New client secret
    
  4. Enter a description, for example:

    Production Assist AD Sync
    
  5. Choose an expiration period according to your company policy.

  6. Click:

    Add
    
  7. Copy the secret Value immediately.

Important: copy the secret Value, not the secret ID. Microsoft only shows the secret value once.

You will enter this value in Production Assist as the client secret.

Certificates & secrets in the Production-Assist app registration

The Certificates & secrets area is where you create and later rotate client secrets.

5. Add Microsoft Graph API Permissions#

  1. In the app registration, open:

    API permissions
    
  2. Click:

    Add a permission
    
  3. Select:

    Microsoft Graph
    
  4. Select:

    Application permissions
    

Do not select Delegated permissions. Production Assist runs the sync in the background without a signed-in Microsoft user.

Request API permissions dialog with Application permissions selected

Select Application permissions so the sync can run in the background without a signed-in Microsoft user.

6. Select The Required Permissions#

Production Assist needs permission to find the access group and read its members.

Add these Microsoft Graph Application permissions:

Group.Read.All
GroupMember.Read.All

Add GroupMember.Read.All#

  1. In the permission search field, type:

    group
    
  2. Expand:

    GroupMember
    
  3. Select:

    GroupMember.Read.All
    
  4. Do not select:

    GroupMember.ReadWrite.All
    

Permission search with GroupMember.Read.All selected

Make sure you select GroupMember.Read.All under GroupMember, not GroupMember.ReadWrite.All.

Add Group.Read.All#

  1. In the permission search field, type:

    group
    
  2. Expand:

    Group
    
  3. Select:

    Group.Read.All
    
  4. Click:

    Add permissions
    

After adding the permissions, they appear in the configured permissions table.

If your app registration already shows a default delegated permission such as User.Read, you can leave it in place. Production Assist only relies on Group.Read.All and GroupMember.Read.All as Application permissions for the background sync.

7. Grant Admin Consent#

Adding the permissions is not enough. An administrator must grant tenant-wide consent for them; until then, Microsoft Graph rejects the application's requests.

  1. Stay on:

    API permissions
    
  2. Click:

    Grant admin consent for <tenant name>
    
  3. Confirm the consent dialog.

  4. Check the Status column. The permissions should show admin consent granted for the tenant.

If the button is disabled, your account probably does not have enough administrative rights.

Configured Microsoft Graph permissions and the Grant admin consent action

The configured permissions view should show Group.Read.All and GroupMember.Read.All under Microsoft Graph and let an administrator grant tenant-wide consent.

8. Create The Production Assist Access Group#

Production Assist looks for a group with this exact display name:

Azure_APP_Production-Assist

To create or verify the group:

  1. In Microsoft Entra, go to:

    Entra ID > Groups
    
  2. Select:

    All groups
    
  3. Search for:

    Azure_APP_Production-Assist
    
  4. If the group does not exist, click:

    New group
    
  5. Use:

    Group type: Security
    Group name: Azure_APP_Production-Assist
    
  6. Add all users who should get access to Production Assist.

  7. Save the group.

Important: Production Assist reads direct group members. Avoid relying on nested groups unless the sync implementation has been changed to support them.

9. Configure Production Assist#

In Production Assist, open the organization or tenant settings for the customer that should be connected to Microsoft Entra. In the section Configure an AD Server for authentication, enter these values:

Production Assist field      Value from Microsoft Entra
AD Master Tenant Id          Directory (tenant) ID
AD Master Client Id          Application (client) ID
AD Master Client Secret      Client secret Value

Production Assist configuration form for Microsoft Entra authentication

Use Refresh AD preview to check the current result before you click Save configuration. If Production Assist shows a preview, verify that the listed users match the members of:

Azure_APP_Production-Assist

Then save the configuration.

10. Run And Verify The Sync#

After the connection is saved, run the Azure AD sync in Production Assist or wait for the scheduled sync.

The expected result is:

  1. Production Assist finds the Microsoft Entra group.
  2. Production Assist reads the group members.
  3. Production Assist creates users that do not exist yet.
  4. Production Assist adds the users to the connected Production Assist tenant.

In the server logs, a successful sync should look similar to:

Fetched <number> users from tenant <tenant-id>
Processed <number> users for tenant <tenant-id>
Updated tenant <production-assist-tenant-id> with <number> users
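The same result can be reproduced outside Production Assist to confirm that the app registration, consent and group are correct before saving the connection. The script below is an added example, not code from Production Assist: it assumes the sync obtains an app-only token with the client-credentials grant, looks up the group by its exact displayName and reads the group's direct members through the Microsoft Graph /members endpoint (assumptions based on the permissions and log lines described on this page). Its result "status" uses the same names as the troubleshooting headings below. The HTTP transport is injected, so it runs offline against constructed sample responses; pass urllib_http together with your real tenant ID, client ID and client secret value to query a real tenant.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

GROUP_NAME = "Azure_APP_Production-Assist"  # exact display name the sync looks for
GRAPH = "https://graph.microsoft.com/v1.0"

def token_request(tenant_id, client_id, client_secret):
    """Client-credentials request: application permissions, no signed-in user."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {"client_id": client_id, "client_secret": client_secret,  # the secret Value, not the secret ID
            "scope": "https://graph.microsoft.com/.default", "grant_type": "client_credentials"}
    return url, urllib.parse.urlencode(body).encode()

def group_lookup_url(display_name=GROUP_NAME):
    """Filter on the exact display name; a single quote inside an OData string is doubled."""
    odata_filter = "displayName eq '" + display_name.replace("'", "''") + "'"
    return f"{GRAPH}/groups?$filter={urllib.parse.quote(odata_filter)}&$select=id,displayName"

def members_url(group_id):
    """/members returns direct members only; a nested group comes back as a group object."""
    return f"{GRAPH}/groups/{group_id}/members?$select=id,displayName,mail,userPrincipalName"

def usable_users(members):
    """Keep user objects that carry an email address or UPN the sync can use."""
    return [m for m in members if m.get("@odata.type") == "#microsoft.graph.user"
            and (m.get("mail") or m.get("userPrincipalName"))]

def run_check(tenant_id, client_id, client_secret, http):
    """http(method, url, headers, data) -> (status_code, json_body). The returned "status"
    names a troubleshooting heading: invalid_client_secret, missing_permissions,
    group_not_found, no_usable_users or ok."""
    def forbidden(b):  # 403: permission missing, consent not granted, or token older than the consent
        return {"status": "missing_permissions", "detail": b.get("error", {}).get("message", "")}
    url, data = token_request(tenant_id, client_id, client_secret)
    code, body = http("POST", url, {"Content-Type": "application/x-www-form-urlencoded"}, data)
    if code != 200:  # invalid_client covers a wrong, expired or mismatched secret
        kind = "invalid_client_secret" if body.get("error") == "invalid_client" else "token_error"
        return {"status": kind, "detail": body.get("error_description", "")}
    headers = {"Authorization": "Bearer " + body["access_token"]}
    code, body = http("GET", group_lookup_url(), headers, None)
    if code == 403:
        return forbidden(body)
    groups = body.get("value", [])
    if not groups:
        return {"status": "group_not_found", "detail": GROUP_NAME}
    members, next_url = [], members_url(groups[0]["id"])
    while next_url:  # follow @odata.nextLink until every page of members has been read
        code, body = http("GET", next_url, headers, None)
        if code == 403:
            return forbidden(body)
        members.extend(body.get("value", []))
        next_url = body.get("@odata.nextLink")
    users = usable_users(members)
    return {"status": "ok" if users else "no_usable_users", "fetched": len(members), "processed": len(users)}

def urllib_http(method, url, headers, data):
    """Real transport (needs network access to login.microsoftonline.com and graph.microsoft.com)."""
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")

# Constructed sample responses (not captured from a real tenant) for the offline dry run: two pages
# of members and one nested group among them, so paging and the direct-member filter are exercised.
SAMPLE_GROUP_ID = "00000000-0000-0000-0000-000000000001"
USER = "#microsoft.graph.user"
SAMPLE = {
    "token": (200, {"access_token": "constructed.access.token"}),
    "group": (200, {"value": [{"id": SAMPLE_GROUP_ID, "displayName": GROUP_NAME}]}),
    "page1": (200, {"@odata.nextLink": members_url(SAMPLE_GROUP_ID) + "&$skiptoken=constructed",
                    "value": [{"@odata.type": USER, "id": "u1", "displayName": "Ada",
                               "mail": "ada@example.com", "userPrincipalName": "ada@example.com"},
                              {"@odata.type": "#microsoft.graph.group", "id": "g1", "displayName": "Nested"}]}),
    "page2": (200, {"value": [{"@odata.type": USER, "id": "u2", "displayName": "Bob",
                               "mail": None, "userPrincipalName": None},
                              {"@odata.type": USER, "id": "u3", "displayName": "Cy",
                               "mail": None, "userPrincipalName": "cy@example.com"}]}),
}

def sample_http(method, url, headers, data):
    """Offline transport that answers the calls above with the constructed responses."""
    if "/oauth2/v2.0/token" in url:
        return SAMPLE["token"]
    if "/groups?" in url:
        return SAMPLE["group"]
    return SAMPLE["page2"] if "$skiptoken" in url else SAMPLE["page1"]

if __name__ == "__main__":
    print(run_check("<tenant-id>", "<client-id>", "<client-secret>", sample_http))
    # prints {'status': 'ok', 'fetched': 4, 'processed': 2}
```

With the constructed data the check fetches four members but processes two: the nested group is not a user and Bob has neither a mail address nor a UPN, which is the "fetched users but zero users processed" situation from the troubleshooting section in miniature. A missing_permissions result shortly after consent was granted usually means the token was issued before the consent; request a new token and run the check again.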

Troubleshooting#

Request failed with status code 403#

The app does not have the required Microsoft Graph application permissions, or admin consent has not been granted.

Check:

  1. Group.Read.All is added as an Application permission.
  2. GroupMember.Read.All is added as an Application permission.
  3. Admin consent has been granted.
  4. The token was refreshed after consent was granted.

Group Not Found#

Production Assist could not find:

Azure_APP_Production-Assist

Check:

  1. The group name is exactly correct.
  2. The group exists in the same tenant as the app registration.
  3. You copied the correct Directory (tenant) ID into Production Assist.

Users Are Not Created#

Check:

  1. The users are direct members of Azure_APP_Production-Assist.
  2. The users have a usable email address or user principal name.
  3. The group is not empty.
  4. The sync logs show Fetched users and Processed users.

If the logs show users fetched but zero users processed, the Microsoft Graph response may not contain usable email information for those users.

Invalid Client Secret#

Check:

  1. You copied the client secret Value, not the secret ID.
  2. The secret has not expired.
  3. The secret belongs to the same app registration whose client ID was entered in Production Assist.

Grant Admin Consent Button Is Disabled#

Your account does not have enough administrative rights to grant tenant-wide consent. Use an account with one of these roles:

Global Administrator
Privileged Role Administrator

Then reload the app registration and try again.

Maintenance#

Client secrets expire. Before the secret expires:

  1. Create a new client secret in Microsoft Entra.
  2. Update the secret in Production Assist.
  3. Run the sync and verify it works.
  4. Remove the old secret from Microsoft Entra.

Security Notes#

  1. Store the client secret securely.
  2. Do not send the secret by email or chat.
  3. Grant only the required Microsoft Graph permissions.
  4. Remove unused client secrets.
  5. Review group membership regularly.