Microsoft Graph Service Principal

Administrator

DataCentral relies on the Microsoft Graph API to perform critical identity and access management tasks, such as inviting external guest users to your directory and synchronizing Entra ID (Azure AD) security groups with DataCentral Organizational Units (OUs).

To authorize DataCentral to perform these actions, you must configure a Microsoft Graph Service Principal.


1. What is a Service Principal?

A Service Principal is an identity created for use with applications, hosted services, and automated tools to access Azure resources. Think of it as a "service account" for DataCentral.

By creating an App Registration in your Entra ID tenant and granting it specific Microsoft Graph API permissions, you securely authorize DataCentral to read group memberships or invite users without requiring a human administrator to log in.

2. Inheriting vs. Overriding

Depending on your DataCentral deployment model:

  • Inherited: If you are a Tenant on a shared Host Instance, your Host Administrator may have already configured a global Graph Service Principal. In this case, you do not need to configure your own unless you require strict isolation.
  • Overridden (Dedicated): If you require DataCentral to interact with your organization's specific Entra ID directory (e.g., to sync your internal security groups), you must create and configure your own dedicated Graph Service Principal.

3. Required API Permissions

When creating the App Registration in Entra ID, you must grant it Application Permissions (not Delegated Permissions) for the Microsoft Graph API.

The specific permissions required depend on the features you intend to use:

Feature                           Required Graph API Permission
Syncing Security Groups to OUs    GroupMember.Read.All (allows DataCentral to read the members of the groups you link to OUs)
Inviting External Guest Users     User.Invite.All (allows DataCentral to send B2B collaboration invites)
Reading User Profiles             User.Read.All (allows DataCentral to read user details such as Display Name and Email)

Important: After adding these permissions in the Azure Portal, an Entra ID Global Administrator must click "Grant admin consent for [Your Organization]".

4. Configuring DataCentral

Once the App Registration is created and consented to in Azure, you must provide the credentials to DataCentral.

  1. Log in to DataCentral as a Tenant Administrator.
  2. Navigate to Administration > Settings > Integrations.
  3. Locate the Microsoft Graph section.
  4. Enter the following details from your Azure App Registration:
    • Tenant ID: Your Entra ID Directory (Tenant) ID.
    • Client ID: The Application (Client) ID of the App Registration.
    • Client Secret: A valid client secret generated for the App Registration.
  5. Click Save and then Test Connection to verify the configuration.

5. Security Considerations

  • Secret Rotation: Client Secrets expire (typically after 1-2 years). You must proactively generate a new secret in Azure and update it in DataCentral before the old one expires to prevent service disruption.
  • Least Privilege: Only grant the specific Graph API permissions listed above. Do not grant Directory.ReadWrite.All or other overly broad permissions.
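As an added check that complements the Test Connection step in section 4 and the least-privilege rule above (example script, not DataCentral code or anything from this page), the following Python requests an app-only token with the same Tenant ID, Client ID and Client Secret, reads the roles claim in which admin-consented Application permissions appear, and compares it with the permissions listed in section 3. The feature keys and the TENANT_ID, CLIENT_ID and CLIENT_SECRET environment variables are assumptions.

```python
# Added example, not DataCentral code: verify the App Registration's granted roles.
import base64
import json
import os
import urllib.parse
import urllib.request

# Application permissions from the table in section 3, keyed by assumed feature names.
FEATURE_PERMISSIONS = {
    "group_sync": {"GroupMember.Read.All"},
    "guest_invite": {"User.Invite.All"},
    "user_profiles": {"User.Read.All"},
}
OVERLY_BROAD = {"Directory.ReadWrite.All"}  # the page says never to grant this


def decode_jwt_payload(token: str) -> dict:
    """Payload of a JWT. It came straight from the token endpoint over TLS, so this
    local inspection does not need to verify the signature."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_app_roles(roles, enabled_features):
    """Admin-consented Application permissions appear in the app-only token's 'roles'
    claim. Returns (missing, beyond_least_privilege, overly_broad) as sets."""
    required = set().union(*(FEATURE_PERMISSIONS[f] for f in enabled_features))
    granted = set(roles)
    return required - granted, granted - required, granted & OVERLY_BROAD


def fetch_token(tenant_id, client_id, client_secret):
    """Client-credentials grant: the flow implied by the Tenant ID, Client ID and Client Secret."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    with urllib.request.urlopen(url, data=body, timeout=30) as resp:
        return json.load(resp)["access_token"]


if __name__ == "__main__":  # env var names are assumptions
    token = fetch_token(os.environ["TENANT_ID"], os.environ["CLIENT_ID"], os.environ["CLIENT_SECRET"])
    result = check_app_roles(decode_jwt_payload(token).get("roles", []), list(FEATURE_PERMISSIONS))
    print("missing / beyond least privilege / overly broad:", *(sorted(s) for s in result))
```

Run it again after every secret rotation: an empty third set confirms that nobody has added a broad directory permission to the app in the meantime.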