EntraCP

Register your application

You need to create an app registration in your Entra ID tenant, to allow EntraCP to query it.
This article will guide you through the steps to create it.

Permissions required

EntraCP connects to your tenant to search for users, groups, and to get the group membership of the users.
To achieve this, it needs the application permissions (not delegated) GroupMember.Read.All and User.Read.All.

Create the app registration

  1. Connect to your Entra ID tenant.
  2. Under Entra ID, expand Applications and click App Registrations > New registration > Type the following information:
    • Name: EntraCP
    • Supported account types: Accounts in this organizational directory only (Single tenant)
  3. Click Register
  4. Click API permissions
    • Remove the default permission.
    • Click Add a permission > Select Microsoft Graph > Application permissions, and select GroupMember.Read.All and User.Read.All.
    • Click Grant admin consent for TenantName > Yes.
  5. Click on Certificates & secrets: EntraCP supports both a certificate and a secret, choose either option depending on your needs.

m365 cli makes the registration very simple: It takes a single command to create the application, create a secret, set the permissions and grant the admin consent:

m365 login
# The command will print all the information that EntraCP needs to connect.
m365 aad app add --name "EntraCP" --withSecret --apisApplication 'https://graph.microsoft.com/User.Read.All,https://graph.microsoft.com/GroupMember.Read.All' --grantAdminConsent

This bash script creates the application, adds a secret, sets the permissions and grants the admin consent.
It can be used in Azure cloud shell or in a local shell:

#!/bin/bash

# Sign-in to your Entra ID tenant. Use --allow-no-subscriptions if it doesn't have a subscription
az login #--allow-no-subscriptions

appName="EntraCP shell"
echo "Create application '$appName'..."
appId=$(az ad app create --display-name "$appName" --query 'id' -o tsv)

echo "Create service principal for application id '$appId', and gets its objectId (stored in field id)..."
spObjectId=$(az ad sp create --id $appId --query 'id' -o tsv)
echo "Application '$appName' was created with client id '$appId', and its service principal with objectId '$spObjectId'"

echo "Create client secret for the app id '$appId'..."
appSecret=$(az ad app credential reset --id $appId --query 'password' --only-show-errors -o tsv)

# Retrieve the id of each permission to grant
microsoftGraphId="00000003-0000-0000-c000-000000000000"
userPermName="User.Read.All"
groupPermName="GroupMember.Read.All"
userPermId=$(az ad sp show --id "$microsoftGraphId" --query "appRoles[?value=='$userPermName'].id" --output tsv)
groupPermId=$(az ad sp show --id "$microsoftGraphId" --query "appRoles[?value=='$groupPermName'].id" --output tsv)
msGraphResourceId=$(az ad sp show --id "$microsoftGraphId" --query "id" --output tsv)

# Add the permissions required to the definition of the application (optional as it is just a declaration of the permissions needed)
echo "Grant permissions '$userPermName' and '$groupPermName' to the app id '$appId'..."
az ad app update --id $appId --required-resource-accesses "[{
        \"resourceAppId\": \"$microsoftGraphId\",
        \"resourceAccess\": [{
                        \"id\": \"$userPermId\",
                        \"type\": \"Role\"
                },
                {
                        \"id\": \"$groupPermId\",
                        \"type\": \"Role\"
                }
        ]
        }]"

echo "Grant admin consent to Microsoft Graph permissions $userPermName (id '$userPermId') and $groupPermName (id '$groupPermId') for service principal '$spObjectId'..."
# Grant admin consent by granting permissions to the service principal - https://learn.microsoft.com/en-us/graph/api/serviceprincipal-post-approleassignments
az rest --method POST \
        --uri "https://graph.microsoft.com/v1.0/servicePrincipals/$spObjectId/appRoleAssignments" \
        --body "{
        \"principalId\": \"$spObjectId\",
        \"resourceId\": \"$msGraphResourceId\",
        \"appRoleId\": \"$userPermId\"
        }" 1> /dev/null

az rest --method POST \
        --uri "https://graph.microsoft.com/v1.0/servicePrincipals/$spObjectId/appRoleAssignments" \
        --body "{
        \"principalId\": \"$spObjectId\",
        \"resourceId\": \"$msGraphResourceId\",
        \"appRoleId\": \"$groupPermId\"
        }" 1> /dev/null

echo "Application '$appName' was created successfully with client id '$appId' and client secret '$appSecret'. \
App-only permissions '$userPermName' and '$groupPermName' were granted, and admin consent applied."
Last updated on August 21, 2025
Edit this page on GitHub
Prev
Troubleshooting