Prerequisites
- An Azure AD (Microsoft Entra ID) tenant with an active subscription
- Admin rights to create users, groups, and apps (minimum: Application Developer role)
1. Group Setting
You will have two main options when using an Entra Group for integration. This can either be a new group created specifically for your CSA services or an existing group that is already configured. The steps for each option are outlined below.
a) Creating a New Security Group
- Go to entra.microsoft.com
- Navigate to:
Identity > Groups > All groups > + New group - Set:
- Group type: Security
- Group name: Cyber Security Awareness
-
Membership type: Dynamic User (Recommended for automation, this can also be an Assigned group)
- If using a Dynamic User Group you will need to add a dynamic query:
Click Edit and paste:(user.accountEnabled -eq true) and (user.mail -ne null)in the Rule Syntax popup box.
Note: This dynamic query is a recommended starting point to include active users with a valid email address. You can customise the rule to suit your organisation’s requirements.
- If using a Dynamic User Group you will need to add a dynamic query:
- Click OK, then Save
- Click Create
- The list will populate within 15 minutes with all active users who have email addresses.
b) Use an Existing Group
- Go to entra.microsoft.com
- Navigate to:
Identity > Groups > All groups -
Copy the group name exactly as it appears and include it within the information sent across to the CSA Team.
(In this case you would copy All Company and include this in the information to send across.)
2. Register a New Application
- Go to:
Identity > Applications > App registrations > + New registration - Set:
- Name: Cyber Security Awareness AD
- Supported account types: Choose based on your requirements
-
Redirect URI: Web > Enter the URL(s) provided by CSA (https://satt-dev.co.uk/oauth is only an example. If you have multiple services with us then you will need to enter additional Redirect URIs via the
Overviewsection on your created Application)
- Click Register
- Go to:
API Permissions > Add a permission > Microsoft Graph > Delegated permissions - Search for each of the below and tick the box next to each one by one:
- offline_access
- openid
- User.Read.All
- GroupMember.Read.All
- Then select
Application permissionsand add the following:- User.Read.All
- GroupMember.Read.All
- Once all have been ticked, click Add Permissions
- Go back to
Overviewand copy:- Application (client) ID*
- Directory (tenant) ID*
*Keep these IDs safe to share with CSA later.
3. Create a Client Secret
- Go to:
App registrations > Cyber Security Awareness AD > Certificates & secrets > + New client secret - Description: CSA
- Expiry: Custom
- Start Date: Today's date
- End Date: 2 years on from today's date
- Click Add
-
Copy the value immediately—it will not be shown again*
4. Create a CSA Admin Account
To enable secure and stable integration between Lucy Security and Microsoft Entra ID, a dedicated admin account is required. This account authorises directory-level permissions via OAuth, enabling uninterrupted sync without MFA prompts. Credentials are never stored—access is token-based. We recommend creating a service account with the least privilege required.
- Go to:
All users > New user > Create new user - Set:
- User principal name: csa@yourdomain.com
- Display Name: Cyber Security Awareness Admin
- Copy the generated password
- Under
Assignments > Add role, select: Cloud Application Administrator - Click Review and create
- Copy the username and password and send all of the saved information to CSA (Consult the below checklist to make sure you have everything).
What to Send to Cyber Security Awareness
Once all steps are completed, send the following details to your CSA Technical Contact via the Support Desk:
| Field | Description |
|---|---|
| Client ID | From App Registration |
| Tenant ID | From App Registration |
| Client Secret Value | From Certificates & Secrets (copy immediately) Please ensure this is the value and not Secret ID |
| Group Name | e.g. All Company or Cyber Security Awareness |
| CSA Admin Username | e.g. csa@yourdomain.com |
| CSA Admin Password | From Create new user |
Comments
0 comments
Please sign in to leave a comment.