Entra directory scan tasks support scanning a Microsoft Entra directory.



Windows Firewall Requirements


The Entra directory agent must be able to connect to Microsoft Graph using HTTPS.



Access Settings


The Entra directory agent must have the following delegated permissions when using interactive (MFA) authentication.

    • Agreement.Read.All
    • Directory.Read.All
    • Policy.Read.All


The Entra directory agent must have the following application permissions when using service principal authentication.

    • Agreement.Read.All
    • Directory.Read.All
    • Organization.Read.All
    • Policy.Read.All
    • RoleManagement.Read.Directory
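
The two permission lists above can be checked against what the agent's identity has actually been granted, which catches both a missing permission and an over-privileged registration. The following Python is an added example, not part of the product or its documentation; it assumes the Microsoft Graph access token is a JWT that carries application permissions in its `roles` claim and delegated permissions in its `scp` claim, and the function names and the sample token are constructed for illustration.

```python
import base64
import json

# Permission sets copied from the two lists above.
REQUIRED = {
    "delegated": {"Agreement.Read.All", "Directory.Read.All", "Policy.Read.All"},
    "application": {"Agreement.Read.All", "Directory.Read.All",
                    "Organization.Read.All", "Policy.Read.All",
                    "RoleManagement.Read.Directory"},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def token_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (audit use only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_token(token: str) -> dict:
    """Compare the permissions in a token with the documented requirement."""
    claims = token_claims(token)
    # Assumption: a token that carries 'roles' is an app-only token.
    if "roles" in claims:
        mode, granted = "application", set(claims["roles"])
    else:  # delegated token: 'scp' is one space-separated string
        mode, granted = "delegated", set(claims.get("scp", "").split())
    required = REQUIRED[mode]
    # 'excess' is a list to review against least privilege, not a verdict.
    return {"mode": mode,
            "missing": sorted(required - granted),
            "excess": sorted(granted - required)}

def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.sig"

if __name__ == "__main__":
    sample = make_sample_token({"roles": [
        "Agreement.Read.All", "Directory.Read.All",
        "Policy.Read.All", "Directory.ReadWrite.All"]})
    print(audit_token(sample))
```

An empty `missing` list means the scan has what it needs; anything in `excess`, such as a write permission, is a grant the agent does not require according to the lists above.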



Local Service


Entra directory scan tasks do not support the XIA Configuration Local Service.



Automatic Detection


A Microsoft Entra directory can be automatically scanned by the Microsoft 365 organization scan task.