Azure AD Admin Consent Guide for Ideagen Visitor Management System SSO(Ideagen VMS)
Azure AD Admin Consent Guide for Ideagen Visitor Management System (Ideagen VMS) / v5 Assure
For Azure AD Administrators Granting Permissions to Ideagen Visitor Management System (Ideagen VMS) Application
Introduction
This guide is for Azure AD Administrators who need to grant admin consent for the Ideagen Visitor Management System (Ideagen VMS) (also known as v5 Assure or VMS SSO Application) to enable Single Sign-On (SSO) and user management features for your organization.
If you're reading this, you've been asked to grant admin consent for this application. This guide explains:
- What the application does
- Why these specific permissions are required
- What the application will do with these permissions
- Security considerations
- Step-by-step instructions
Table of Contents
What is Ideagen Visitor Management System (Ideagen VMS)?
Ideagen Visitor Management System (Ideagen VMS) is a Visitor Management System (VMS) that helps organizations manage:
- Visitor and contractor access to sites and facilities
- Site inductions and safety training compliance
- Access control and badge management
- Multi-location workforce management
- Compliance tracking and reporting
How Your Organization Uses It
Your organization uses Ideagen Visitor Management System (Ideagen VMS) to:
- Allow employees, contractors, and visitors to sign in using their Microsoft credentials (SSO)
- Automatically manage access permissions based on Azure AD group membership
- Sync user information from Azure AD to maintain accurate user records
- Automatically remove access when users are disabled or removed from Azure AD
Why Admin Consent is Required
Ideagen Visitor Management System (Ideagen VMS) needs to integrate with your Azure AD to provide SSO and user management features. This requires Application Permissions (not user permissions) that can only be granted by an Azure AD Administrator.
These permissions allow the application to:
- Authenticate users using their Microsoft credentials
- Read user information to create and maintain user accounts
- Read group memberships to automatically assign roles and permissions
- Sync user status to ensure inactive users are removed from the system
Without these permissions, users cannot use SSO login, and the application cannot automatically manage user access based on Azure AD groups.
Required Permissions Explained
The application requires two Application Permissions from Microsoft Graph API. Here's what each permission does and why it's needed:
1. User.Read.All (Application Permission)
What it allows:
- Read all users' profile information (name, email, job title, department)
- Read user account status (enabled/disabled)
- Enumerate users in your organization
Why Ideagen Visitor Management System (Ideagen VMS) needs it:
- Automatic user account creation: When a user logs in for the first time via SSO, the application needs to read their profile to create their account
- User profile synchronization: Keep user information (name, email, job title) up to date in Ideagen Visitor Management System (Ideagen VMS)
- User management: Allow administrators to view and manage users in the Ideagen Visitor Management System (Ideagen VMS) admin dashboard
- Account status checking: Detect when users are disabled in Azure AD so they can be removed from Ideagen Visitor Management System (Ideagen VMS)
What Ideagen Visitor Management System (Ideagen VMS) will do with this permission:
- Read user profiles when users log in via SSO
- Create user accounts in Ideagen Visitor Management System (Ideagen VMS) based on Azure AD user information
- Update user information when it changes in Azure AD
- Check if users are still active in Azure AD
Microsoft Documentation:
2. Group.Read.All (Application Permission) ⭐ CRITICAL
What it allows:
- Read all groups in your organization
- Read group memberships for all users
- Read nested group memberships
Why Ideagen Visitor Management System (Ideagen VMS) needs it:
- Automatic role assignment: Map Azure AD groups to roles in Ideagen Visitor Management System (Ideagen VMS) (e.g., "IT-Admins" group → Admin role)
- Access control: Automatically grant or revoke access based on group membership
- Group synchronization: Keep group information synchronized between Azure AD and Ideagen Visitor Management System (Ideagen VMS)
- Dynamic permissions: Update user permissions automatically when group membership changes
What Ideagen Visitor Management System (Ideagen VMS) will do with this permission:
- Read which Azure AD groups each user belongs to
- Create corresponding groups in Ideagen Visitor Management System (Ideagen VMS)
- Automatically assign roles to users based on their group membership
- Remove access when users are removed from groups
Why this is critical:
Without this permission, users can log in via SSO, but they won't automatically receive the correct roles and permissions. This means users would need manual role assignment, defeating the purpose of SSO integration.
Microsoft Documentation:
Security Considerations
What These Permissions Allow
✅ READ-ONLY Access: All permissions are read-only. The application can:
- Read user information
- Read group memberships
- Read directory structure
❌What the application CANNOT do:
- Cannot modify users, groups, or directory objects
- Cannot delete anything in Azure AD
- Cannot change passwords or security settings
- Cannot create new users or groups in Azure AD
- Cannot access email, files, or other Microsoft 365 data
Data Access and Storage
What data is accessed:
- User profile information (name, email, job title, department)
- Group memberships
- User account status (enabled/disabled)
Where data is stored:
- User information is stored in Ideagen Visitor Management System (Ideagen VMS)'s database (not in Azure AD)
- Data is isolated per organization (multi-tenant architecture)
- Your organization's data is separate from other organizations using Ideagen Visitor Management System (Ideagen VMS)
Data usage:
-
User data is used only to:
- Create and maintain user accounts in Ideagen Visitor Management System (Ideagen VMS)
- Assign roles and permissions based on group membership
- Enable SSO login functionality
- Remove inactive users from Ideagen Visitor Management System (Ideagen VMS)
Data sharing:
- Your organization's data is not shared with other organizations
- Each organization's data is isolated in separate database tenants
Microsoft's Security Standards
These permissions follow Microsoft's recommended practices:
- ✅Application Permissions (not user-delegated) - more secure for service-to-service operations
- ✅ Read-only permissions - cannot modify your Azure AD
- ✅Principle of least privilege - only the minimum permissions needed for functionality
- ✅ Admin consent required - ensures proper oversight and approval
Microsoft Documentation:
Step-by-Step: Granting Admin Consent
Prerequisite: Before you begin, the internal team must add your Azure AD tenant ID in the Ideagen Visitor Management System (Ideagen VMS) manager portal. Once this is configured, you can proceed with the steps below.
Step 1: Initial Login and Permission Request
- Navigate to your Organization Portal (the Ideagen Visitor Management System (Ideagen VMS) login page for your organization)
- Click "Sign in with Microsoft" or the Microsoft SSO login option
- Sign in with your Azure AD Administrator account
-
Review and approve the permissions being requested:
- User.Read.All (Required)
- Group.Read.All (Required) ⭐ CRITICAL
- Click "Accept" to approve the permissions
Important: After approving the permissions in the login flow, you must complete the next step to grant admin consent. User consent alone is not sufficient for Application Permissions.
Step 2: Grant Admin Consent via Azure Portal (Required)
After completing Step 1, you must grant admin consent in Azure Portal to enable full functionality:
-
Sign in to Azure Portal (https://portal.azure.com)
- Use your Azure AD Administrator account
-
Navigate to Azure Active Directory
- Click "Azure Active Directory" in the left menu
- Or search for "Azure Active Directory" in the top search bar
-
Go to Enterprise Applications
- In the left menu, click "Enterprise applications"
- If you don't see this option, you may need to switch to the correct Azure AD tenant
-
Find the Ideagen Visitor Management System (Ideagen VMS) Application
- Search for "Ideagen Visitor Management System (Ideagen VMS)" or the application name provided
- Or search by the Client ID if provided
- Click on the application
-
Go to Permissions
- In the left menu, click "Permissions"
-
You should see the required permissions listed:
- User.Read.All (Required)
- Group.Read.All (Required) ⭐ CRITICAL
-
Grant Admin Consent
- Click the button "Grant admin consent for Ideagen Visitor Management"
- Review the permissions
- Click "Yes" or "Accept" to confirm
-
Verify Consent
-
Required permissions should now show:
- ✅ User.Read.All - Granted for [Your Organization Name]
- ✅ Group.Read.All - Granted for [Your Organization Name] ⭐ CRITICAL
- Green checkmark status for granted permissions
-
Required permissions should now show:
Note: If you don't see the application in Enterprise Applications, it will be created automatically when you complete Step 1 (initial login). After completing both steps, the application will have full access to your Azure AD data.
What Happens After Granting Consent
Immediate Effects
- Service Principal Created: A service principal is automatically created in your Azure AD representing the Ideagen Visitor Management System (Ideagen VMS) application
-
Permissions Activated: The application can now:
- Authenticate users via SSO
- Read user information
- Read group memberships
- Sync user data
- Users Can Now Use SSO: Users in your organization can click "Sign in with Microsoft" on the Ideagen Visitor Management System (Ideagen VMS) login page
Ongoing Operations
The application will:
- Read user profiles when users log in via SSO
- Sync Azure AD groups to Ideagen Visitor Management System (Ideagen VMS)
- Automatically assign roles based on group membership
- Remove users from Ideagen Visitor Management System (Ideagen VMS) when they are disabled in Azure AD
- Keep user information synchronized
All operations are READ-ONLY - the application cannot modify anything in your Azure AD.
Frequently Asked Questions (FAQ)
A: No. All permissions are read-only. The application can:
- ✅ Read user information
- ✅ Read group memberships
- ❌ Cannot create, modify, or delete users in Azure AD
- ❌ Cannot modify groups or directory objects
- ❌ Cannot change passwords or security settings
The application only reads data from Azure AD. Any user management in Azure AD must be done by your Azure AD administrators.
A: The application stores:
- User profile information (name, email, job title) in Ideagen Visitor Management System (Ideagen VMS)'s database
- Group memberships synced from Azure AD
- User roles and permissions assigned based on group membership
Data is stored in Ideagen Visitor Management System (Ideagen VMS)'s database, not in Azure AD. Your organization's data is isolated from other organizations using Ideagen Visitor Management System (Ideagen VMS) (multi-tenant architecture).
A: No. The permissions granted only allow access to:
- User directory information (profiles, groups)
- Directory structure
The application cannot access:
- ❌ Email (Exchange Online)
- ❌ Files (OneDrive, SharePoint)
- ❌ Calendar
- ❌ Teams
- ❌ Any other Microsoft 365 services
A: You can revoke consent at any time:
- Go to Azure Portal → Enterprise Applications
- Find the Ideagen Visitor Management System (Ideagen VMS) application
- Go to Permissions
- Click "Revoke admin consent"
Effects of revoking:
- Users will no longer be able to use SSO login
- The application will lose access to Azure AD data
- Existing users in Ideagen Visitor Management System (Ideagen VMS) will remain, but new logins via SSO will fail
A: No. Admin consent is granted once for your entire organization. After you grant admin consent:
- All users in your organization can use SSO
- The application can read user and group information for all users
- No individual user consent is required
A: Yes, this is secure when following Microsoft's best practices:
Security measures:
- ✅Read-only permissions - cannot modify your Azure AD
- ✅Application permissions - more secure than user-delegated permissions
- ✅Admin consent required - ensures proper oversight
- ✅Multi-tenant isolation - your data is separate from other organizations
- ✅Microsoft's security standards - follows Microsoft's recommended practices
Risks are minimal:
- The application can only read data, not modify it
- Your Azure AD administrators maintain full control
- You can revoke consent at any time
- Data is stored securely in Ideagen Visitor Management System (Ideagen VMS)'s database with tenant isolation
A: The application requires these specific permissions for its functionality:
- User.Read.All: Needed to read user profiles and create accounts automatically
- Group.Read.All: Critical - needed to read group memberships for automatic role assignment
Why not just User.Read?
-
User.Readonly allows reading the signed-in user's own profile - The application needs to read all users' profiles for admin dashboards and user management
Why User.Read.All + Group.Read.All are sufficient:
-
✅ According to latest Azure documentation,
User.Read.AllCAN efficiently perform filtered queries likeGET /users?$filter=accountEnabled eq false -
✅
User.Read.All+Group.Read.Allare sufficient for all current functionality
According to latest Azure documentation, User.Read.All
supports filtered queries on the /users endpoint.
A: Before granting consent, verify:
- Application name: Should be "Ideagen Visitor Management System (Ideagen VMS)" or "VMS SSO Application"
- Publisher: Check with your organization's IT department or the person who requested this
- Client ID: Verify the Client ID matches what was provided by your organization
- Permissions requested: Should match the required permissions listed in this guide (User.Read.All + Group.Read.All are required)
If in doubt, contact your organization's IT department or the person who requested admin consent.
A: If you have security concerns or questions:
- Contact your organization's IT department - they can verify the request
- Review Microsoft's documentation - links provided throughout this guide
- Contact Ideagen Visitor Management System (Ideagen VMS) support - if provided by your organization
- Review the permissions - all are read-only and follow Microsoft's best practices
A: Yes. You can monitor the application's API calls through Azure AD audit logs:
-
Azure Portal →
Azure Active Directory →
Monitoring → Sign-in logs
-
Filter by:
- Application: Ideagen Visitor Management System (Ideagen VMS) / VMS SSO Application
- Service principal: The service principal created when consent was granted
-
Filter by:
-
Azure Portal →
Azure Active Directory →
Monitoring → Audit logs
- Filter by Service principal to see all API calls
What you'll see:
- When API calls were made
-
Which endpoints were accessed (e.g.,
/users,/groups) - Success/failure status
- IP addresses (if available)
Note: Microsoft Graph API calls may appear in audit logs with some delay. For real-time monitoring, consider using Azure AD Conditional Access policies or Microsoft Sentinel.
Reference: Azure AD Audit Logs
A: This is a valid security concern. Here's what you should know:
If credentials are compromised:
- The attacker would have the same read-only access as the application
- They could read user profiles and group memberships
- They could NOT modify, delete, or create anything in Azure AD
- They could NOT access email, files, or other Microsoft 365 data
Mitigation steps you can take:
-
Revoke admin consent immediately if
you suspect compromise:
- Azure Portal → Enterprise Applications → Ideagen Visitor Management System (Ideagen VMS) → Permissions → Revoke admin consent
- Monitor audit logs for suspicious activity
- Contact Ideagen Visitor Management System (Ideagen VMS) support to report the incident
- Require credential rotation - ask Ideagen Visitor Management System (Ideagen VMS) to rotate their Client Secret
Best practices Ideagen Visitor Management System (Ideagen VMS) should follow:
- ✅ Store Client Secret securely (Azure Key Vault, environment variables)
- ✅ Rotate Client Secrets regularly (recommended: every 90 days)
- ✅ Use certificate-based authentication (more secure than secrets)
- ✅ Monitor for credential compromise
- ✅ Implement proper access controls and logging
You can also:
- Set up Conditional Access policies to restrict where the application can authenticate from
- Use IP restrictions if Ideagen Visitor Management System (Ideagen VMS) provides their IP ranges
- Monitor unusual sign-in patterns in Azure AD logs
A: Partially. With Application Permissions, you have limited control:
What you CAN do:
- Conditional Access Policies: You can create Conditional Access policies that apply to the service principal, but this mainly affects authentication, not data access
- Administrative Units: If your organization uses Administrative Units, the application can only access users/groups within the scope of the permissions granted
- Revoke consent: You can revoke consent entirely if needed
What you CANNOT do:
- ❌ Cannot restrict Application Permissions to specific users or groups
- ❌ Cannot use scoped permissions (Application Permissions are tenant-wide)
- ❌ Cannot limit which users the application can read
Why:
Application Permissions are designed for service-to-service operations where the application needs broad access. Microsoft's security model assumes that if you grant Application Permissions, you trust the application with tenant-wide read access.
Alternative approach:
If you need granular control, you could:
- Use Delegated Permissions instead (but this requires each user to consent)
- Implement custom logic in your Azure AD to restrict which users are visible
- Use Administrative Units to limit the scope of directory operations
Reference: Conditional Access for Service Principals
A: The application queries Azure AD in the following scenarios:
On-demand queries (user-initiated):
-
User login: When a user logs in via
SSO, the application queries:
- User profile information (1 API call)
- User's group memberships (1 API call)
Scheduled/background operations:
-
Admin user sync: Typically runs on a
schedule (e.g., daily, weekly) or on-demand
- Queries all users to identify admin users
- Frequency: As configured by your organization
-
Inactive user cleanup: Typically runs
periodically
- Queries disabled users
- Frequency: As configured by your organization
API call patterns:
-
Bulk operations: Uses efficient queries
(e.g.,
GET /users?$filter=...) rather than individual queries - Rate limiting: The application respects Microsoft Graph API rate limits
- Throttling: If rate limits are hit, the application will retry with exponential backoff
Typical usage:
- Low volume: For most organizations, API calls are infrequent (only during logins and scheduled syncs)
- High volume organizations: May see more frequent calls, but still within Microsoft's rate limits
You can monitor this:
- Check Azure AD audit logs to see actual API call frequency
- Request API usage reports from Ideagen Visitor Management System (Ideagen VMS) if needed
Reference: Microsoft Graph Throttling Guidance
A: This is a valid security concern. Here's the reality:
What the application CAN do:
- ✅ Read user profiles (name, email, job title, department)
- ✅ Read group memberships
- ✅ Read directory structure
- ✅ Store this data in Ideagen Visitor Management System (Ideagen VMS)'s database
What this means:
- Yes, the application can read and store your directory data
- Yes, this data is stored outside your Azure AD (in Ideagen Visitor Management System (Ideagen VMS)'s database)
- This is necessary for the application to function (user accounts, role assignment, etc.)
Security considerations:
- Data is stored in Ideagen Visitor Management System (Ideagen VMS)'s database - you're trusting Ideagen Visitor Management System (Ideagen VMS) with your data
- Multi-tenant isolation - your data should be isolated from other organizations
- Access controls - Ideagen Visitor Management System (Ideagen VMS) should have proper access controls on their database
- Encryption - data should be encrypted at rest and in transit
What you can do:
-
Review Ideagen Visitor Management System (Ideagen VMS)'s security practices
- ask about:
- Database security
- Access controls
- Encryption
- Data isolation
- Request a security assessment or SOC 2 report
- Monitor audit logs to see what data is being accessed
- Use Conditional Access to restrict where the application can authenticate from
Risk assessment:
- Low risk: If Ideagen Visitor Management System (Ideagen VMS) is a trusted vendor with proper security practices
- Medium risk: If you have concerns about their security posture
- Mitigation: Request security documentation, audits, or assessments
Recommendation: Treat this like any other SaaS application - ensure Ideagen Visitor Management System (Ideagen VMS) has proper security controls and data protection measures in place.
A: Yes, with limitations. Here's what you can do:
What you CAN do:
-
Service Principal Conditional Access:
- Create Conditional Access policies that apply to the service principal
- Restrict authentication to specific IP addresses (if Ideagen Visitor Management System (Ideagen VMS) provides IP ranges)
- Require specific locations or conditions
-
Authentication restrictions:
- Restrict where the application can authenticate from
- Require specific network locations
- Block authentication from certain countries/regions
What you CANNOT do:
- ❌ Cannot restrict which users the application can read (Application Permissions are tenant-wide)
- ❌ Cannot use user-based Conditional Access policies (Application Permissions don't involve user context)
- ❌ Cannot restrict data access based on user attributes
How to set it up:
- Azure Portal → Azure Active Directory → Security → Conditional Access
- Create a new policy
- Assignments → Service Principals → Select the Ideagen Visitor Management System (Ideagen VMS) service principal
- Conditions: Set your restrictions (IP addresses, locations, etc.)
- Access controls: Grant or block access
Limitations:
- Conditional Access mainly affects authentication, not data access
- Once authenticated, the application can read data based on the permissions granted
- You're primarily restricting where the application can authenticate from, not what it can access
Reference: Conditional Access for Service Principals
A: This is an excellent technical question. Here's the key difference:
Delegated Permissions:
- User context: Acts on behalf of a signed-in user
- User consent: Each user must consent (or admin consent for all users)
- Scope: Limited to what the signed-in user can access
- Use case: User-initiated actions (e.g., "read my profile")
- Limitation: Requires a user to be signed in
Application Permissions:
- App context: Acts as the application itself (no user signed in)
- Admin consent: Only admin consent required (one-time)
- Scope: Tenant-wide access (based on permissions granted)
- Use case: Background operations, service-to-service operations
- Advantage: Can operate without a user being signed in
Why Ideagen Visitor Management System (Ideagen VMS) uses Application Permissions:
- Background operations: Needs to sync users, check account status, etc. without user interaction
- Efficiency: Can perform bulk operations without requiring each user to be signed in
- User lifecycle management: Can detect disabled users and remove them automatically
- Admin user sync: Can sync administrative users without them being signed in
Why not Delegated Permissions:
- ❌ Cannot perform background operations (requires user to be signed in)
- ❌ Cannot sync admin users automatically
- ❌ Cannot detect and remove inactive users
- ❌ Limited scope: Only works for signed-in users
- ❌ Inefficient: Would require each user to consent and be signed in
Security comparison:
- Application Permissions: More powerful but more secure when properly managed (admin consent, read-only)
- Delegated Permissions: Less powerful but requires user context
Microsoft's recommendation: Use Application Permissions for service-to-service operations and background tasks, which is exactly what Ideagen Visitor Management System (Ideagen VMS) needs.
Reference: Delegated vs Application Permissions
A: Yes, with some limitations. Here's how to monitor:
Real-time monitoring options:
-
Azure AD Sign-in Logs:
- Azure Portal → Azure Active Directory → Monitoring → Sign-in logs
- Filter by Application or Service Principal
- Shows authentication attempts in near real-time
-
Azure AD Audit Logs:
- Azure Portal → Azure Active Directory → Monitoring → Audit logs
- Filter by Service Principal
- Shows API calls and operations
- Note: May have a delay (typically 15-30 minutes)
-
Microsoft Graph Activity Logs (if available):
- More detailed API call information
- Requires appropriate permissions to view
Advanced monitoring:
-
Microsoft Sentinel (if you have it):
- Real-time monitoring and alerting
- Custom queries and dashboards
- Alert rules for suspicious activity
-
Azure Monitor:
- Custom alerts based on audit log queries
- Dashboard creation
- Integration with other monitoring tools
What you'll see:
- ✅ Authentication attempts (when the app authenticates)
- ✅ API calls (which endpoints were accessed)
- ✅ Success/failure status
- ✅ Timestamps
- ⚠️ Limited detail: May not show exact data accessed (for privacy/security)
Limitations:
- Audit logs may have a delay (not truly "real-time")
- Some API calls may be batched or aggregated
- Detailed data access logs may be limited for privacy reasons
Recommendation: Set up alerts for unusual activity (e.g., authentication from unexpected locations, high API call volumes).
A: Excellent security practice! Here's how to do it:
Option 1: Use a test Azure AD tenant
- Create or use a test Azure AD tenant
- Grant admin consent in the test tenant first
- Test SSO functionality
- Verify API calls in audit logs
- Once satisfied, grant consent in production tenant
Option 2: Use a pilot group
- Grant admin consent in production
- Enable SSO for a small pilot group first
- Monitor usage and API calls
- Gradually roll out to more users
- Revoke consent if issues are found
What to test:
- ✅ SSO login works correctly
- ✅ User accounts are created properly
- ✅ Group memberships sync correctly
- ✅ Roles are assigned based on groups
- ✅ Audit logs show expected API calls
- ✅ No unexpected data access
Questions to ask Ideagen Visitor Management System (Ideagen VMS):
- Do you support staging/test environments?
- Can we use a test tenant for validation?
- What's your recommended testing approach?
Best practice: Always test in a non-production environment first when possible.
A: You control this. Here's how it works:
Current permissions:
- The permissions you grant are fixed at the time of consent
- The application cannot automatically add new permissions
If new permissions are needed:
- Ideagen Visitor Management System (Ideagen VMS) must request new permissions
- You must grant admin consent again for the new permissions
- You'll see a new consent screen with the additional permissions
- You can review and decide whether to grant them
How to monitor:
- Azure Portal → Enterprise Applications → Ideagen Visitor Management System (Ideagen VMS) → Permissions
- Check the permissions list regularly
- Set up alerts for permission changes (if supported)
What you can do:
- Require notification: Ask Ideagen Visitor Management System (Ideagen VMS) to notify you before requesting new permissions
- Review requests: Always review new permission requests carefully
- Document baseline: Document the current permissions for comparison
- Regular audits: Periodically review the permissions granted
Best practice: Include in your agreement with Ideagen Visitor Management System (Ideagen VMS) that they must notify you before requesting additional permissions.
A: Service Principal is the Azure AD representation of the application in your tenant:
What it is:
- An identity for the application in your Azure AD
- Created automatically when you grant admin consent
- Represents the Ideagen Visitor Management System (Ideagen VMS) application in your tenant
What it can do:
- ✅ Authenticate using Client ID and Secret
- ✅Access Microsoft Graph API based on permissions granted
- ✅ Read data according to the permissions you granted
- ❌ Cannot modify anything (read-only permissions)
- ❌ Cannot access other services (only what permissions allow)
Where to find it:
- Azure Portal → Azure Active Directory → Enterprise Applications
- Find "Ideagen Visitor Management System (Ideagen VMS)" application
- The Object ID is the service principal ID
What you can do with it:
- Monitor: See its activity in audit logs
- Restrict: Apply Conditional Access policies
- Revoke: Remove admin consent to disable it
- Audit: Review what permissions it has
Security considerations:
- The service principal uses Client Credentials flow (app-only authentication)
- It authenticates using Client ID + Client Secret (stored by Ideagen Visitor Management System (Ideagen VMS))
- It operates independently of any user being signed in
Reference: Service Principals in Azure AD
A:Yes, through Azure AD audit logs. Here's how:
How to access:
- Azure Portal → Azure Active Directory → Monitoring → Audit logs
-
Filter by:
- Service Principal: Select the Ideagen Visitor Management System (Ideagen VMS) service principal
- Date range: Select your desired time period
- Activity: Filter by specific activities if needed
What you'll see:
- ✅ Timestamp: When the API call was made
- ✅ Service Principal: The application that made the call
- ✅ Activity: What operation was performed (e.g., "Read user", "Read group")
- ✅ Target: What resource was accessed
- ✅ Status: Success or failure
- ⚠️ Limited detail: May not show exact data returned (for privacy)
Export options:
- Download as CSV: Export audit logs for analysis
-
PowerShell: Use
Get-AzureADAuditDirectoryLogscmdlet - Microsoft Graph API: Query audit logs programmatically
- Microsoft Sentinel: Advanced querying and analysis
Limitations:
- Audit logs are retained for a limited time (typically 30-90 days, depending on your license)
- Some detailed information may be redacted for privacy
- Very high-volume operations may be aggregated
Questions to ask Ideagen Visitor Management System (Ideagen VMS):
- Can you provide API usage reports?
- Do you log API calls on your side?
- Can you provide access logs if requested?
Reference: Azure AD Audit Logs
Microsoft Documentation References
For more information about Microsoft Graph permissions:
- Microsoft Graph Permissions Overview: https://learn.microsoft.com/en-us/graph/permissions-overview
- Microsoft Graph Permissions Reference: https://learn.microsoft.com/en-us/graph/permissions-reference
- User.Read.All Permission: https://learn.microsoft.com/en-us/graph/permissions-reference#user-permissions
- Group.Read.All Permission: https://learn.microsoft.com/en-us/graph/permissions-reference#group-permissions
- Application Permissions Best Practices: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent
Summary
What you're being asked to do:
- Grant admin consent for required read-only Application Permissions (User.Read.All + Group.Read.All are required)
- Enable SSO login for your organization's users
- Allow automatic user and group synchronization
What the application will do:
- ✅ Read user profiles to create and maintain accounts
- ✅ Read group memberships to assign roles automatically
- ✅ Sync user status to remove inactive users
- ❌ Cannot modify, delete, or create anything in Azure AD
Security:
- ✅ All permissions are read-only
- ✅ Follows Microsoft's security best practices
- ✅ You can revoke consent at any time
- ✅ Your data is isolated from other organizations
Next Steps:
- Review this guide
- Use the admin consent URL provided (Option 1) or grant via Azure Portal (Option 2)
- Verify consent was granted successfully
Contact Information
If you have questions or need assistance:
- Contact your organization's IT department
- Contact the person who requested admin consent
- Review Microsoft's documentation (links provided above)