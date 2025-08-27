In the next step, you will be provided with an Entra ID configuration script.

In the Teleport Microsoft Entra ID configuration UI, you will notice that a default integration name, “entra-id”, is already populated for you. You will also need to select the Teleport user(s) to assign as the default owners of the Access Lists that are created for your Entra ID groups.

In the Teleport Web UI, from the side-navigation, select “Add New > Integration”.

The command will generate a configuration script in the current directory from which tctl is invoked.

You will need to grant the Azure identity the Microsoft Graph permissions required by the Entra ID integration.

In the Azure Portal, find the identities linked to your Teleport Auth Service and copy the Principal ID of the identity you wish to grant the new permissions.

After obtaining the Principal ID, open the Azure Cloud Shell in PowerShell mode and run the following script to assign the required Microsoft Graph application permissions to that identity. Replace Principal ID with the value you copied.

Assign required permissions to Azure Identity

```powershell
Connect-MgGraph -Scopes 'Directory.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All'
$managedIdentity = Get-MgServicePrincipal -ServicePrincipalId '<Principal ID>'
# 00000003-0000-0000-c000-000000000000 is the well-known AppId of Microsoft Graph.
$graphSPN = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"
$permissions = @(
    "Application.ReadWrite.OwnedBy"
    "Group.Read.All"
    "User.Read.All"
)
# Keep only application (app-only) roles; delegated scopes cannot be assigned to a service principal.
$appRoles = $graphSPN.AppRoles |
    Where-Object Value -in $permissions |
    Where-Object AllowedMemberTypes -contains "Application"
foreach ($appRole in $appRoles) {
    $bodyParam = @{
        PrincipalId = $managedIdentity.Id
        ResourceId  = $graphSPN.Id
        AppRoleId   = $appRole.Id
    }
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $managedIdentity.Id -BodyParameter $bodyParam
}
```

Your identity principal Principal ID now holds the Microsoft Graph application permissions the integration needs: reading users and groups in the directory (User.Read.All, Group.Read.All) and creating and managing the applications it owns (Application.ReadWrite.OwnedBy).
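Before moving on, it is worth confirming that exactly the intended application permissions landed on the identity, and nothing broader. The following verification script is an added example, not part of the Teleport documentation or the Teleport project; it assumes the Microsoft.Graph PowerShell module is installed and that the account running it can read service principals (Application.Read.All is sufficient). Replace the Principal ID placeholder as before.

```powershell
# Added verification example (not from the Teleport docs). Lists the Microsoft Graph
# application roles assigned to the managed identity and compares them with the set
# the Entra ID integration requires.
Connect-MgGraph -Scopes 'Application.Read.All'

$principalId = '<Principal ID>'   # Principal ID copied from the Azure Portal
$expected = @('Application.ReadWrite.OwnedBy', 'Group.Read.All', 'User.Read.All')

# Microsoft Graph's well-known AppId; app roles are defined on its service principal.
$graphSPN = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"

# Map app role GUIDs back to their permission names so the output is readable.
$roleNames = @{}
foreach ($role in $graphSPN.AppRoles) { $roleNames[$role.Id] = $role.Value }

# Only count assignments whose resource is Microsoft Graph; the identity may also
# hold roles on other resource APIs, which are irrelevant here.
$assigned = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $principalId -All |
    Where-Object ResourceId -eq $graphSPN.Id |
    ForEach-Object { $roleNames[$_.AppRoleId] }

$missing = $expected | Where-Object { $_ -notin $assigned }
$extra   = $assigned | Where-Object { $_ -notin $expected }

if ($missing) {
    Write-Warning "Missing Graph application permissions: $($missing -join ', ')"
} else {
    Write-Host "All required Graph application permissions are assigned."
}
if ($extra) {
    # Anything beyond the three required roles widens what the Auth Service can do in
    # the tenant; review these against least privilege before proceeding.
    Write-Warning "Additional Graph application permissions present: $($extra -join ', ')"
}
```

Re-running the assignment script for a role the identity already holds fails for that role with a duplicate-assignment error, so use the missing list above to decide which roles still need to be assigned rather than blindly re-running the whole loop.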

Now, to begin integration, run the tctl plugins install entraid command.

```
tctl plugins install entraid \
  --name entra-id-default \
  --auth-connector-name entra-id \
  --default-owner=<Access List Owner> \
  --auth-server example.teleport.sh:443 \
  --use-system-credentials
```

The --name flag specifies the resource name of the Entra ID plugin. The --auth-connector-name flag specifies the name of the auth connector this integration will create. The --default-owner flag specifies the default owners of the Access Lists that will be created in Teleport from the groups imported from Entra ID. The --auth-server flag specifies the address of your Teleport cluster. The --use-system-credentials flag tells the plugin to use the system credential (the Azure identity granted permissions above) configured for the Auth Service.