Help Center
Open app
Help CenterIntegrationsConnect Microsoft Azure AD

Integrations

Connect Microsoft Azure AD

How to connect Azure Active Directory so Doow can discover your users, groups, and SaaS app sign-ins.

Connecting Azure Active Directory (Azure AD) lets Doow discover which SaaS applications your team uses through Microsoft 365 and Azure AD, who is using them, and how often. Doow requests read-only access and never modifies your directory.

What Doow reads from Azure AD

When you connect Azure AD, Doow pulls:

  • Users — display name, user principal name, department, and account status
  • Groups — group names and memberships, used to map departments and teams
  • Enterprise application sign-ins — sign-in logs for enterprise applications registered in Azure AD
  • App role assignments — which users are assigned to which applications

Doow does not read: passwords, MFA settings, user attributes beyond the fields listed above, conditional-access policies, or device information.

Before you start

You need:

  • A Microsoft Entra ID (Azure AD) tenant with one of these roles: Global Administrator, Application Administrator, or Cloud Application Administrator
  • Permission to grant admin consent for application permissions
  • Azure AD Premium P1 or P2 if you want sign-in log data (standard Azure AD does not include sign-in logs via Microsoft Graph)

Step 1 — Register an application in Azure AD

  1. Sign in to the Azure portal and go to Microsoft Entra ID → App registrations.
  2. Click New registration.
  3. Enter a name (e.g. "Doow integration").
  4. Under Supported account types, select "Accounts in this organisational directory only."
  5. Leave Redirect URI blank.
  6. Click Register.
  7. From the Overview page of your new registration, copy the Application (client) ID and Directory (tenant) ID.

Step 2 — Create a client secret

  1. In your app registration, go to Certificates & secrets → Client secrets.
  2. Click New client secret.
  3. Enter a description (e.g. "Doow read-only access") and choose an expiration (24 months is recommended).
  4. Click Add.
  5. Copy the secret Value immediately — it is only shown once.

Step 3 — Assign API permissions

  1. In your app registration, go to API permissions → Add a permission.
  2. Select Microsoft Graph → Application permissions.
  3. Add the following permissions:
PermissionWhy Doow needs it
User.Read.AllRead user profiles
Group.Read.AllRead group names and memberships
AuditLog.Read.AllRead sign-in logs for utilisation data
Application.Read.AllRead enterprise application details
  1. Click Grant admin consent and confirm.

Step 4 — Enter the details in Doow

  1. In Doow, go to Settings → Integrations.
  2. Click Connect integration and select Microsoft Azure AD.
  3. Enter the Directory (tenant) ID, Application (client) ID, and Client secret.
  4. Click Connect.

Doow validates the credentials and starts an initial sync. The first sync typically takes 5–15 minutes. Sign-in logs can take up to 24 hours to become available in Microsoft Graph after you grant the AuditLog.Read.All permission, so utilisation data may not appear immediately.

Step 5 — Verify the sync

Once the sync completes, applications discovered from Azure AD sign-in logs appear on your Applications page (marked with an SSO badge). The sync status and user count are shown on the integration card in Settings → Integrations.

Rotating the client secret

When your client secret is near expiration, Doow shows a warning on the integration card. To rotate:

  1. Create a new client secret in Azure AD (Step 2 above).
  2. In Doow, go to Settings → Integrations → Azure AD and click Update credentials.
  3. Paste the new secret and click Update.
  4. Once the new secret is working, delete the old secret in Azure AD.