The Entra ID integration uses the Microsoft Graph API to read and write user data directly against an Entra tenant. It is the right choice for customers whose user directory lives entirely in Entra (cloud-only accounts). Customers running a hybrid setup, with an on-premises Active Directory synced into Entra, should use the Twine SCIM integration instead: attributes mastered on-premises are read-only in Entra and cannot be written through Graph.

Supported data

The integration covers the Employee domain. Within that domain, three categories of fields can be fetched:
  • Base fields - the standard properties on the Microsoft Graph user resource (display name, mail, job title, department, account status, and so on).
  • Extension attributes - the legacy onPremisesExtensionAttributes (extensionAttribute1 through extensionAttribute15).
  • Custom security attributes - the structured custom attributes feature in Entra.

Configuring what is fetched

Which categories Twine fetches is configured at the System Integration level, separately from property mappings. Some categories, custom security attributes in particular, are not returned by Microsoft Graph unless they are explicitly requested and the integration holds a dedicated permission for them that the base user permissions do not imply, so they have to be opted into before they become available for mapping. A field whose category has not been enabled for fetching cannot be referenced in a property mapping for this integration.

Authentication

There are two supported authentication modes. The right choice depends on whether the customer prefers to manage the Entra application themselves or let Twine manage it on their behalf. Certificate-based authentication is not currently supported for Entra.

Customer-managed application

The customer creates an Entra application in their own tenant, grants it the necessary Microsoft Graph permissions, and provides the resulting credentials to Twine. In this mode the customer assumes full responsibility for the application’s lifecycle, including key and secret rotation.
The exact set of fields the configuration form requires will be documented here.
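Because the customer owns secret rotation in this mode, a periodic check of the application's credentials is worth automating. The following is an added example, not Twine's code: it reads an application's passwordCredentials in the shape Microsoft Graph returns (the same shape `az ad app credential list --id <app-id>` prints) and reports which secrets are expired, due for rotation, or issued with a longer lifetime than policy allows. The sample credentials are constructed, and the two policy numbers are assumptions rather than Twine or Microsoft defaults.

```python
"""Rotation check for the client secrets of a customer-managed Entra application.

Added example, not Twine's code. Input is the passwordCredentials array of a Graph
application object. The sample credentials below are constructed and the two policy
numbers are assumptions, not Twine or Microsoft defaults.
"""
from datetime import datetime, timedelta, timezone

ROTATE_WITHIN_DAYS = 14    # assumed policy: rotate when less than this remains
MAX_LIFETIME_DAYS = 180    # assumed policy: flag secrets minted with a longer validity


def parse_graph_time(value):
    """Graph timestamps are UTC ISO 8601, often with seven fractional digits, which
    strptime cannot parse: drop the fraction and the trailing 'Z'."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def classify(credential, now):
    """Status of one secret at time `now`; expiry is checked before lifetime."""
    start = parse_graph_time(credential["startDateTime"])
    end = parse_graph_time(credential["endDateTime"])
    if end <= now:
        return "expired"
    if end - now <= timedelta(days=ROTATE_WITHIN_DAYS):
        return "rotate-now"
    if end - start > timedelta(days=MAX_LIFETIME_DAYS):
        return "lifetime-too-long"
    return "ok"


def rotation_report(credentials, now=None):
    """Map each secret's displayName to its status (keyed by name for readability;
    key by keyId in production, since display names need not be unique)."""
    now = now or datetime.now(timezone.utc)
    return {c["displayName"]: classify(c, now) for c in credentials}


# Constructed sample in the Graph passwordCredential shape, evaluated at a fixed date.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_CREDENTIALS = [
    {"displayName": "twine-prod-a", "startDateTime": "2024-05-01T00:00:00.0000000Z",
     "endDateTime": "2024-06-10T00:00:00.0000000Z"},
    {"displayName": "twine-prod-b", "startDateTime": "2024-05-20T00:00:00Z",
     "endDateTime": "2024-09-01T00:00:00Z"},
    {"displayName": "legacy", "startDateTime": "2023-01-01T00:00:00Z",
     "endDateTime": "2024-03-01T00:00:00Z"},
    {"displayName": "two-year", "startDateTime": "2024-05-01T00:00:00Z",
     "endDateTime": "2026-05-01T00:00:00Z"},
]

if __name__ == "__main__":
    for name, status in rotation_report(SAMPLE_CREDENTIALS, SAMPLE_NOW).items():
        print(f"{name}: {status}")
```

An "expired" or "lifetime-too-long" result on a secret that Twine is still configured with is the signal to mint a new secret, update the integration, and then delete the old one; anything reported as "rotate-now" should be replaced before it lapses so the integration never sees a failed token request.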

Twine-managed application

Twine registers an Entra application in its own tenant, scoped to only the Microsoft Graph permissions needed for the configured fetch settings. The customer's Entra administrator is then redirected to the Microsoft admin consent flow to grant those permissions for their tenant. In this mode Twine handles client secret rotation automatically. Secrets are deliberately kept short-lived: they are rotated every 14 days.

Permissions

Only the Microsoft Graph permissions strictly required by the configured fetch settings are requested. Enabling additional categories such as custom security attributes adds the corresponding permissions to the application; disabling them removes those permissions from the application on the next configuration change. Removing a permission from the application does not by itself revoke consent already granted in the customer tenant, so after narrowing the fetch settings an administrator should review the enterprise application's permissions in their own tenant and revoke anything no longer required.
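The fetch configuration described under "Configuring what is fetched" and the least-privilege permission set described here are two views of the same mapping. The following is an added example, not Twine's code: it maps the three field categories to a Graph $select clause and to the application permissions the integration must hold, rejects property mappings that reference a category not enabled for fetching, and splits a user payload back into the categories. The Graph property names and permission names are real; the category-to-field mapping, the function names and the sample user are assumptions constructed for illustration.

```python
"""Map the fetch configuration to a Microsoft Graph request and parse the result.

Added example, not Twine's code. The Graph property and permission names are real;
the category-to-field mapping, function names and sample user are assumptions
constructed for illustration.
"""

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"

# Assumed mapping. Base fields and extension attributes are covered by the User.*
# permissions; custom security attributes need their own permission (which is why
# they must be opted in) and are only returned when named in $select.
CATEGORIES = {
    "base": {
        "select": ["id", "displayName", "mail", "jobTitle", "department", "accountEnabled"],
        "read": "User.Read.All", "write": "User.ReadWrite.All",
    },
    "extension_attributes": {
        "select": ["onPremisesExtensionAttributes"],
        "read": "User.Read.All", "write": "User.ReadWrite.All",
    },
    "custom_security_attributes": {
        "select": ["customSecurityAttributes"],
        "read": "CustomSecAttributeAssignment.Read.All",
        "write": "CustomSecAttributeAssignment.ReadWrite.All",
    },
}


def required_permissions(enabled, write=False):
    """Least-privilege set: only the permissions implied by the enabled categories."""
    perms = set()
    for category in enabled:
        spec = CATEGORIES[category]
        perms.add(spec["read"])
        if write:
            perms.add(spec["write"])
    return sorted(perms)


def users_request(enabled):
    """Build the list-users URL; fields of disabled categories are never requested."""
    select = [f for category in enabled for f in CATEGORIES[category]["select"]]
    return f"{GRAPH_USERS}?$select={','.join(select)}"


def invalid_mapping_sources(source_fields, enabled):
    """Return mapping source fields whose top-level Graph property is not enabled."""
    allowed = {f for category in enabled for f in CATEGORIES[category]["select"]}
    return [f for f in source_fields if f.split(".")[0] not in allowed]


def flatten_custom_security_attributes(csa):
    """Flatten {attributeSet: {attribute: value}} into {"set.attribute": value},
    dropping the @odata.type annotations Graph interleaves with the values."""
    flat = {}
    for attribute_set, attributes in (csa or {}).items():
        for name, value in attributes.items():
            if "@odata" in name:
                continue
            flat[f"{attribute_set}.{name}"] = value
    return flat


def split_user(user, enabled):
    """Split one Graph user object into the enabled categories. A category that was
    not enabled is ignored even if the payload happens to contain it."""
    out = {}
    if "base" in enabled:
        out["base"] = {f: user.get(f) for f in CATEGORIES["base"]["select"]}
    if "extension_attributes" in enabled:
        raw = user.get("onPremisesExtensionAttributes") or {}
        # Graph returns all fifteen slots, unset ones as null; keep only set ones.
        out["extension_attributes"] = {k: v for k, v in raw.items() if v is not None}
    if "custom_security_attributes" in enabled:
        out["custom_security_attributes"] = flatten_custom_security_attributes(
            user.get("customSecurityAttributes"))
    return out


# Constructed sample user in the shape Graph returns (placeholder values).
SAMPLE_USER = {
    "id": "placeholder-id", "displayName": "Ada Example", "mail": "ada@example.com",
    "jobTitle": "Engineer", "department": "Platform", "accountEnabled": True,
    "onPremisesExtensionAttributes": {"extensionAttribute1": "cost-center-42",
                                      "extensionAttribute2": None},
    "customSecurityAttributes": {"Engineering": {
        "@odata.type": "#microsoft.graph.customSecurityAttributeValue",
        "ProjectDate": "2022-10-01",
        "Project@odata.type": "#Collection(String)",
        "Project": ["Baker", "Cascade"],
    }},
}

if __name__ == "__main__":
    enabled = ["base", "extension_attributes"]
    print(required_permissions(enabled), users_request(enabled))
    print(split_user(SAMPLE_USER, enabled))
```

Note that `users_request` and `required_permissions` are driven by the same table, so turning a category off both drops its properties from $select and drops its permission from what the application asks for, which is the behaviour this section describes; `invalid_mapping_sources` is the check that a mapping cannot reach a field the integration will never fetch.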

Limitations

  • Only the Employee domain is supported. Groups, administrative units, and other directory objects are not currently fetched or written.
  • Hybrid Active Directory environments (on-premises AD synced into Entra) should not use this integration. Use the SCIM integration instead.
  • Certificate-based authentication is not currently supported.