Documentation/Integrations

Connect Microsoft Entra ID

Step by step, connect your Entra ID tenant to ServiceChanger via OAuth2 with admin consent.

What you need

  • The Global Administrator role in your Entra tenant (to grant admin consent).
  • Your Entra Tenant ID (Azure Portal > Microsoft Entra ID > Overview).
  • A ServiceChanger account.

Step 1. Get your Tenant ID

Log in to portal.azure.com. Go to Microsoft Entra ID > Overview and copy your Tenant ID (looks like 00000000-0000-0000-0000-000000000000).

Step 2. Start the connection

Log in to ServiceChanger. Go to Tenants > Add tenant. Paste your Tenant ID and click Connect. You are redirected to a Microsoft login page.

Step 3. Grant admin consent

Log in with your Global Admin account. Microsoft shows which Graph permissions ServiceChanger requests. The request uses OAuth2 with PKCE; no certificates or passwords are involved. Review the requested permissions (Which permissions ServiceChanger requests) and click Accept.

Behind the scenes an enterprise application (service principal) for ServiceChanger is created in your tenant. All further access runs through it, scoped to the permissions you approved. See OAuth2 app registration.

Step 4. Initial sync

ServiceChanger pulls your users, groups, and licenses immediately. A 200-user tenant takes 1 to 2 minutes, 5000+ users 10 to 20 minutes. Progress is visible on the Dashboard.

Step 5. Verify

Go to Users. Your users are listed with their attributes such as jobTitle, department, and officeLocation. If a large share of the relevant attributes is empty, fill them in Entra first before writing rules.

Go to Groups. Your existing Entra groups appear here. ServiceChanger does not touch them until you actively put a rule on them.

Hybrid environment

Do you also have on-prem AD groups? Then connect the cloud as above and additionally set up a hybrid worker that applies the on-prem changes. See Hybrid and on-prem AD.

What ServiceChanger does not do

  • Never writes to Entra ID without a rule you set.
  • Does not change user attributes, password policies, or authentication settings.
  • Does not touch app registrations other than its own.
  • Does not assign or revoke licenses.

Revoking the connection

In ServiceChanger > Tenants > select your tenant > Disconnect. Or in Azure Portal > Microsoft Entra ID > Enterprise Applications > ServiceChanger > Delete. After that ServiceChanger does nothing with your tenant and existing memberships stay as they are.

Related