Register an Azure Tenant

For EPM to query Entra ID groups, a communication channel between EPM and Entra ID must exist.

There are two key steps to create a channel:

  • Create an app registration in Azure and grant the appropriate permissions. You must also set up an authentication method.
  • Configure EPM with the app registration.

This section details the steps to register an Azure tenant.


  • Microsoft Azure Commercial

Microsoft 365 Government Community Cloud (GCC) High is not supported.

For more information about the differences, please see National cloud deployments at

Register a Tenant

  1. Go to
  2. Select the directory that contains the Entra ID you want to register with EPM.

App registration service in the Azure portal

  1. Search for the App registrations service and select it.


Azure new registration page

  1. Click New registration.


  1. Give the registration a name. For example, EPM Registration.
  2. Select the Supported account types you require for your business needs.
  3. Ignore the setting Redirect URI.
  4. Click Register an application.
  5. Go to Manage > API Permissions and click Add a permission.
  6. Click Microsoft Graph, and then Application permissions.

In the Azure app registration portal, add permissions on the Request API permissions page

  1. Add the following permissions. Search by name, and then select the permission when it displays.
    • Domain.Read.All
    • GroupMember.Read.All
    • User.Read.All


  1. After all 3 permissions are selected, click Add permissions.
  2. Grant the permissions. Click Grant admin consent for (Directory Name).


Configure Authentication

You need to choose an authentication method to create a trust relationship between EPM and Azure. There are two authentication methods available:

  • Certificate authentication
  • Client-secret authentication

Use Certificate Authentication

  1. In the EPM console, select Configuration > Azure AD Settings.
  2. Click the Azure AD tab.
  3. Select User Certificate Authentication, and select Download Certificate.
  4. Go to the Azure app registrations portal, and then select Certificates & secrets.
  5. Click Upload certificate.

Use Clients-Secret Authentication

Certificates & secrets in the Azure app registration portal

  1. In the Azure app registrations portal, select Certificates & secrets.


  1. Select Client-Secret Authentication.
  2. Click New Client Secret.
  3. Select an appropriate expiry time, and click Add.
  4. Copy the value to your clipboard.
  5. Go to the EPM console, select Configuration > Active Directory Settings > Azure AD.
  6. Paste the client secret value into the Client Secret box.
  7. Click Save Changes.

Client and Tenant IDs

Overview tab selected in Azure app registrations

Go to the Overview node and note the Application (client) ID and the Directory (tenant) ID. These are used in the EPM administration console.