This page describes how to connect Entra ID to Agentspace Enterprise.
After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.
Before you begin
Before setting up your connection:
Set up access control for your data source. For information about setting up access control, see Use data source access control.
To obtain the client ID and client secret, do the following:
Create an Entra ID application:
- Sign in to Microsoft Entra administrator center and click Application.
- In the Application drop-down list, click App registrations.
- In the App registrations page, click New registration.
- Click Add new registration and do the following:
- Enter a name for the application.
- Under Supported account types, select Accounts in the organizational directory only.
- Under Redirect URI, add a web redirect URI pointing to: https://login.microsoftonline.com/common/oauth2/nativeclient.
- Click Register.
Save credentials:
On your registered application window, save the following values for later use:
- Use the Application (client) ID to set the Client ID parameter.
- Use the Directory (tenant) ID to set the Azure Tenant parameter.
Create client secret:
- Navigate to Certificates & secrets and create a new client secret:
- Click New client secret and specify the required duration.
- Save the client secret and copy the key value for later use.
Configure Entra ID API permissions
- On your registered application window, click API permissions.
- Under Configured permissions, select Microsoft Graph and configure the following permission:
- If you want to ingest profileCardAttributes, then configure the following permissions:
- Grant admin consent for all the added permissions. An administrator's consent is required to use client credentials in the authentication flow.
Create an Entra ID connector
Console
To use the Google Cloud console to sync data from Entra ID to Agentspace Enterprise, follow these steps:
In the Google Cloud console, go to the Agentspace Enterprise page.
In the navigation menu, click Data stores.
Click Create data store. On the Select a data source page, scroll or search for Entra ID to connect your third-party source.
Under Authentication settings, enter the client ID and client secret.
In Destinations, if VPC Service Controls is enabled, then select Private. Otherwise, select Public.
Click Continue.
Under Advanced options, enter the Azure tenant ID.
Click Continue.
Under Entities to sync, select User profiles.
Select a synchronization frequency.
Select Enable realtime sync for all entities if you want the data updated in near real-time.
Enter a string value in the Client state field. The client state is used to authenticate change notifications. For webhook authentication on the third-party app, the credentials passed during connector creation are re-used.
Click Continue.
In Configure your data connector, select a region for your data store.
Enter a name for your data connector.
Click Create. Agentspace Enterprise creates your data store and displays your data stores on the Data stores page.
To check the status of your ingestion, go to the Data stores page and click your connector name to see details about it on its Data page. The Connector state changes from Creating to Running when it starts synchronizing data. When ingestion is complete, the state changes to Active to indicate that the connection to your data source is set up and awaiting the next scheduled synchronization.
Depending on the size of your data, ingestion can take several minutes or several hours.
When the connector state changes to Active, navigate to the Entity tab.
Click userprofiles entity.
Check the number of ingested documents and ensure it matches the number of users in Entra ID.
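The count check above needs a reference number from the Entra ID side. The following added example (not part of this page or of the Agentspace connector) shows the same client-credentials flow the connector uses, assuming the tenant, client ID and client secret placeholders are replaced with the values saved earlier: it requests a token for the Microsoft Graph `.default` scope, then pages through `GET /users` following `@odata.nextLink` to count user objects. The `fake_transport` is a constructed stand-in for the real endpoints so the logic can be exercised without a tenant; swap in `default_transport` for a live run. Graph's count may include guest or disabled accounts, and the page does not state which users the connector ingests, so treat a mismatch as a prompt to investigate rather than as proof of a failed sync.

```python
import json
import urllib.parse
import urllib.request

# Real Microsoft identity platform and Graph v1.0 URLs; tenant, client ID and
# client secret below are placeholders to be replaced with the saved values.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_USERS_URL = "https://graph.microsoft.com/v1.0/users?$select=id&$top=999"


def default_transport(url, data=None, headers=None):
    """Real HTTP transport: POST when a body is given, GET otherwise; returns parsed JSON."""
    req = urllib.request.Request(url, data=data, headers=headers or {})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def acquire_token(tenant, client_id, client_secret, transport=default_transport):
    """Client-credentials grant; works only after an administrator has consented
    to the application permissions granted on the app registration."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    resp = transport(TOKEN_URL.format(tenant=tenant), data=body, headers=headers)
    if "access_token" not in resp:
        raise RuntimeError(f"token request failed: {resp.get('error_description', resp)}")
    return resp["access_token"]


def count_users(token, transport=default_transport):
    """Count user objects by following @odata.nextLink until the last page."""
    url = GRAPH_USERS_URL
    total = 0
    while url:
        page = transport(url, headers={"Authorization": f"Bearer {token}"})
        if "error" in page:
            raise RuntimeError(f"Graph request failed: {page['error']}")
        total += len(page.get("value", []))
        url = page.get("@odata.nextLink")
    return total


def fake_transport(url, data=None, headers=None):
    """Constructed stand-in for the token and Graph endpoints (two pages, 5 users)."""
    if url.startswith("https://login.microsoftonline.com/"):
        fields = urllib.parse.parse_qs(data.decode())
        if fields.get("grant_type") != ["client_credentials"]:
            return {"error": "unsupported_grant_type", "error_description": "constructed"}
        return {"token_type": "Bearer", "access_token": "constructed-token", "expires_in": 3599}
    if (headers or {}).get("Authorization") != "Bearer constructed-token":
        return {"error": {"code": "InvalidAuthenticationToken"}}
    if "skiptoken" not in url:
        return {"value": [{"id": f"u{i}"} for i in range(3)],
                "@odata.nextLink": GRAPH_USERS_URL + "&$skiptoken=page2"}
    return {"value": [{"id": "u3"}, {"id": "u4"}]}


def expected_user_count(transport=fake_transport):
    """Token acquisition followed by the paged count; default uses the constructed transport."""
    token = acquire_token("TENANT_ID_PLACEHOLDER", "CLIENT_ID_PLACEHOLDER",
                          "CLIENT_SECRET_PLACEHOLDER", transport)
    return count_users(token, transport)


if __name__ == "__main__":
    print(expected_user_count())
```

Compare the returned number with the document count shown on the userprofiles entity; with the constructed transport the function returns 5.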
If the Entra ID app has the required permissions to ingest custom attributes, it ingests up to 15 profile card attributes per record. By default, the custom attributes are not searchable.
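The Client state entered during connector creation is the receiver's check that a change notification really came from the subscription it set up. The following added example (not part of this page or of Agentspace) shows what that check looks like on a webhook receiver, assuming the realtime sync is driven by Microsoft Graph change notifications: the subscription-validation handshake echoes `validationToken` back as plain text, and each notification in a batch is accepted only if its `clientState` matches the configured value, compared in constant time. The expected client state and the sample notification batch are constructed values.

```python
import hmac
import json
from urllib.parse import parse_qs, urlsplit

# Assumption: the realtime sync receives Microsoft Graph change notifications,
# which carry the clientState chosen when the subscription was created.
# The expected value is a constructed placeholder, not a real client state.
EXPECTED_CLIENT_STATE = "constructed-client-state-value"


def validation_handshake(request_url):
    """Subscription validation: Graph sends validationToken as a query parameter
    and expects it echoed back verbatim as text/plain with HTTP 200.
    Returns None when the request is not a validation request."""
    qs = parse_qs(urlsplit(request_url).query)
    token = qs.get("validationToken")
    if token:
        return 200, "text/plain", token[0]
    return None


def authenticate_notifications(body, expected=EXPECTED_CLIENT_STATE):
    """Split a notification batch into accepted and rejected entries.
    Only entries whose clientState equals the configured value are accepted;
    hmac.compare_digest keeps the comparison timing-independent."""
    try:
        payload = json.loads(body)
    except ValueError:
        return [], ["malformed JSON body"]
    accepted, rejected = [], []
    for n in payload.get("value", []):
        state = n.get("clientState")
        if isinstance(state, str) and hmac.compare_digest(state.encode(), expected.encode()):
            accepted.append(n)
        else:
            rejected.append(f"clientState mismatch for subscription {n.get('subscriptionId')}")
    return accepted, rejected


# Constructed sample batch: one genuine notification and one with a wrong clientState.
SAMPLE_BODY = json.dumps({"value": [
    {"subscriptionId": "sub-1", "changeType": "updated",
     "clientState": EXPECTED_CLIENT_STATE, "resource": "users/u1"},
    {"subscriptionId": "sub-1", "changeType": "updated",
     "clientState": "wrong-value", "resource": "users/u2"},
]})


if __name__ == "__main__":
    print(validation_handshake("https://hook.example.invalid/notify?validationToken=abc%20123"))
    ok, bad = authenticate_notifications(SAMPLE_BODY)
    print(len(ok), "accepted;", bad)
```

Rejected entries should be logged and dropped rather than applied, since a notification with a wrong client state is either misrouted or not from the expected subscription; the resource change itself can always be re-read from Graph on the next scheduled sync.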
To make the custom attributes searchable, do the following:
- In the userprofiles page, navigate to the Schema tab.
- Click Edit.
- Deselect the attributes, such as address, from being retrievable, searchable, and indexable, then click Save.
- The Edit button remains inactive for a few minutes before reactivating.
- When the Edit button is in Active state, click Edit.
- Select the retrievable, searchable, and indexable boxes for the required custom attributes.
- Enable search.
- Click Save.
Test the search engine
After configuring your search engine, test its capabilities. This ensures it returns accurate results based on user access.
Enable web app:
- Go to the app integration configurations and toggle to Enable the web app.
Test web app:
Click Open next to the web app link and sign in as a user.
Verify that search results are restricted to items accessible by the user.
Preview people search results
- In the search app, navigate to Preview and start searching within the console when using Google IdP.
- Alternatively, navigate to the provided link and sign in with your IdP to start searching.
- The search results appear as people cards, displaying user details such as Name, Job title, Email, and Profile picture.
Click a people card to view a detailed profile page, which includes the following:
- Name
- Profile picture
- Job title
- Department
- Management chain
- Direct reports
If custom attributes (profile card properties) are ingested and made indexable, searchable, and retrievable:
- Searching by a custom attribute value returns only person profiles containing those attributes.
- Custom attributes appear in search results, but can only be accessed through the API, not the Agentspace Enterprise user interface.
Configure the workforce pool for non-Google IdP without SSO
If your employees use a non-Google IdP, lack SSO with Google, or are not Google Workspace customers, set up a workforce pool as described in Use data source access control to enable the employee search.
The workforce pool lets you manage and authenticate users from external identity providers, such as Azure or Okta, within the Google Cloud console.
To configure your workforce pool and enable the web app for seamless user access, do the following:
Create a workforce pool at the organization level in Google Cloud by following the appropriate setup manual:
Configure the workforce pool in Agentspace > Settings for the region where you create your app.
Next steps
To attach your connector to an app, create an app and select your connector following the steps in Create a search app.
To preview how your search results appear after your app is set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.