
Enabling the Azure AD integration as an Admin for your organisation

Azure AD Connector – Technical Integration Guide

Updated this week

This guide explains how to integrate your Microsoft Entra ID (formerly Azure Active Directory) tenant with Legora. By the end you will have an application registration in Entra ID and the three credentials our platform needs:

  • Directory (tenant) ID

  • Application (client) ID

  • Client secret

These values are entered into the connector’s setup page on our platform to establish a secure, OAuth 2.0-based connection.


Prerequisites

  • Azure subscription & Entra ID tenant - The identity directory you will integrate.

  • Directory role: Application Developer or Global Administrator - Required to create app registrations and secrets.

  • Access to Legora with “Admin” permission - Needed to enter the credentials and complete the connection handshake.


Scope

The Azure AD connector currently supports synchronisation of user membership from selected Microsoft Entra ID (Azure AD) groups into Legora. Specifically, the connector:

  • Synchronises every 15 minutes to keep membership data up to date.

  • Imports members from selected groups and their subgroups, meaning:

    • If a group contains other nested groups (subgroups), users from those subgroups are also included.

    • All users within the group hierarchy are resolved and synced into the corresponding Legora group.

  • Lets administrators choose which AD groups to sync:

    • During the integration setup in Legora, you can select one or more groups from your directory. This can always be changed later.

    • Only group memberships from these chosen groups (and their nested subgroups) will be synchronised.


Setup Instructions

  1. Register an application

    a. Sign in to the Microsoft Entra admin center (https://entra.microsoft.com).
    b. If you belong to multiple tenants, go to ⚙ Settings → Switch directory and select the correct tenant.
    c. Navigate to Entra ID → App registrations → New registration.
    d. Enter a clear Name (e.g., “Legora Connector”).
    e. Under Supported account types: select Accounts in this organisational directory only (single-tenant) unless multi-tenant access is required.
    f. Leave Redirect URI empty (our backend flow doesn’t require it).
    g. Click Register.
    h. On the Overview blade, copy:
    - Directory (tenant) ID
    - Application (client) ID

  2. Create a client secret
    a. In the same app, open Certificates & secrets.
    b. Under Client secrets, select + New client secret.
    c. Provide a description (e.g., “Prod Connector”) and choose an expiry period (maximum is 24 months by default).
    d. Click Add.
    e. Immediately copy the Value column (this is the secret); it is hidden once you leave the page.
    Note: be sure to copy the secret value, not the secret ID.

  3. Grant permissions
    a. With the app registration still open, navigate to API permissions → + Add a permission → Microsoft Graph → Application permissions.
    b. Select the required scopes for the integration to work:
    - User.ReadBasic.All
    - Group.Read.All
    - GroupMember.Read.All
    c. Click Add permissions, then Grant admin consent for the tenant.

  4. Send credentials to Legora
    a. Send the tenant ID, client ID, and client secret via your preferred secure method.

  5. The Legora team completes the setup on our side, and as soon as that's done, you are able to synchronise groups from Azure AD into Legora.
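The two technical pieces this guide relies on, as an added illustration that is not Legora's connector code: the client-credentials token request that the three credentials above enable, and the nested-group resolution described under Scope, modelled on the shape of Microsoft Graph's /groups/{id}/members response. The group and user ids in the sample directory are constructed placeholders, and the fetch function is passed in so the resolver runs offline here and against Graph with a real fetcher.

```python
from typing import Callable, Dict, List, Set, Tuple

GRAPH_SCOPE = "https://graph.microsoft.com/.default"  # app permissions from step 3 resolve via .default


def token_request(tenant_id: str, client_id: str, client_secret: str) -> Tuple[str, Dict[str, str]]:
    """Endpoint and form body for an OAuth 2.0 client-credentials token request.
    Only the tenant ID, client ID and secret value (not the secret ID) are needed."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
    }
    return url, body


def resolve_users(group_id: str, fetch_members: Callable[[str], List[dict]]) -> Set[str]:
    """Return every user id reachable from group_id, following nested groups.
    fetch_members(gid) must return the 'value' list of GET /groups/{gid}/members,
    where each entry carries an '@odata.type' such as '#microsoft.graph.user'.
    A seen-set guards against cycles (A contains B contains A) and double counting."""
    users: Set[str] = set()
    seen_groups: Set[str] = set()
    pending = [group_id]
    while pending:
        gid = pending.pop()
        if gid in seen_groups:
            continue
        seen_groups.add(gid)
        for member in fetch_members(gid):
            kind = member.get("@odata.type")
            if kind == "#microsoft.graph.user":
                users.add(member["id"])
            elif kind == "#microsoft.graph.group":
                pending.append(member["id"])
            # devices, service principals and other directory objects are ignored
    return users


# Constructed in-memory directory (placeholder ids, not real object ids):
# grp-legal contains one user and a subgroup; the subgroup links back to grp-legal.
SAMPLE_DIRECTORY: Dict[str, List[dict]] = {
    "grp-legal": [
        {"@odata.type": "#microsoft.graph.user", "id": "u-alice"},
        {"@odata.type": "#microsoft.graph.group", "id": "grp-associates"},
    ],
    "grp-associates": [
        {"@odata.type": "#microsoft.graph.user", "id": "u-bob"},
        {"@odata.type": "#microsoft.graph.group", "id": "grp-legal"},  # cycle
        {"@odata.type": "#microsoft.graph.device", "id": "dev-1"},     # skipped
    ],
}


def sample_fetch(gid: str) -> List[dict]:
    """Stand-in for a Graph call; a real fetcher must also follow '@odata.nextLink' pages."""
    return SAMPLE_DIRECTORY.get(gid, [])
```

Graph also offers GET /groups/{id}/transitiveMembers, which performs the same flattening server-side; the client-side walk above makes the nested-group and cycle handling visible.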


FAQs

How do I sync additional Azure AD groups after setup?

You can sync more groups at any time from your Legora settings.

To add a new group:

  1. Go to Profile → Integrations → Azure AD

  2. Go to the Unsynced section

  3. Find the Azure AD group you want to sync

  4. Click Sync to Legora to create the corresponding group in Legora

The new group will sync automatically and will follow the regular 15-minute sync cycle.

Can I sync an Azure AD group to an existing group in Legora (merge)?

No. Syncing does not merge into an existing Legora group. Each Azure AD group you sync creates a separate group in Legora. If you have duplicates, you can delete the unwanted Legora group after syncing.

How often does the sync run?

The connector synchronises group membership every 15 minutes. This applies to both the selected Azure AD groups and all nested subgroups.

What happens if I accidentally delete a synced group in Legora?

Deleting the Legora group does not affect Azure AD. However, the next sync will recreate the group if it is still selected in the connector settings.


Support

If you encounter any issues during setup or have questions not covered in this guide, please contact us at: [email protected]
