Configuring the Microsoft Entra ID integration in Persona

Overview

Microsoft Entra ID is a comprehensive identity management platform that helps organizations manage access to applications and resources in a secure manner. Integrating Microsoft Entra ID with Persona enables businesses to leverage Persona's identity verification capabilities within the Microsoft ecosystem to manage employee authentication and account recovery workflows.

Prerequisites

To set up the Microsoft Entra ID integration with Persona, you need:

  • A Microsoft Entra tenant configured for service.
  • Completion of the onboarding process with Persona. You can create an account by registering through the Persona Dashboard.

Connect Microsoft Entra ID to your Persona account

Visit the Marketplace integrations in your Persona dashboard and select Microsoft Entra ID.

Microsoft Entra ID supports two authentication methods:

  1. Delegated permissions (default) — allows full user authentication method management
  2. Application permissions (app-only) — allows limited authentication method operations

To learn more about the differences between these permission types, see Microsoft's documentation on delegated and application permissions.

Option 1: Delegated permissions

Delegated permissions allow Persona to act on behalf of a signed-in user and access the full range of Microsoft Graph authentication methods APIs.

Supported operations:

  • Get user
  • Get user by email
  • List authentication methods
  • Delete authentication method
  • Reset password
  • Create Temporary Access Pass

Setup steps:

  1. Choose + Add credential
  2. Provide a name for this credential (e.g., "Persona")
  3. Sign in to your Microsoft account

The user you sign in with must have the following permissions: User.Read.All and UserAuthenticationMethod.ReadWrite.All. If these permissions are not provided, the integration setup will fail with the message "Need admin approval: Persona needs permission to access resources in your organization that only an admin can grant."

Option 2: Application permissions (app-only)

Application permissions allow Persona to authenticate with its own identity (client credentials) rather than on behalf of a user. This is useful for automated, unattended scenarios.

Supported operations:

  • Get user
  • Get user by email
  • List authentication methods
  • Delete authentication method
  • Create Temporary Access Pass

Unsupported operations:

  • Reset password — Microsoft does not support this operation with application-only permissions

Setting up app-only permissions

  1. In the Azure/Entra portal, navigate to App registrations (not Enterprise Applications)
  2. Select your Persona application or create a new app registration
  3. Under Certificates & secrets, create a new client secret and save it securely
  4. Under API permissions, add the following Application permissions (not Delegated):
    • User.Read.All
    • UserAuthenticationMethod.ReadWrite.All
  5. Click Grant admin consent for your tenant
  6. In your Persona dashboard, navigate to Marketplace Integrations and search for Microsoft Entra
  7. Choose + Add credential
  8. Provide a name for this credential (e.g., "Persona App-Only")
  9. Enter your:
    • Tenant ID
    • Client ID (Application ID)
    • Client Secret
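Before pasting the Tenant ID, Client ID and Client Secret into Persona, it is worth confirming that the app registration actually holds both application permissions with admin consent. The following is an added example (not Persona's or Microsoft's own code): it builds the client-credentials token request against the public Entra v2.0 token endpoint and checks the permission claims in the returned access token. The tenant/client values are placeholders and the sample tokens in the test are constructed; the decoding is inspection only, no signature check.

```python
import base64
import json
import urllib.parse

# Permissions the integration needs (from the setup steps above).
REQUIRED_PERMISSIONS = {"User.Read.All", "UserAuthenticationMethod.ReadWrite.All"}

# Microsoft's public v2.0 token endpoint and the Graph ".default" scope.
TOKEN_URL = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default"


def client_credentials_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for the app-only client-credentials token request."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_DEFAULT_SCOPE,
        "grant_type": "client_credentials",
    })
    return TOKEN_URL.format(tenant_id=tenant_id), body


def decode_jwt_payload(token):
    """Decode the JWT payload for inspection (does not verify the signature)."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def missing_permissions(token, app_only):
    """Return the required permissions the token does NOT carry, sorted.

    App-only tokens list granted application permissions in the `roles` claim;
    delegated tokens list consented scopes in the space-separated `scp` claim.
    A delegated-only consent therefore never satisfies the app-only check.
    """
    claims = decode_jwt_payload(token)
    if app_only:
        granted = set(claims.get("roles", []))
    else:
        granted = set(claims.get("scp", "").split())
    return sorted(REQUIRED_PERMISSIONS - granted)


def constructed_token(claims):
    """Build an unsigned demo token (constructed sample, not a real Entra token)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."
```

Send the request body returned by `client_credentials_request` with a POST to the URL, then pass the `access_token` from the JSON response to `missing_permissions(token, app_only=True)`; an empty list means admin consent for both application permissions is in place.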

Your employee's experience

To help an employee reset their password, you'll need to pre-fill their Entra ID—typically their work email address—as part of the inquiry URL. Your helpdesk can generate a Persona inquiry link that includes the employee's Entra ID in the URL.

Persona uses this to fetch employee data from Microsoft Entra—such as name and date of birth—so we can verify the correct individual before proceeding with any account updates.

With delegated permissions: Once verified, the employee will be shown a temporary password. They can use this to sign in at https://entra.microsoft.com, where they'll be prompted to set a new password.

With app-only permissions: Once verified, the employee will be shown a Temporary Access Pass. They can use this to sign in at https://entra.microsoft.com, where they can set up their permanent authentication method.

For more on what the employee will see, visit What to expect when verifying your identity with Persona to reset your Microsoft Entra ID password.

Frequently Asked Questions

What permissions and scopes are required?

You must create a Microsoft Entra API credential with the appropriate scopes. These include User.Read.All and UserAuthenticationMethod.ReadWrite.All. If these permissions are not provided, the integration setup will fail with the message "Need admin approval: Persona needs permission to access resources in your organization that only an admin can grant."

For delegated permissions: The signed-in user must have these delegated permissions and appropriate admin privileges.

For app-only permissions: The application must be granted these application permissions in the App registration, and admin consent must be granted.

In many cases, employees may reach out to a helpdesk via ServiceNow or similar tools. The helpdesk can pre-fill the employee's Entra ID in the inquiry URL before sharing it. Persona will then pull data from Entra to verify identity before performing the configured authentication method operation. Microsoft Entra will enforce a password change the next time the employee signs in (when using password reset).
