Overview
Microsoft Entra ID is an identity management platform that helps organizations manage access to applications and resources securely. Integrating Microsoft Entra ID with Persona enables businesses to use Persona's identity verification capabilities within the Microsoft ecosystem to manage employee authentication and account recovery workflows.
Prerequisites
To set up the Microsoft Entra ID integration with Persona, you need:
- A Microsoft Entra tenant configured for service.
- Completion of the onboarding process with Persona. You can create an account by registering through the Persona Dashboard.
Connect Microsoft Entra ID to your Persona account
Visit the Marketplace integrations in your Persona dashboard and select Microsoft Entra ID.
Microsoft Entra ID supports two authentication methods:
- Delegated permissions (default) — allows full user authentication method management
- Application permissions (app-only) — allows limited authentication method operations
To learn more about the differences between these permission types, see Microsoft's documentation on delegated and application permissions.
Option 1: Delegated permissions
Delegated permissions allow Persona to act on behalf of a signed-in user and access a range of Microsoft Graph authentication methods APIs. The authorizing user’s permissions will determine the Microsoft Entra ID operations Persona can make on behalf of the user.
Supported operations and associated permissions:
- Get user: User.Read.All, CustomSecAttributeAssignment.Read.All
- Get user by email: User.Read.All
- Create a user: User.ReadWrite.All
- Update a user: User.ReadWrite.All, User-PasswordProfile.ReadWrite.All
- List authentication methods: UserAuthenticationMethod.ReadWrite.All
- Delete authentication method: UserAuthenticationMethod.ReadWrite.All
- Reset password: UserAuthenticationMethod.ReadWrite.All
- Create temporary access pass: UserAuthenticationMethod.ReadWrite.All
Setup steps:
- Choose + Add credential and select Microsoft Entra Authorization
- Provide a name for this credential (e.g., "Persona")
- Sign in to your Microsoft account
Note that the offline_access permission is required so that Persona receives a refresh token and can maintain access to Graph APIs without the authorizing user signing in again.
Option 2: Application permissions (app-only)
Application permissions allow Persona to authenticate with its own identity (client credentials) rather than on behalf of a user. This is useful for automated, unattended scenarios. The app’s permissions will determine the Microsoft Entra ID operations Persona can make.
Supported operations and associated permissions:
- Get user: User.ReadWrite.All
- Get user by email: User.ReadWrite.All
- Create a user: User.ReadWrite.All
- Update a user: User.ReadWrite.All, User-PasswordProfile.ReadWrite.All
- List authentication methods: UserAuthenticationMethod.ReadWrite.All
- Delete authentication method: UserAuthenticationMethod.ReadWrite.All
- Create temporary access pass: UserAuthenticationMethod.ReadWrite.All
Unsupported operations:
- Reset password — Microsoft does not support this operation with application-only permissions
Setting up app-only permissions
- In the Azure/Entra portal, navigate to App registrations (not Enterprise Applications)
- Select your Persona application or create a new app registration
- Under Certificates & secrets, create a new client secret and save it securely
- Under API permissions, add the relevant Application permissions (not Delegated).
- Click Grant admin consent for your tenant
- In your Persona dashboard, navigate to Marketplace Integrations and search Microsoft Entra.
- Choose + Add credential
- Provide a name for this credential (e.g., "Persona App-Only")
- Enter your:
  - Tenant ID
  - Client ID (Application ID)
  - Client Secret
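To see what the app-only credential above actually does once it is configured, here is an added example (not Persona's or Microsoft's code) of the client-credentials flow against Microsoft Graph, with a least-privilege check built from the operation/permission list in Option 2. The tenant ID, client ID, secret and user are placeholders; only the network calls need a real registration.

```python
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH = "https://graph.microsoft.com/v1.0"

# Per-operation application permissions from this page; reset_password is
# absent because Microsoft does not support it with app-only permissions.
APP_ONLY_PERMISSIONS = {
    "get_user": {"User.ReadWrite.All"},
    "get_user_by_email": {"User.ReadWrite.All"},
    "create_user": {"User.ReadWrite.All"},
    "update_user": {"User.ReadWrite.All", "User-PasswordProfile.ReadWrite.All"},
    "list_auth_methods": {"UserAuthenticationMethod.ReadWrite.All"},
    "delete_auth_method": {"UserAuthenticationMethod.ReadWrite.All"},
    "create_tap": {"UserAuthenticationMethod.ReadWrite.All"},
}

def missing_permissions(operation, granted):
    """Permissions the registration still lacks; ValueError if app-only can't do it."""
    if operation not in APP_ONLY_PERMISSIONS:
        raise ValueError(f"{operation!r} is not supported with application permissions")
    return APP_ONLY_PERMISSIONS[operation] - set(granted)

def token_request(tenant_id, client_id, client_secret):
    """Client-credentials token request (URL, form); .default = all consented app roles."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    })
    return TOKEN_URL.format(tenant=tenant_id), body

def methods_url(user_id):
    """Graph endpoint that lists a user's registered authentication methods."""
    return f"{GRAPH}/users/{urllib.parse.quote(user_id)}/authentication/methods"

def list_auth_methods(tenant_id, client_id, client_secret, granted, user_id):
    """Fail closed on missing admin consent, then call Graph with an app-only token."""
    need = missing_permissions("list_auth_methods", granted)
    if need:
        raise PermissionError(f"grant admin consent for {sorted(need)} first")
    url, body = token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(url, data=body.encode()) as r:  # POST to the token endpoint
        token = json.load(r)["access_token"]
    hdr = {"Authorization": f"Bearer {token}"}
    with urllib.request.urlopen(urllib.request.Request(methods_url(user_id), headers=hdr)) as r:
        return json.load(r)["value"]
```

The `granted` list is what you consented under API permissions in the App registration; comparing it against the table before calling Graph surfaces the "Need admin approval" failure described in the FAQ as a clear local error.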
Your employee's experience
To help an employee reset their password, you'll need to pre-fill their Entra ID—typically their work email address—as part of the inquiry URL. Your helpdesk can generate a Persona inquiry link that includes the employee's Entra ID in the URL.
Persona uses this to fetch employee data from Microsoft Entra—such as name and date of birth—so we can verify the correct individual before proceeding with any account updates.
Once verified, the employee will be shown a temporary password. They can use this to sign in at https://entra.microsoft.com, where they'll be prompted to set a new password.
For more on what the employee will see, visit What to expect when verifying your identity with Persona to reset your Microsoft Entra ID password.
Frequently Asked Questions
What minimum permissions and scopes are required?
You must create a Microsoft Entra API credential with the appropriate scopes. These include User.Read.All and UserAuthenticationMethod.ReadWrite.All. If these permissions are not provided, the integration setup will fail with the message "Need admin approval: Persona needs permission to access resources in your organization that only an admin can grant."
For delegated permissions: The signed-in user must have these delegated permissions and appropriate admin privileges.
For app-only permissions: The application must be granted these application permissions in the App registration, and admin consent must be granted.
How can I get my user a verification link?
In many cases, employees may reach out to a helpdesk via ServiceNow or similar tools. The helpdesk can pre-fill the employee's Entra ID in the inquiry URL before sharing it. Persona will then pull data from Entra to verify identity before performing the configured authentication method operation. Microsoft Entra will enforce a password change the next time the employee signs in (when using password reset).