Skip to main content
The Microsoft Entra ID Attribute Provider connector retrieves user attributes from Microsoft Entra ID (formerly Microsoft Entra ID) using the Microsoft Graph API — enriching session claims with directory data beyond what authentication alone provides.
Console terminology: In the Maverics Console, this section is called Identity Fabric. The YAML configuration uses the connectors key to define attribute provider integrations.

Overview

The Entra ID Attribute Provider uses the Microsoft Graph API to look up user profile data, group memberships, and other directory attributes. It shares the same connector type as the Microsoft Entra ID IdP connector, but configured without OIDC authentication fields. This connector is not an identity provider. It does not handle authentication. Instead, it is paired with an IdP connector (such as Okta, ADFS, or Microsoft Entra ID OIDC) to supplement the session with additional attributes from Microsoft Entra ID.

Use Cases

  • Unified SSO with Entra ID attribute enrichment — Enrich sessions with Entra ID profile data (department, job title, manager) so applications receive consistent identity attributes regardless of which IdP handles authentication
  • Cross-IdP authorization with Entra ID groups — Query Entra ID group memberships to drive authorization decisions in Orchestrator policies, even when users authenticate through a non-Microsoft IdP like Okta or ADFS
  • Bridge identity data during IdP consolidation — During migration away from or toward Entra ID, maintain access to Microsoft directory attributes so applications continue to receive the claims they depend on
  • Multi-directory identity enrichment — Combine Entra ID attribute lookups with authentication from any supported IdP, bridging identity data across organizational boundaries such as post-acquisition environments

Configuration

To create a Microsoft Entra ID Attribute Provider connector in the Maverics Console:
  1. Navigate to Identity Fabric in the Console sidebar.
  2. Click Create and select Microsoft Entra ID Attribute Provider.
  3. Enter a Name — this is the friendly name that identifies your provider.
  4. Enter the Microsoft Graph URL — this defines the endpoint used to make calls to the Microsoft Graph API. Use https://graph.microsoft.com/v1.0 for the stable API version.
  5. Optionally enter the OIDC Well Known URL — the URL that returns OpenID Connect metadata about the Entra ID authorization server. This follows the pattern https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration.
  6. Enter the OAuth Client ID — the client ID of the Maverics application registered in the Entra ID organization.
  7. Enter the OAuth Client Secret — the client secret of the Maverics application registered in the Entra ID organization.
  8. Click Save.

Troubleshooting

  • Verify the graphURL is reachable from the Orchestrator host — the standard endpoint is https://graph.microsoft.com/v1.0
  • Ensure the app registration has the correct Graph API permissions — without User.Read.All or similar scopes, attribute lookups will fail with 403 errors
  • Check that the oauthClientSecret reference resolves correctly via your secret provider — Entra ID client secrets expire and need periodic rotation
  • Confirm the tenant ID in the oidcWellKnownURL matches the directory where the app registration and target users reside

Microsoft Entra ID

OIDC identity provider connector for Microsoft Entra ID

Identity Fabric

Overview of all identity providers and attribute providers

Okta

OIDC connector for Okta — commonly paired with this attribute provider

ADFS

OIDC connector for ADFS — another common pairing for Entra ID attributes