> ## Documentation Index
> Fetch the complete documentation index at: https://docs.oleria.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Microsoft Entra ID and M365 SharePoint

Oleria provides identity security and access management teams with visibility and intelligence into who has access to what, where they got that access, how they use it, and if they should even have it. As part of that promise, we integrate applications such as Microsoft Entra ID and M365 SharePoint into the Oleria platform. We provide multiple options for each integration and this document provides step-by-step guidance for integrating Entra ID and M365 SharePoint with your Oleria workspace.

## Prerequisites

* The user granting these permissions must have Global Admin privileges.

<Note>
  Standard integrations are configured with read-only permissions. If you would like to take advantage of Oleria's access remediation capabilities, which are completely optional, you need to configure additional privileges required for write access.

  Use a service account (and not an employee account) with the suggested privileges for the integration to ensure continuity.
</Note>

## Integration Approaches

Oleria currently supports three approaches. Follow the one that is most appropriate for your organization.

1. [Authenticate via Microsoft (automated configuration via OAuth)](#authenticate-via-microsoft-oauth)
2. [Client Secret Authentication (manual configuration)](#client-secret-authentication)
3. [Client Certificate Authentication (manual configuration)](#client-certificate-authentication)

## Authenticate via Microsoft (OAuth)

<Steps>
  <Step title="Open the integration">
    Log in to your Oleria workspace and select **Integrations**.

    * Select **Microsoft Entra ID** to integrate Entra ID, or
    * Select **Microsoft SharePoint and OneDrive** to integrate Entra ID, SharePoint, and OneDrive.

          <img src="https://mintcdn.com/oleria/JQNzbB9a7dBTORxV/images/integrations/microsoft-entra-id/step-1.png?fit=max&auto=format&n=JQNzbB9a7dBTORxV&q=85&s=fb084058cef4d6c01b63a569930a71a7" alt="Select Microsoft SharePoint and OneDrive to integrate Entra ID, SharePoint, and OneDrive." width="1391" height="425" data-path="images/integrations/microsoft-entra-id/step-1.png" />

    A side panel opens.

    <img src="https://mintcdn.com/oleria/JQNzbB9a7dBTORxV/images/integrations/microsoft-entra-id/step-2.png?fit=max&auto=format&n=JQNzbB9a7dBTORxV&q=85&s=a9af52cd2e4000c6d62479c8698ef3fa" alt="Step 2: A side page opens." width="1600" height="966" data-path="images/integrations/microsoft-entra-id/step-2.png" />
  </Step>

  <Step title="Choose permission scope">
    The screen shows an option to enable write permissions to allow Oleria to perform select remediations. The Oleria remediation feature is optional.

    To enable remediations, select the checkbox. Otherwise, select **Authenticate** to proceed with the standard read-only permissions scope.

    <img src="https://mintcdn.com/oleria/JQNzbB9a7dBTORxV/images/integrations/microsoft-entra-id/step-3.png?fit=max&auto=format&n=JQNzbB9a7dBTORxV&q=85&s=6e8c346cd8a27062ac026bc191735638" alt="Oleria integration screen with optional write permissions checkbox for remediations" width="1288" height="519" data-path="images/integrations/microsoft-entra-id/step-3.png" />
  </Step>

  <Step title="Select your Microsoft account">
    Select your Microsoft account and complete authentication.
  </Step>

  <Step title="Complete the initial consent form">
    A consent form appears to grant permissions for the Oleria application to view your basic profile and read access. Complete the consent form by selecting **Accept**.

    <img src="https://mintcdn.com/oleria/JQNzbB9a7dBTORxV/images/integrations/microsoft-entra-id/step-4.png?fit=max&auto=format&n=JQNzbB9a7dBTORxV&q=85&s=40236c584a5aa7f4cedb00fe10aa4943" alt="Microsoft consent form for Oleria application read permissions" width="383" height="706" data-path="images/integrations/microsoft-entra-id/step-4.png" />
  </Step>

  <Step title="Complete the application consent form">
    Microsoft's application consent form will appear with a list of requested permissions, which varies depending on your selected application and whether you chose to enable optional remediation capabilities. Complete the consent form by selecting **Accept**.

    The permissions vary by integration type:

    1. Standard read-only permissions for Entra ID integration (without optional remediations)

           <img src="https://mintcdn.com/oleria/JQNzbB9a7dBTORxV/images/integrations/microsoft-entra-id/step-5.png?fit=max&auto=format&n=JQNzbB9a7dBTORxV&q=85&s=9d19bf93871ce72288ac4eb15bfec8e4" alt="Microsoft consent form showing standard read-only permissions for Entra ID integration" width="455" height="846" data-path="images/integrations/microsoft-entra-id/step-5.png" />

    2. Standard read-only permissions for SharePoint and OneDrive integration (without optional remediation)

           <img src="https://mintcdn.com/oleria/JQNzbB9a7dBTORxV/images/integrations/microsoft-entra-id/step-6.png?fit=max&auto=format&n=JQNzbB9a7dBTORxV&q=85&s=5333dcc6cb074d8a0923d821fd43c676" alt="Microsoft consent form showing standard read-only permissions for SharePoint and OneDrive" width="341" height="723" data-path="images/integrations/microsoft-entra-id/step-6.png" />

    3. Permissions for Entra ID integration with optional remediation capabilities (includes some write permissions)

           <img src="https://mintcdn.com/oleria/JQNzbB9a7dBTORxV/images/integrations/microsoft-entra-id/step-7.png?fit=max&auto=format&n=JQNzbB9a7dBTORxV&q=85&s=b46b57468931167ed4f8787c3b3f9902" alt="Microsoft consent form showing Entra ID permissions with optional write access for remediations" width="392" height="766" data-path="images/integrations/microsoft-entra-id/step-7.png" />

    4. Permissions for SharePoint and OneDrive integration with optional remediation capabilities (includes some write permissions)

           <img src="https://mintcdn.com/oleria/JQNzbB9a7dBTORxV/images/integrations/microsoft-entra-id/step-8.png?fit=max&auto=format&n=JQNzbB9a7dBTORxV&q=85&s=48976cc24eb5ca849cbf8ced31ff4174" alt="Microsoft consent form showing SharePoint and OneDrive permissions with optional write access" width="389" height="894" data-path="images/integrations/microsoft-entra-id/step-8.png" />
  </Step>

  <Step title="Confirm the connection">
    Find the newly integrated Entra ID and M365 SharePoint instances in your Oleria workspace connected integrations.

    <img src="https://mintcdn.com/oleria/JQNzbB9a7dBTORxV/images/integrations/microsoft-entra-id/step-9.png?fit=max&auto=format&n=JQNzbB9a7dBTORxV&q=85&s=579c01df5f01bc8f8661e1e7921da610" alt="Oleria workspace Connected Integrations showing Entra ID and M365 SharePoint instances" width="1600" height="645" data-path="images/integrations/microsoft-entra-id/step-9.png" />
  </Step>
</Steps>

## Client Secret Authentication

<Steps>
  <Step title="Create an app registration in Entra ID">
    Log in to Microsoft Entra ID, navigate to **App registrations**, and select **New registration**.

    <img src="https://mintcdn.com/oleria/JQNzbB9a7dBTORxV/images/integrations/microsoft-entra-id/step-10.png?fit=max&auto=format&n=JQNzbB9a7dBTORxV&q=85&s=3686b6557088a98ea9fe118bfa9f68a6" alt="Log in to Microsoft Entra ID, navigate to the App registrations, and select New registration." width="897" height="487" data-path="images/integrations/microsoft-entra-id/step-10.png" />
  </Step>

  <Step title="Configure the registration">
    Give a name to the application (e.g., **Oleria**) and select **Accounts in any organization directory (Any Microsoft Entra ID tenant - Single tenant)**. Select **Register**.

    <Note>If you add any tenants in the future, you must add another App registration for each individual tenant. Alternatively, select **Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)** to cover all tenants by default.</Note>

    <img src="https://mintcdn.com/oleria/JQNzbB9a7dBTORxV/images/integrations/microsoft-entra-id/step-11.png?fit=max&auto=format&n=JQNzbB9a7dBTORxV&q=85&s=effe2c85fbe997565e9fdc2ae57b042d" alt="Entra ID App Registration with single tenant option selected" width="1020" height="789" data-path="images/integrations/microsoft-entra-id/step-11.png" />
  </Step>

  <Step title="Open API permissions">
    Open the application and select **Manage** → **API permissions**. Select **Add permission**.

    <img src="https://mintcdn.com/oleria/JQNzbB9a7dBTORxV/images/integrations/microsoft-entra-id/step-12.png?fit=max&auto=format&n=JQNzbB9a7dBTORxV&q=85&s=7785996fb9e9a3436de4901181b263ab" alt="Step 3: Open the application and select Manage → API permissions. Select Add permission" width="909" height="706" data-path="images/integrations/microsoft-entra-id/step-12.png" />
  </Step>

  <Step title="Add Microsoft Graph permissions">
    Select **Microsoft Graph** and select **Application permissions**. Add the permissions appropriate for your integration:

    <img src="https://mintcdn.com/oleria/JQNzbB9a7dBTORxV/images/integrations/microsoft-entra-id/step-13.png?fit=max&auto=format&n=JQNzbB9a7dBTORxV&q=85&s=cb7a84b308af590866f10588b8dd966b" alt="Step 4: Select Microsoft Graph and select Application permissions. Add permissions" width="1330" height="774" data-path="images/integrations/microsoft-entra-id/step-13.png" />

    1. Standard read-only permissions for Entra ID integration (without optional remediations)

    | API / Permissions name            | Type        | Permission                                |
    | --------------------------------- | ----------- | ----------------------------------------- |
    | Microsoft Graph (15)              |             |                                           |
    | Agreement.Read.All                | Application | Read all terms of use agreements          |
    | Application.Read.All              | Application | Read all applications                     |
    | AuditLog.Read.All                 | Application | Read all audit log data                   |
    | Directory.Read.All                | Application | Read directory data                       |
    | EntitlementManagement.Read.All    | Application | Read all entitlement management resources |
    | Group.Read.All                    | Application | Read all groups                           |
    | GroupMember.Read.All              | Application | Read all group memberships                |
    | IdentityRiskEvent.Read.All        | Application | Read all identity risk event information  |
    | LifecycleWorkflows.Read.All       | Application | Read all lifecycle workflows resources    |
    | Policy.Read.All                   | Application | Read your organization's policies         |
    | profile                           | Delegated   | View users' basic profile                 |
    | RoleManagement.Read.Directory     | Application | Read all directory RBAC settings          |
    | User.Read                         | Delegated   | Sign in and read user profile             |
    | User.Read.All                     | Application | Read all users' full profiles             |
    | UserAuthenticationMethod.Read.All | Application | Read all users' authentication methods    |

    2. Standard read-only permissions for SharePoint and OneDrive integration (without optional remediation)

    | API / Permissions name            | Type        | Permission                                |
    | --------------------------------- | ----------- | ----------------------------------------- |
    | Microsoft Graph (16)              |             |                                           |
    | Agreement.Read.All                | Application | Read all terms of use agreements          |
    | Application.Read.All              | Application | Read all applications                     |
    | AuditLog.Read.All                 | Application | Read all audit log data                   |
    | Directory.Read.All                | Application | Read directory data                       |
    | EntitlementManagement.Read.All    | Application | Read all entitlement management resources |
    | Group.Read.All                    | Application | Read all groups                           |
    | GroupMember.Read.All              | Application | Read all group memberships                |
    | IdentityRiskEvent.Read.All        | Application | Read all identity risk event information  |
    | LifecycleWorkflows.Read.All       | Application | Read all lifecycle workflows resources    |
    | Policy.Read.All                   | Application | Read your organization's policies         |
    | profile                           | Delegated   | View users' basic profile                 |
    | RoleManagement.Read.Directory     | Application | Read all directory RBAC settings          |
    | Sites.Read.All                    | Application | Read items in all site collections        |
    | User.Read                         | Delegated   | Sign in and read user profile             |
    | User.Read.All                     | Application | Read all users' full profiles             |
    | UserAuthenticationMethod.Read.All | Application | Read all users' authentication methods    |
    | Office 365 Management APIs (1)    |             |                                           |
    | ActivityFeed.Read                 | Application | Read activity data for your organization  |
    | SharePoint (2)                    |             |                                           |
    | Sites.FullControl.All             | Application | Have full control of all site collections |
    | Sites.Read.All                    | Application | Read items in all site collections        |

    3. Permissions for Entra ID integration with optional remediation capabilities (includes some write permissions)

    | API / Permissions name            | Type        | Permission                                |
    | --------------------------------- | ----------- | ----------------------------------------- |
    | Microsoft Graph (16)              |             |                                           |
    | Agreement.Read.All                | Application | Read all terms of use agreements          |
    | Application.Read.All              | Application | Read all applications                     |
    | AuditLog.Read.All                 | Application | Read all audit log data                   |
    | Directory.Read.All                | Application | Read directory data                       |
    | EntitlementManagement.Read.All    | Application | Read all entitlement management resources |
    | Group.Read.All                    | Application | Read all groups                           |
    | GroupMember.Read.All              | Application | Read all group memberships                |
    | IdentityRiskEvent.Read.All        | Application | Read all identity risk event information  |
    | LifecycleWorkflows.Read.All       | Application | Read all lifecycle workflows resources    |
    | Policy.Read.All                   | Application | Read your organization's policies         |
    | profile                           | Delegated   | View users' basic profile                 |
    | RoleManagement.Read.Directory     | Application | Read all directory RBAC settings          |
    | User.EnableDisableAccount.All     | Application | Enable and disable user accounts          |
    | User.Read                         | Delegated   | Sign in and read user profile             |
    | User.Read.All                     | Application | Read all users' full profiles             |
    | UserAuthenticationMethod.Read.All | Application | Read all users' authentication methods    |

    4. Permissions for SharePoint and OneDrive integration with optional remediation capabilities (includes some write permissions)

    | API / Permissions name            | Type        | Permission                                   |
    | --------------------------------- | ----------- | -------------------------------------------- |
    | Microsoft Graph (20)              |             |                                              |
    | Agreement.Read.All                | Application | Read all terms of use agreements             |
    | Application.Read.All              | Application | Read all applications                        |
    | AuditLog.Read.All                 | Application | Read all audit log data                      |
    | Directory.Read.All                | Application | Read directory data                          |
    | EntitlementManagement.Read.All    | Application | Read all entitlement management resources    |
    | Files.ReadWrite.All               | Application | Read and write files in all site collections |
    | Group.Read.All                    | Application | Read all groups                              |
    | Group.ReadWrite.All               | Application | Read and write all groups                    |
    | GroupMember.Read.All              | Application | Read all group memberships                   |
    | GroupMember.ReadWrite.All         | Application | Read and write all group memberships         |
    | IdentityRiskEvent.Read.All        | Application | Read all identity risk event information     |
    | LifecycleWorkflows.Read.All       | Application | Read all lifecycle workflows resources       |
    | Policy.Read.All                   | Application | Read your organization's policies            |
    | profile                           | Delegated   | View users' basic profile                    |
    | RoleManagement.Read.Directory     | Application | Read all directory RBAC settings             |
    | Sites.Read.All                    | Application | Read items in all site collections           |
    | User.EnableDisableAccount.All     | Application | Enable and disable user accounts             |
    | User.Read                         | Delegated   | Sign in and read user profile                |
    | User.Read.All                     | Application | Read all users' full profiles                |
    | UserAuthenticationMethod.Read.All | Application | Read all users' authentication methods       |
    | Office 365 Management APIs (1)    |             |                                              |
    | ActivityFeed.Read                 | Application | Read activity data for your organization     |
    | SharePoint (2)                    |             |                                              |
    | Sites.FullControl.All             | Application | Have full control of all site collections    |
    | Sites.Read.All                    | Application | Read items in all site collections           |
  </Step>

  <Step title="Grant admin consent">
    After adding all application permissions, select **Grant admin consent** to complete the consent.

    <img src="https://mintcdn.com/oleria/JQNzbB9a7dBTORxV/images/integrations/microsoft-entra-id/step-14.png?fit=max&auto=format&n=JQNzbB9a7dBTORxV&q=85&s=3884f0312890511880f0d607d6c4dcd9" alt="Microsoft Entra ID API permissions page with Grant admin consent button highlighted" width="1331" height="792" data-path="images/integrations/microsoft-entra-id/step-14.png" />
  </Step>

  <Step title="Confirm admin consent">
    Successful completion of admin grant consent should mark granted status green.

    <img src="https://mintcdn.com/oleria/JQNzbB9a7dBTORxV/images/integrations/microsoft-entra-id/step-15.png?fit=max&auto=format&n=JQNzbB9a7dBTORxV&q=85&s=3a06a8826515e9fc461bc2858bf0321f" alt="Step 6: Successful completion of Admin grant consent should mark granted status green." width="1334" height="784" data-path="images/integrations/microsoft-entra-id/step-15.png" />
  </Step>

  <Step title="Create a client secret">
    Navigate to **Certificates & Secrets** and create a client secret.

    <img src="https://mintcdn.com/oleria/JQNzbB9a7dBTORxV/images/integrations/microsoft-entra-id/step-16.png?fit=max&auto=format&n=JQNzbB9a7dBTORxV&q=85&s=1eb72ae565b491e386d2ce5bb1235ede" alt="Step 7: Navigate to Certificates & Secrets, and create a client secret as shown below" width="1571" height="789" data-path="images/integrations/microsoft-entra-id/step-16.png" />
  </Step>

  <Step title="Copy the client secret value">
    The generated client secret will be shown. Copy the **Client Secret Value**.

    <img src="https://mintcdn.com/oleria/JQNzbB9a7dBTORxV/images/integrations/microsoft-entra-id/step-17.png?fit=max&auto=format&n=JQNzbB9a7dBTORxV&q=85&s=4badbe57bdf82f37c928c7c2ba0350dc" alt="Step 8: The generated client secret will be shown as follows. Copy the Client Secret Value." width="1142" height="748" data-path="images/integrations/microsoft-entra-id/step-17.png" />
  </Step>

  <Step title="Capture Client ID and Tenant ID">
    Capture your **Client ID** and **Directory (tenant) ID**.

    <img src="https://mintcdn.com/oleria/JQNzbB9a7dBTORxV/images/integrations/microsoft-entra-id/step-18.png?fit=max&auto=format&n=JQNzbB9a7dBTORxV&q=85&s=e8e62f062b6dc31abc24179047e2fea1" alt="Step 9: Capture your Client ID and Directory tenant ID" width="963" height="364" data-path="images/integrations/microsoft-entra-id/step-18.png" />
  </Step>

  <Step title="Open the integration in Oleria">
    Log in to Oleria workspace → select **Integrations** → select **Microsoft SharePoint and OneDrive**.

    <img src="https://mintcdn.com/oleria/JQNzbB9a7dBTORxV/images/integrations/microsoft-entra-id/step-19.png?fit=max&auto=format&n=JQNzbB9a7dBTORxV&q=85&s=6630e4740f3c8d908ed0e40bbcc2fa94" alt="Oleria workspace Integrations page with Microsoft SharePoint and OneDrive selected" width="1001" height="510" data-path="images/integrations/microsoft-entra-id/step-19.png" />

    A side panel opens.
  </Step>

  <Step title="Authenticate with Client Secret">
    Select the **Authentication Method** dropdown and select **Client Secret Authentication**.

    Provide the **Client Secret Value**, **Tenant ID**, and **Client ID** captured in the previous steps.

    <img src="https://mintcdn.com/oleria/JQNzbB9a7dBTORxV/images/integrations/microsoft-entra-id/step-20.png?fit=max&auto=format&n=JQNzbB9a7dBTORxV&q=85&s=d705511615b4238d4fc7f67c2ec241b1" alt="Provide Client Secret Value captured in step 8, Tenant ID and Client ID captured in step 9." width="1168" height="902" data-path="images/integrations/microsoft-entra-id/step-20.png" />
  </Step>

  <Step title="Confirm the connection">
    Find the newly integrated Entra ID and M365 SharePoint instances in your Oleria workspace connected integrations.

    <img src="https://mintcdn.com/oleria/JQNzbB9a7dBTORxV/images/integrations/microsoft-entra-id/step-21.png?fit=max&auto=format&n=JQNzbB9a7dBTORxV&q=85&s=52887c309f01a5b47d26bad2fc1000b4" alt="Oleria workspace Connected Integrations showing newly added Entra ID and SharePoint instances" width="1600" height="645" data-path="images/integrations/microsoft-entra-id/step-21.png" />
  </Step>
</Steps>

## Client Certificate Authentication

Client certificate authentication uses a certificate uploaded to your Oleria app registration in Entra ID and a base64-encoded private key stored by Oleria. Use this method when your security policy requires certificate-based service principal authentication instead of a client secret.

<Note>
  This flow reuses the Oleria app registration and API permissions you create in the [Client Secret Authentication](#client-secret-authentication) section. Complete the steps from **Create an app registration in Entra ID** through **Confirm admin consent**, then return here. Skip the **Create a client secret** step.
</Note>

<Steps>
  <Step title="Prepare your certificate files">
    Place the following files in a single working directory:

    * `certificate.pem` - the public certificate in PEM format
    * `private_key.txt` - the matching unencrypted private key in PEM format
    * `certificate_chain.txt` - the intermediate certificate chain in PEM format

    If your organization does not issue these files through an internal PKI, generate a self-signed certificate using the tooling of your choice (for example, AWS Certificate Manager Private CA or `New-SelfSignedCertificate` on Windows) and export it in the formats above.

    <Note>
      The private key must be unencrypted. If `private_key.txt` is passphrase-protected, decrypt it first with `openssl rsa -in private_key.txt -out private_key.txt` (or the equivalent for your key type) before continuing.
    </Note>
  </Step>

  <Step title="Generate the base64-encoded private key">
    Oleria expects a single base64 string that decodes to the certificate, chain, and unencrypted private key concatenated as PEM blocks. Run the commands for your operating system from the directory that holds the files prepared in the previous step.

    <Tabs>
      <Tab title="macOS or Linux">
        ```bash theme={null}
        cat certificate.pem certificate_chain.txt private_key.txt > generated_cert.pem
        base64 < generated_cert.pem | tr -d '\n' > base64_generate_cert.pem
        ```
      </Tab>

      <Tab title="Windows (PowerShell)">
        ```powershell theme={null}
        Get-Content certificate.pem, certificate_chain.txt, private_key.txt |
            Set-Content generated_cert.pem
        [Convert]::ToBase64String([IO.File]::ReadAllBytes("generated_cert.pem")) |
            Set-Content base64_generate_cert.pem -NoNewline
        ```
      </Tab>
    </Tabs>

    The contents of `base64_generate_cert.pem` is the value you will paste into Oleria in the final step.
  </Step>

  <Step title="Upload the certificate to Entra ID">
    Sign in to your Entra ID tenant and navigate to **Microsoft Entra ID** -> **Manage** -> **App registrations**. Open your Oleria app registration.

    <Note>
      If the app is not visible under **Owned applications**, switch to **All applications** and search for it by name.
    </Note>

    Select **Manage** -> **Certificates & secrets** -> **Certificates** and upload `certificate.pem`.

    <img src="https://mintcdn.com/oleria/cmgpTKddsC-m7XBy/images/integrations/microsoft-entra-id/cert-upload.png?fit=max&auto=format&n=cmgpTKddsC-m7XBy&q=85&s=93c6797c239ea67d055c971c6227ca31" alt="Entra ID app registration Certificates and secrets page with Upload certificate button and an uploaded certificate listed" width="1082" height="545" data-path="images/integrations/microsoft-entra-id/cert-upload.png" />
  </Step>

  <Step title="Open the integration in Oleria">
    Log in to your Oleria workspace and navigate to **Workspace** -> **Integrations**.

    * For a new integration, select **Microsoft Entra ID** or **Microsoft SharePoint and OneDrive** to open the side panel.
    * To migrate an existing integration from client secret to client certificate, select **Connected**, then select the edit icon on your Entra ID integration to open the side panel.
  </Step>

  <Step title="Authenticate with the client certificate">
    From the **Authentication Method** dropdown, select **Client Certificate Authentication**.

    Provide the following:

    | Field       | Notes                                                                |
    | :---------- | :------------------------------------------------------------------- |
    | Tenant ID   | Your **Directory (tenant) ID** from the app registration overview.   |
    | Client ID   | Your **Application (client) ID** from the app registration overview. |
    | Private Key | The contents of `base64_generate_cert.pem` from the previous step.   |

    Select **Update** to save the integration.

    <img src="https://mintcdn.com/oleria/cmgpTKddsC-m7XBy/images/integrations/microsoft-entra-id/cert-private-key.png?fit=max&auto=format&n=cmgpTKddsC-m7XBy&q=85&s=4d65f9708328fdbc813401cd9d8e03d6" alt="Oleria Workspace Integrations Connected view with the Update Microsoft Entra ID side panel showing Client Certificate Authentication selected and Tenant Id, Client Id, and Private Key fields" width="1565" height="852" data-path="images/integrations/microsoft-entra-id/cert-private-key.png" />
  </Step>

  <Step title="Clean up generated files">
    `generated_cert.pem` and `base64_generate_cert.pem` both contain the unencrypted private key inline. Delete them from the working directory now that the integration is connected. Your original `certificate.pem`, `certificate_chain.txt`, and `private_key.txt` files are unchanged and can stay in your existing key store.

    <Tabs>
      <Tab title="macOS or Linux">
        ```bash theme={null}
        shred -u generated_cert.pem base64_generate_cert.pem 2>/dev/null || \
          rm -P generated_cert.pem base64_generate_cert.pem
        ```
      </Tab>

      <Tab title="Windows (PowerShell)">
        ```powershell theme={null}
        Remove-Item generated_cert.pem, base64_generate_cert.pem -Force
        ```

        For a stronger overwrite guarantee on a spinning disk, run `cipher /w:<directory>` against the working directory from an elevated command prompt. On an SSD this is a no-op due to wear leveling.
      </Tab>
    </Tabs>

    If your shell records command history, clear it to remove references to the key file paths: `history -c` on Bash or Zsh, `Clear-History` on PowerShell.
  </Step>
</Steps>

### How Oleria handles the private key

The **Private Key** field in the integration form is masked to prevent shoulder-surfing during entry. The value is transmitted to Oleria over TLS and persisted in AWS Secrets Manager, which provides encryption at rest with KMS-managed keys and audit logging on every access. Access to the secret is scoped to the Oleria service that authenticates to Entra ID; no human operator and no other Oleria service can read it.

Oleria does not write the private key to application logs, databases, or temporary files. It is read from AWS Secrets Manager into process memory only when authenticating to Entra ID, and is held in memory only for the duration of that authentication.

## Check the Oleria App in Your Entra ID Instance

<Steps>
  <Step title="Find the Oleria app in Enterprise applications">
    Log in to your Entra ID instance, navigate to **Enterprise applications** → select **All applications**.

    You will find the Oleria application in the Enterprise applications list.

    <img src="https://mintcdn.com/oleria/JQNzbB9a7dBTORxV/images/integrations/microsoft-entra-id/step-22.png?fit=max&auto=format&n=JQNzbB9a7dBTORxV&q=85&s=6511004432bd6b210a2bdcda132169bc" alt="You will find the Oleria application in the Enterprise applications." width="856" height="339" data-path="images/integrations/microsoft-entra-id/step-22.png" />
  </Step>

  <Step title="View granted permissions">
    Select **Permissions** to view the read permissions granted to the Oleria application.

    <img src="https://mintcdn.com/oleria/JQNzbB9a7dBTORxV/images/integrations/microsoft-entra-id/step-24.png?fit=max&auto=format&n=JQNzbB9a7dBTORxV&q=85&s=c6b3468bbd2a01bf13bd57b604d5a193" alt="Select permissions to view the read permissions granted to the Oleria application" width="1002" height="663" data-path="images/integrations/microsoft-entra-id/step-24.png" />
  </Step>
</Steps>

## Contact us

For questions about this integration, contact us at [support@oleria.com](mailto:support@oleria.com).
