Microsoft Entra Group Sync
Connect your Microsoft Entra tenant so device group membership flows automatically into TridentStack Control tags. Map an Entra group to a tag once, and every enrolled endpoint in that group carries the tag, now and as membership changes. Because tags drive policy targeting in TridentStack Control, your update policies, configuration policies, and compliance baselines follow the groups you already maintain in Entra without re-tagging endpoints by hand.
The connection is read-only and inbound only: TridentStack Control reads group membership from Entra and never writes anything back to your directory.
This is separate from single sign-on. SSO controls how administrators log in to TridentStack Control. Entra Group Sync mirrors your device groups onto endpoint tags. You can use either, both, or neither.
How it works
- You connect your Entra tenant with a one-time administrator consent (read-only).
- You create mappings, each pairing one Entra group with one TridentStack Control tag.
- TridentStack Control reconciles membership on a schedule (about once an hour) and whenever you click Sync now. Enrolled endpoints that belong to the group receive the tag; endpoints that leave the group have that tag removed.
Only endpoints already enrolled in TridentStack Control are affected. The sync matches Entra device group members against your enrolled endpoints. It does not enroll new devices or change anything in Entra.
Prerequisites
- A Microsoft Entra tenant with the device groups you want to mirror.
- An account that can grant administrator consent for the tenant (for example, Global Administrator or Privileged Role Administrator). This is needed once, at connection time. Day-to-day mapping management afterward needs only TridentStack Control permissions.
- The Manage integrations permission in TridentStack Control (included in the Administrator role).
- Endpoints enrolled in TridentStack Control that correspond to the devices in your Entra groups.
Connecting your tenant
- Go to Settings > Integrations.
- On the Microsoft Entra card, click Connect.
- You are redirected to Microsoft to sign in and grant consent. Review the requested read-only permissions and approve.
- After consent, you return to TridentStack Control and the card shows Connected, along with your tenant and the last sync time.
If consent is declined or interrupted, the card shows Consent pending or Error. Click Reconnect to try again.
Mapping a group to a tag
With the tenant connected, open Settings > Integrations and use the Group to tag mappings section.
- Click Add mapping.
- Include nested group members (on by default) controls whether members of nested groups count toward the mapping.
- Choose the Entra group. The group picker is searchable and shows, for each group, how many of its devices are managed by TridentStack Control alongside its total device count, so you can judge the impact before mapping. Turn on Hide groups with no devices to filter out groups that have no managed endpoints.
- Choose the Tag to apply.
- The dialog previews the immediate impact, for example "This will tag 12 agents now."
- Click Create mapping.
The tag is applied to matching endpoints on the next sync. You can trigger that immediately with Sync now.
Managing mappings
The Group to tag mappings table lists every mapping and its current state:
| Column | Meaning |
|---|---|
| Entra group | The source group in your directory |
| Tag | The TridentStack Control tag applied to that group's members |
| Nested | Whether nested group members are included (toggle) |
| Enabled | Whether the mapping is active (toggle) |
| Matched | How many enrolled endpoints matched at the last reconcile |
| Last sync | When this mapping last reconciled |
Each mapping has three actions:
- Preview shows how many enrolled endpoints currently match, without making any change.
- Sync now reconciles this mapping immediately. The reconcile runs in the background, so the updated match count and last sync time appear a few seconds after you start it.
- Delete removes the mapping and removes its tag from every endpoint the mapping tagged. You are asked to confirm because of that tag removal.
Turning Enabled off pauses a mapping without deleting it: it stops applying and maintaining the tag until you turn it back on.
Sync behavior and timing
- The scheduled reconcile runs about once an hour across all mappings.
- Sync now runs on demand for a single mapping.
- Reconcile is membership-driven. At each run, endpoints currently in the group receive the tag, and endpoints no longer in the group have that mapping's tag removed.
Because a tag applied by a mapping is maintained by the sync, manage who has the tag by managing the Entra group, rather than adding or removing that tag by hand on individual endpoints.
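The reconcile rules above (tag members, untag non-members, ignore unenrolled devices, honor the nested and enabled toggles, and give the hand-applied tag back to the sync) are easy to get subtly wrong, so here is a small model of them in Python. This is an added illustration, not TridentStack Control's own code or API: the `Mapping` and `Endpoint` classes, the `DIRECTORY` snapshot, and the function names are assumptions, and the sample tenant data is constructed.

```python
"""Model of the membership-driven reconcile described on this page.

Hypothetical example: the classes, function names, DIRECTORY snapshot and
sample tenant data are assumptions for illustration, not product code.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Mapping:
    group_id: str
    tag: str
    include_nested: bool = True   # the "Nested" toggle
    enabled: bool = True          # the "Enabled" toggle


@dataclass
class Endpoint:
    name: str
    entra_device_id: Optional[str]      # None: enrolled but not in Entra
    tags: Set[str] = field(default_factory=set)


# Constructed directory snapshot: group id -> (device members, nested group ids).
# grp-finance-exec nests grp-finance back, so resolution must tolerate cycles.
DIRECTORY: Dict[str, Tuple[Set[str], Set[str]]] = {
    "grp-finance": ({"dev-1", "dev-2", "dev-4"}, {"grp-finance-exec"}),
    "grp-finance-exec": ({"dev-3"}, {"grp-finance"}),
    "grp-lab": ({"dev-9"}, set()),
}


def group_members(group_id: str, include_nested: bool) -> Set[str]:
    """Resolve a group's device members, walking nested groups when enabled."""
    seen: Set[str] = set()
    stack = [group_id]
    members: Set[str] = set()
    while stack:
        gid = stack.pop()
        if gid in seen or gid not in DIRECTORY:
            continue                      # cycle or unknown group: skip
        seen.add(gid)
        devices, nested = DIRECTORY[gid]
        members |= devices
        if include_nested:
            stack.extend(nested)
    return members


def preview(mapping: Mapping, endpoints: List[Endpoint]) -> int:
    """Count enrolled endpoints that match the group; changes nothing."""
    members = group_members(mapping.group_id, mapping.include_nested)
    return sum(1 for e in endpoints if e.entra_device_id in members)


def reconcile(mapping: Mapping, endpoints: List[Endpoint]) -> Tuple[List[str], List[str]]:
    """Apply the mapping's tag to current members and remove it from non-members.

    Returns (tagged, untagged) endpoint names. Only enrolled endpoints are
    touched: group members with no enrolled endpoint (dev-4) are ignored.
    A disabled mapping neither applies nor maintains its tag.
    """
    if not mapping.enabled:
        return [], []
    members = group_members(mapping.group_id, mapping.include_nested)
    tagged: List[str] = []
    untagged: List[str] = []
    for e in endpoints:
        in_group = e.entra_device_id is not None and e.entra_device_id in members
        if in_group and mapping.tag not in e.tags:
            e.tags.add(mapping.tag)
            tagged.append(e.name)
        elif not in_group and mapping.tag in e.tags:
            e.tags.discard(mapping.tag)      # sync owns the tag; hand-added copies go
            untagged.append(e.name)
    return tagged, untagged


def sample_endpoints() -> List[Endpoint]:
    """Constructed enrolled-endpoint inventory for the example."""
    return [
        Endpoint("laptop-a", "dev-1"),
        Endpoint("laptop-b", "dev-2", {"finance"}),   # already tagged: no-op
        Endpoint("exec-c", "dev-3"),                  # only via nested group
        Endpoint("kiosk-d", "dev-9", {"finance"}),    # hand-tagged, not a member
        Endpoint("unjoined-e", None),                 # enrolled, not in Entra
    ]


if __name__ == "__main__":
    finance = Mapping("grp-finance", "finance")
    inventory = sample_endpoints()
    print("preview:", preview(finance, inventory))
    print("first reconcile:", reconcile(finance, inventory))
    print("second reconcile:", reconcile(finance, inventory))
```

Running it shows the behavior the page describes: the first reconcile tags laptop-a and exec-c (exec-c only because nesting is on), strips the hand-applied tag from kiosk-d, leaves unjoined-e and the unenrolled dev-4 alone, and a second run is a no-op because membership has not changed.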
Disconnecting
To disconnect, click Disconnect on the Microsoft Entra card. This removes all group mappings and the tags they applied. The connection and the consent it relied on are removed from TridentStack Control.
You can also revoke consent at any time from the Microsoft Entra admin center under Enterprise applications. Revoking consent in Entra stops all syncing; the integration shows a Revoked state until you reconnect or disconnect.
Security and privacy
- Read-only, inbound only. TridentStack Control requests only the permissions needed to read your groups, their members, and device records. It never modifies your Entra directory.
- Tenant-level consent. Consent is granted once by an administrator and applies to your tenant. You remain in control and can revoke it at any time.
Map the groups you already use to organize devices, such as by department, location, hardware class, or risk tier. Your TridentStack Control policies then inherit that structure automatically, and new devices pick up the right tags as soon as they join the group and enroll.