AI Clearance Microsoft Entra Connector Setup Guide

Configure AI Clearance to create, bind, test, and manage Microsoft Entra group membership for approved AI tool access.

Overview

The Microsoft Entra connector lets AI Clearance automate group membership after a Jira approval. AI Clearance controls membership in configured entitlement groups. It does not assign enterprise applications, app roles, licenses, or Microsoft 365 resources to those groups.

Use this guide when Microsoft Entra groups are the source of truth for access to AI tools or AI platforms.

Before you begin

  • You must be a Jira admin for the site where AI Clearance is installed.
  • You must have Microsoft Entra permissions to register applications and grant API permissions.
  • Confirm which Entra group controls each AI tool or AI platform entitlement.
  • Decide whether AI Clearance should create new entitlement groups or bind to existing Entra groups.
  • Have a test Jira user and matching Entra user available before enabling the connector for production requests.

Required Microsoft Entra information

Value | Where to find it | Notes
Tenant ID | Microsoft Entra admin center - tenant overview | Use the directory tenant where the target groups and users live.
Client ID | The application ID from the app registration used by AI Clearance | Use a dedicated app registration for connector operations.
Client secret | Certificates and secrets on the app registration | Copy the secret value when created. Microsoft does not show it again later.
Group-management permissions | API permissions on the app registration, with admin consent granted | The app must be able to read users and groups, create groups if you use group creation, and add or remove members from target groups.

Step-by-step setup

  1. Open the Microsoft Entra admin center.
  2. Go to Identity - Applications - App registrations.
  3. Create a new app registration for AI Clearance connector operations.
  4. Record the Application (client) ID and Directory (tenant) ID.
  5. Create a client secret under Certificates and secrets. Save the secret value in your approved secret-handling process.
  6. Add Microsoft Graph application permissions required for your connector mode. At minimum, plan for user read, group read, group membership write, and group creation if AI Clearance will create groups.
  7. Grant admin consent for the application permissions.
  8. Create or confirm the Entra groups that will control access to each AI tool. Use clear names such as AI Clearance - ChatGPT Enterprise - Users.
  9. Assign each Entra group to the real enterprise application, app role, license, or resource outside AI Clearance.
  10. In Jira, open Jira admin - Apps - AI Clearance - Connectors.
  11. Select Set up on the Microsoft Entra row or choose Add connector and set the type to Microsoft Entra.
  12. Enter a connector ID, name, optional description, and the configuration JSON or approved secret reference.
  13. Save the connector, then use Test connection from the connector actions menu.
  14. Add identity mappings for Jira users whose Entra UPN or email does not resolve automatically.
  15. When adding or editing catalog tools, choose the Microsoft Entra connector and create or bind the entitlement group for that tool.

Configuration example

Use placeholders only. Never paste real client secrets into documentation, Jira issue comments, screenshots, or support tickets.

{
  "tenantId": "<microsoft-entra-tenant-id>",
  "clientId": "<application-client-id>",
  "clientSecret": "<client-secret-value>"
}

If your ArdSaor deployment supports a backend secret reference, enter the approved reference instead of raw JSON. The connector test should still pass before you assign the connector to catalog tools.
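
A local pre-flight check for the configuration JSON above, as an added example that is not part of AI Clearance. It assumes the connector expects the tenant ID and client ID in GUID form, and it flags a GUID-shaped clientSecret because a secret ID is a GUID while a secret value is not; the function name and sample values are constructed for illustration.

```python
import json
import re

GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
REQUIRED = ("tenantId", "clientId", "clientSecret")


def lint_connector_config(raw: str) -> list:
    """Return a list of problems in a connector configuration JSON string.

    Messages name the key only and never echo a value, so the output is
    safe to paste into a ticket.
    """
    try:
        cfg = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(cfg, dict):
        return ["top level must be a JSON object"]

    problems = []
    for key in REQUIRED:
        value = cfg.get(key)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{key}: missing or empty")
        elif value.startswith("<") and value.endswith(">"):
            problems.append(f"{key}: placeholder was not replaced")
        elif value != value.strip():
            problems.append(f"{key}: leading or trailing whitespace")
        elif key != "clientSecret" and not GUID.fullmatch(value):
            problems.append(f"{key}: expected a GUID")
        elif key == "clientSecret" and GUID.fullmatch(value):
            problems.append("clientSecret: looks like the secret ID, not the secret value")
    if not problems and cfg["tenantId"].lower() == cfg["clientId"].lower():
        problems.append("tenantId and clientId are identical")
    return problems


# Constructed sample: the secret ID (a GUID) pasted where the value belongs.
SAMPLE = """{
  "tenantId": "11111111-2222-3333-4444-555555555555",
  "clientId": "<application-client-id>",
  "clientSecret": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
}"""

if __name__ == "__main__":
    for problem in lint_connector_config(SAMPLE):
        print(problem)
```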

Testing the connector

  1. Open AI Clearance - Connectors.
  2. Find the Microsoft Entra row and open its actions menu.
  3. Select Test connection.
  4. Confirm the test succeeds before using the connector for live approvals.
  5. Create a low-risk test catalog tool, bind a test Entra group, submit a test request, approve it, and confirm the test user is added to the group.
  6. Remove the test access and confirm deprovisioning behavior before production rollout.

Troubleshooting

Connector test fails

  • Confirm the tenant ID and client ID belong to the same tenant.
  • Confirm the client secret value, not the secret ID, was entered.
  • Confirm Microsoft Graph application permissions have admin consent.

Groups cannot be created or updated

  • Confirm the app registration has the required group permissions.
  • Confirm the target groups are cloud-managed groups that can have membership managed by API.
  • Confirm the group is assigned to the real application, app role, license, or resource in Microsoft Entra. AI Clearance does not do app assignment.

User provisioning needs manual follow-up

  • Confirm the Jira user has an admin-managed identity mapping or an Entra UPN/email that can be matched exactly.
  • Check for duplicate or guest users with similar UPNs or email addresses.
  • Add an explicit identity mapping in AI Clearance when automatic matching is ambiguous.

Security recommendations

  • Use least-privilege Microsoft Graph application permissions where possible.
  • Use a dedicated app registration so connector activity is auditable.
  • Store secrets only in approved secret storage or in the AI Clearance connector configuration field.
  • Rotate client secrets before expiry and immediately after personnel or vendor-access changes.
  • Do not paste client secrets into Jira issue comments, support tickets, chat messages, or documentation.
  • Disable or delete stale connectors that are no longer used by catalog tools.
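
To check the least-privilege recommendation and the admin-consent item under "Connector test fails", the added example below (not part of AI Clearance) inspects the claims of an app-only Microsoft Graph access token: consented application permissions appear in the roles claim, the tenant in tid, and the client ID in appid or azp. The expected permission set is an assumption about what the connector needs, and the sample token is constructed and unsigned.

```python
import base64
import json

# Assumed least-privilege set for a connector that also creates groups. These
# are real Microsoft Graph application permissions, but which ones AI Clearance
# requires is an assumption; adjust to the product's documented list.
EXPECTED_ROLES = frozenset(
    {"User.Read.All", "Group.Read.All", "GroupMember.ReadWrite.All", "Group.Create"}
)

def b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only; the signature is not verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def audit_app_token(token, tenant_id, client_id, expected=EXPECTED_ROLES):
    """Compare an app-only Graph token's claims with the connector's intent."""
    claims = jwt_claims(token)
    roles = set(claims.get("roles", []))
    findings = []
    if claims.get("tid") != tenant_id:
        findings.append("tid does not match the configured tenant ID")
    if client_id not in (claims.get("appid"), claims.get("azp")):
        findings.append("appid/azp does not match the configured client ID")
    if not roles:
        findings.append("no roles claim: permissions not added or not consented")
    findings += [f"excess permission: {r}" for r in sorted(roles - expected)]
    findings += [f"missing permission: {r}" for r in sorted(expected - roles)]
    return findings

# Constructed, unsigned sample token; not issued by Microsoft Entra.
TENANT = "11111111-2222-3333-4444-555555555555"
CLIENT = "66666666-7777-8888-9999-000000000000"
SAMPLE_TOKEN = ".".join([
    b64url({"alg": "none", "typ": "JWT"}),
    b64url({"tid": TENANT, "appid": CLIENT, "roles": [
        "User.Read.All", "Group.Read.All", "GroupMember.ReadWrite.All",
        "Directory.ReadWrite.All"]}),
    "constructed-signature",
])

if __name__ == "__main__":
    print("\n".join(audit_app_token(SAMPLE_TOKEN, TENANT, CLIENT)))
```

Treat any access token as a credential while inspecting it: decode it locally and do not paste it into online decoders, tickets, or chat.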