Microsoft Entra ID
Manage Entra ID users, groups, licenses, and sign-in risk through Microsoft Graph.
Dex connects to Microsoft Entra ID (formerly Azure AD) via Microsoft Graph and lets admins and employees run day-to-day identity operations — creating users, managing group memberships, resetting passwords and MFA, unblocking risky sign-ins, updating profile photos — with policy gates driven by directory roles and IT security groups.
What Dex does with Microsoft Entra ID
Dex handles both admin workflows and employee self-service — all policy-guardrailed and audit-logged.
For admins (CoAdmin)
- Create Entra ID users with full profile (name, department, job title, manager, office, phones, usage location)
- Search users by name, UPN, email, department, job title, or account status
- List and remediate locked (disabled) user accounts in bulk
- Update any user property — job info, contact info, account enabled flag, password policies
- Manage membership of security groups and Microsoft 365 groups (add, remove, check)
- Reset user passwords with auto-generated strong passwords and forceChangePasswordNextSignIn
- Reset MFA methods and unblock users blocked by Identity Protection risk
- Update profile photo, phone, office location, and job title on behalf of users
- Discover directory roles (Global Admin, Helpdesk Admin, User Admin) and infer approver groups
For employees (self-service)
- Reset your own Entra ID password
- Unblock your own sign-in when flagged by risk detection
- Reset your own MFA methods (authenticator app, phone) when you replace your device
- Update your own profile photo, phone number, office location, and job title
- Request to join a security group or Microsoft 365 group
- View your own profile, directory roles, and group memberships
Just ask Dex
Your team types a request in plain language. Dex investigates, plans, and executes — with the right guardrails.
Admin prompts
- Create a new Entra user for noa.levi@acme.com as Software Engineer in R&D, manager is david@acme.com, send credentials to david
- Show me every locked Entra account in the Sales department and unlock the ones on this list
- Add sarah@acme.com to the "Finance-Admins" security group and the "Finance-M365" group
- Reset the password for a user named "John Smith" — generate a strong one and force change on next login
- Who belongs to the "IT Support" group? And which groups is alice@acme.com a member of?
- Reset MFA for tom@acme.com — he got a new phone and can't sign in
Employee prompts
- Reset my Microsoft 365 password
- I got a new phone, reset my MFA so I can set up the authenticator again
- Change my profile picture to the one I just attached
- Update my mobile number to +1 415 555 0123 and office to "SF HQ - Floor 4"
- Request access to the "All-Engineering" Teams group
Policy actions
Every action Dex can take on Microsoft Entra ID is declared, scoped, and guardrailed. Admins control which apply, who approves them, and whether they're limited to self-service.
| Action | What it does |
|---|---|
| password_reset | Reset an Entra ID user password |
| unblock_signin | Unblock a sign-in blocked by Identity Protection risk |
| mfa_reset | Reset a user's MFA methods (excludes privileged admins) |
| update_photo | Update a user's profile photo (Teams, Outlook, SharePoint sync) |
| update_user_profile | Update profile fields: phone, office, job title, department |
| grant_access | Add a user to a security group, M365 group, or enterprise app |
How to configure Microsoft Entra ID
Onboarding takes minutes. Dex validates your credentials before saving them.
Setup steps
1. In Dex, start the Microsoft 365 integration flow and click "Connect Microsoft 365".
2. Sign in with a Global Administrator (or Privileged Role Administrator) account of your tenant.
3. Review the consent screen — Dex requests User.ReadWrite.All, Group.ReadWrite.All, GroupMember.ReadWrite.All, Directory.ReadWrite.All, and UserAuthenticationMethod.ReadWrite.All.
4. Click "Accept" to grant admin consent — this provisions the Dex enterprise application in your tenant.
5. Dex validates the token with a GET /me call and caches the refresh token. No manual tenant ID, client ID, or secret to copy.
6. Run Entra ID discovery in Dex — it enumerates security groups, directory roles, enterprise apps, and subscribed licenses, then proposes approver groups from Global Admin and Helpdesk Admin members.
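To check what the admin consent in step 4 actually granted, the following added example (not Dex's or Microsoft's code) compares the delegated grants returned by `GET /v1.0/servicePrincipals/{id}/oauth2PermissionGrants` with the scopes listed in step 3. It assumes the grants are delegated (the page describes a `/me` call and a refresh token), treats the OIDC sign-in scopes as expected, and runs on a constructed sample response with placeholder IDs.

```python
import json

# Delegated Graph scopes the page lists on the Dex consent screen.
DOCUMENTED = frozenset({
    "User.ReadWrite.All", "Group.ReadWrite.All", "GroupMember.ReadWrite.All",
    "Directory.ReadWrite.All", "UserAuthenticationMethod.ReadWrite.All",
})
# Assumption: sign-in scopes that normally accompany a cached refresh token.
SIGN_IN = frozenset({"openid", "profile", "email", "offline_access"})

# Constructed sample response; all object IDs are placeholders.
SAMPLE = json.dumps({"value": [
    {"clientId": "<dex-sp-id>", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "<graph-sp-id>",
     "scope": " User.ReadWrite.All Group.ReadWrite.All GroupMember.ReadWrite.All"
              " Directory.ReadWrite.All offline_access"},
    {"clientId": "<dex-sp-id>", "consentType": "Principal",
     "principalId": "<user-id>", "resourceId": "<graph-sp-id>",
     "scope": "Mail.Read"},
]})


def audit_grants(response_text):
    """Compare granted delegated scopes with the documented set."""
    granted, unexpected = set(), []
    for grant in json.loads(response_text).get("value", []):
        # Graph returns scopes as one space-delimited string, often with a
        # leading space, so split on whitespace rather than on " ".
        scopes = set((grant.get("scope") or "").split())
        granted |= scopes
        for scope in sorted(scopes - DOCUMENTED - SIGN_IN):
            unexpected.append({
                "scope": scope,
                "consentType": grant.get("consentType"),
                "principalId": grant.get("principalId"),
            })
    return {
        "missing": sorted(DOCUMENTED - granted),   # documented but not granted
        "unexpected": unexpected,                  # granted but not documented
    }


if __name__ == "__main__":
    print(json.dumps(audit_grants(SAMPLE), indent=2))
```

A non-empty `unexpected` list is worth reviewing before rollout; a non-empty `missing` list means the corresponding policy actions will fail for lack of the scope.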
No extra credentials
This integration is covered by your Microsoft 365 tenant authorization to Dex. There are no per-app credentials to create or rotate.
Requirements
- Microsoft 365 tenant with Entra ID P1 or P2 licenses recommended (P2 required for risk-based sign-in and MFA policies)
- Global Administrator or Privileged Role Administrator needed to grant tenant-wide admin consent
- Credentials are inherited from the Dex Microsoft 365 Graph connection — there is no app-specific setup
- Password reset and MFA reset require Authentication Administrator or Helpdesk Administrator role on the Dex service principal
- Self-service password reset requires Entra ID SSPR to be enabled in the tenant