Azure Active Directory User and Group Sync
How to connect Herd to your Azure Active Directory to automatically sync users and groups.
Overview of Azure AD User Group Sync
This section walks you through connecting Herd to your Azure Active Directory to automatically sync users and groups, so your Herd roster always reflects who is actually in your organization. By using Azure AD as the source of truth for identities and group membership, you can reduce manual user management, keep access tightly aligned with your directory, and support clean onboarding and off-boarding as people join, move, or leave.
You’ll find step-by-step instructions for creating a dedicated app registration in Azure AD, capturing the required tenant and client IDs, generating a secure client secret, and granting the read-only directory permissions needed for sync. Once those values are entered into Herd and the connection test succeeds, Herd will be able to regularly pull in users and groups from your Azure AD tenant, helping you target the right people, avoid stale accounts, and maintain a consistent security posture across your environment.
What You'll Need
Admin access to your Azure AD tenant
About 10 minutes
Step 1: Create an App Registration
Go to Azure Portal
Navigate to Azure Active Directory > App registrations
Click + New registration
Fill in:
Name: Herd User Sync (or any name you prefer)
Supported account types: Select "Accounts in this organizational directory only"
Redirect URI: Leave blank
Click Register
Step 2: Note Your IDs
After creating the app, you'll see the Overview page. Copy these values - you'll need them later:
Application (client) ID: Overview page, top section
Directory (tenant) ID: Overview page, top section
Step 3: Create a Client Secret
In your app registration, go to Certificates & secrets
Click + New client secret
Add a description (e.g., "Herd Sync")
Choose an expiration (recommended: 24 months)
Click Add
Copy the secret value immediately - you won't be able to see it again
Step 4: Add API Permissions
Go to API permissions
Click + Add a permission
Select Microsoft Graph
Select Application permissions (not Delegated)
Search for and add these permissions:
Directory.Read.All: Read directory data
User.Read.All: Read all users
Group.Read.All: Read all groups
GroupMember.Read.All: Read group memberships
Click Add permissions
Step 5: Grant Admin Consent
After adding permissions, you must grant admin consent:
Still on the API permissions page
Click Grant admin consent for [Your Organization]
Click Yes to confirm
Verify all permissions show a green checkmark under "Status"
Step 6: Configure in Herd
Log into Herd as an admin
Go to Settings > Azure AD Sync
Enter:
Tenant ID: From Step 2
Client ID: From Step 2
Client Secret: From Step 3
Click Test Connection
If successful, click Save
Troubleshooting
Error: 403 Forbidden
This means permissions are missing or not consented:
Go back to API permissions in Azure Portal
Verify all 4 permissions are listed
Check that each has Application type (not Delegated)
Click Grant admin consent again
Wait 5-10 minutes for changes to propagate
Retry the connection test
Error: Invalid Client
The Client ID or Client Secret is incorrect:
Double-check the Client ID matches exactly
Create a new Client Secret and try again
Make sure you copied the secret Value, not the Secret ID
Error: Unauthorized Client
Admin consent was not granted:
Go to API permissions
Click Grant admin consent for [Your Organization]
Ensure you're signed in as an Azure AD admin
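As an added example (not Herd's own code), a small Python pre-flight check that ties Steps 2 through 5 to the Troubleshooting section: it builds the client-credentials token request, reports which of the four application permissions are absent from a token's roles claim, and maps the three error cases to the fixes above. The tenant, client and secret placeholders and the unsigned sample token are constructed for the offline demonstration.

```python
"""Pre-flight check for an Azure AD sync app registration (added example, not Herd's code)."""
import base64
import json
import urllib.parse

# The four application permissions added in Step 4.
REQUIRED_ROLES = {"Directory.Read.All", "User.Read.All", "Group.Read.All", "GroupMember.Read.All"}

def token_request(tenant_id: str, client_id: str, client_secret: str) -> tuple[str, str]:
    """Return (url, form body) for the client-credentials grant on the v2.0 endpoint.
    The .default scope requests only what admin consent has granted, so a token
    can never carry more than the consented application permissions."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    })
    return url, body

def missing_roles(access_token: str) -> set[str]:
    """Decode the JWT payload (no signature check: a local diagnostic only, never an
    authorization decision) and report required application roles that are absent.
    An app-only token lists granted application permissions in its 'roles' claim;
    a missing or short list is the usual cause of the 403 Forbidden case."""
    payload_b64 = access_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped base64 padding
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    return REQUIRED_ROLES - set(claims.get("roles", []))

def explain_failure(status: int, body: dict) -> str:
    """Map the failures listed under Troubleshooting to the fix the page gives."""
    err = body.get("error", "")
    if status == 403:
        return "Permissions missing or not consented: verify the 4 Application permissions and grant admin consent"
    if err == "invalid_client":
        return "Client ID or Client Secret incorrect: copy the secret Value, not the Secret ID"
    if err == "unauthorized_client":
        return "Admin consent not granted: click 'Grant admin consent' as an Azure AD admin"
    return f"Unhandled error: HTTP {status} {err}"

def _sample_token(roles: list[str]) -> str:
    """Constructed, unsigned token (alg none) so the roles check can run offline."""
    header = base64.urlsafe_b64encode(b'{"alg":"none"}').rstrip(b"=").decode()
    payload = base64.urlsafe_b64encode(json.dumps({"roles": roles}).encode()).rstrip(b"=").decode()
    return f"{header}.{payload}."

if __name__ == "__main__":
    print(missing_roles(_sample_token(["User.Read.All", "Group.Read.All"])))
```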
Security Notes
The app registration only has read permissions - it cannot modify your directory
We recommend setting a calendar reminder to rotate the client secret before it expires
You can revoke access at any time by deleting the app registration
Questions?
Contact support@herdsecurity.io for assistance.