Entra ID Directory

TruU integrates with Microsoft Entra ID to authenticate users and manage access. You can set up this integration manually through the Azure portal, or use a PowerShell script to automate the process. Both methods produce the same result.

Prerequisites

Before you begin, confirm you have:

Global Administrator access in Microsoft Entra ID
Admin access to the TruU Admin Console

Step 1: Register TruU in Entra ID

Choose your preferred setup method:

Manual Setup
PowerShell (Quick Setup)

In the Microsoft Entra admin center, go to Applications > App Registrations and click New Registration.
Set the display name to TruU and click Register.
From the app page, go to API permissions, click Add a permission, select Microsoft Graph, then choose Application permissions.
Add the following permissions and grant admin consent for each:
- Device.Read.All
- Group.Read.All
- Directory.Read.All
- User.Read (Delegated — enabled by default; grant admin consent if missing)
- User.Read.All
- UserAuthenticationMethod.Read.All
- Application.Read.All
- UserAuthenticationMethod.ReadWrite.All

Verify all permission names, types, and admin consent status before continuing.

Go to Certificates & secrets, click New client secret, enter “TruU” as the description, and choose an expiry (12 months recommended).
Copy the Value immediately — it will not be shown again. You will need it in Step 2.

This script automates the manual steps. It registers an app named TruUIDS in Entra ID, grants the required Microsoft Graph permissions with admin consent, and outputs the credentials you need for TruU.Requirements:

Global Administrator (or sufficient rights to register apps and grant Microsoft Graph permissions)
Microsoft Graph PowerShell SDK installed

The client secret is displayed only once when the script completes. Copy it to a secure location before closing the terminal.

Run the following in PowerShell as Administrator:

# Define the application name
$appName = "TruUIDS"

# Define required Application permissions
$permissionNames = @(
    "Application.Read.All",
    "Device.Read.All",
    "Group.Read.All",
    "Directory.Read.All",
    "User.Read.All",
    "UserAuthenticationMethod.Read.All",
    "UserAuthenticationMethod.ReadWrite.All"
)

Write-Host "Connecting to Microsoft Graph..." -ForegroundColor Cyan
Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"

if (-not (Get-MgContext)) {
    Write-Host "Could not connect. Exiting." -ForegroundColor Red
    exit
}

$graphSP = Get-MgServicePrincipal -Filter "DisplayName eq 'Microsoft Graph'"
$graphResourceId = $graphSP.AppId

Write-Host "Building permission list..." -ForegroundColor Cyan
$resourceAccessList = @()
foreach ($name in $permissionNames) {
    $role = $graphSP.AppRoles | Where-Object { $_.Value -eq $name }
    if ($role) {
        $resourceAccessList += @{ Id = $role.Id; Type = "Role" }
        Write-Host "  Added: $name" -ForegroundColor Gray
    }
}

$requiredAccess = @(@{ ResourceAppId = $graphResourceId; ResourceAccess = $resourceAccessList })

Write-Host "Creating app registration..." -ForegroundColor Cyan
try {
    $app = New-MgApplication -DisplayName $appName -RequiredResourceAccess $requiredAccess
    Write-Host "App created: $($app.AppId)" -ForegroundColor Green
} catch {
    Write-Error $_.Exception.Message; exit
}

Write-Host "Creating service principal..." -ForegroundColor Cyan
$sp = New-MgServicePrincipal -AppId $app.AppId
Write-Host "Service principal created." -ForegroundColor Green

Write-Host "Granting admin consent..." -ForegroundColor Cyan
foreach ($name in $permissionNames) {
    $role = $graphSP.AppRoles | Where-Object { $_.Value -eq $name }
    if (-not $role) { continue }
    $params = @{
        PrincipalId = $sp.Id
        ResourceId  = $graphSP.Id
        AppRoleId   = $role.Id
    }
    try {
        New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -BodyParameter $params
        Write-Host "  Granted: $name" -ForegroundColor Green
    } catch {
        Write-Host "  Failed: $name" -ForegroundColor Red
    }
}

$secretParams = @{
    PasswordCredential = @{
        DisplayName = "TruU"
        EndDateTime = (Get-Date).AddMonths(12)
    }
}
try {
    $secret = Add-MgApplicationPassword -ApplicationId $app.Id -BodyParameter $secretParams
    Write-Host "Client secret created." -ForegroundColor Green
} catch {
    Write-Error $_.Exception.Message; exit
}

$tenantId = (Get-MgContext).TenantId

Write-Host ""
Write-Host "========================================"  -ForegroundColor Cyan
Write-Host "       APPLICATION CREDENTIALS          " -ForegroundColor Cyan
Write-Host "========================================"  -ForegroundColor Cyan
Write-Host "Application Name : $appName"              -ForegroundColor White
Write-Host "Tenant ID        : $tenantId"             -ForegroundColor White
Write-Host "Client ID (AppId): $($app.AppId)"        -ForegroundColor White
Write-Host "Client Secret    : $($secret.SecretText)" -ForegroundColor Yellow
Write-Host "Secret Expires   : $($secret.EndDateTime)" -ForegroundColor White
Write-Host "========================================"  -ForegroundColor Cyan
Write-Host "IMPORTANT: Copy the Client Secret now!"   -ForegroundColor Red

When the script finishes, note the Tenant ID, Client ID, and Client Secret from the output. You will need these in Step 2.

Step 2: Configure in TruU

In the TruU Admin Console, go to Settings > Directory and click + to add a new directory.
Select Entra ID from the drop-down.
Enter a Configuration Name and your Entra ID domain name.
Select whether all users share the same UPN suffix.
Enter the credentials from Step 1:
- Directory (Tenant ID)
- Application Client ID
- Application Client Secret Value
Choose whether TruU should automatically unenroll devices when a user is disabled or removed, then click Save.
When prompted, click Go Now to continue to the Global Attributes tab.
Click the Gear icon, select your Primary User Identifier (typically “mail”), and click Save.

Verification

Once saved, check that the directory shows Active and Healthy in the TruU Admin Console. Initial connectivity after a new configuration may take 3–5 minutes.

​Prerequisites

​Step 1: Register TruU in Entra ID

​Step 2: Configure in TruU

​Verification

Prerequisites

Step 1: Register TruU in Entra ID

Step 2: Configure in TruU

Verification