Identity providers
      Back to home
      1. Home
      2. Integrations
      3. Identity providers

      Microsoft Workspace Integration

      Overview

      Why do you need to connect the integration?

      1. Get a complete view of your organization
        Automatically sync all users, directories, and domains from Microsoft Entra ID. No manual uploads required.
      2. Track app usage with Microsoft SSO
        See which third-party apps employees are signing into with their corporate accounts and when they last accessed them. This helps identify redundant or risky tools.
      3. Manage costs more effectively
        See which third-party apps employees are signing into with their corporate accounts and when they last accessed them. This helps identify redundant or risky tools.
      4. Maintain data accuracy
        User, directory, and audit log data is refreshed daily, so your dashboards always reflect the latest state of your organization.
      5. Ensure secure access
        User, directory, and audit log data is refreshed daily, so your dashboards always reflect the latest state of your organization.
       What data do we pull?
      • Users: names, emails, profile photos
      • Directory structure and domains
      • Audit logs: user sign-ins and app activity via Microsoft SSO
      • Continuous access via refresh tokens (offline access)

      NOTE: This is the read-only integration, a specific plan is needed to collect apps linked by MS Auth 

      IMPORTANT: Please make sure you have Microsoft Entra ID plan on your MS account. Otherwise we won't be able to fetch the data

      How does it work?

      Spendbase connects to Microsoft via Microsoft Graph API in read-only mode.

      • No changes made to your Microsoft account
      • Data is used only for visibility and SaaS cost optimization
      • The initial data import may take up to 30 minutes, depending on the amount of data
      • After the initial sync, data is automatically refreshed once per day

      Connection steps

      1. Open the Integrations tab in Spendbase
      2. Click Connect Microsoft
      3. Sign in with your Admin account
      4. Approve the requested scopes

      Required scopes

      Scope Description Why does Spendbase need it

      offline_access

      Maintain access to data you have given Spendbase permission to use

      Allows Spendbase to refresh tokens and keep the integration connected without requiring manual reconnection

      /graph.microsoft.com/Directory.Read.All

      Read directory data, including users, groups, and domains

      Provides a full view of your organization’s structure in Microsoft Entra ID

      /graph.microsoft.com/User.Read.All

      Read all user profiles in your organization

      Syncs the complete list of users for accurate reporting

      /graph.microsoft.com/ProfilePhoto.Read.All

      Read user profile photos

      Pulls avatars to display users consistently across Spendbase

       

      /graph.microsoft.com/AuditLog.Read.All

      Read audit logs, including sign-in and app usage events

      Tracks user activity and which apps are accessed with Microsoft SSO

       

      How to verify the sync?

      The widget status will show:
      • Getting data – sync in progress
      • Active – data successfully synced
      • You will also receive an in-app notification once the sync is complete
      • The pulled data will appear on the pages Employee, Applications, and Insights
      • From then on, data will be automatically refreshed once per day

      How to disconnect?

      1. Open the Microsoft widget
      2. Click Disconnect 
       

       If you run into issues, our support team is here to help:

      • Contact us directly at support@spendbase.co
      • Or reach out via in-app chat for live assistance