
Microsoft Entra ID Integration – Authentication Methods and Troubleshooting

Written by Ola Stål
Updated this week

When connecting Microsoft Entra ID (formerly Azure AD) to Substly, there are two authentication methods available:

  1. Delegated authentication – the default method, based on a specific user’s account and its permissions.

  2. Application authentication – an alternative method where Substly is granted the necessary permissions directly, instead of relying on a specific user’s account.


Quick comparison

| | Delegated authentication | Application authentication |
|---|---|---|
| Who authenticates | A specific user in Entra ID | An Entra ID administrator (Global Admin or Privileged Role Admin) |
| Depends on a user’s role? | Yes – the authenticating user must have sufficient rights | No – permissions are granted to Substly’s application |
| How to fix issues | Assign the user a suitable role (Global Reader, Reports Reader, Security Administrator, Security Operator, Security Reader) | Ensure the authenticating user is an admin with sufficient rights |
| How to enable | Available by default | Contact Substly via in-app chat, then re-authenticate |


Delegated authentication

How it works and limitations
Delegated authentication depends on the permissions of the user account that connects Substly with Entra ID. If that user doesn’t have the required permissions—or if the user’s permissions change or are removed over time—Substly won’t be able to retrieve usage data.

Troubleshooting delegated authentication
If Substly cannot retrieve usage data when using delegated authentication, it is likely due to missing permissions on the user who activated the integration. Assign that user one of the following Entra ID roles:

  • Global Reader

  • Reports Reader

  • Security Administrator

  • Security Operator

  • Security Reader

No further action is needed after the role assignment; Substly will automatically start retrieving usage data.


Alternatively, you can deactivate the integration and re-enable it using another user who already has one of these roles.


Application authentication

Why use Application authentication
With Application authentication, Substly connects directly to Entra ID through an application registration. This ensures the correct permissions are in place, independent of individual users.

How to activate
There is currently no option in Substly’s interface to switch authentication methods. If you would like to use Application authentication, please contact us via the in-app chat and we will enable it for you. Once activated, you will need to re-authenticate the integration.

Required permissions
To authenticate with the Application authentication flow, the person completing the authentication must be an Entra ID administrator (Global Administrator or Privileged Role Administrator).

Substly requests the following API permissions:

  • Directory.Read.All

  • AuditLog.Read.All

  • Application.Read.All

  • Group.Read.All

  • User.Read.All

These permissions are granted to Substly’s application and are not tied to a specific user account.
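
An added example (not Substly's code): after re-authenticating with Application authentication, an administrator can check that the application permissions actually granted match the five listed above. It assumes the integration's appRoleAssignments and the Microsoft Graph service principal's appRoles have been exported from Microsoft Graph; every ID and sample grant below is constructed.

```python
import json

# Application permissions this article says Substly requests.
EXPECTED = frozenset({
    "Directory.Read.All", "AuditLog.Read.All", "Application.Read.All",
    "Group.Read.All", "User.Read.All",
})

GRAPH_SP_ID = "11111111-1111-1111-1111-111111111111"  # constructed object id

# Constructed stand-in for the Microsoft Graph service principal's appRoles
# (role id -> permission name). Real role ids differ; these are placeholders.
APP_ROLES = json.loads("""[
  {"id": "a0000000-0000-0000-0000-000000000001", "value": "Directory.Read.All"},
  {"id": "a0000000-0000-0000-0000-000000000002", "value": "AuditLog.Read.All"},
  {"id": "a0000000-0000-0000-0000-000000000003", "value": "Application.Read.All"},
  {"id": "a0000000-0000-0000-0000-000000000004", "value": "Group.Read.All"},
  {"id": "a0000000-0000-0000-0000-000000000005", "value": "User.Read.All"},
  {"id": "a0000000-0000-0000-0000-000000000006", "value": "Mail.Read"}
]""")

# Constructed appRoleAssignments export for the integration's service principal.
ASSIGNMENTS = json.loads("""{"value": [
  {"resourceId": "11111111-1111-1111-1111-111111111111", "appRoleId": "a0000000-0000-0000-0000-000000000001"},
  {"resourceId": "11111111-1111-1111-1111-111111111111", "appRoleId": "a0000000-0000-0000-0000-000000000002"},
  {"resourceId": "11111111-1111-1111-1111-111111111111", "appRoleId": "a0000000-0000-0000-0000-000000000003"},
  {"resourceId": "11111111-1111-1111-1111-111111111111", "appRoleId": "a0000000-0000-0000-0000-000000000005"},
  {"resourceId": "11111111-1111-1111-1111-111111111111", "appRoleId": "a0000000-0000-0000-0000-000000000006"},
  {"resourceId": "22222222-2222-2222-2222-222222222222", "appRoleId": "b0000000-0000-0000-0000-000000000001"}
]}""")["value"]


def audit_app_permissions(assignments, app_roles, graph_sp_id, expected=EXPECTED):
    """Compare granted Microsoft Graph application permissions with the expected set."""
    names = {role["id"]: role["value"] for role in app_roles}
    # Only grants whose resource is Microsoft Graph map onto the documented list.
    graph = [a for a in assignments if a["resourceId"] == graph_sp_id]
    granted = {names.get(a["appRoleId"], "unknown:" + a["appRoleId"]) for a in graph}
    return {
        "missing": sorted(expected - granted),     # documented but not granted
        "unexpected": sorted(granted - expected),  # granted beyond the documented list
        "other_resources": len(assignments) - len(graph),  # grants on other APIs
    }


if __name__ == "__main__":
    print(json.dumps(audit_app_permissions(ASSIGNMENTS, APP_ROLES, GRAPH_SP_ID), indent=2))
```

With the constructed sample, the report flags Group.Read.All as missing, Mail.Read as an unexpected grant, and one grant on a resource other than Microsoft Graph.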


Which method should I choose?

  • If delegated authentication works after assigning a qualifying role to the authenticating user, you can continue using delegated.

  • If delegated authentication doesn’t work for your organization—or you prefer a setup that isn’t dependent on a single user’s permissions—use Application authentication.


Need help?

  • For delegated authentication issues, review the troubleshooting steps above.

  • For Application authentication activation or issues, contact us in the in-app chat.

