When connecting Microsoft Entra ID (formerly Azure AD) to Substly, there are two authentication methods available:
Delegated authentication – the default method, based on a specific user’s account and its permissions.
Application authentication – an alternative method where Substly is granted the necessary permissions directly, instead of relying on a specific user’s account.
Quick comparison
| Delegated authentication | Application authentication |
Who authenticates | A specific user in Entra ID | An Entra ID administrator (Global Admin or Privileged Role Admin) |
Depends on a user’s role? | Yes – the authenticating user must have sufficient rights | No – permissions are granted to Substly’s application |
How to fix issues | Assign the user a suitable role (Global Reader, Reports Reader, Security Administrator, Security Operator, Security Reader) | Ensure the authenticating user is an admin with sufficient rights |
How to enable | Available by default | Contact Substly via in-app chat, then re-authenticate |
Delegated authentication
How it works and limitations
Delegated authentication depends on the permissions of the user account that connects Substly with Entra ID. If that user doesn’t have the required permissions—or if the user’s permissions change or are removed over time—Substly won’t be able to retrieve usage data.
Troubleshooting delegated authentication
If Substly cannot retrieve usage data when using delegated authentication, it is likely due to missing permissions on the user who activated the integration. Assign that user one of the following Entra ID roles:
Global Reader
Reports Reader
Security Administrator
Security Operator
Security Reader
No further action is needed after the role assignment; Substly will automatically start retrieving usage data.
Alternatively, you can deactivate the integration and re-enable it using another user who already has one of these roles.
Application authentication
Why use Application authentication
With Application authentication, Substly connects directly to Entra ID through an application registration. This ensures the correct permissions are in place, independent of individual users.
How to activate
There is currently no option in Substly’s interface to switch authentication methods. If you would like to use Application authentication, please contact us via the in-app chat and we will enable it for you. Once activated, you will need to re-authenticate the integration.
Required permissions
To authenticate with the Application authentication flow, the person completing the authentication must be an Entra ID administrator (Global Administrator or Privileged Role Administrator).
Substly requests the following API permissions:
Directory.Read.All
AuditLog.Read.All
Application.Read.All
Group.Read.All
User.Read.All
These permissions are granted to Substly’s application and are not tied to a specific user account.
Which method should I choose?
If delegated authentication works after assigning a qualifying role to the authenticating user, you can continue using delegated.
If delegated authentication doesn’t work for your organization—or you prefer a setup that isn’t dependent on a single user’s permissions—use Application authentication.
Need help?
For delegated authentication issues, review the troubleshooting steps above.
For Application authentication activation or issues, contact us in the in-app chat.