Articles in this section

Entra Identity & Risk Intelligence Integration (coming soon!)

Here’s the full documentation article for the Entra Identity & Risk Intelligence Integration in PhishingBox, written to match the style of your other integration guides while accounting for the unique aspects of this integration.

  1. Open the Entra Identity Integration Card
  2. Select Your National Cloud Deployment
  3. Authorize PhishingBox in Microsoft Entra ID
  4. Verify Connection

Entra Identity & Risk Intelligence Integration Guide

The Entra Identity & Risk Intelligence integration connects PhishingBox with Microsoft Entra ID (Azure Active Directory) to enrich Human Risk Scores using Microsoft’s identity risk signals. Unlike other directory integrations, this connection does not push any information back to Entra ID—it is a read-only integration designed to monitor identity-related threats and sync user directory data.


Purpose of the Integration

When connected, PhishingBox will:

  • Sync user directory data from Microsoft Entra ID into PhishingBox (names, emails, group memberships, etc.).
  • Retrieve risk-related identity intelligence via the Microsoft Graph API:
    • Risky Users – users flagged by Entra ID for suspicious sign-ins or activity.
    • Risk Detections – specific events indicating potential compromise (e.g., impossible travel, atypical sign-in location).
  • Factor these risk signals into the Human Risk Score for associated targets in PhishingBox.

No data is pushed back to Entra ID. This is a one-way, read-only integration.


Step-by-Step Configuration


Open the Entra Identity Integration Card

  1. Navigate to Integrations in the PhishingBox platform.
  2. Locate the Entra Identity & Risk Intelligence integration card.
  3. Click Setup.


Select Your National Cloud Deployment

  1. In the Select National Cloud dialog, choose the correct Microsoft Graph service for your organization:
    • Microsoft Graph global service – Standard Microsoft 365 tenants
    • Microsoft Graph for US Government L4
    • Microsoft Graph for US Government L5 (DOD)
  2. Click Authorize.


Authorize PhishingBox in Microsoft Entra ID

You will be redirected to the Microsoft login page.

  1. Log in as an Azure AD Global Administrator.
  2. Review the permissions request. PhishingBox requires:
    • Read audit logs
    • Read devices
    • Read directory and group data
    • Read all identity risk events
    • Read all users’ profiles
    • Sign in and read user profile
  3. Click Accept to grant access for the entire organization.


Verify Connection

  • Once authorized, PhishingBox will complete the OAuth 2.0 authorization code flow and store the necessary tokens.
  • You will be redirected back to the PhishingBox integration store, and prompted to select Entra groups for syncing.
  • Directory sync and risk signal retrieval will begin on the next scheduled sync.

Sync Behavior Summary

Feature Direction Description
Directory Sync Pulls user profiles and group memberships from Entra ID into PhishingBox
Risky Users Retrieves Microsoft-flagged risky users
Risk Detections Retrieves detection events from the riskyDetections endpoint
Human Risk Score Impact Internal Risk signals are factored into Human Risk Score calculations for targets

How Risk Scoring Works with Entra Data

PhishingBox evaluates imported Entra risk intelligence as part of the Human Risk Score algorithm:

  • Active risky user status increases risk score significantly.
  • Recent risk detections (e.g., leaked credentials, unfamiliar sign-in) have weighted impacts depending on severity.
  • Combined with phishing test results and training completion data for a comprehensive risk assessment.

Need Help?

If you encounter issues during setup or need help interpreting Microsoft risk signals:


If you’d like, I can now compile this Entra guide along with BambooHR, Huntress, SentinelOne, CrowdStrike, and NinjaOne into a single integration documentation package so they’re ready for your knowledge base in a consistent format.

Back to top

Was this article helpful?
0 out of 0 found this helpful