How this works:
You register the app once in Drevni's tenant as a multi-tenant app. Then each client's admin grants consent for their tenant. Drevni's single app + secret can then query any consented client tenant.
Drevni Tenant → registers app → App ID + Secret
Client Tenant → admin consents → Client Tenant ID → saved in Client Management
Step 1 — Register the App (One-Time, in Drevni's Tenant)
- Sign in to portal.azure.com with your Drevni Global Admin account
- Navigate to Microsoft Entra ID → App registrations → + New registration
- Set the following:
  - Name: Drevni Solutions Portal
  - Supported account types: Accounts in any organizational directory (Multitenant)
  - Redirect URI: Leave blank
- Click Register
- Copy the Application (client) ID from the Overview page — this is your AZURE_CLIENT_ID
✓ Key point: This app lives in Drevni's tenant only. You never create apps in client tenants. The “Multitenant” setting allows client admins to consent to it.
Step 2 — Add API Permissions
- In the app → API permissions → + Add a permission
- Select Microsoft Graph → Application permissions
- Search for and add these permissions:
SecurityEvents.Read.All
SecurityActions.Read.All
Reports.Read.All
Directory.Read.All
DeviceManagementManagedDevices.Read.All
SecurityAlert.Read.All
- Click Add permissions
- Then click Grant admin consent for Drevni and confirm — this grants consent in Drevni's own tenant only; each client tenant consents separately in Step 5
Step 3 — Create a Client Secret
- In the app → Certificates & secrets → + New client secret
- Description: Drevni Portal Key, Expiration: 24 months
- Click Add
- Immediately copy the secret Value — it won’t be shown again! Record the expiration date too: once the secret expires, queries against every client tenant fail until a new secret is created and AZURE_CLIENT_SECRET is updated (Step 4)
Step 4 — Set Environment Variables (Vercel)
All three values come from Drevni’s app registration:
AZURE_CLIENT_ID=Application (client) ID from Step 1
AZURE_CLIENT_SECRET=Secret Value from Step 3
AZURE_TENANT_ID=Drevni’s Directory (tenant) ID
All three are from Drevni’s tenant. Client tenant IDs are stored per-client below.
Step 5 — Onboard Each Client
⚠ Requires the client’s Global Administrator to complete.
For each client, send their admin this link (fill in both values):
https://login.microsoftonline.com/{client-tenant-id}/adminconsent?client_id={drevni-app-client-id}
• {client-tenant-id} = the client’s Azure Tenant ID (from their Entra ID Overview page)
• {drevni-app-client-id} = the Application (client) ID from Step 1 (Drevni’s app)
- The client’s Global Admin opens the link above
- They sign in with their admin credentials (not yours)
- They review the permissions and click Accept
- They’ll be redirected — consent is now granted
- Come back here, enter the client’s Tenant ID in the Azure Tenant ID field, and save
✓ Once consented, the Drevni app can pull Secure Score, Defender alerts, and security data from the client’s tenant using the same app credentials.
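As an added example (not part of this guide or the portal's own code), the following Node.js helpers show how the Vercel side of this flow fits together: validating the client Tenant ID before it is saved, building the Step 5 consent link, reading the Step 4 variables, and requesting a Graph token from one consented client tenant with the same app ID and secret. Function names are assumptions; Node 18+ is assumed for the global fetch.

```javascript
// Added example, not the portal's own code. Assumes Node 18+ (global fetch).
// The scope ".default" asks for the application permissions the client admin consented to.
const TOKEN_URL = (tenantId) => `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`;
const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Tenant IDs are GUIDs; reject anything else before it is saved in Client Management,
// so a typo cannot silently turn into a token request against the wrong directory.
function isTenantId(value) {
  return typeof value === "string" && GUID_RE.test(value.trim());
}

// Step 5: the link the client's Global Admin opens to grant tenant-wide admin consent.
function adminConsentUrl(clientTenantId, appClientId) {
  if (!isTenantId(clientTenantId)) throw new Error(`invalid client tenant id: ${clientTenantId}`);
  return `https://login.microsoftonline.com/${clientTenantId}/adminconsent?client_id=${encodeURIComponent(appClientId)}`;
}

// Step 4: all three values come from Drevni's own tenant; fail fast if any is missing.
function readConfig(env = process.env) {
  const keys = ["AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET", "AZURE_TENANT_ID"];
  const missing = keys.filter((k) => !env[k]);
  if (missing.length) throw new Error(`missing env vars: ${missing.join(", ")}`);
  return { clientId: env.AZURE_CLIENT_ID, clientSecret: env.AZURE_CLIENT_SECRET, homeTenantId: env.AZURE_TENANT_ID };
}

// Client-credentials request for ONE consented client tenant. The token endpoint is the
// CLIENT's tenant, not Drevni's: AZURE_TENANT_ID only records where the app was registered.
function buildTokenRequest(clientTenantId, { clientId, clientSecret }) {
  if (!isTenantId(clientTenantId)) throw new Error(`invalid client tenant id: ${clientTenantId}`);
  const body = new URLSearchParams({
    grant_type: "client_credentials",
    client_id: clientId,
    client_secret: clientSecret,
    scope: "https://graph.microsoft.com/.default",
  });
  return { url: TOKEN_URL(clientTenantId), body };
}

// Returns a bearer token for Graph calls such as GET /v1.0/security/secureScores.
async function acquireGraphToken(clientTenantId, config) {
  const { url, body } = buildTokenRequest(clientTenantId, config);
  const res = await fetch(url, { method: "POST", body });
  const json = await res.json();
  // A tenant whose admin has not consented yet answers with an AADSTS error instead of
  // a token; surface error_description so onboarding problems show up in the portal logs.
  if (!res.ok) throw new Error(`${json.error}: ${json.error_description}`);
  return json.access_token;
}
```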
Fix: Already Registered as Single Tenant?
No need to re-create the app — just change the setting:
- Go to the app in Drevni’s Entra ID → App registrations
- Click the app → Authentication
- Under Supported account types, change to “Accounts in any organizational directory (Multitenant)”
- Click Save