9. Getting Device Information from Entra
9.1 Introduction
From version 3.3.8.0 OVERLAPS now supports the retrieval of Entra-joined/registered devices (organised by Groups) and the retrieval of Entra-registered devices configured to use LAPS.
In order to make use of this functionality, you just need to configure an App in Entra with the correct permissions and an Authentication method (either a shared secret or a certificate) and then setup your Tenant and Client information in Entra.
9.2 Entra Settings
9.2.1 Creating an App
- In Entra Admin, go to Applications -> App Registrations and click New Registration.
- Give it an appropriate name and leave Single Tenant selected.
- In the Overview section, make a note of the Application (client) ID and Directory (tenant) ID, you'll need these later.
9.2.2 App Permissions
OVERLAPS will need certain permissions to access your device information. We're still experimenting with the actual permissions requirements, but settings up the ones below are known to allow OVERLAPS access.
Under API permissions, click Add a permission and grant it the following:
| Permission | Description |
|---|---|
| Group.Read.All | Read all groups |
| GroupMember.Read.All | Read all group memberships |
| Device.Read.All | Read all devices |
| DeviceLocalCredential.Read.All | Read device local credential passwords |
9.2.3 App Authentication
Now you can setup a means for OVERLAPS to authenticate itself in Entra so it can access your device information. This can be done under Certificates & Secrets. OVERLAPS supports both X509 Certificate authentication and Client Secrets, but the former is preferred as it is more secure.
9.2.3.1 Secret Value
To use a Secret Value, click New client secret and make a note of the code it gives you, you'll use this later when setting up OVERLAPS.
9.2.3.2 Certificate
If you have an X509 Private Key certificate you'd rather use, get a copy of the Public Key component and upload it to Entra. Make sure your private key is added to either the OVERLAPS server's Personal or Trusted Root Authority certificate stores so that OVERLAPS can find it.
9.3 OVERLAPS Entra Settings
In OVERLAPS, navigate to Config -> Website Settings -> Microsoft Entra.
9.3.1 Setup Tenant Access
Click Add a New Entra Tenant to setup your tenant access.
9.3.1.1 Display Name
This is how the Tenant will be shown in OVERLAPS.
9.3.1.2 Microsoft Graph Endpoint URL
Where OVERLAPS will attempt to connect to Microsoft Graph for Entra access. This can usually be left as the default.
9.3.1.3 Tenant ID
This is the Directory (tenant) ID you copied from Entra previously.
9.3.1.4 Client ID
The Application (client) ID from Entra.
9.3.1.5 Authentication - Certificate or Secret
Depending on how you configured access to Entra for the app previously, select the appropriate tab here. For certificates, OVERLAPS will search the Local Computer's Personal and Trusted Root Authority certificate stores for valid private keys, just find the one with the matching thumbprint and select it. For Secret Values, simply enter the code generated by Entra.
9.3.1.6 Disable New Groups By Default
OVERLAPS will periodically scan Entra for new or removed groups which is how devices are currently organised. Checking this option means that newly detected groups will default to "disabled" (hidden) so that your admin interface isn't crowded by groups that are not relevant to your computer management duties. Groups can be manually enabled or disabled in the Group Configuration window.
9.3.1.7 Enable Device Cache
Not yet available in the current release
Retrieving lists of devices from the Entra API can be relatively slow, and pagination is done only one page at a time. To combat this, OVERLAPS can periodically scan your enabled groups for devices and store a cached list of these devices. This has the benefit of providing much faster navigation and improved pagination, at the cost of not necessarily seeing "live" information between updates.
9.3.1.8 Group Refresh Interval (minutes)
This controls how often OVERLAPS scans for changes to groups in Entra. Note that this does not check group memberships, only for the new, modified, or deleted groups themselves.
9.3.2 Enable or Disable Groups
In this window you can manually trigger a scan for new/changed groups from Entra, and you can enable or disable (hide) groups by checking the box next to the group name.
Note that we are aware that this is currently not optimised for Entra instances with a large number of groups, this will be addressed in a future update.
9.3.3 Delete a Tenant
Click the Delete Tenant button to remove a tenant, its groups, and its settings. This cannot be undone.
9.4 Usage
9.4.1 Group Navigation
For each Tenant, OVERLAPS creates a root-level virtual directory which will appear in your navigation list. Under this root directory it will add all of your enabled groups.
9.4.2 OVERLAPS Permissions for Entra Groups
Permissions to the root Entra Tenant item and the groups underneath it are handled in exactly the same way as normal Active Directory OUs. For more information on that, see Container Permissions.
This includes the Authorisation and Justification systems, but note that manually expiring passwords is not yet supported for Entra devices.
9.4.3 Retrieving Passwords
Navigating to an Entra Group will give you the same computer list that you will be familiar with, and retrieving passwords works exactly the same as previously.
9.5 Current Limitations
9.5.1 Device Information
The Device Information window is not available for Entra devices due to the limited amount of information available when compared to Active Directory.
9.5.2 Password Expiration
Rotating passwords on Entra managed devices seems to only be possible in the beta version of the API at present. However, it will be added to OVERLAPS once this becomes stable.
9.5.3 Self-Service
We are still searching for the best approach to managing Self-Service for Entra devices.
9.5.4 Computer Search
Searching for Entra-joined devices is not yet supported.