9. Getting Device Information from Entra

9.1 Introduction

From version 3.3.8.0, OVERLAPS supports the retrieval of Entra-joined/registered devices (organised by Groups) and the retrieval of Entra-registered devices configured to use LAPS.

To make use of this functionality, you need to register an App in Entra with the correct permissions and an authentication method (either a shared secret or a certificate), and then enter your Tenant and Client information into OVERLAPS' Entra settings.

9.2 Entra Settings

9.2.1 Creating an App

[Screenshot: Entra App Registration]
  1. In Entra Admin, go to Applications -> App Registrations and click New Registration.
  2. Give it an appropriate name and leave Single Tenant selected.
  3. In the Overview section, make a note of the Application (client) ID and Directory (tenant) ID; you'll need these later.

9.2.2 App Permissions

OVERLAPS will need certain permissions to access your device information. We're still experimenting with the exact permission requirements, but setting up the ones below is known to allow OVERLAPS access. These are application permissions (the app authenticates as itself, not as a signed-in user), so they must be granted admin consent before the app can use them.

Under API permissions, click Add a permission and grant it the following:

Permission                        Description
--------------------------------  ---------------------------------------
Group.Read.All                    Read all groups
GroupMember.Read.All              Read all group memberships
Device.Read.All                   Read all devices
DeviceLocalCredential.Read.All    Read device local credential passwords

9.2.3 App Authentication

Now you can set up a means for OVERLAPS to authenticate itself to Entra so it can access your device information. This is done under Certificates & Secrets. OVERLAPS supports both X.509 certificate authentication and Client Secrets, but the former is preferred as it is more secure: a client secret is a reusable shared string, whereas the certificate's private key never leaves the OVERLAPS server.

9.2.3.1 Secret Value

To use a Secret Value, click New client secret and make a note of the value it gives you; you'll use this later when setting up OVERLAPS. The value is only shown once, and client secrets have an expiry date, so record when it expires so access can be renewed before it lapses.

9.2.3.2 Certificate

If you would rather use an X.509 certificate you already hold the private key for, take a copy of its public key component and upload it to Entra. Make sure the certificate with its private key is installed in either the OVERLAPS server's Personal or Trusted Root Authority certificate store so that OVERLAPS can find it.

9.3 OVERLAPS Entra Settings

In OVERLAPS, navigate to Config -> Website Settings -> Microsoft Entra.

9.3.1 Setup Tenant Access

Click Add a New Entra Tenant to set up your tenant access.

[Screenshot: Entra Tenant Configuration]

9.3.1.1 Display Name

This is how the Tenant will be shown in OVERLAPS.

9.3.1.2 Microsoft Graph Endpoint URL

Where OVERLAPS will attempt to connect to Microsoft Graph for Entra access. This can usually be left as the default.

9.3.1.3 Tenant ID

This is the Directory (tenant) ID you copied from Entra previously.

9.3.1.4 Client ID

The Application (client) ID from Entra.

9.3.1.5 Authentication - Certificate or Secret

Depending on how you configured access to Entra for the app previously, select the appropriate tab here. For certificates, OVERLAPS will search the Local Computer's Personal and Trusted Root Authority certificate stores for valid private keys, just find the one with the matching thumbprint and select it. For Secret Values, simply enter the code generated by Entra.

9.3.1.6 Disable New Groups By Default

OVERLAPS will periodically scan Entra for new or removed groups which is how devices are currently organised. Checking this option means that newly detected groups will default to "disabled" (hidden) so that your admin interface isn't crowded by groups that are not relevant to your computer management duties. Groups can be manually enabled or disabled in the Group Configuration window.

9.3.1.7 Enable Device Cache

Not yet available in the current release

Retrieving lists of devices from the Entra API can be relatively slow, and pagination is done only one page at a time. To combat this, OVERLAPS can periodically scan your enabled groups for devices and store a cached list of these devices. This has the benefit of providing much faster navigation and improved pagination, at the cost of not necessarily seeing "live" information between updates.

9.3.1.8 Group Refresh Interval (minutes)

This controls how often OVERLAPS scans for changes to groups in Entra. Note that this does not check group memberships, only for new, modified, or deleted groups themselves.

9.3.1.9 Group Page Size

Sets the Entra Group paging size, which is used both for:

  • Limiting the number of groups returned in each Entra request during a group refresh. This can be used to balance speed and performance of the group refresh operation if you have a lot of Entra groups.
  • Setting how many groups are displayed on each page of the Group Configuration window.

The default setting is 20 groups.

9.3.1.10 Advanced Group Filter

Allows you to restrict the groups that OVERLAPS will retrieve from Entra by some property. You can read more about filters in Microsoft's API documentation (https://learn.microsoft.com/en-us/graph/filter-query-parameter), but some examples are included below.

startswith(displayName, 'computers-')

Returns all groups whose Display Name starts with "computers-", for example "computers-staff", "computers-students", etc.

endswith(description, 'laps')

Gets groups which have "laps" at the end of their description.

contains(description, 'devices')

Only gets groups which have the word "devices" in their description.

OVERLAPS doesn't perform any validation on this filter, so it is always advisable to test it with Entra first. If you find it is not returning any groups, check the OVERLAPS log file for specific error information.
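Because OVERLAPS does not validate the filter, it helps to try it against Microsoft Graph the same way OVERLAPS will use it: a client-credentials token for the app registered in 9.2, a /groups request carrying the filter as $filter and the Group Page Size as $top, and a walk through the results one page at a time via @odata.nextLink. The script below is an added example written for this page, not OVERLAPS code; the tenant ID, client ID and secret are placeholders, and GRAPH_ENDPOINT is assumed to match the default endpoint setting. It sends $count=true with a ConsistencyLevel: eventual header, which Graph requires for the advanced operators such as endswith. The constructed sample pages let the paging logic run offline.

```python
"""Try an OVERLAPS Advanced Group Filter against Microsoft Graph before saving it.

Added example for this page; it is not OVERLAPS code. Tenant, client and secret
values are placeholders to be replaced with the values noted in 9.2.
"""
import json
import urllib.parse
import urllib.request

# Same default-style endpoint as the Microsoft Graph Endpoint URL setting (assumption).
GRAPH_ENDPOINT = "https://graph.microsoft.com/v1.0"


def build_groups_url(endpoint: str, group_filter: str, page_size: int) -> str:
    """First-page URL: $filter is the Advanced Group Filter text, $top is the
    Group Page Size. $count=true (with a ConsistencyLevel: eventual header) is
    what Graph requires for advanced operators such as endswith."""
    params = {
        "$filter": group_filter,
        "$top": str(page_size),
        "$select": "id,displayName,description",
        "$count": "true",
    }
    # Encode values only; keep the OData $-prefixed keys readable. Spaces become %20.
    query = "&".join(f"{k}={urllib.parse.quote(v, safe='(),')}" for k, v in params.items())
    return f"{endpoint.rstrip('/')}/groups?{query}"


def fetch_all_groups(get_json, first_url: str, max_pages: int = 100) -> list:
    """Follow @odata.nextLink one page at a time (Graph offers no way to skip
    ahead) and collect every group. get_json(url) -> dict is injected so the
    paging logic can run offline; max_pages guards against a runaway link chain."""
    groups, url, pages = [], first_url, 0
    while url and pages < max_pages:
        page = get_json(url)
        groups.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
        pages += 1
    return groups


def get_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials flow for the app registration from 9.2 (secret-based auth)."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    req = urllib.request.Request(
        f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token", data=body)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def make_graph_getter(token: str):
    """Return a get_json(url) that calls Graph with the bearer token."""
    def get_json(url: str) -> dict:
        req = urllib.request.Request(url, headers={
            "Authorization": f"Bearer {token}",
            "ConsistencyLevel": "eventual",
        })
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return get_json


# Constructed sample pages shaped like Graph responses, used to exercise paging offline.
SAMPLE_PAGES = {
    "page1": {"value": [{"id": "g1", "displayName": "computers-staff"},
                        {"id": "g2", "displayName": "computers-students"}],
              "@odata.nextLink": "page2"},
    "page2": {"value": [{"id": "g3", "displayName": "computers-labs"}]},
}


def demo_offline() -> list:
    """Walk the constructed pages and return the group display names in order."""
    return [g["displayName"] for g in fetch_all_groups(SAMPLE_PAGES.__getitem__, "page1")]


if __name__ == "__main__":
    url = build_groups_url(GRAPH_ENDPOINT, "startswith(displayName, 'computers-')", 20)
    print(url)
    print(demo_offline())
    # Live check (placeholders): use the IDs and secret noted in 9.2 and 9.2.3.1.
    # token = get_token("<tenant-id>", "<client-id>", "<client-secret>")
    # for g in fetch_all_groups(make_graph_getter(token), url):
    #     print(g["id"], g["displayName"])
```

If the live check returns an empty list or a 400 response, the filter is the problem (a malformed expression or an unsupported operator/property), which is the same condition OVERLAPS reports in its log file; fix it here before pasting it into the Advanced Group Filter box.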

9.3.2 Enable or Disable Groups

[Screenshot: Entra Group Configuration]

In this window you can manually trigger a scan for new/changed groups from Entra, and you can enable or disable (hide) groups by checking the box next to the group name.

If there are more Groups than the Group Page Size setting (20 by default), then this list will be broken up into pages for performance reasons.

Saving Changes

When any group is enabled or disabled by changing its checkbox, the "Save Changes" button is enabled. Because the list is re-loaded when searching for groups or changing the page, any changes must be saved by clicking the "Save Changes" button before navigating away; otherwise any changes you have made will be lost.

9.3.3 Delete a Tenant

Click the Delete Tenant button to remove a tenant, its groups, and its settings. This cannot be undone.

9.4 Usage

9.4.1 Group Navigation

[Screenshot: Entra Group Navigation]

For each Tenant, OVERLAPS creates a root-level virtual directory which will appear in your navigation list. Under this root directory it will add all of your enabled groups.

9.4.2 OVERLAPS Permissions for Entra Groups

Permissions to the root Entra Tenant item and the groups underneath it are handled in exactly the same way as normal Active Directory OUs. For more information on that, see Container Permissions.

This includes the Authorisation and Justification systems, but note that manually expiring passwords is not yet supported for Entra devices.

9.4.3 Retrieving Passwords

Navigating to an Entra Group will give you the same computer list that you will be familiar with, and retrieving passwords works exactly the same as previously.

9.5 Current Limitations

9.5.1 Device Information

The Device Information window is not available for Entra devices due to the limited amount of information available when compared to Active Directory.

9.5.2 Password Expiration

Rotating passwords on Entra managed devices seems to only be possible in the beta version of the API at present. However, it will be added to OVERLAPS once this becomes stable.

9.5.3 Self-Service

We are still searching for the best approach to managing Self-Service for Entra devices.

Searching for Entra-joined devices is not yet supported.