Dawiso integrates with Microsoft Entra ID for two purposes:
- User and group synchronization — Dawiso reads users and group membership from Entra ID on a schedule.
- Authentication — Users sign in to Dawiso through Microsoft Login. Dawiso does not store passwords.
This article is written for customer security, compliance, and IT teams evaluating the integration. For step-by-step configuration, see Microsoft Entra ID synchronization.
Why synchronization is necessary
Dawiso treats Entra ID as the source of truth for user identities and group membership. Without synchronization, a user has no account in Dawiso until they sign in for the first time. That gap is operationally significant: data governance work routinely involves assigning responsibilities to specific people — data owners, stewards, approvers — and those assignments must be possible even for users who have not yet opened Dawiso.
Scheduled pre-synchronization addresses this by ensuring that every relevant Entra ID user exists in Dawiso before they are referenced. Dawiso rejected the alternative — just-in-time provisioning on first login — for two reasons:
- Assignments cannot wait. An administrator preparing a new data domain may need to assign owners to dozens of objects. If those owners have not logged in, just-in-time provisioning leaves them invisible, and the assignment workflow stalls.
- Group-derived roles need group membership upfront. A user’s Dawiso role (admin, contributor, viewer) is derived from their Entra ID group membership. The customer’s chosen group structure must be reflected in Dawiso before users arrive, so that the right role is applied automatically at first login rather than being assigned by hand afterward.
Synchronization is therefore a precondition for the rest of the platform’s user-management features, not an optional optimization.
Deployment modes
Dawiso supports two deployment modes for the synchronization. The choice determines where the synchronization runs and who operates it.
| Mode | Runs in | Operated by | Monitoring & alerting |
|---|---|---|---|
| Pull | Dawiso cloud | Dawiso | Dawiso |
| Push | Customer infrastructure | Customer | Customer |
Pull mode
In Pull mode, the synchronization runs as a service inside Dawiso cloud. Dawiso connects directly to the customer’s Entra ID tenant over the Microsoft Graph API, retrieves users and groups, and writes them into the Dawiso database. The Dawiso platform team operates the service, including monitoring, alerting, and incident response.
Pull mode is the default and requires no infrastructure on the customer side beyond the Entra ID application registration.
```mermaid
flowchart LR
subgraph Customer["Customer infrastructure"]
Entra[("Microsoft Entra ID")]
end
subgraph Dawiso["Dawiso cloud"]
Sync["Sync service<br/>(Dawiso-managed)"]
Monitor["Monitoring &<br/>alerting"]
DB[("Dawiso<br/>database")]
Sync --> DB
Sync -.-> Monitor
end
Sync -->|"Microsoft Graph API<br/>(application permissions)"| Entra
Entra -->|"Users &<br/>group membership"| Sync
```
Push mode
In Push mode, Dawiso provides a synchronization application — a .NET 10 console app or a Docker image — that the customer deploys in their own infrastructure. The application connects to Entra ID from inside the customer’s network, reads users and groups, and pushes the data to the Dawiso database over HTTPS. The customer is responsible for hosting, scheduling, monitoring, and alerting on the application.
Push mode is intended for organizations that require Entra ID traffic to stay inside their own network, or that prefer to operate the synchronization themselves.
```mermaid
flowchart LR
subgraph Customer["Customer infrastructure"]
Entra[("Microsoft Entra ID")]
App["Dawiso Sync App<br/>(.NET 10 console<br/>or Docker image)"]
CustMon["Customer's<br/>monitoring"]
App -->|"Microsoft Graph API<br/>(application permissions)"| Entra
Entra -->|"Users &<br/>group membership"| App
App -.-> CustMon
end
subgraph Dawiso["Dawiso cloud"]
DB[("Dawiso<br/>database")]
end
App -->|"Push synced data<br/>over HTTPS"| DB
```
Data flow
The synchronization is one-directional. Data flows from Entra ID into Dawiso. Dawiso never writes back to Entra ID.
What gets synchronized
| Item | Details |
|---|---|
| User profile | First and last name, email, job title, phone, display name, login |
| User role in Dawiso | Viewer, Contributor, or Admin — derived from the user’s assignment to the matching Entra ID group |
| Group membership | The Entra ID groups the customer chooses to mirror to Dawiso (admin, contributor, viewer, and any extra groups configured during SSO setup) |
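The table above and the "Group-derived roles" point earlier describe the sync in prose. The block below is an added illustration, not Dawiso's code: it walks only the configured (mirrored) groups through Graph-style paged member listings, builds one record per login, and derives the role with Admin taking precedence over Contributor over Viewer when a user sits in more than one role group. The group IDs, the Graph response pages, the `fetch_json` stand-in and the rule that a user found only in an "extra" group gets no role are all constructed assumptions; Graph's `value` array and `@odata.nextLink` paging shape are real. Reading only the configured groups is also the practical counterpart of the point that the tenant-wide GroupMember.Read.All grant is wider than what the sync actually uses.

```python
"""Added example: mirror configured Entra ID groups into user records and
derive each user's role. Graph responses are constructed inline."""
from __future__ import annotations

from dataclasses import dataclass, field

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed group object IDs standing in for the groups chosen during SSO
# setup. Only these groups are ever read, although the permission grant is
# tenant-wide.
ADMIN_GROUP = "00000000-0000-0000-0000-00000000000a"
CONTRIB_GROUP = "00000000-0000-0000-0000-00000000000c"
VIEWER_GROUP = "00000000-0000-0000-0000-00000000000e"
EXTRA_GROUP = "00000000-0000-0000-0000-00000000000f"  # mirrored, carries no role

GROUP_ROLE = {ADMIN_GROUP: "Admin", CONTRIB_GROUP: "Contributor", VIEWER_GROUP: "Viewer"}
MIRRORED_GROUPS = [ADMIN_GROUP, CONTRIB_GROUP, VIEWER_GROUP, EXTRA_GROUP]
ROLE_RANK = {"Admin": 0, "Contributor": 1, "Viewer": 2}  # lower rank wins


def user(uid: str, name: str, upn: str, title: str = "") -> dict:
    """Build a constructed Graph user object with the fields the sync needs."""
    return {"@odata.type": "#microsoft.graph.user", "id": uid, "displayName": name,
            "givenName": name.split()[0], "surname": name.split()[-1],
            "mail": upn, "userPrincipalName": upn, "jobTitle": title, "mobilePhone": None}


# Constructed pages in the shape of GET /groups/{id}/members: a "value" array
# plus an optional "@odata.nextLink" that points at the next page.
PAGES = {
    f"{GRAPH}/groups/{ADMIN_GROUP}/members": {"value": [user("u1", "Alice Admin", "alice@example.com", "CDO")]},
    f"{GRAPH}/groups/{CONTRIB_GROUP}/members": {"value": [user("u2", "Bob Steward", "bob@example.com")]},
    f"{GRAPH}/groups/{VIEWER_GROUP}/members": {
        "value": [user("u2", "Bob Steward", "bob@example.com"),
                  {"@odata.type": "#microsoft.graph.group", "id": "nested", "displayName": "Nested"}],
        "@odata.nextLink": f"{GRAPH}/groups/{VIEWER_GROUP}/members?$skiptoken=page2",
    },
    f"{GRAPH}/groups/{VIEWER_GROUP}/members?$skiptoken=page2": {"value": [user("u3", "Dana Analyst", "dana@example.com")]},
    f"{GRAPH}/groups/{EXTRA_GROUP}/members": {"value": [user("u4", "Eve Extra", "eve@example.com")]},
}


def fetch_json(url: str) -> dict:
    """Stand-in for an authenticated HTTP GET with an application token (assumption)."""
    return PAGES[url]


def iter_user_members(group_id: str):
    """Yield the direct user members of one group, following @odata.nextLink.
    Non-user members (nested groups, service principals) are skipped here; a
    real sync app would decide explicitly whether to expand nested groups."""
    url = f"{GRAPH}/groups/{group_id}/members"
    while url:
        page = fetch_json(url)
        for member in page.get("value", []):
            if member.get("@odata.type") == "#microsoft.graph.user":
                yield member
        url = page.get("@odata.nextLink")


@dataclass
class SyncedUser:
    login: str
    display_name: str
    first_name: str
    last_name: str
    email: str
    job_title: str
    phone: str | None
    groups: set[str] = field(default_factory=set)

    @property
    def role(self) -> str | None:
        """Highest-precedence role among the user's mirrored groups, or None
        when the user is only in groups that carry no role (assumed handling)."""
        roles = [GROUP_ROLE[g] for g in self.groups if g in GROUP_ROLE]
        return min(roles, key=ROLE_RANK.__getitem__) if roles else None


def synchronize(group_ids=MIRRORED_GROUPS) -> dict[str, SyncedUser]:
    """Read only the configured groups and build one record per login."""
    users: dict[str, SyncedUser] = {}
    for gid in group_ids:
        for m in iter_user_members(gid):
            login = m["userPrincipalName"].lower()
            rec = users.setdefault(login, SyncedUser(
                login=login, display_name=m.get("displayName", ""),
                first_name=m.get("givenName", ""), last_name=m.get("surname", ""),
                email=m.get("mail") or login, job_title=m.get("jobTitle") or "",
                phone=m.get("mobilePhone")))
            rec.groups.add(gid)
    return users


if __name__ == "__main__":
    for u in synchronize().values():
        print(f"{u.login:<20} role={u.role} groups={len(u.groups)}")
```

Two points worth checking in any real implementation: that paging is followed to the end (a group whose membership spans several pages must not silently lose its last members), and that users who drop out of every mirrored group are handled deliberately at the next run rather than keeping a stale role.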
Synchronization schedule
- Synchronization runs daily.
- Changes in Entra ID appear in Dawiso after the next scheduled run.
- Synchronized users can sign in immediately with the role assigned by their group.
Authentication
Dawiso authenticates users through Microsoft Login using OpenID Connect (OIDC). Credentials never reach Dawiso — Microsoft validates the user and returns an identity token. For protocol details, see Microsoft’s OIDC documentation.
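For the evaluating reader, the part of the OIDC exchange that matters on the relying-party side is what the application checks in the identity token Microsoft returns. The block below is an added example, not Dawiso's code, showing those claim checks on a constructed set of claims: issuer and tenant pinned to the expected tenant, audience equal to the app registration's client ID, expiry and not-before with clock skew, and the nonce that binds the token to the login attempt. The tenant ID, client ID, sample claims and timestamp are constructed; the v2.0 issuer format `https://login.microsoftonline.com/{tenant}/v2.0` is Microsoft's documented one. Signature verification against the tenant's published keys is assumed to have been done by the OIDC library before these checks run.

```python
"""Added example: relying-party claim checks on a Microsoft identity platform
ID token, applied after signature verification. All values are constructed."""
from __future__ import annotations

import time

# Constructed tenant and client IDs; real ones come from the app registration.
EXPECTED_TENANT = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
# Issuer format documented by Microsoft for v2.0 tokens.
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{EXPECTED_TENANT}/v2.0"

# Constructed claims as they would appear after decoding and verifying the token.
SAMPLE_NOW = 1_700_000_000
SAMPLE_CLAIMS = {
    "iss": EXPECTED_ISSUER,
    "aud": CLIENT_ID,
    "tid": EXPECTED_TENANT,
    "oid": "99999999-8888-7777-6666-555555555555",
    "preferred_username": "alice@example.com",
    "nonce": "login-attempt-42",
    "nbf": SAMPLE_NOW - 60,
    "exp": SAMPLE_NOW + 3600,
}


def validate_id_token_claims(claims: dict, expected_nonce: str,
                             now: float | None = None, skew: int = 300) -> list[str]:
    """Return the list of failed checks; an empty list means the token is acceptable.
    Assumes the JWT signature was already verified against the tenant's JWKS."""
    now = time.time() if now is None else now
    problems: list[str] = []
    if claims.get("iss") != EXPECTED_ISSUER:
        problems.append("issuer mismatch")
    if claims.get("tid") != EXPECTED_TENANT:
        # A validly signed token from another tenant must not sign in here.
        problems.append("tenant mismatch")
    if claims.get("aud") != CLIENT_ID:
        # Tokens minted for a different application are not for this one.
        problems.append("audience mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + skew:
        problems.append("token expired")
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and now + skew < nbf:
        problems.append("token not yet valid")
    if claims.get("nonce") != expected_nonce:
        # The nonce ties the token to the login attempt that requested it.
        problems.append("nonce mismatch")
    if not claims.get("oid"):
        # oid is the stable user identifier; the login name can change.
        problems.append("missing oid")
    return problems


def is_token_acceptable(claims: dict, expected_nonce: str, now: float | None = None) -> bool:
    return not validate_id_token_claims(claims, expected_nonce, now)


if __name__ == "__main__":
    print(validate_id_token_claims(SAMPLE_CLAIMS, "login-attempt-42", now=SAMPLE_NOW))
```

Pinning `tid` (and the issuer containing it) is the check most often missed when an app registration is multi-tenant: without it, any Entra ID tenant could issue a token that passes signature and audience checks.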
Required Entra ID permissions
The integration requires the following Microsoft Graph permissions on the registered Dawiso application:
- Delegated permissions: User.Read, User.ReadBasic.All
- Application permissions (admin consent required): GroupMember.Read.All, User.Read.All
Why admin consent is required
Granting tenant-wide admin consent on GroupMember.Read.All and User.Read.All is broader than most administrators would prefer. Ideally, Dawiso would only see the groups it actually mirrors. Entra ID does not currently support that level of scoping for the synchronization use case. The reasoning chain:
- Entra ID exposes two permission models for Microsoft Graph: delegated permissions (the app acts on behalf of a signed-in user) and application permissions (the app acts as itself, with no user present).
- Delegated permissions support per-group scoping through restricted-group features, but they require an interactive browser session every time a token is issued — there must be a user signed in to grant the token.
- The Dawiso synchronization runs unattended on a schedule (daily, no human present) and, in Push mode, from a console application or container with no interactive browser. Delegated permissions are therefore not usable.
- That leaves application permissions. For Graph group reads (GroupMember.Read.All), Entra ID does not provide a way to restrict an application permission to a specific list of groups — the grant is tenant-wide.
The result: Dawiso must be granted tenant-wide read access to satisfy Entra ID’s permission model, even though the synchronization only stores and uses the groups configured during SSO setup.