Add Enpass to Microsoft Entra ID

Why does Enpass need to be added to Entra ID?

Unlike traditional password managers that store your credentials on their own servers, Enpass follows a data sovereignty model — your encrypted vaults live entirely within your organization's own Microsoft 365 environment (OneDrive and SharePoint). Enpass never stores, accesses, or processes your vault data on its servers.

To make this possible, the Enpass application on each user's device needs permission to interact with Microsoft 365 on the user's behalf — reading and writing encrypted vault files to OneDrive and SharePoint, listing teams and channels for vault sharing, and looking up user profiles for collaboration. These interactions happen through Microsoft Graph APIs, and Microsoft requires that an Entra ID administrator explicitly approve (consent to) the Enpass application before users in the tenant can connect.

This one-time admin consent step registers Enpass as a trusted Enterprise Application in your Entra ID tenant, allowing your users to seamlessly connect their Enpass app to OneDrive without encountering "Need admin approval" or "Approval required" errors.

Before you proceed, you may want to review the permissions Enpass requests and understand how your data is protected.

Prerequisites

  • You must be a Global Administrator, Application Administrator, or Cloud Application Administrator in your Microsoft Entra ID tenant.

  • Users in your organization must have active Microsoft 365 licenses with OneDrive access.

Step 1: Launch the Enpass authorization flow

Click the link below to begin. This is the same OAuth2 authorization URL that users encounter when they tap "Connect to OneDrive" inside Enpass — by completing it as an admin, you pre-approve the application for your tenant.

Launch Enpass Authorization for Microsoft 365

Sign in with your administrator account when prompted, or select it if you are already signed in with multiple accounts.

After authentication, Microsoft will display a Permissions requested screen listing the permissions Enpass needs (see Enpass Enterprise App Permissions for a detailed explanation of each one).

  • Check "Consent on behalf of your organisation" to approve Enpass for all users in the tenant, or leave it unchecked to consent for your account only.

  • Click Accept.

Tip: You can always adjust the scope of consent later — extending it to additional users or restricting it to specific groups — from the Enpass Enterprise Application settings in Entra ID.

Step 3: Close the authorization window

After you accept, you will be redirected to an "Authorization Finished!" page. You can close this browser window.

Note: This flow's sole purpose is to register Enpass as an Enterprise Application and record your consent. No long-lived access token is generated or stored during this process.

Step 4: Review and manage in Entra ID

  1. Open the Azure Portal → Entra ID → Enterprise Applications.

  2. Search for and select Enpass.

  3. From here you can:

    • Review the granted permissions under the Permissions tab.

    • Click "Grant admin consent for [Your Organization]" if you did not consent organization-wide in Step 2.

    • Use the Users and Groups tab to restrict Enpass access to specific users or security groups.
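The review in Step 4 can also be run against exported Microsoft Graph data. The script below is an added example, not Enpass or Microsoft code: it separates tenant-wide from per-user consent, flags scopes outside an approved list, and reports whether the app is open to every user. The sample IDs, the scope names and the `APPROVED` list are constructed placeholders, not the permissions Enpass actually requests.

```python
import json

# Constructed sample in the shape of Microsoft Graph responses for
# GET /servicePrincipals/{id} and
# GET /oauth2PermissionGrants?$filter=clientId eq '{id}'.
# IDs and scope names are placeholders, not Enpass's real values.
SAMPLE_SP = json.loads(
    '{"id": "sp-0001", "displayName": "Enpass", "appRoleAssignmentRequired": false}')
SAMPLE_GRANTS = json.loads("""{"value": [
  {"clientId": "sp-0001", "consentType": "AllPrincipals", "principalId": null,
   "resourceId": "graph-sp", "scope": "User.Read Files.ReadWrite offline_access"},
  {"clientId": "sp-0001", "consentType": "Principal", "principalId": "user-42",
   "resourceId": "graph-sp", "scope": " User.Read Sites.ReadWrite.All"}
]}""")

# Assumption: the scopes you approved after reviewing the Permissions tab.
APPROVED = {"User.Read", "Files.ReadWrite", "offline_access"}


def audit_consent(sp, grants, approved):
    """Summarise delegated consent recorded for one enterprise application."""
    tenant_wide, per_user = set(), {}
    for g in grants.get("value", []):
        if g.get("clientId") != sp["id"]:
            continue  # grant belongs to a different application
        scopes = set((g.get("scope") or "").split())  # space-separated list
        if g.get("consentType") == "AllPrincipals":
            # Recorded when an admin consents on behalf of the organisation.
            tenant_wide |= scopes
        else:
            # consentType "Principal": consent for a single account only.
            per_user.setdefault(g.get("principalId"), set()).update(scopes)
    granted = tenant_wide.union(*per_user.values())
    allowed = {a.lower() for a in approved}
    return {
        "tenant_wide": sorted(tenant_wide),
        "per_user": {u: sorted(s) for u, s in per_user.items()},
        "unapproved": sorted(s for s in granted if s.lower() not in allowed),
        # True when every user can connect without a prompt: tenant-wide
        # consent exists and user assignment is not required for the app.
        "open_to_all_users": bool(tenant_wide)
        and not sp.get("appRoleAssignmentRequired", False),
    }


if __name__ == "__main__":
    print(json.dumps(audit_consent(SAMPLE_SP, SAMPLE_GRANTS, APPROVED), indent=2))
```

A non-empty `unapproved` list or an unexpected `open_to_all_users: true` is the cue to revisit the Permissions and Users and Groups tabs.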

What's next?