Integrations

Overview

Validaitor integrations connect external identity, discovery, model, agent, and portfolio systems to an organization. The current setup is integration-target based: administrators start from the integration target, choose the capabilities they need, and complete the required consent or access steps once for the organization.

The main integration targets are:

Target	Capabilities	Primary setup model
Microsoft	SSO, software discovery, Copilot Studio agent discovery, Microsoft AI Foundry model and agent discovery	Recommended: reusable Microsoft tenant connection through the Validaitor multitenant app
OpenID Connect	SSO	Organization-owned OIDC client
LUY	Software discovery and portfolio import	LUY API endpoint and bearer token

Use Integrations in the Validaitor navigation to configure these targets. Only organization administrators can manage integrations.

---

Microsoft Integration Approach

Recommended: Tenant-First Multitenant Setup

The recommended Microsoft setup uses a reusable Microsoft tenant connection. Instead of creating a separate customer-owned app registration for every capability, the Microsoft administrator grants consent to the Validaitor multitenant Microsoft Entra application once for the selected tenant. Validaitor then reuses that tenant connection for the Microsoft capabilities selected by the organization.

This approach is preferred for new setups because it:

• Centralizes admin consent and capability status in one Microsoft tenant connection
• Avoids duplicating client IDs and secrets across SSO, discovery, Copilot Studio, and Foundry setup
• Lets Validaitor track capability-specific follow-up steps, such as Power Platform application-user setup or Azure AI Foundry RBAC assignment
• Supports future Microsoft capabilities without introducing another standalone app registration for the same tenant

Legacy: Separate Entra ID Setup

The legacy setup is still available for organizations that already use, or explicitly require, a customer-owned Microsoft Entra app registration with a tenant ID, client ID, and client secret. Use the legacy path when you need to manage older SSO and discovery records separately from the shared tenant connection.

For the legacy Microsoft SSO setup, see Single Sign-On Configuration.

Configure a Microsoft Tenant Connection

1. In Validaitor, go to Integrations > Microsoft.
2. Select the Microsoft capabilities you want to enable:
3. Microsoft AI Foundry for Foundry project endpoints, model deployments, and Foundry agents
4. SaaS discovery for Microsoft Graph enterprise application discovery
5. Copilot Studio for Power Platform and Dataverse agent discovery
6. SSO reuse when the shared tenant connection should also back Microsoft SSO
7. Enter the tenant-specific Microsoft tenant ID or verified domain.
8. Start the admin consent flow.
9. A Microsoft administrator grants consent for the Validaitor multitenant app in that tenant.
10. Return to Validaitor and complete the capability-specific setup steps shown for the tenant connection.

Note

Do not use common, organizations, or consumers as the tenant value. The tenant connection must target a specific customer tenant.

Microsoft Capability Requirements

Capability	Additional requirements
SSO reuse	Validaitor creates or updates the Microsoft SSO configuration from the shared tenant connection. Review allowed domains and default team assignment before enforcing SSO.
SaaS discovery	Microsoft Graph application permissions are required for enterprise application discovery. Depending on the enabled discovery options, this includes permissions such as Application.Read.All, Directory.Read.All, and AuditLog.Read.All.
Copilot Studio	A Power Platform environment URL is required. The Validaitor app must also be registered as an application user in the Power Platform environment and assigned a role that can read Copilot Studio/Dataverse records.
Microsoft AI Foundry	A Foundry project endpoint is required. For Entra RBAC authentication, the Validaitor enterprise application must be assigned access to the Foundry project or Foundry resource.

---

LUY

The LUY integration imports LUY application portfolio entries into Validaitor's software discovery workflow. It is used when LUY is the authoritative or upstream portfolio source for software and AI-related applications.

How the LUY Sync Works

Validaitor stores one LUY configuration per organization. The configuration contains:

• LUY InformationSystem endpoint URL
• API bearer token
• Whether scheduled checks are enabled
• Sync frequency
• Last sync status, last sync time, and last error message

When Validaitor fetches LUY data, it:

1. Calls the configured LUY applications endpoint.
2. Derives the LUY users endpoint from the applications endpoint by replacing /data/InformationSystem with /administration/users.
3. Sends the configured token in the Authorization header and requests JSON responses.
4. Reads application records from the LUY response result list.
5. Normalizes each application into a provisional software row using the LUY id, name, Vendor, URL, Responsible, and Lifecycle Status fields when available.
6. Resolves the responsible owner email by matching the LUY Responsible login name against the users endpoint response.
7. Records sync status and the number of applications returned.

The LUY applications endpoint must end with:

/data/InformationSystem

The corresponding users endpoint must be available at:

/administration/users

Configure LUY

1. In Validaitor, go to Integrations > LUY.
2. Enter the LUY endpoint URL. The URL should point to the InformationSystem data endpoint.
3. Enter the LUY API token. If the token is already saved, leave the token field blank unless rotating it.
4. Choose whether Validaitor should periodically check LUY for portfolio updates.
5. Choose the sync frequency.
6. Select Save settings to store the configuration, or Fetch and review to immediately load the current LUY portfolio for review.

Review, Match, and Register Software

Fetching LUY data does not blindly register every LUY application. Validaitor loads the LUY applications into a review flow so administrators can decide how each item should enter the software inventory.

During review, Validaitor compares each LUY application against the software library:

• Exact matches are preselected and can be accepted or dismissed.
• Partial matches are shown as suggestions and must be accepted before they are linked.
• No-match rows can be linked manually to a library entry or imported as standalone LUY software.
• Rows that already map to registered software are skipped to avoid duplicate inventory entries.

When the administrator imports the reviewed rows, Validaitor creates software inventory entries in the selected project. Imported rows keep the LUY source_app_id, so future imports can detect the same LUY application. Entries linked to the software library are marked as LUY + Library; standalone entries are marked as LUY.

Scheduled LUY syncs refresh discovery metadata and sync logs. Registration into project inventory remains a reviewed import step so that new or changed LUY applications can be matched before they are added.

LUY Troubleshooting

Symptom	Likely cause	Resolution
LUY endpoint must be a valid URL.	The endpoint is missing a valid http or https scheme.	Enter the full LUY HTTPS URL.
LUY InformationSystem endpoint must end with /data/InformationSystem.	Validaitor cannot derive the users endpoint.	Use the LUY InformationSystem endpoint, not a parent URL or custom route.
LUY applications response must contain a result list.	The applications endpoint returned an unexpected payload shape.	Confirm the endpoint and API token with the LUY administrator.
LUY users response must be a list.	The derived users endpoint returned an unexpected payload shape.	Confirm that /administration/users is reachable with the same token.
No applications returned	LUY returned an empty result after filtering or the token has restricted access.	Verify LUY permissions and the application lifecycle state in LUY.

---

Microsoft Copilot Studio

Validaitor discovers Microsoft Copilot Studio agents through the Power Platform environment's Dataverse API. The integration uses the Microsoft tenant connection credentials and the configured Power Platform environment URL.

What Validaitor Syncs

The Copilot Studio sync reads bot records from Dataverse and stores discovered Copilot Studio agents in Validaitor. The sync includes fields such as agent name, schema name, language, state, status, publication timestamps, owner and maker references, access policy, authentication mode, and solution metadata when available.

After discovery, administrators can review and import selected agents into Validaitor as AI systems.

Prerequisites

• Microsoft tenant connection configured in Validaitor with the Copilot Studio capability selected
• Power Platform environment URL, for example https://org12345.crm.dynamics.com/
• Power Platform administrator access to the target environment
• Permission to create or manage application users in the environment
• The Validaitor Microsoft Entra application visible in the tenant's app registrations or enterprise applications after admin consent

Microsoft references:

• Manage application users in the Power Platform admin center
• Use OAuth authentication with Microsoft Dataverse
• Use server-to-server authentication with Microsoft Dataverse

Add Validaitor as an Application User

The Microsoft admin consent flow makes the Validaitor app available to the Microsoft tenant, but Power Platform environments also require an application user record before the app can read Dataverse data in that environment.

1. Open the Power Platform admin center.
2. Go to Manage > Environments.
3. Select the environment that contains the Copilot Studio agents.
4. Select Settings.
5. Select Users + permissions > Application users.
6. Select + New app user.
7. Select + Add an app and choose the Validaitor Microsoft Entra application. Search by application name or application/client ID if needed.
8. Select the business unit for the application user.
9. Enter an email address for the application user if the form requires one.
10. Assign the Service Reader security role.
11. Save the role assignment and create the application user.

Note

Power Platform allows only one application user per Microsoft Entra registered application in an environment. If an application user for Validaitor already exists, edit its security roles instead of creating another one.

Configure Copilot Studio in Validaitor

1. In Validaitor, go to Integrations > Microsoft.
2. Select or create the Microsoft tenant connection with the Copilot Studio capability enabled.
3. Enter the Power Platform environment URL. The URL must be the Dataverse environment base URL and should end with /.
4. Choose the sync frequency.
5. Save the Copilot Studio configuration.
6. Run or wait for sync, then review discovered Copilot Studio agents in Validaitor.

Copilot Studio Troubleshooting

Symptom	Likely cause	Resolution
Authentication fails	Admin consent is incomplete or the tenant connection is not active.	Revalidate the Microsoft tenant connection and confirm admin consent completed for the correct tenant.
Dataverse returns forbidden errors	The Validaitor app is not an application user in the environment or lacks the required role.	Add the application user and assign the Service Reader role.
No agents are discovered	Wrong environment URL or no readable Copilot Studio bot records in that environment.	Confirm the URL matches the environment that hosts the agents and verify the application user's role.

---

Microsoft AI Foundry

Validaitor connects to Microsoft AI Foundry project endpoints to discover deployments and, with Entra RBAC authentication, Foundry agents.

Authentication Modes

Validaitor supports two Foundry authentication modes:

Mode	Use case	Behavior
Entra RBAC via tenant connection	Recommended for production	Uses the shared Microsoft tenant connection and Azure RBAC assigned to the Validaitor enterprise application. Supports deployment sync and Foundry agent discovery.
Endpoint/key import	Legacy or quick setup	Uses a Foundry API key. Supports deployment import into Validaitor model APIs, but does not provide the same per-principal RBAC control.

Microsoft recommends Microsoft Entra ID for production workloads because it supports RBAC, conditional access, and better auditability. API keys remain available for prototyping and legacy setups.

Microsoft references:

• Create a project in Microsoft Foundry
• Role-based access control for Microsoft Foundry
• Authentication and authorization in Microsoft Foundry
• Get started with Microsoft Foundry SDKs and endpoints

Add Validaitor to the Foundry Project

For Entra RBAC mode, assign the Validaitor enterprise application access to the Foundry project or Foundry resource.

The least-privilege role used by Validaitor is Foundry User. Microsoft previously named this role Azure AI User, and some tenants may still show the old name while the Microsoft rename rolls out. Microsoft lists the Foundry User role definition ID as:

53ca6127-db72-4b80-b1b0-d745d6d5456d

You can grant access from the Foundry portal:

1. Open Microsoft Foundry.
2. Select Operate > Admin.
3. Select the target Foundry project.
4. Select Add user.
5. Search for the Validaitor enterprise application or service principal.
6. Assign Foundry User.
7. Save the assignment.

You can also grant access from the Azure portal:

1. Open the Azure portal.
2. Open the Foundry project or parent Foundry resource.
3. Go to Access control (IAM).
4. Select Add > Add role assignment.
5. Select the Foundry User role.
6. For members, choose User, group, or service principal and select the Validaitor enterprise application.
7. Review and assign the role.

For Azure CLI automation, assign the role at the project scope:

az role assignment create \
  --role "53ca6127-db72-4b80-b1b0-d745d6d5456d" \
  --assignee "<validaitor-service-principal-object-id>" \
  --scope "<foundry-project-resource-id>"

Note

If role assignment fails, confirm that the administrator assigning the role has Owner or User Access Administrator at the selected Azure scope.

Configure Microsoft AI Foundry in Validaitor

1. In Validaitor, go to Integrations > Microsoft.
2. Select or create the Microsoft tenant connection with the Microsoft AI Foundry capability enabled.
3. In the Microsoft AI Foundry setup card, choose Entra RBAC via tenant connection.
4. Select the configured tenant connection.
5. Enter the Foundry project endpoint. The endpoint should use this format:

https://<resource-name>.services.ai.azure.com/api/projects/<project-name>

1. Select the target Validaitor project that should receive synced model APIs.
2. Select Test Connection.
3. Select Add and Sync Deployments.

If you must use the legacy key-based path, choose Endpoint/key import, paste the Foundry project endpoint and API key, select the target Validaitor project, test the connection, and add the resource.

What Validaitor Syncs from Foundry

For deployments, Validaitor:

• Lists Foundry deployments for the configured project endpoint
• Creates or updates Validaitor model API records in the selected project
• Stores deployment metadata such as deployment name, model publisher, model name, resource group, request schemas, and Foundry source metadata
• Uses the Foundry Responses endpoint for Entra RBAC imports and Azure OpenAI-style endpoints for key-based imports

For Foundry agents in Entra RBAC mode, Validaitor:

• Lists agents from the Foundry project
• Stores agent records and their latest version metadata
• Captures definition details such as model, instructions, reasoning effort, tools, knowledge, memory, and guardrails when returned by Foundry
• Lets administrators review and import selected agents as AI systems

Foundry Troubleshooting

Symptom	Likely cause	Resolution
Foundry project endpoint must be a *.services.ai.azure.com project endpoint.	The endpoint is not a Foundry project endpoint.	Use the project endpoint from Foundry, not an Azure OpenAI /openai/v1 endpoint or a regional endpoint.
Connection test fails in Entra RBAC mode	The Validaitor enterprise application lacks Foundry RBAC access.	Assign Foundry User on the Foundry project or resource and retry after RBAC propagation.
403 Forbidden	RBAC assignment is missing or assigned at the wrong scope.	Assign Foundry User at the project scope, or at the parent Foundry resource if multiple projects should be readable.
Deployments sync but agents do not	Foundry agent listing requires Entra RBAC mode.	Use Entra RBAC via tenant connection instead of endpoint/key import.
Duplicate endpoint warning	The Foundry endpoint is already configured in Validaitor.	Replace the existing resource to switch authentication mode or resync the existing resource.

---

References

• Microsoft identity platform admin consent
• Manage application users in the Power Platform admin center
• Use OAuth authentication with Microsoft Dataverse
• Role-based access control for Microsoft Foundry
• Authentication and authorization in Microsoft Foundry