WatchTra is a web application for Microsoft Entra ID that helps organizations enforce compliance in user attributes. It compares values stored in Entra ID user properties against a predefined compliance dictionary and highlights non-compliant entries.
- 🔍 Compliance Monitoring – Detects inconsistent or invalid user attributes.
- 📊 Dashboard – Visualizes only non-compliant users.
- ⚡ Automation – Hourly data fetch from Entra ID and automatic webapp updates.
- 🛠 Configurable Rules – Define your organization’s compliance standards in JSON.
WatchTra is built entirely on Azure:
- Azure Function App – Backend logic, API endpoints, scheduled data fetch, and webapp rebuild.
- Azure Web App – Hosts the Docusaurus-based frontend dashboard.
- Azure Storage Account – Stores compliance dictionaries, processed data, and static assets.
- GitHub Repository – Source of truth for frontend code.
Prerequisites for installing WatchTra:
- Active Microsoft Entra ID tenant
- Admin permissions to create App Registrations
- Contributor role on target Azure subscription
- Go to the Azure Portal.
- Navigate to Microsoft Entra ID → App registrations → New registration.
- Enter a name for your app (e.g., WatchTraApp).
- Create a client secret under Certificates & secrets and save it for later; you will need it during deployment.
- Add the following Microsoft Graph API permissions (all of type Application):
  - User.Read.All
  - Group.Read.All
  - GroupMember.Read.All
  - AuditLog.Read.All
- Grant admin consent for the permissions.

Note: these are application permissions, so the app reads users, groups, memberships and audit logs across the whole tenant without a signed-in user. Treat the client secret as a tenant-wide read credential: give it an expiry, rotate it, and do not commit it to the repository.
- You must have at least Contributor role on the target subscription.
- Go to the WatchTra GitHub repository.
- Click the “Deploy to Azure” button.
- Fill in required fields:
- Subscription
- Resource Group
- Region
- Site Name (e.g. watchtra). Use lowercase only; a unique suffix is appended to the name during deployment.
- Tenant ID, Client ID, Client Secret
- Click Review + Create → Create.
- Deployment can take up to 15 minutes.
The deployment will provision the Azure Function App, Web App, and Storage Account automatically.
Note: this solution deploys an App Service Plan B3, which costs approximately 70 USD per month.
- Wait for the deployment to finish successfully.
- Navigate to the created Resource Group.
- Open the Storage Account and the container watchtra.
- Edit the members.json and guests.json files: click the file.
- Switch to the Edit tab.
- Fill in your compliance information in the Portal.
- Save the file.
- Navigate to the Web App and click Browse.
- To update the frontend, scroll down and click the Update Data button.
- Wait a few seconds; the page refreshes automatically and shows the new data.
Example members.json file. If you need further support, read the documentation first.

```json
{
  "excludeUsers": {
    "allowed": ["BreakGlass1@contoso.com", "BreakGlass2@contoso.com"]
  },
  "companyName": {
    "allowed": ["cloudfil.ch", "contoso.com"]
  },
  "department": {
    "allowed": ["IT", "HR", "Finance", "Marketing"]
  },
  "officeLocation": {
    "allowed": ["Bern", "Zurich", "Hamburg"]
  },
  "city": {
    "allowed": ["Zurich", "Bern", "Hamburg"]
  },
  "country": {
    "allowed": ["Switzerland", "Germany", "France"]
  }
}
```

This project is licensed under the MIT License.
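To make the comparison concrete, here is an added example written for this page (not WatchTra's own Function App code) that evaluates Microsoft Graph user objects against a members.json-style dictionary and, optionally, fetches the users with the client-credentials flow of the app registration created above. The rule semantics it uses are assumptions, not documented WatchTra behaviour: a rule key such as `department` maps 1:1 to the Graph user property of the same name, `excludeUsers.allowed` lists userPrincipalNames that are skipped entirely, comparison is exact and case-sensitive, and a missing or empty attribute counts as non-compliant. The sample dictionary and users are constructed. Without the `TENANT_ID`, `CLIENT_ID` and `CLIENT_SECRET` environment variables it runs offline on the sample data.

```python
"""Added example (not WatchTra's own code): check Entra ID user attributes
against a members.json-style compliance dictionary.

Assumed semantics (not taken from the WatchTra page):
  - a rule key such as "department" is the Graph user property of that name;
  - "excludeUsers.allowed" lists userPrincipalNames that are skipped;
  - comparison is exact and case-sensitive; a missing/empty attribute fails.
"""
import json
import os
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample dictionary in the same shape as the members.json above.
RULES = json.loads("""
{
  "excludeUsers": {"allowed": ["BreakGlass1@contoso.com"]},
  "companyName": {"allowed": ["contoso.com"]},
  "department": {"allowed": ["IT", "HR"]},
  "country": {"allowed": ["Switzerland", "Germany"]}
}
""")

# Constructed sample shaped like a Graph /users page (not real tenant data).
SAMPLE_USERS = [
    {"userPrincipalName": "alice@contoso.com", "companyName": "contoso.com",
     "department": "IT", "country": "Switzerland"},
    {"userPrincipalName": "bob@contoso.com", "companyName": "Contoso Inc",
     "department": "it", "country": "Germany"},
    {"userPrincipalName": "carol@contoso.com", "companyName": "contoso.com",
     "department": "HR", "country": None},
    {"userPrincipalName": "BreakGlass1@contoso.com", "companyName": "",
     "department": "", "country": ""},
]


def evaluate(users, rules):
    """Return {upn: {attribute: offending_value}} for every non-compliant user."""
    excluded = {u.lower() for u in rules.get("excludeUsers", {}).get("allowed", [])}
    attribute_rules = {k: set(v["allowed"]) for k, v in rules.items()
                       if k != "excludeUsers"}
    findings = {}
    for user in users:
        upn = user.get("userPrincipalName", "")
        if upn.lower() in excluded:
            continue  # break-glass accounts are deliberately out of scope
        bad = {attr: user.get(attr) for attr, allowed in attribute_rules.items()
               if user.get(attr) not in allowed}  # None/"" never match -> flagged
        if bad:
            findings[upn] = bad
    return findings


def graph_token(tenant_id, client_id, client_secret):
    """Client-credentials token (app-only) for the app registration above."""
    body = urllib.parse.urlencode({
        "client_id": client_id, "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials"}).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as r:
        return json.load(r)["access_token"]


def fetch_users(token, rules):
    """Page through /users, selecting only the attributes the rules mention."""
    select = ",".join(["userPrincipalName"] + [k for k in rules if k != "excludeUsers"])
    url = f"{GRAPH}/users?$select={select}&$top=999"
    users = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as r:
            page = json.load(r)
        users.extend(page["value"])
        url = page.get("@odata.nextLink")  # Graph pages results; follow until absent
    return users


if __name__ == "__main__":
    env = os.environ
    if all(k in env for k in ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET")):
        token = graph_token(env["TENANT_ID"], env["CLIENT_ID"], env["CLIENT_SECRET"])
        users = fetch_users(token, RULES)
    else:
        users = SAMPLE_USERS  # offline run on the constructed sample
    print(json.dumps(evaluate(users, RULES), indent=2))
```

Note how `bob` is flagged for `department` with value `it`: with exact matching, the dictionary must list values exactly as they are stored in Entra ID, so decide deliberately whether your rules should be case-insensitive before rolling them out, otherwise the dashboard fills with cosmetic findings.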
- Provide a better overview of what WatchTra costs per month, and an option to shut the service down overnight to save money
- Entra ID App Registration deployment
- Cosmos DB: store non-compliant users for more than 30 days (history view)
- Alerting: notify a specific admin user with a daily summary of non-compliant users (SendGrid, Azure Monitor Alerts)
- Bicep, Terraform: CI/CD deployments
- Storage Account deployment: generate a SAS with the right privileges for the ARM deployment, and later use a read-only SAS on the same container for data access
- Private Endpoint for the Storage Account (security hardening)


