Skip to main content
All CollectionsData ConnectorsHow to connect to…
How to connect to Microsoft Advertising: Information for Entra administrators
How to connect to Microsoft Advertising: Information for Entra administrators
Funnel Support avatar
Written by Funnel Support
Updated this week

In order to create a Microsoft Advertising credential in Funnel, Microsoft work accounts provisioned via Microsoft Entra ID (Entra) must have sufficient Entra privileges to be able to consent to access permissions required by the enterprise application Funnel-Microsoft-Ads-Connector which is hosted on Funnel's own Entra tenant.

Service principals

When a work account with sufficient Entra privileges initially consents to the permissions required by Funnel-Microsoft-Ads-Connector, a service principal is created on the Entra tenant that the consenting work account is associated with. A service principal is not an enterprise application, instead it is an artefact that authorises the Funnel-Microsoft-Ads-Connector enterprise application to access resources on a third-party tenant. See Microsoft's documentation on service principals and applications and on how service principals are created.

Initially, only work accounts with privileges for creating and administering service principals in Entra can consent to the permissions required by Funnel-Microsoft-Ads-Connector. For reference, the following Microsoft Entra built-in roles have sufficient privileges for creating service principals:

  • Application Administrator

  • Cloud Application Administrator

  • Hybrid Identity Administrator

Once a service principal for Funnel-Microsoft-Ads-Connector has been created on a tenant, all work accounts associated with the tenant will be able to consent to access permissions required by Funnel-Microsoft-Ads-Connector via the Microsoft sign-in dialogue displayed when creating credentials in Funnel. Active service principals are listed on the Entra admin centre enterprise applications page.

Creating a service principal for Funnel-Microsoft-Ads-Connector

If an admin consent workflow is enabled in Entra, work accounts attempting to create Microsoft Advertising credentials in Funnel will be able to submit admin consent requests directly from the Microsoft dialogue shown after signing in to Microsoft via Funnel. These can then be approved via the Admin consent requests dashboard in the Microsoft Entra admin center.

If no admin consent workflow is enabled, a work account with sufficient privileges for creating service principals and fulfilling the conditions for connecting to Microsoft Advertising must successfully create a Microsoft Advertising credential in Funnel by consenting to the permissions in the delegated access dialogue displayed after signing in via Funnel.

Authentication flow illustrated

We'll use an example user (Alex) to illustrate the authentication flow between Microsoft Advertising, Entra and Funnel.

Potential pitfalls in the above flow:

  • The organization's Administrator hasn't allowed Alex to connect to new applications (In Microsoft Entra).

  • The organization's administrator tries to set up the data source using their own account but is not registered as a user in Microsoft Advertising (or added to the organization's Microsoft Advertising account).

Did this answer your question?