Prepare Azure AD connectors

The Azure Active Directory connector directly retrieves information about your organization's users and their user details recorded in Azure AD.

In the Microsoft Azure Portal, you are required to configure a Graph API application, add API access, and grant the application permissions. Copy the Directory (tenant) ID and Application (client) ID, create and copy a client secret, and enter these values in Settings when adding the connector.

Procedure

Prerequisites:

  • The user account used to create the app in Step 2:

    • If Azure AD > User Settings > Users can register applications is Yes, the user account used to create the app does not have to be assigned to a role.

    • If Azure AD > User Settings > Users can register applications is No, the user account used to create the app must be assigned to one of the following roles:

      • Global administrator

      • Application administrator

      • Cloud application administrator

      • Application developer

  • The user who grants administrator consent in Step 3.c must be assigned to the Global administrator role.

  1. Sign in to the Microsoft Azure Portal.

  2. In App registrations, create an Azure Active Directory application.

    1. Set Supported account types to Accounts in this organizational directory only.

    2. Set Redirect URI to Web.

    3. In URI, enter http://localhost.

  3. Add API permissions to Microsoft Graph for the application you created.

    1. Configure Delegated permissions:

      1. Select Delegated permissions.

      2. Select offline_access in the list of permissions.

      3. Clear the User: User.Read permission, if it is selected.

    2. Configure Application permissions:

      1. In the list of permissions, do one of the following:

        • Select Directory: Directory.Read.All.

        • Select User: User.Read.All and Group: Group.Read.All.

      2. Optional: If you want to collect the CredentialUserRegistration report, select Reports: Reports.Read.All in the list of permissions. This step is only required if Collect user credential details report is selected when adding the connector.

    3. Select Grant admin consent for [your company name].

  4. In Certificates & secrets, create a new client secret with the following information:

    1. Enter a Description for the key, for your own reference.

    2. Set Expires to your desired value.

      Note

      The client secret needs to be regenerated after the set expiration time. This also means that the connector needs to be re-configured.

    3. Select Add to display the client secret and copy the value.

  5. Copy Application (client) ID and Directory (tenant) ID for the application.

  6. When adding the connector, in Settings, enter the copied values, together with the Client secret, according to the table.

    Setting                                  Value from Microsoft Azure Portal

    Tenant ID                                Directory (tenant) ID

    Client ID                                Application (client) ID

    Client secret                            Client secret

    Collect user credential details report   Select this checkbox if you want to collect the CredentialUserRegistration report. This requires the permission Reports.Read.All in the created app.

After completing this task, follow the general procedure to Add connectors.
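Before adding the connector, it is worth confirming that admin consent in Step 3.c actually took effect, since a missing consent only shows up later as failed Graph calls. The following added example (not part of this documentation or the connector's own code) requests a token with the client-credentials grant using the three copied values and inspects the `roles` claim of the returned access token, which lists the application permissions granted to the app; the token is decoded without signature verification because it was just received directly from the Microsoft token endpoint. `unsigned_token` is a constructed helper for offline testing only.

```python
import base64
import json
import urllib.parse
import urllib.request

GRAPH_SCOPE = "https://graph.microsoft.com/.default"


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form body) for the client-credentials grant the app uses."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
    }).encode()
    return url, body


def token_roles(access_token):
    """Decode the JWT payload (no signature check) and return its app roles."""
    payload_b64 = access_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    return set(payload.get("roles", []))


def missing_permissions(roles, collect_credential_report=False):
    """Compare granted roles against what the procedure above requires."""
    missing = []
    if "Directory.Read.All" not in roles and not {"User.Read.All", "Group.Read.All"} <= roles:
        missing.append("Directory.Read.All (or User.Read.All + Group.Read.All)")
    if collect_credential_report and "Reports.Read.All" not in roles:
        missing.append("Reports.Read.All")
    return missing


def check_consent(tenant_id, client_id, client_secret, collect_credential_report=False):
    """Fetch a token with the copied values and report permissions still lacking consent."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        token = json.load(resp)["access_token"]
    return missing_permissions(token_roles(token), collect_credential_report)


def unsigned_token(claims):
    """Constructed sample: build an unsigned JWT so token_roles can be tested offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```

An empty list from `check_consent` means the token carries every application permission the connector needs; any entry names a permission that is not selected or not consented in the app.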

The connector makes API calls to the vendor to retrieve data.