Skip to main content

Prepare Microsoft Azure Active Directory connector

The Microsoft Azure Active Directory connector retrieves information about users and their organizational details in Azure AD.

In Microsoft Azure Portal, you are required to configure a Graph API application, add API access, and grant the application permissions. You are required to copy Directory (tenant) ID and Application (tenant) ID, create and copy client secret, and enter these values in Settings when adding the connector.

Prerequisites

The user account used to create the application in Step 2:

  • If Azure AD > User Settings > Users can register applications is Yes, the user account used to create the application does not have to be assigned to a role.

  • If Azure AD > User Settings > Users can register applications is No, the user account used to create the application must be assigned to one of the following roles:

    • Global administrator

    • Application administrator

    • Cloud application administrator

    • Application developer

The user who grants administrator consent in Step 3.c must be assigned to the Global administrator role.

Collection of the CredentialUserRegistration report in Step 6, with application permissions set in Step 3.b.ii, requires a premium tier Azure AD B2C license.

Procedure

  1. Sign in to the Microsoft Azure Portal: https://azure.microsoft.com/

  2. In App registrations, create an Azure Active Directory application.

    1. Set Supported account types to Accounts in this organizational directory only.

    2. Set Redirect URI to Web.

    3. In URI, enter http://localhost.

  3. Add API permissions to Microsoft Graph for the application you created.

    1. Configure Delegated permissions:

      1. Select Delegated permissions.

      2. Select offline_access in the list of permissions.

      3. Clear the User: User.Read permission, if it is selected.

    2. Configure Application permissions:

      1. In the list of permissions, do one of the following:

        • Select Directory: Directory.Read.All.

        • Select User: User.Read.All and Group: Group.Read.All.

      2. Optional: If you want to collect the CredentialUserRegistration report, select Reports: Reports.Read.All in the list of permissions. This step is only required if Collect user credential details report is selected when adding the connector, and you must fullfil the prerequisites.

        The report represents the details of the usage of self-service password reset and multi-factor authentication (MFA) for all registered users. Details include user information, status of registration, and the authentication method used.

    3. Select Grant admin consent for [your company name].

  4. In Certificates & secrets, create a new client secret with the following information:

    1. Enter a Description for the key, for your own reference.

    2. Set Expires to your desired value.

      Caution

      When the client secret expires, the connector will not be able to run.

      Regenerate the client secret when it expires and enter the new value in the connector Settings.

    3. To display the client secret, select Add.

      Copy and save the value. It is used when adding the connector.

  5. Copy Application (client) ID and Directory (tenant) ID for the application. They used when adding the connector.

  6. When adding the connector, in Settings, enter the saved values according to the table.

    Setting

    Value from Microsoft Azure Portal

    Tenant ID

    Directory (tenant) ID

    Client ID

    Application (client) ID

    Client secret

    Client secret

    Domains

    The domains in your organization for which you want to collect data.

    • An asterisk, *, collects data for all domains connected to your organization, including user accounts without email address. This is the default value.

    • One or several domains connected to your organization collects data only for those, and will exclude user accounts without email address. One name per row.

    If you add both an asterisk and names, the asterisk takes precedence and data is collected for all domains.

    Note

    If you also have the SaaS connector for Microsoft 365, you must populate the Domains field in the same way in both settings, otherwise the undesired data is collected anyway from Microsoft.

    Collect user credential details report

    Select this checkbox if you want to collect the CredentialUserRegistration report.

    This requires the permission Report.Read.All in the created application, and you must fullfil the prerequisites.

After completing this task, follow the general procedure to Add connectors.

The connector makes API calls to the vendor to retrieve data.

In this section: