Preparations
Before the Azure AD Discovery connector can be configured, the following steps must be done in Microsoft Azure.
Prerequisites
An Azure user account with admin privileges is required. To query the necessary Graph endpoints, the Azure application needs the following Graph application permissions:
Read users
Read devices
Read audit logs
Register an Azure Active Directory application
In the Microsoft Azure portal, in the main menu, select Azure Active Directory, and then select App registrations.
Select New registration.
In Name, enter a suitable name for the app, such as Azure AD Discovery SIM app. Set Supported account types to Accounts in this organizational directory only.
To save the new application, select Register.
Grant Microsoft Graph API permissions to access the Azure Active Directory data
The Azure AD Discovery connector uses a Microsoft Azure application with Graph API access to gather the Azure AD data.
In the Microsoft Azure portal, in the main menu, select Azure Active Directory, and then select App registrations.
Select the app you created in Step 1 (Register an Azure Active Directory application).
Select API Permissions, and then select Add a permission.
In Request API permissions, select Microsoft Graph.
Select Application permissions, and configure the list of permissions:
Select User > User.Read.All (Read all users' full profiles).
Select Device > Device.Read.All (Read all devices).
Select AuditLog > AuditLog.Read.All (Read all audit log data). This permission is needed to read the SignInActivity field of user objects and the DirectoryAudit objects that the connector uses to determine WhenChanged for users and devices.
If User > User.Read is checked under Delegated permissions, clear the checkbox.
Select Add permissions.
Select Grant admin consent for [your company name].
Note
An admin user must perform this step.
Locate Directory (tenant) ID
Locate the ID of the Azure Active Directory (tenant) from which the connector retrieves data. The value is used when configuring the connector.
In the Microsoft Azure portal, navigate to the app you created in Step 1 (Register an Azure Active Directory application).
Make a note of the value in the Directory (tenant) ID. This value will be used as the Directory id when configuring the connector.
Locate Application (client) ID
Locate the ID of the application that will connect to Microsoft Azure Active Directory. The value is used when configuring the connector.
In the Microsoft Azure portal, navigate to the app you created in Step 1 (Register an Azure Active Directory application).
Make a note of the value of the Application (client) ID field. The value will be used as the Application id when configuring the connector.
Locate client secret
Locate the key that is used as the secret in the connection to Microsoft Azure. The value is used when configuring the connector.
In the Microsoft Azure portal, navigate to the app you created in Step 1 (Register an Azure Active Directory application).
Select Certificates & secrets.
Create a new client secret using the following information:
Select New client secret.
In Add a client secret, enter a suitable Description for the client secret.
In Expires, set a suitable expiration date.
Note
A new client secret must be generated after the set expiration time passes. This also means that the connector must be reconfigured with the new secret.
Select Add. The client secret is shown.
Note the value of the client secret. This value is used as the Application secret when configuring the connector.
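The following Python script is an added pre-flight check and is not part of the connector or of this procedure. It ties the two halves of the task together: it builds the client-credentials token request the connector's app registration uses (Directory id, Application id and Application secret from the steps above, against the Graph .default scope), and it inspects the roles claim of an access token to confirm that admin consent covers User.Read.All, Device.Read.All and AuditLog.Read.All before the connector is configured. The sample token is constructed locally (unsigned, alg "none") so the check runs offline; the function names, the Graph query list and the expiry helper are this example's own assumptions.

```python
"""Pre-flight check for an Azure AD Discovery connector app registration (added example)."""
import base64
import json
from datetime import date
from urllib.parse import urlencode

# Graph application permissions required by the connector, as listed in the procedure.
REQUIRED_ROLES = {"User.Read.All", "Device.Read.All", "AuditLog.Read.All"}

# App-only tokens for Microsoft Graph are requested with the .default scope.
GRAPH_SCOPE = "https://graph.microsoft.com/.default"


def token_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for the OAuth 2.0 client-credentials grant.

    tenant_id  -> Directory (tenant) ID  (Directory id in the connector)
    client_id  -> Application (client) ID (Application id in the connector)
    client_secret -> client secret value  (Application secret in the connector)
    """
    url = "https://login.microsoftonline.com/%s/oauth2/v2.0/token" % tenant_id
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
        "grant_type": "client_credentials",
    })
    return url, body


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_roles(access_token):
    """Return the app roles granted in a Graph access token's payload.

    Only the payload is parsed; the signature is NOT verified here. Use this to
    inspect a token you already trust, not to accept one from a third party.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = json.loads(_b64url_decode(parts[1]))
    # Application permissions appear as "roles"; delegated ones as "scp".
    return set(payload.get("roles", []))


def missing_roles(access_token):
    """Roles from the procedure that admin consent has not (yet) granted."""
    return REQUIRED_ROLES - token_roles(access_token)


def graph_queries():
    """The Graph v1.0 endpoints the three permissions unlock (assumed query set)."""
    return {
        "users": "https://graph.microsoft.com/v1.0/users"
                 "?$select=id,displayName,userPrincipalName,signInActivity",
        "devices": "https://graph.microsoft.com/v1.0/devices"
                   "?$select=id,displayName,deviceId",
        "directory_audits": "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits",
    }


def days_until_expiry(expires_on, today):
    """Days left on the client secret; negative means the connector must be reconfigured."""
    return (expires_on - today).days


def make_sample_token(roles):
    """Build a CONSTRUCTED, unsigned JWT carrying the given roles (for offline testing)."""
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "none", "typ": "JWT"}
    payload = {"aud": "https://graph.microsoft.com", "roles": list(roles)}
    return seg(header) + "." + seg(payload) + "."


if __name__ == "__main__":
    # Placeholder identifiers; replace with the values noted in the procedure.
    url, body = token_request("<tenant-id>", "<client-id>", "<client-secret>")
    print("POST", url)
    print(body)
    partial = make_sample_token(["User.Read.All", "Device.Read.All"])
    print("missing consent for:", sorted(missing_roles(partial)))
    print("secret days left:", days_until_expiry(date(2025, 1, 31), date(2025, 1, 1)))
```

Run the script after granting admin consent and paste a real access token into token_roles; an empty missing_roles result means the three permissions in the procedure are effective, while a non-empty one usually means consent was granted for delegated instead of application permissions or was not granted at all.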
After completing this task, follow the general procedure to Configure the connector.
The connector makes API calls to the vendor to retrieve data.