The Azure AD connector for Elimity Insights fetches users, groups, roles and licenses from Azure AD so you can stay in control of your environment.
Follow the instructions below to set up the connector for your environment.
How it works
- Elimity Insights periodically fetches users, groups, roles and licenses from Azure AD.
- Write Elimity Insights queries to review and monitor updates to the data, or leverage existing queries.
- Configure these stored queries to take action when the Elimity Insights data changes.
Integration requirements
Setting up an Azure AD source in Elimity Insights requires:
- a user in Azure AD to set up an app registration,
- a user in Elimity Insights with the role Connector Admin or higher.
Integration instructions
Follow these steps to set up an Azure AD source in Elimity Insights:
- Log in to Azure AD and note down your tenant ID.
- Go to "App registrations" and click "New registration".
- Choose a name for this integration (e.g., "Elimity Insights integration"). Leave the default for "Supported account types" and "Redirect URI". Click "Register" and note down the application (client) ID.
- Next, give the app registration the necessary API permissions. Click "API permissions" in the menu on the left and add only the following Microsoft Graph application permission (not a delegated permission): Directory.Read.All. If you have an Azure AD Premium P1/P2 license and would like to import sign-in activity for users, add the AuditLog.Read.All application permission as well. Application permissions only take effect after an administrator clicks "Grant admin consent" for the tenant, so do that before continuing. Do not grant anything beyond these permissions; the connector only reads directory data.
- Finally, add a secret to the app registration so that Elimity Insights can authenticate to the Microsoft Graph API as this app. Click "Certificates & secrets" in the menu on the left and add a new client secret. Immediately note down the value of your new secret: it is shown only once, and the 'Secret ID' displayed next to it is not the secret. Also note the expiry date you chose; the connector stops working once the secret expires and you will have to create a new one.
- Provide your Azure AD tenant ID, the application (client) ID and the client secret value in the form to the left. Enable 'Import sign-in activity' if you want to import sign-in activity for users. As mentioned in step 4, this requires an Azure AD Premium P1/P2 license and the additional AuditLog.Read.All permission.
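The script below is an added example, not part of Elimity Insights or of Microsoft's tooling. It checks the three values from the steps above before you paste them into the form and covers the mistakes listed under Troubleshooting: a tenant or application ID that is not a GUID, the 'Secret ID' pasted instead of the secret value, and an app that was granted (or consented) fewer permissions than the connector needs. It assumes Python 3 with only the standard library; the token endpoint URL, the `.default` scope and the `roles` claim are the standard Azure AD client-credentials behaviour, and `constructed_token` builds a locally constructed, unsigned token purely so the inspection logic can be exercised without a tenant.

```python
"""Preflight check for the Elimity Insights Azure AD form values
(tenant ID, application (client) ID, client secret value).

Added example; not part of Elimity Insights or Microsoft's tooling.
Standard library only. The single network call is the public Azure AD
OAuth 2.0 client-credentials token endpoint; everything else runs offline.
"""
import base64
import json
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

# Microsoft Graph application permissions the connector needs.
REQUIRED_ROLES = {"Directory.Read.All"}
# Only needed when 'Import sign-in activity' is enabled (Azure AD Premium P1/P2).
SIGN_IN_ROLES = {"AuditLog.Read.All"}


def check_form_values(tenant_id, client_id, client_secret):
    """Return a list of problems with the three form fields (empty when they look right)."""
    problems = []
    if not GUID_RE.match(tenant_id):
        problems.append("Tenant ID is not a GUID; copy it from the app registration's overview page")
    if not GUID_RE.match(client_id):
        problems.append("Application ID is not a GUID; copy it from the app registration's overview page")
    if not client_secret:
        problems.append("Application Secret is empty")
    elif GUID_RE.match(client_secret):
        # The portal shows a 'Secret ID' (a GUID) next to the actual secret value.
        problems.append("Application Secret is a GUID: that is the 'Secret ID', not the secret value")
    return problems


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def roles_from_token(access_token):
    """Application permissions granted to the app, read from the token's 'roles' claim.

    Only the payload is decoded. The signature is not checked because the token was
    just issued to us, and Microsoft Graph validates it on every request anyway.
    """
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    return set(payload.get("roles", []))


def missing_permissions(access_token, import_sign_in_activity=False):
    """Permissions the connector needs but the app was not granted (or not consented)."""
    needed = set(REQUIRED_ROLES)
    if import_sign_in_activity:
        needed |= SIGN_IN_ROLES
    return needed - roles_from_token(access_token)


def request_token(tenant_id, client_id, client_secret):
    """OAuth 2.0 client-credentials grant for Microsoft Graph (the only network call)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    try:
        with urllib.request.urlopen(urllib.request.Request(url, data=body, method="POST")) as resp:
            return json.load(resp)["access_token"]
    except urllib.error.HTTPError as exc:
        # Azure AD puts the messages quoted under Troubleshooting in this body,
        # e.g. "Invalid client secret provided" or "... client secret keys ... are expired".
        raise SystemExit(f"token request failed: {exc.read().decode()}")


def constructed_token(roles):
    """Locally constructed, unsigned JWT with the given roles, for offline use only.
    Real tokens from the endpoint are signed; this just exercises roles_from_token."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc({'roles': roles})}."


if __name__ == "__main__":
    # usage: python preflight.py <tenant-id> <application-id> <client-secret> [--sign-in]
    tenant, app, secret = sys.argv[1:4]
    want_sign_in = "--sign-in" in sys.argv[4:]
    for problem in check_form_values(tenant, app, secret):
        sys.exit(problem)
    missing = missing_permissions(request_token(tenant, app, secret), want_sign_in)
    if missing:
        sys.exit(f"app lacks permissions (add them and grant admin consent): {sorted(missing)}")
    print("credentials and permissions look good")
```

If the token request succeeds but `missing_permissions` reports Directory.Read.All, the permission was added in the portal but admin consent was never granted; the connector would then authenticate fine and fail on its first Graph call.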
Troubleshooting
Specified tenant identifier ‘xyz’ is neither a valid DNS name, nor a valid external domain.
The value for the ‘Tenant ID’ field is invalid, make sure you copied it correctly from the Azure AD app registration’s overview page.
Application with identifier ‘xyz’ was not found in the directory ‘abc’.
The value for the ‘Application ID’ field is invalid, make sure you copied it correctly from the Azure AD app registration’s overview page, and that the application is installed for the configured tenant.
Invalid client secret provided.
The value for the ‘Application Secret’ field is invalid, make sure you copied the value from the newly generated client secret, not the ‘Secret ID’!
The provided client secret keys for app ‘xyz’ are expired.
The value for the ‘Application Secret’ field has expired, please create a new client secret and copy its value into the field.
Frequently asked questions
What is the difference between 'client' and 'resource' service principals?
From Azure AD's perspective, these entities both represent the same service principals (a.k.a. app registrations). In Elimity Insights, there will always be one client service principal for each resource service principal and vice versa. They have exactly the same properties and attribute assignments; the only difference lies in their relationships with other entities.
From Elimity Insights' perspective, client service principals represent Azure AD service principals acting as clients. This means they can occur as group members and have their own app roles. Resource service principals, on the other hand, represent Azure AD service principals acting as resources. These entities have relationships with app roles to indicate who has which level of access within the Azure AD application.
As an example, consider the following situation: the Azure AD connector for Elimity Insights has the `Directory.Read.All` permission in the Microsoft Graph application. This would translate to the following entities and relationships in Elimity Insights:
Changelog
v3.22.2
- The connector now includes several attribute assignments for users and groups that were previously never assigned or defaulted to a fixed value.
v3.24.0
- This update adds support for importing service principals and their relationships with groups and roles.
v3.25.0
- The connector now also imports mail nicknames for both users and groups.
v3.25.3
- This patch fixes an issue related to users with many groups or roles. Previous versions of the connector would consider at most 100 groups or roles per user.
v3.27.0
- From v3.27.0 onwards, the Azure AD connector supports importing sign-in activity for users, which requires an Azure AD Premium P1/P2 license and additionally granting the AuditLog.Read.All permission.
- Unused attribute types for users and groups have been archived.
- The connector now also imports group types for all Azure AD groups.
- This update includes new entity types and relationship types for app roles. More specifically, the connector now imports roles for users and groups within specific Azure AD applications.
v3.28.0
- This release fixes missing relationships between 'default access' app roles and their resource service principals.
v3.29.0
- Azure AD groups now have an attribute type containing the email addresses of their owners.
v3.30.0
- Azure AD users now have an attribute type containing the identifiers of the groups they own.