Azure AD Users Connector

Oomnitza's Azure User Connector allows organizations to pull user information from Azure AD and populate it in Oomnitza. More info in Azure AD can be found here: https://azure.microsoft.com/en-us/services/active-directory/

Standard Mappings

The following fields can be mapped from Azure AD using Oomnitza's User Interface:

• Department
• Given name
• Is account enabled
• Job title
• Mail
• Mail nickname
• Surname
• User principal name

Custom Mappings

Additional fields my be available to may through the config.ini. Please see Creating Custom Field Mappings for more details on adding these mappings. 

Setup

Details on setting up the Oomnitza Connector can be found in Oomnitza's Articles on Connector Setup. 

Azure AD integration requires the following three pieces of information for a Service Principal Application in Azure:

• Tenant ID
• Client ID
• Client Secret

Documentation from Microsoft is available in the articles below, and we've outlined them in the section below.

• https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal
• https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-configure-prerequisites-for-reporting-api

Creating a Service Principal Application in Azure

Notes:

1. You must be an Azure Administrator to complete this process. 
2. The below steps and images are taken from Microsoft's Azure documentation. Though we do our best to keep this document accurate, the interface and the steps involved may change without warning.

Register an Azure AD Application:

1. Sign in to your Azure Account.

2. Select Azure Active Directory.
   

3. Select App registrations.
   

4. Select New registration.
   

5. Name and Register the Application. 
   

Retrieve your Tenant and Client IDs:

1. Select Azure Active Directory.

2. From App registrations in Azure AD, select your application.

3. Copy the Directory (tenant) ID and Application (client) ID. These will be added to the config.ini.
   

Create an Application Secret:

1. Select Azure Active Directory.

2. From App registrations in Azure AD, select your application.

3. Select Certificates & secrets.

4. Select Client secrets -> New client secret.

5. Provide a description of the secret, and a duration. When done, select Add.

6. Save your newly created Secret.

Grant Appropriate Permissions:

The only API permission required is Directory.Read.All (this applies to both Microsoft Graph API as well as the legacy Azure AD Graph API). To grant your application permissions to use the APIs:

1. Select API permissions.
          

2. Select Add a permission.

   

3. On the Request API permissions page, locate Support legacy API Azure Active Directory Graph.

   

4. On the Required permissions page, select Application Permissions, expand Directory checkbox Directory.ReadAll. Select Add permissions.

   

5. On the Reporting API Application - API Permissions page, select Grant admin consent.

   

Config File

The full config file should also contain the following fields:

• Enable - When True, turns the Azure connector on. When False turns the Azure connector off.
• Default_role - The default Role ID for newly created users. By default, 25 will create users with the Employee role.
• Default_position - The default Position for newly created users. Defaults to Employee.

Example Azure AD Config

 More details on creating custom field mappings can be found here.

[azureusers]
enable = True
tenant_id = <tenant-id-from-azure> 
client_id = <client-id-from-azure>
secret = <secret-from-azure>
default_role = 25
default_position = Employee