Oomnitza's Azure User Connector allows organizations to pull user information from Azure AD and populate it in Oomnitza. More info in Azure AD can be found here: https://azure.microsoft.com/en-us/services/active-directory/
Standard Mappings
The following fields can be mapped from Azure AD using Oomnitza's User Interface:
- Department
- Given name
- Is account enabled
- Job title
- Mail nickname
- Surname
- User principal name
Custom Mappings
Additional fields may be available to map through the config.ini. Please see Creating Custom Field Mappings for more details on adding these mappings.
Setup
Details on setting up the Oomnitza Connector can be found in Oomnitza's Articles on Connector Setup.
Azure AD integration requires the following three pieces of information for a Service Principal Application in Azure:
- Tenant ID
- Client ID
- Client Secret
Documentation from Microsoft is available in the articles below, and we've outlined them in the section below.
- https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal
- https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-configure-prerequisites-for-reporting-api
Creating a Service Principal Application in Azure
Notes:
- You must be an Azure Administrator to complete this process.
- The below steps and images are taken from Microsoft's Azure documentation. Though we do our best to keep this document accurate, the interface and the steps involved may change without warning.
Register an Azure AD Application:
- Sign in to your Azure Account.
- Select Azure Active Directory.
- Select App registrations.
- Select New registration.
- Name and Register the Application.
Retrieve your Tenant and Client IDs:
- Select Azure Active Directory.
- From App registrations in Azure AD, select your application.
- Copy the Directory (tenant) ID and Application (client) ID. These will be added to the config.ini.
Create an Application Secret:
- Select Azure Active Directory.
- From App registrations in Azure AD, select your application.
- Select Certificates & secrets.
- Select Client secrets -> New client secret.
- Provide a description of the secret, and a duration. When done, select Add.
- Save your newly created Secret.
Grant Appropriate Permissions:
The only API permission required is Directory.Read.All (this applies to both Microsoft Graph API as well as the legacy Azure AD Graph API). To grant your application permissions to use the APIs:
- Select API permissions.
- Select Add a permission.
- On the Request API permissions page, locate Azure Active Directory Graph under Supported legacy APIs.
- On the Required permissions page, select Application permissions, expand Directory, and check Directory.Read.All. Select Add permissions.
- On the API permissions page for your application, select Grant admin consent.
Config File
The full config file should also contain the following fields:
- Enable - When True, turns the Azure connector on. When False, turns the Azure connector off.
- Default_role - The default Role ID for newly created users. By default, 25 will create users with the Employee role.
- Default_position - The default Position for newly created users. Defaults to Employee.
Example Azure AD Config
More details on creating custom field mappings can be found here.
[azureusers]
enable = True
tenant_id = <tenant-id-from-azure>
client_id = <client-id-from-azure>
secret = <secret-from-azure>
default_role = 25
default_position = Employee
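As an added example (not Oomnitza's own connector code), the script below checks a config.ini in the [azureusers] layout shown above for missing values and for placeholders that were never replaced, and maps a Microsoft Graph user record onto the standard mapping fields listed on this page. The Graph attribute names (department, givenName, accountEnabled, jobTitle, mailNickname, surname, userPrincipalName), the "Role ID" and "Position" output keys, and the sample config are assumptions made for this example.

```python
import configparser
# Constructed sample in the page's [azureusers] layout; two placeholders deliberately left unfilled.
SAMPLE_CONFIG = """[azureusers]
enable = True
tenant_id = <tenant-id-from-azure>
client_id = 11111111-2222-3333-4444-555555555555
secret = <secret-from-azure>
default_role = 25
default_position = Employee
"""
REQUIRED = ("tenant_id", "client_id", "secret", "default_role", "default_position")

# Assumed Microsoft Graph user attribute -> Oomnitza standard mapping field listed on this page
GRAPH_TO_OOMNITZA = {
    "department": "Department",
    "givenName": "Given name",
    "accountEnabled": "Is account enabled",
    "jobTitle": "Job title",
    "mailNickname": "Mail nickname",
    "surname": "Surname",
    "userPrincipalName": "User principal name",
}

def check_azure_config(ini_text):
    """Return the problems found in [azureusers]; an empty list means the section is usable."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    if not cp.has_section("azureusers"):
        return ["missing [azureusers] section"]
    sec, problems = cp["azureusers"], []
    if sec.get("enable", "").strip().lower() not in ("true", "false"):
        problems.append("enable must be True or False")
    for key in REQUIRED:
        val = sec.get(key, "").strip()
        if not val:
            problems.append(f"{key} is missing")
        elif val.startswith("<") and val.endswith(">"):
            problems.append(f"{key} still holds the placeholder {val}")
    return problems

def graph_users_url():
    """Users query that asks Graph only for the attributes the standard mappings need."""
    return "https://graph.microsoft.com/v1.0/users?$select=" + ",".join(GRAPH_TO_OOMNITZA)

def map_graph_user(user, default_role="25", default_position="Employee"):
    """Translate one Graph user record into the page's mapping fields, applying the config defaults."""
    mapped = {dst: user.get(src) for src, dst in GRAPH_TO_OOMNITZA.items()}
    mapped["Role ID"], mapped["Position"] = default_role, default_position
    return mapped
```

Run check_azure_config on the real config.ini before enabling the connector; a placeholder left in the secret field is the most common reason the first sync fails.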