The Identity component of the AzureActiveDirectory connector allows you, as an Identity administrator, to configure AzureActiveDirectory as a connected system and then make Identity users part of the AzureActiveDirectory system. The connector also enables the user or Identity administrator to reset Azure Active Directory account passwords and enable and disable user accounts. The Provisioning component of this connector enables exporting and importing of user accounts and Groups on an AzureActiveDirectory. It also supports exporting roles from an AzureActiveDirectory system.
Functionalities
Provisioning Integration
Data Format | Export | Create | Modify | Delete | Trigger |
---|---|---|---|---|---|
User | Yes | Yes | Yes | Yes | No |
Group | Yes | Yes | Yes | Yes | No |
Role | Yes | No | No | No | No |
Identity Integration
Product Feature | Supported |
---|---|
Authenticate (Test Connection) | Yes |
Validate User | Yes |
Enable/Disable User | Yes |
Reset Password | Yes |
Expire Password Immediately | Yes |
Prerequisites
The following prerequisites must be satisfied before you can use Fischer Identity's Azure Active Directory connector:
- Create the Application Registration.
- Set the permissions.
- Configure the information required for authentication.
- Configure the required user permissions.
Creating the Application Registration
- Go to Azure Portal and log in.
- Click on Azure Active Directory on the left-hand side navigation.
- Navigate to App registrations.
- Click on New application registration at the top.
- Give your application registration a Name that describes your app or purpose.
- In the Application type drop-down, select Web app / API type of app registration.
- Type the sign-on URL. This should be your app home page URL. If your app doesn’t have a home page, you can type anything here, as long as it is a valid URL (e.g. https://anything). The URL is automatically added to the Reply URLs of the app registration. Reply URLs are the locations where the user is allowed to get redirected to after authentication (a security measure). The URLs can include wildcards (*).
Setting the Permissions
- Click on Settings at the top.
- Select Required permissions.
- Click Add.
- Click Select an API, then Windows Azure Active Directory and finally the Select button.
- In the Select permissions section, tick the checkboxes for the permissions (use least privilege) mentioned in the Graph documentation of the operation you want to use. Make sure you select them in the Delegated permissions section. The permission labels in Azure Active Directory don’t match the ones displayed in the documentation, but if you hover your mouse over them, the tooltip shows the permission value as described in the documentation.
- Finalize the permission settings by clicking Select, Done and Grant Permissions (if you selected permissions that require admin consent). Note that if you are not an admin, you won’t be able to complete the last step yourself, but need to ask your admin friend for help.
Configuring the information required for authentication
Now our application registration is ready for use and we are able to get authorized to use the API. For that, you need to note down some information from your Azure AD:
- Tenant ID - This can be seen in many places. You can, for example, go to the first blade you opened when you clicked on App registrations, and click on the Endpoints button at the top. There you will see several URLs that contain your tenant ID (GUID).
- Application ID - This you can see in the main view when you navigate to the app registration.
- Application Key - While still in the Azure portal, choose your application, click on Settings. Click on Keys from the Settings menu. Enter a name for the key and choose the desired duration. Click on Save and the key will be displayed. Make sure to copy the value of this key before leaving this screen, otherwise you may need to create a new key. This value is used as the Client Secret in the next step.
- Username & Password of the administrator user - See the next section for the required user privileges for each operation supported by the connector.
Configuring the required user permissions
We connect to the Azure AD REST API using a password grant, on behalf of an administrative user. For each connector operation you intend to use, that user must hold one of the directory roles listed in the table below (preferably the least privileged one that covers the operation). A Global Administrator user is required only if you need to make use of all the connector features.
Operation | API | Required Directory Roles |
---|---|---|
Get Users | GET /users?api-version[&$filter] | Directory Readers, Directory Writers, User Administrator, Global Administrator |
Get User | GET /users/{user_id}?api-version | Directory Readers, Directory Writers, User Administrator, Global Administrator |
Create User | POST /users?api-version | User Administrator, Global Administrator |
Update User | PATCH /users/{user_id}?api-version | User Administrator, Global Administrator, Directory Writers |
Reset Non-Admin User Password | PATCH /users/{user_id}?api-version | Helpdesk (Password) Administrator, User Administrator, Global Administrator |
Reset Limited-Admin User Password | PATCH /users/{user_id}?api-version | User Administrator, Global Administrator |
Reset Admin User Password | PATCH /users/{user_id}?api-version | Global Administrator |
Delete User | DELETE /users/{user_id}[?api-version] | User Administrator, Global Administrator |
Get User Manager | GET /users/{user_id}/$links/manager?api-version | User Administrator, Global Administrator, Directory Readers, Directory Writers |
Assign User Manager | PUT /users/{user_id}/$links/manager?api-version | User Administrator, Global Administrator, Directory Writers |
Get User Direct Reports | GET /users/{user_id}/$links/directReports?api-version | User Administrator, Global Administrator, Directory Readers, Directory Writers |
Get User memberships | GET /users/{user_id}/$links/memberOf?api-version | User Administrator, Global Administrator, Directory Readers, Directory Writers |
Assign/Remove/Update User Licenses | POST /users/{user_id}/assignLicense?api-version | License Administrator, User Administrator, Global Administrator, Directory Writers |
Get Groups | GET /groups?api-version | User Administrator, Global Administrator, Directory Readers, Directory Writers |
Get Group | GET /groups/{object_id}?api-version | User Administrator, Global Administrator, Directory Readers, Directory Writers |
Create Group | POST /groups?api-version | User Administrator, Global Administrator, Directory Writers |
Update Group | PATCH /groups/{object_id}?api-version | User Administrator, Global Administrator, Directory Writers |
Delete Group | DELETE /groups/{object_id}[?api-version] | User Administrator, Global Administrator |
Get Group Members | GET /groups/{object_id}/$links/members?api-version | User Administrator, Global Administrator, Directory Readers, Directory Writers |
Add Group Members | POST /groups/{object_id}/$links/members?api-version | User Administrator, Global Administrator, Directory Writers |
Remove Group Members | DELETE /groups/{object_id}/$links/members/{member_id}?api-version | User Administrator, Global Administrator, Directory Writers |
Get Directory Roles | GET /directoryRoles?api-version | Global Administrator, Privileged Role Administrator |
Get Directory Role | GET /directoryRoles/{object_id}?api-version | Global Administrator, Privileged Role Administrator |
Add/Delete Directory Role Member | POST /directoryRoles/{object_id}/$links/members?api-version | Privileged Role Administrator, Global Administrator |
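The table above can be searched mechanically to pick the narrowest service-account role for the operations a deployment actually uses. The Python below is an added example, not code from the connector or this guide: it transcribes the table and, as its own measure of privilege, counts how many connector operations a role may perform; it also goes beyond the single role the text describes by reporting a combination of narrower roles where that avoids Global Administrator.

```python
from itertools import combinations

DR, DW, UA, GA = ("Directory Readers", "Directory Writers",
                  "User Administrator", "Global Administrator")
HD, LA, PRA = ("Helpdesk (Password) Administrator", "License Administrator",
               "Privileged Role Administrator")

# Operation -> directory roles allowed to perform it, transcribed from the
# "Required Directory Roles" table above.
REQUIRED_ROLES = {
    "Get Users":                          {DR, DW, UA, GA},
    "Get User":                           {DR, DW, UA, GA},
    "Create User":                        {UA, GA},
    "Update User":                        {UA, GA, DW},
    "Reset Non-Admin User Password":      {HD, UA, GA},
    "Reset Limited-Admin User Password":  {UA, GA},
    "Reset Admin User Password":          {GA},
    "Delete User":                        {UA, GA},
    "Get User Manager":                   {UA, GA, DR, DW},
    "Assign User Manager":                {UA, GA, DW},
    "Get User Direct Reports":            {UA, GA, DR, DW},
    "Get User memberships":               {UA, GA, DR, DW},
    "Assign/Remove/Update User Licenses": {LA, UA, GA, DW},
    "Get Groups":                         {UA, GA, DR, DW},
    "Get Group":                          {UA, GA, DR, DW},
    "Create Group":                       {UA, GA, DW},
    "Update Group":                       {UA, GA, DW},
    "Delete Group":                       {UA, GA},
    "Get Group Members":                  {UA, GA, DR, DW},
    "Add Group Members":                  {UA, GA, DW},
    "Remove Group Members":               {UA, GA, DW},
    "Get Directory Roles":                {GA, PRA},
    "Get Directory Role":                 {GA, PRA},
    "Add/Delete Directory Role Member":   {PRA, GA},
}
ALL_ROLES = sorted(set().union(*REQUIRED_ROLES.values()))


def breadth(role):
    """How many connector operations the role may perform, per the table.
    This count is the privilege measure used here (an assumption of this example)."""
    return sum(role in roles for roles in REQUIRED_ROLES.values())


def _check(operations):
    ops = set(operations)
    unknown = ops - REQUIRED_ROLES.keys()
    if unknown:
        raise KeyError(f"unknown connector operation(s): {sorted(unknown)}")
    return ops


def single_role_options(operations):
    """Roles that on their own cover every requested operation, narrowest first."""
    ops = _check(operations)
    fits = [r for r in ALL_ROLES if all(r in REQUIRED_ROLES[o] for o in ops)]
    return sorted(fits, key=lambda r: (breadth(r), r))


def least_privileged_roles(operations):
    """Role combination covering the operations with the smallest total breadth
    (ties broken by fewer roles). Global Administrator alone always covers
    everything, so a solution always exists. Exhaustive search: 7 roles only."""
    ops = _check(operations)
    best_score, best = None, None
    for n in range(1, len(ALL_ROLES) + 1):
        for combo in combinations(ALL_ROLES, n):
            if all(any(r in REQUIRED_ROLES[o] for r in combo) for o in ops):
                score = (sum(breadth(r) for r in combo), n)
                if best_score is None or score < best_score:
                    best_score, best = score, list(combo)
    return best


if __name__ == "__main__":
    read_only = ["Get Users", "Get Groups", "Get Group Members"]
    print("read-only export:", single_role_options(read_only))
    print("user create + role export:",
          least_privileged_roles(["Create User", "Get Directory Roles"]))
    print("everything:", least_privileged_roles(REQUIRED_ROLES))
```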
Creating the Connected System in the Admin UI
- Log in to Identity Administration and click the Systems tab.
- On the Connected System View page, click the Add button and select the Azure connected system from the Type drop-down list. The Connected System Details page displays the default values:
- Enter the desired information:
Definition
Supported Connectors
Displays whether the connected system is Identity only, Provisioning only, or both.
Type
Select the connected system type.
Locale
Select the preferred language (default: English). Locale specific information such as Display Name and Description can be added only while modifying the connected system.
Name
The name for this connected system. Note: The name cannot be modified later.
Display Name
The display name of the new connected system.
Description
The description of the connected system.
Associated With
Select how the connector associated with this system will run:
- Server (default) - Runs locally on the Provisioning/Identity Server.
- Global Identity Gateway - Runs remotely on a Global Identity Gateway cluster member. Note: Only GIG clusters that have at least one registered and enabled member will display in this list. See the appendix Using the Global Identity Gateway with Connected Systems for additional information.
Password Reset By
This definition enables you as an administrator to configure password management functions normally available to Users and OBO (On Behalf Of) Users:
- OBO User Only - Connected system and account association information is displayed only in Self-Service user management (for OBO Users). OBO Users can reset passwords for accounts on this connected system. Administrators can perform all user management functions for this connected system (e.g., enable/disable, validate, associate user, and password reset). End users will not see their accounts on this connected system in Self-Service and Kiosk; therefore, they cannot reset passwords for accounts on this connected system.
- Users and OBO User - Connected system and account association information is displayed in Self-Service password reset, Self-Service - Kiosk, and Self-Service user management. Self-Service users, Kiosk users, and OBO Users can reset passwords for accounts on this connected system. Administrators can perform all user management functions for this connected system (e.g., enable/disable, validate, associate user, and password reset).
- External - Connected system and account association information is not displayed in Self-Service password reset, Self-Service - Kiosk, and Self-Service user management. Self-Service users, Kiosk users, and OBO Users cannot reset passwords for accounts on this connected system.
Note: When user management configuration enables OBO Users to perform password resets, this definition must be set to OBO User Only or Users and OBO User. For connectors that support Provisioning only, there is no password reset capability.
Provisioning Option
Select the provisioning option:
- Automated (default) - The connected system functions as a normal connected system; there are no restrictions.
- Administrative - The connected system cannot be used as an object in a workflow.
Enable HPAM Support
Select to make the connected system HPAM enabled (default: cleared).
Note: This can only be set for systems that support Identity.
Enable Transfer Of Accounts
Select to make the transfer of Accounts enabled (default: cleared).
Connection Information
Service Account Name
Username of the global administrator user.
Service Account Password
Password of the global administrator user.
Tenant Id
Unique identifier of the directory tenant.
Application Id
The ID for an application, which is generated by Azure AD when the application is registered.
Application Key
The secret key of the registered application.
Password Expiration Support
Expiration Options for Admin/OBO User Password Reset
Specify password expiration: None or Immediate.
- Click the Test Connection button to test the Connection Information:
- If successful, this message will display:
Message: Connection from Provisioning to the connected system was established successfully.
- If unsuccessful, this message will display:
Error: Failed to establish connection from Provisioning to the connected system.
Error: Failed to establish connection from Identity to the connected system. Import-Module : The specified module 'ActiveDirectory' was not loaded because no valid module file was found in any module directory.
Note: If the connection fails, additional messages may display providing more information regarding the failure, and additional information may be posted to the Provisioning logs.
- System Owner (Optional) - Adds or removes users assigned as the owners of the system. Displays the Connected System Owner Search page for selecting users:
- To select owners of the system, click the System Owner Add button. The Connected System Owner Search page displays:
- Select the owners and then click the Select button. The system owner displays under the System Owner section:
The HPAM column indicates whether the system owner is authorized to use the HPAM feature. The Approvers column indicates whether the system owner is an approver in the approval process. The Status column indicates whether the system owner is active.
Note: More than one user can be assigned as an owner.
- To add additional system owners, click the Add button.
- On the Connected System Details page, click the Add button to save the configured connected system. The Object Category Association page displays a list of categories that are already associated and/or can be selected to add additional associations to this connected system:
- Select one or more available object categories or provide search criteria and click the Search button to find specific categories to select. If there are no available categories to select, proceed to Step 7.
- Click the Add Association button to associate the selected object categories to the connected system.
- Click the Back button to return to the Connected System View page. The new connected system displays in the list.
See Copying, Modifying, and Deleting Connected Systems for additional information.
Creating the Connected System in the Studio
- Log in to the Workflow and Connectivity Studio and click Connectivity ► Add Systems on the menu bar. The Add Connected Systems window displays.
- Select the Azure Active Directory connected system from the Type drop-down list. The default values display:
- Enter the desired information:
Definition
Type
Select the connected system type.
Name
The name for this connected system.
Note: The name cannot be modified later.
Display Name
The display name of the new connected system.
Description
The description of the connected system.
Supported Connectors
Displays whether the connected system is Identity only, Provisioning only, or both. Only connectors that support Provisioning are available here.
Associated With
Select how the connector associated with this system will run:
- Server (default) - Runs locally on the Provisioning/Identity Server.
- Global Identity Gateway - Runs remotely on a Global Identity Gateway cluster member. Note: Only GIG clusters that have at least one registered and enabled member will display in this list.
Password Reset By
Enables administrators to configure password management functions normally available to Users and OBO (On Behalf Of) Users:
- OBO User Only - Connected system and account association information is displayed only in Self-Service user management (for OBO Users). OBO Users can reset passwords for accounts on this connected system. Administrators can perform all user management functions for this connected system (e.g., enable/disable, validate, associate user, and password reset). End users will not see their accounts on this connected system in Self-Service and Kiosk; therefore, they cannot reset passwords for accounts on this connected system.
- Users and OBO User - Connected system and account association information is displayed in Self-Service password reset, Self-Service - Kiosk, and Self-Service user management. Self-Service users, Kiosk users, and OBO Users can reset passwords for accounts on this connected system. Administrators can perform all user management functions for this connected system (e.g., enable/disable, validate, associate user, and password reset).
- External - Connected system and account association information is not displayed in Self-Service password reset, Self-Service - Kiosk, and Self-Service user management. Self-Service users, Kiosk users, and OBO Users cannot reset passwords for accounts on this connected system.
Note: When user management configuration enables OBO Users to perform password resets, this definition must be set to OBO User Only or Users and OBO User. For connectors that support Provisioning only, there is no password reset capability.
Provisioning Option
Select the provisioning option:
- Automated (default) - The connected system functions as a normal connected system; there are no restrictions.
- Administrative - The connected system cannot be used as an object in a workflow.
Enable HPAM Support
Select to make the connected system HPAM enabled (default: cleared).
Note: This can only be set for systems that support Identity.
Connection Information
Service Account Name
The name of the administrative user account used to connect to the server.
Tenant Id
Unique identifier of the directory tenant.
Application Id
The ID for an application, which is generated by Azure AD when the application is registered.
Application Key
The secret key of the registered application.
Password Expiration Support
Expiration Options for Admin/OBO User Password Reset
Specify password expiration: None or Immediate.
- Click the Connect button to test the Connection Information:
- If successful, this message displays:
Connection from Studio to the connected system was established successfully.
- If unsuccessful, this message displays:
Failed to establish connection from Studio to the connected system.
Note: If the connection fails, additional messages may display providing more information regarding the failure.
- Click the Apply button to apply changes. The Category Association window displays.
- Select one or more object categories from the Available Categories list or enter a category name and click the Search button to find a specific category to select. If there are no available categories to select, proceed to Step 6.
- Click the Add button to associate the selected object categories to the connected system.
- Click OK to accept selected categories.
See Copying, Modifying, and Deleting Connected Systems for additional information.
Using the Connected System for Identity
Perform these procedures to configure the connector:
- Connector Details for Identity
- Identity Password Management
Connector Details for Identity
This table lists values to enter when associating the Identity user with an existing user in the connected system:
Field | System Attribute | Example Value |
---|---|---|
Login ID | userPrincipalName | john@fischerqadevoutlook.onmicrosoft.com |
ID | objectId | 8ef02282-206f-4fa6-895e-b4751ad256c8 |
Identity Password Management
See User Management for details on password management.
Using the Connected System for Provisioning
Perform these procedures to configure the connector:
- Configuring for Export
- Configuring for Import
- Connector Details for Provisioning
Note: If the number of records to be processed exceeds one thousand, we recommend configuring the workflow to use bulk mode, which lowers the memory consumption of the system by streaming data to files. Because data is streamed for every task, performance of the workflow execution will be decreased due to increased read-write operations. See the Workflow and Connectivity Studio document for details on how to configure bulk mode.
Configuring for Export
Perform these procedures to configure the connector for data export:
- Configuring the Export Connector
- Configuring the Export Link
From the Workflow and Connectivity Studio, select the AzureAD UserExport workflow listed under the projects folder.
If a workflow does not already exist, create an export workflow. See the Workflow and Connectivity Studio document for details on creating export workflows.
Configuring the Export Connector
- In the Design pane, double-click the export object (the first workflow object after the Start object). The Configure Data Source window displays:
- From the Configure Plug-In tab, set these properties as required:
Associated Connected System
Select the connected system from the list. The export operation will be done from this connected system.
Data Formats
Select the type of data format to use: User (default), Group or Role.
DeltaExportMode
Select the type of attribute to export if a change takes place (this works in conjunction with ExportMode when DeltaExport is selected):
- OnlyChangedAttributes - Performs a partial export of only the changed attributes from the last time the query was run.
- ChangedAndMandatoryAttributes (default) - Performs a partial export of both changed and mandatory attributes from the last time the query was run. Mandatory attributes are exported whether they have been changed or not.
- AllAttributes - Performs a full export of all attributes that contain a value.
DynamicConnectedSystem
Select the global variable to use as the dynamic connected system name. This works in conjunction with DynamicConnectedSystemOption when GlobalVariable is selected.
DynamicConnectedSystemOption
Select how to control Dynamic System Support (DSS):
- None - There will not be any Dynamic System Support.
- Transaction-SystemName - The value of the Transaction-SystemName attribute in data will be used as the dynamic connected system. The connected system name must be passed as the value of the attribute Transaction-SystemName; if it is missing in data, the operation will fail.
- GlobalVariable - Select a global variable to use as the dynamic connected system name from the property DynamicConnectedSystem.
ExecuteGIGAssociatedTaskAsynchronously
If this property is True, GIG associated tasks will execute asynchronously.
ExportEntryByID
Option to fetch the details of a single entry by providing its objectId.
ExportMode
Select the type of data to export:
- FullExport - Exports all attributes.
- DeltaExport - Exports changed, mandatory, or all attributes, depending on the DeltaExportMode property setting.
Filter
Specify search criteria to determine the objects to be exported from the container specified in ExportDN. Use the Set Filter button that becomes active to create a filter. See "Set Filter" for additional information.
MaxResults
Select the maximum number of results to be returned (this works in conjunction with ExportMode when FullExport is selected). If this is 0, all entries matching the search criteria are returned.
ResultsPerPage
Number of entries fetched in a single call; set this to 0 if paging is not required. This property is available only for the User and Group data formats.
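To make the three DeltaExportMode settings concrete, the Python below works one user entry through each of them, including a cleared attribute and a multi-valued attribute that grew. It is an added example, not connector code: the entry values are constructed, the attribute names come from the User Data Format table on this page, and the rules follow the property descriptions above (the mandatory set stands for the attributes ticked on the export link), so treat them as an approximation of the product's behaviour rather than its source.

```python
# Snapshot from the last time the query ran (constructed sample values).
PREVIOUS = {
    "objectId": "00000000-0000-0000-0000-000000000001",
    "userPrincipalName": "jdoe@example.onmicrosoft.com",
    "displayName": "Jane Doe",
    "department": "Finance",
    "jobTitle": "Analyst",
    "accountEnabled": True,
    "otherMails": ["jane@example.com"],
    "city": "",
}
# The same entry as it reads now (constructed sample values).
CURRENT = {
    "objectId": "00000000-0000-0000-0000-000000000001",
    "userPrincipalName": "jdoe@example.onmicrosoft.com",
    "displayName": "Jane Doe",
    "department": "Treasury",                                 # changed
    "jobTitle": "",                                           # cleared
    "accountEnabled": False,                                  # account disabled
    "otherMails": ["jane@example.com", "j.doe@example.org"],  # multi-valued, grew
    "city": "",                                               # still empty
}
# Attributes ticked as mandatory on the export link; they identify the entry
# in the Data Mapper, so they are always sent in delta mode.
MANDATORY = {"objectId", "userPrincipalName"}


def has_value(value):
    """True when the attribute carries a value; empty string/list count as none."""
    return value is not None and value != "" and value != []


def changed_attributes(previous, current):
    """Names whose value differs from the last run. Multi-valued attributes
    (MV = Y in the table) are compared as sets, so element order is ignored."""
    changed = set()
    for name in set(previous) | set(current):
        before, after = previous.get(name), current.get(name)
        if isinstance(before, list) or isinstance(after, list):
            if set(before or []) != set(after or []):
                changed.add(name)
        elif before != after:
            changed.add(name)
    return changed


def export_payload(previous, current, mandatory, export_mode, delta_export_mode=None):
    """Attributes the link would export for one entry under ExportMode and,
    for DeltaExport, DeltaExportMode. Returns name -> current value."""
    if export_mode == "FullExport":
        names = set(current)                      # every attribute, even empty ones
    elif export_mode != "DeltaExport":
        raise ValueError(f"unknown ExportMode: {export_mode}")
    elif delta_export_mode == "OnlyChangedAttributes":
        names = changed_attributes(previous, current)
    elif delta_export_mode == "ChangedAndMandatoryAttributes":
        names = changed_attributes(previous, current) | set(mandatory)
    elif delta_export_mode == "AllAttributes":
        names = {n for n, v in current.items() if has_value(v)}
    else:
        raise ValueError(f"unknown DeltaExportMode: {delta_export_mode}")
    return {n: current.get(n) for n in sorted(names)}


if __name__ == "__main__":
    for mode in ("OnlyChangedAttributes", "ChangedAndMandatoryAttributes", "AllAttributes"):
        payload = export_payload(PREVIOUS, CURRENT, MANDATORY, "DeltaExport", mode)
        print(f"{mode}: {list(payload)}")
```

Note that OnlyChangedAttributes sends neither objectId nor userPrincipalName here, which is why the page advises ticking identifying attributes as mandatory when running delta exports.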
Set Filter
Setting the filter is a means to narrow the search scope and return specific results:
Element | Description |
---|---|
Attribute | Select the attribute of the filter. This represents the attribute name for searching the AzureAD system. |
Comparison | Select the operator value for this filter. |
AND Condition List | Creates an AND statement comparing selected conditions. If there is more than one condition in this list box, all conditions must be true. |
OR Condition List | Creates an OR statement comparing selected conditions. If there is more than one condition in this list box, one of the conditions must be true. |
Filter Syntax | Displays the filter syntax used to retrieve entries from the LDAP directory and to build the export list. |
a. Using logical AND/OR, generate the complex filter to narrow the search result.
b. Click OK when complete to return to the Configure Data Source window.
Configuring the Export Link
- In the Design pane, double-click the export link between the export object (the first workflow object after the Start object) and the Data Mapper object. The Configure Link window displays:
Element
Source Attributes
Select the attributes to export.
Selected Attributes
Displays default attributes and those attributes that have been selected from the Source Attributes.
Note: The check boxes are used only for delta export operations. These checked attributes will always be exported whether they were changed or not. Usually, the attributes that are selected as mandatory attributes help in identifying or verifying an entry when completing mapping functions.
Format
Displays the Format Date window to specify a date/time format to be applied to the selected date type attribute, for example, whenChanged. During export, the attribute’s value is converted to the specified format. See the Format Date steps below for additional information.
Notes:
- The Format button is only enabled for date attributes.
- The Refresh Schema button on the Configure Data Source window’s Attributes tab must be used to refresh the schema and enable the Format button for date attributes.
Advanced Settings
Displays the Configure Attributes window for selecting any attributes that need to be encrypted.
- From the Attribute Selection tab, select attributes to export. Usually, these attributes that are selected (mandatory attributes) help in identifying or verifying an entry when completing Data Mapper functions.
- (Optional) Click the Format button to specify a date/time format to be applied to the selected date type attribute. The Format Date window displays.
- Select the Include Time check box to add the timestamp with the date.
- Select the 24 Hour or 12 Hour option button and then select the required date/time format.
- Click OK to save the selected format. The Configure Link window displays.
- Click OK to save any changes and return to the Workflow and Connectivity Studio window.
- Deploy the workflow by selecting Deploy ► New Deployment. See the Workflow and Connectivity Studio documentation for details of deployment options.
- Manage and run the deployed workflow from the Admin UI ► Server tab. See the Identity Suite Administration documentation for details.
Configuring for Import
Perform these procedures to configure the connector for data import:
- Configuring the Import Connector
- Configuring the Import Link
From the Workflow and Connectivity Studio, select the AzureAD UserAdd, UserModify, or UserDelete workflow listed under the projects folder.
If a workflow does not already exist, create an import workflow. See Workflow and Connectivity Studio documentation for details on creating import workflows.
Configuring the Import Connector
- In the Design pane, double-click the import object (the last workflow object). The Configure Data Source window displays:
- From the Configure Plug-in tab, set these properties as required:
Associated Connected System
Select the connected system from the list. The import operation will be done to this connected system.
Data Formats
Select the type of data format to use: User (default) or Group.
DynamicConnectedSystem
Select the global variable to use as the dynamic connected system name. This works in conjunction with DynamicConnectedSystemOption when GlobalVariable is selected.
DynamicConnectedSystemOption
Select how to control Dynamic System Support (DSS):
- None - There will not be any Dynamic System Support.
- Transaction-SystemName - The value of the Transaction-SystemName attribute in data will be used as the dynamic connected system. The connected system name must be passed as the value of the attribute Transaction-SystemName; if it is missing in data, the operation will fail.
- GlobalVariable - Select a global variable to use as the dynamic connected system name from the property DynamicConnectedSystem.
See the Dynamic System Support appendix in the Workflow and Connectivity Studio document for additional information.
ExecuteGIGAssociatedTaskAsynchronously
If this property is True, GIG associated tasks will execute asynchronously.
Id *
Enter the attribute that contains the value used to uniquely identify the user account user ID on the connected system (ACCOUNT_ID column of the FISC_USER_ACCOUNT table).
loginId *
Enter the attribute that contains the value used to uniquely identify the user account login ID on the connected system (ACCOUNT_USERNAME column of the FISC_USER_ACCOUNT table).
Notes:
* accountDN, Id, and loginId are used by the Provisioning Policy and IdentityHub features to populate the ACCOUNT_DN, ACCOUNT_ID, and ACCOUNT_USERNAME columns of the FISC_USER_ACCOUNT table of the Product database. See the ‘Provisioning Policy’ and ‘Provisioning Using the IdentityHub’ chapters of the Identity Suite Administration Guide for details.
Hover the pointer over a property to view its description.
Configuring the Import Link
- In the Design pane, double-click the import link between the Data Mapper object and the import object (the last workflow object). The Configure Link window displays:
Source Attributes
Select the attributes to import.
Check for attribute-level auditing
If auditing is enabled and these attributes below are checked, Provisioning will log all events for auditing purposes.
Selected Attributes
Displays default attributes and those attributes that have been selected from the Source Attributes.
Note: The default attributes are those that are commonly used to create a new user.
Advanced Settings
Displays the Configure Attributes window for configuring advanced settings for attributes. Under the Encrypted column, check the box of any attribute that needs to be encrypted.
Under the Diff With Target column, check the box of any attribute to update using differencing (DiffWithTarget, AddDiffWithTarget, and RemoveDiffWithTarget).
Connector Details for Provisioning
The items in the MV (multi-valued), Export and Import columns have these meanings:
- Y = Yes (attribute is supported for this operation)
- N = No (attribute is not supported for this operation)
User Data Format
Name | Type | MV | Export | Import |
---|---|---|---|---|
accountEnabled | Boolean | N | Y | Y |
ageGroup | String | N | Y | Y |
assignedLicenses->disabledPlans | String | Y | Y | N |
assignedLicenses->skuId | String | N | Y | N |
assignedPlans->assignedTimestamp | String | N | Y | N |
assignedPlans->capabilityStatus | String | N | Y | N |
assignedPlans->service | String | N | Y | N |
assignedPlans->servicePlanId | String | N | Y | N |
city | String | N | Y | Y |
companyName | String | N | Y | Y |
consentProvidedForMinor | String | N | Y | Y |
country | String | N | Y | Y |
createdDateTime | DateTime | N | Y | N |
creationType | String | N | Y | Y |
deletionTimestamp | DateTime | N | Y | N |
department | String | N | Y | Y |
directReports->accountEnabled | Boolean | N | Y | N |
directReports->ageGroup | String | N | Y | N |
directReports->assignedLicenses->disabledPlans | String | Y | Y | N |
directReports->assignedLicenses->skuId | String | N | Y | N |
directReports->assignedPlans->assignedTimestamp | DateTime | N | Y | N |
directReports->assignedPlans->capabilityStatus | Boolean | N | Y | N |
directReports->assignedPlans->service | String | N | Y | N |
directReports->assignedPlans->servicePlanId | String | N | Y | N |
directReports->city | String | N | Y | N |
directReports->companyName | String | N | Y | N |
directReports->consentProvidedForMinor | String | N | Y | N |
directReports->country | String | N | Y | N |
directReports->createdDateTime | DateTime | N | Y | N |
directReports->creationType | String | N | Y | N |
directReports->deletionTimestamp | DateTime | N | Y | N |
directReports->department | String | N | Y | N |
directReports->dirSyncEnabled | Boolean | N | Y | N |
directReports->displayName | String | N | Y | N |
directReports->employeeId | String | N | Y | N |
directReports->facsimileTelephoneNumber | String | N | Y | N |
directReports->givenName | String | N | Y | N |
directReports->immutableId | String | N | Y | N |
directReports->isCompromised | String | N | Y | N |
directReports->jobTitle | String | N | Y | N |
directReports->lastDirSyncTime | DateTime | N | Y | N |
directReports->legalAgeGroupClassification | String | N | Y | N |
directReports->mail | String | N | Y | N |
directReports->mailNickname | String | N | Y | N |
directReports->mobile | String | N | Y | N |
directReports->objectId | String | N | Y | N |
directReports->objectType | String | N | Y | N |
directReports->odata.metadata | String | N | Y | N |
directReports->odata.type | String | N | Y | N |
directReports->onPremisesDistinguishedName | String | N | Y | N |
directReports->onPremisesSecurityIdentifier | String | N | Y | N |
directReports->otherMails | String | Y | Y | N |
directReports->passwordPolicies | String | N | Y | N |
directReports->passwordProfile.forceChangePasswordNextLogin | String | N | Y | N |
directReports->passwordProfile.password | String | N | Y | N |
directReports->physicalDeliveryOfficeName | String | N | Y | N |
directReports->postalCode | String | N | Y | N |
directReports->preferredLanguage | String | N | Y | N |
directReports->provisionedPlans->capabilityStatus | String | N | Y | N |
directReports->provisionedPlans->provisioningStatus | String | N | | N |
directReports->provisionedPlans->service | String | N | Y | N |
directReports->provisioningErrors->errorDetail | String | N | Y | N |
directReports->provisioningErrors->resolved | String | N | Y | N |
directReports->provisioningErrors->serviceInstance | String | N | Y | N |
directReports->provisioningErrors->timestamp | DateTime | N | Y | N |
directReports->proxyAddresses | String | Y | Y | N |
directReports->refreshTokensValidFromDateTime | DateTime | N | Y | N |
directReports->showInAddressList | String | N | Y | N |
directReports->signInNames->type | String | N | Y | N |
directReports->signInNames->value | String | N | Y | N |
directReports->sipProxyAddress | String | N | Y | N |
directReports->state | String | N | Y | N |
directReports->streetAddress | String | N | Y | N |
directReports->surname | String | N | Y | N |
directReports->telephoneNumber | String | N | Y | N |
directReports->usageLocation | String | N | Y | N |
directReports->userIdentities->issuer |
String |
N |
Y |
N |
directReports->userIdentities->issuerUserId |
String |
N |
Y |
N |
directReports->userPrincipalName |
String |
N |
Y |
N |
directReports->userState |
String |
N |
Y |
N |
directReports->userStateChangedOn |
DateTime |
N |
Y |
N |
directReports->userType |
String |
N |
Y |
N |
dirSyncEnabled |
Boolean |
N |
Y |
N |
displayName |
String |
N |
Y |
Y |
employeeId |
String |
N |
Y |
Y |
facsimileTelephoneNumber |
String |
N |
Y |
Y |
givenName |
String |
N |
Y |
Y |
immutableId |
String |
N |
Y |
Y |
isCompromised |
String |
N |
Y |
Y |
jobTitle |
String |
N |
Y |
Y |
lastDirSyncTime |
DateTime |
N |
Y |
N |
legalAgeGroupClassification |
String |
N |
Y |
N |
|
String |
N |
Y |
N |
mailNickname |
String |
N |
Y |
Y |
manager->accountEnabled |
Boolean |
N |
Y |
N |
manager->ageGroup |
String |
N |
Y |
N |
manager->assignedLicenses- >disabledPlans |
String |
Y |
Y |
N |
manager->assignedLicenses->skuId |
String |
N |
Y |
N |
manager->assignedPlans- >assignedTimestamp |
DateTime |
N |
Y |
N |
manager->assignedPlans->capabilityStatus |
Boolean |
N |
Y |
N |
manager->assignedPlans->service |
String |
N |
Y |
N |
manager->assignedPlans->servicePlanId |
String |
N |
Y |
N |
manager->city |
String |
N |
Y |
N |
manager->companyName |
String |
N |
Y |
N |
manager->consentProvidedForMinor |
String |
N |
Y |
N |
manager->country |
String |
N |
Y |
N |
manager->createdDateTime |
DateTime |
N |
Y |
N |
manager->creationType |
String |
N |
Y |
N |
manager->deletionTimestamp |
DateTime |
N |
Y |
N |
manager->department |
String |
N |
Y |
N |
manager->dirSyncEnabled |
String |
N |
Y |
N |
manager->displayName |
String |
N |
Y |
N |
manager->employeeId |
String |
N |
Y |
N |
Manager-> facsimileTelephoneNumber |
String |
N |
Y |
N |
manager->givenName |
String |
N |
Y |
N |
manager->immutableId |
String |
N |
Y |
N |
manager->isCompromised |
String |
N |
Y |
N |
manager->jobTitle |
String |
N |
Y |
N |
manager->lastDirSyncTime |
String |
N |
Y |
N |
manager->legalAgeGroupClassification |
String |
N |
Y |
N |
manager->mail |
String |
N |
Y |
N |
manager->mailNickname |
String |
N |
Y |
N |
manager->mobile |
|
N |
Y |
N |
manager->objectId* |
String |
N |
Y |
Y |
manager->objectType |
String |
N |
Y |
Y |
manager->onPremisesDistinguishedName |
String |
N |
Y |
N |
manager->onPremisesSecurityIdentifier |
String |
N |
Y |
N |
manager->otherMails |
String |
Y |
Y |
N |
manager->passwordPolicies |
String |
N |
Y |
N |
manager- >passwordProfile.forceChangePasswordNe xtLogin |
String |
N |
Y |
N |
manager->physicalDeliveryOfficeName |
String |
N |
Y |
N |
manager->postalCode |
String |
N |
Y |
N |
manager->preferredLanguage |
String |
N |
Y |
N |
manager->provisionedPlans- >capabilityStatus |
String |
N |
Y |
N |
manager->provisionedPlans- >provisioningStatus |
|
N |
Y |
N |
manager->provisionedPlans->service |
String |
N |
Y |
N |
manager->provisioningErrors->errorDetail |
String |
N |
Y |
N |
manager->provisioningErrors->resolved |
String |
N |
Y |
N |
manager->provisioningErrors- >serviceInstance |
String |
N |
Y |
N |
manager->provisioningErrors->timestamp |
DateTime |
N |
Y |
N |
manager->proxyAddresses |
String |
Y |
Y |
N |
manager- >refreshTokensValidFromDateTime |
DateTime |
N |
Y |
N |
manager->showInAddressList |
String |
N |
Y |
N |
manager->signInNames->type |
String |
N |
Y |
N |
manager->signInNames->value |
String |
N |
Y |
N |
manager->sipProxyAddress |
String |
N |
Y |
N |
manager->state |
String |
N |
Y |
N |
manager->streetAddress |
String |
N |
Y |
N |
manager->surname |
String |
N |
Y |
N |
manager->telephoneNumber |
String |
N |
Y |
N |
manager->usageLocation |
String |
N |
Y |
N |
manager->userIdentities->issuer |
String |
N |
Y |
N |
manager->userIdentities->issuerUserId |
String |
N |
Y |
N |
manager->userPrincipalName |
String |
N |
Y |
N |
manager->userState |
String |
N |
Y |
N |
manager->userStateChangedOn |
DateTime |
N |
Y |
N |
manager->userType |
String |
N |
Y |
N |
memberOf->deletionTimestamp |
DateTime |
N |
Y |
N |
memberOf->description |
String |
N |
Y |
N |
memberOf->dirSyncEnabled |
Boolean |
N |
Y |
N |
memberOf->displayName |
String |
N |
Y |
N |
memberOf->isSystem |
String |
N |
Y |
N |
memberOf->lastDirSyncTime |
String |
N |
Y |
N |
memberOf->mail |
String |
N |
Y |
N |
memberOf->mailEnabled |
Boolean |
N |
Y |
N |
memberOf->mailNickname |
String |
N |
Y |
N |
memberOf->objectId |
String |
N |
Y |
Y |
memberOf->objectType |
String |
N |
Y |
Y |
memberOf->onPremisesDomainName |
String |
N |
Y |
N |
memberOf->onPremisesNetBiosName |
String |
N |
Y |
N |
memberOf->onPremisesSamAccountName |
String |
N |
Y |
N |
memberOf->onPremisesSecurityIdentifier |
String |
N |
Y |
N |
memberOf->provisioningErrors->errorDetail |
String |
N |
Y |
N |
memberOf->provisioningErrors->resolved |
String |
N |
Y |
N |
memberOf->provisioningErrors- >serviceInstance |
String |
N |
Y |
N |
memberOf->provisioningErrors->timestamp |
DateTime |
N |
Y |
N |
memberOf->proxyAddresses |
String |
Y |
Y |
N |
memberOf->roleDisabled |
Boolean |
N |
Y |
N |
memberOf->roleTemplateId |
String |
N |
Y |
N |
memberOf->securityEnabled |
String |
N |
Y |
N |
modifyLicenses->addLicenses- >disabledPlans |
String |
Y |
N |
Y |
modifyLicenses->addLicenses->skuId |
String |
N |
N |
Y |
modifyLicenses->removeLicenses |
String |
Y |
N |
Y |
mobile |
String |
N |
Y |
Y |
objectId |
String |
N |
Y |
Y |
objectType |
String |
N |
Y |
Y |
onPremisesDistinguishedName |
String |
N |
Y |
Y |
onPremisesSecurityIdentifier |
String |
N |
Y |
N |
otherMails |
String |
Y |
Y |
Y |
passwordPolicies |
String |
N |
Y |
Y |
passwordProfile.forceChangePasswordNext Login |
String |
N |
Y |
Y |
passwordProfile.password |
String |
N |
Y |
Y |
physicalDeliveryOfficeName |
String |
N |
Y |
Y |
postalCode |
String |
N |
Y |
Y |
preferredLanguage |
String |
N |
Y |
Y |
provisionedPlans->capabilityStatus |
String |
N |
Y |
N |
provisionedPlans->provisioningStatus |
String |
N |
Y |
N |
provisionedPlans->service |
String |
N |
Y |
N |
provisioningErrors->errorDetail |
String |
N |
Y |
N |
provisioningErrors->resolved |
String |
N |
Y |
N |
provisioningErrors->serviceInstance |
String |
N |
Y |
N |
provisioningErrors->timestamp |
DateTime |
N |
Y |
N |
proxyAddresses |
String |
Y |
Y |
N |
refreshTokensValidFromDateTime |
DateTime |
N |
Y |
N |
showInAddressList |
String |
N |
Y |
Y |
signInNames->type |
String |
N |
Y |
Y |
signInNames->value |
String |
N |
Y |
Y |
sipProxyAddress |
String |
N |
Y |
N |
state |
String |
N |
Y |
Y |
streetAddress |
String |
N |
Y |
Y |
surname |
String |
N |
Y |
Y |
telephoneNumber |
String |
N |
Y |
Y |
usageLocation |
String |
N |
Y |
Y |
userIdentities->issuer |
String |
N |
Y |
Y |
userIdentities->issuerUserId |
String |
N |
Y |
Y |
userPrincipalName |
String |
N |
Y |
Y |
userState |
String |
N |
Y |
N |
userStateChangedOn |
DateTime |
N |
Y |
N |
userType |
String |
N |
Y |
Y |
Note: *To remove a manager, set the value of manager->objectId to empty. The manager will not be removed if a manager->objectId value is sent with changetype="modify" and modifytype="delete".
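As an added example (not Fischer Identity's own code), a pre-flight check in Python that validates a user import record against the MV and Import columns of the table above and applies the manager-removal rule from the note. The record layout (an attribute-to-value dict plus changetype/modifytype), the schema slice and the function names are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple

# Slice of the User Data Format table as (multi-valued, importable) flags,
# transcribed from its MV and Import columns; extend from the full table.
USER_SCHEMA: Dict[str, Tuple[bool, bool]] = {
    "displayName": (False, True),
    "givenName": (False, True),
    "surname": (False, True),
    "userPrincipalName": (False, True),
    "mailNickname": (False, True),
    "otherMails": (True, True),
    "proxyAddresses": (True, False),       # export only
    "createdDateTime": (False, False),     # export only
    "passwordProfile.password": (False, True),
    "passwordProfile.forceChangePasswordNextLogin": (False, True),
    "manager->objectId": (False, True),
    "modifyLicenses->addLicenses->skuId": (False, True),
    "modifyLicenses->removeLicenses": (True, True),
}

@dataclass
class Finding:
    attribute: str
    message: str

def validate_import(record: Dict[str, Any], changetype: str,
                    modifytype: Optional[str] = None) -> List[Finding]:
    """Report attributes the connector cannot import or that would silently do
    nothing. `record` is a hypothetical attribute->value mapping."""
    findings: List[Finding] = []
    for name, value in record.items():
        if name not in USER_SCHEMA:
            findings.append(Finding(name, "not in the User Data Format table"))
            continue
        multi_valued, importable = USER_SCHEMA[name]
        if not importable:
            findings.append(Finding(name, "export-only attribute (Import=N)"))
        if not multi_valued and isinstance(value, (list, tuple)) and len(value) > 1:
            findings.append(Finding(name, "single-valued attribute (MV=N) given several values"))
    # Per the note under the table: a manager is removed only by sending an empty
    # manager->objectId; changetype="modify" with modifytype="delete" leaves it in place.
    if "manager->objectId" in record and changetype == "modify" and modifytype == "delete":
        findings.append(Finding("manager->objectId",
                                'modifytype="delete" does not remove the manager; send an empty value'))
    return findings

def manager_action(record: Dict[str, Any]) -> str:
    """What a modify record's manager->objectId will do: 'unchanged' when the
    attribute is absent, 'remove' when it is empty, 'set' otherwise."""
    if "manager->objectId" not in record:
        return "unchanged"
    return "remove" if record["manager->objectId"] in ("", None) else "set"
```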
Group Data Format
| Name | Type | MV | Export | Import |
|---|---|---|---|---|
| deletionTimestamp | DateTime | N | Y | N |
| description | String | N | Y | Y |
| dirSyncEnabled | String | N | Y | N |
| displayName | String | N | Y | Y |
| lastDirSyncTime | String | N | Y | N |
| | String | N | Y | N |
| mailEnabled | String | N | Y | Y |
| mailNickname | String | N | Y | Y |
| members->accountEnabled | Boolean | N | Y | N |
| members->ageGroup | String | N | Y | N |
| members->assignedLicenses->disabledPlans | String | Y | Y | N |
| members->assignedLicenses->skuId | String | N | Y | N |
| members->assignedPlans->assignedTimestamp | DateTime | N | Y | N |
| members->assignedPlans->capabilityStatus | String | N | Y | N |
| members->assignedPlans->service | String | N | Y | N |
| members->assignedPlans->servicePlanId | String | N | Y | N |
| members->city | String | N | Y | N |
| members->companyName | String | N | Y | N |
| members->consentProvidedForMinor | String | N | Y | N |
| members->country | String | N | Y | N |
| members->createdDateTime | DateTime | N | Y | N |
| members->creationType | String | N | Y | N |
| members->deletionTimestamp | DateTime | N | Y | N |
| members->department | String | N | Y | N |
| members->description | String | N | Y | N |
| members->dirSyncEnabled | Boolean | N | Y | N |
| members->displayName | String | N | Y | N |
| members->employeeId | String | N | Y | N |
| members->facsimileTelephoneNumber | String | N | Y | N |
| members->givenName | String | N | Y | N |
| members->immutableId | String | N | Y | N |
| members->isCompromised | String | N | Y | N |
| members->jobTitle | String | N | Y | N |
| members->lastDirSyncTime | DateTime | N | Y | N |
| members->legalAgeGroupClassification | String | N | Y | N |
| members->mail | String | N | Y | N |
| members->mailEnabled | Boolean | N | Y | N |
| members->mailNickname | String | N | Y | N |
| members->mobile | String | N | Y | N |
| members->objectId | String | N | Y | Y |
| members->objectType | String | N | Y | Y |
| members->onPremisesDistinguishedName | String | N | Y | N |
| members->onPremisesDomainName | String | N | Y | N |
| members->onPremisesNetBiosName | String | N | Y | N |
| members->onPremisesSamAccountName | String | N | Y | N |
| members->onPremisesSecurityIdentifier | String | N | Y | N |
| members->otherMails | String | Y | Y | N |
| members->passwordPolicies | String | N | Y | N |
| members->physicalDeliveryOfficeName | String | N | Y | N |
| members->postalCode | String | N | Y | N |
| members->preferredLanguage | String | N | Y | N |
| members->provisionedPlans->capabilityStatus | String | N | Y | N |
| members->provisionedPlans->provisioningStatus | String | N | Y | N |
| members->provisionedPlans->service | String | N | Y | N |
| members->provisioningErrors->errorDetail | String | N | Y | N |
| members->provisioningErrors->resolved | String | N | Y | N |
| members->provisioningErrors->serviceInstance | String | N | Y | N |
| members->provisioningErrors->timestamp | DateTime | N | Y | N |
| members->proxyAddresses | String | Y | Y | N |
| members->refreshTokensValidFromDateTime | DateTime | N | Y | N |
| members->securityEnabled | String | N | Y | N |
| members->showInAddressList | String | N | Y | N |
| members->signInNames->type | String | N | Y | N |
| members->signInNames->value | String | N | Y | N |
| members->sipProxyAddress | String | N | Y | N |
| members->state | String | N | Y | N |
| members->streetAddress | String | N | Y | N |
| members->surname | String | N | Y | N |
| members->telephoneNumber | String | N | Y | N |
| members->usageLocation | String | N | Y | N |
| members->userIdentities->issuer | String | N | Y | N |
| members->userIdentities->issuerUserId | String | N | Y | N |
| members->userPrincipalName | String | N | Y | N |
| members->userState | String | N | Y | N |
| members->userStateChangedOn | DateTime | N | Y | N |
| members->userType | String | N | Y | N |
| objectId | String | N | Y | Y |
| objectType | String | N | Y | Y |
| onPremisesDomainName | String | N | Y | Y |
| onPremisesNetBiosName | String | N | Y | Y |
| onPremisesSamAccountName | String | N | Y | Y |
| onPremisesSecurityIdentifier | String | N | Y | N |
| provisioningErrors->errorDetail | String | N | Y | N |
| provisioningErrors->resolved | String | N | Y | N |
| provisioningErrors->serviceInstance | String | N | Y | N |
| provisioningErrors->timestamp | DateTime | N | Y | N |
| proxyAddresses | String | Y | Y | N |
| securityEnabled | Boolean | N | Y | Y |
Role Data Format
| Name | Type | MV | Export |
|---|---|---|---|
| deletionTimestamp | DateTime | N | Y |
| description | String | N | Y |
| displayName | String | N | Y |
| isSystem | Boolean | N | Y |
| objectId | String | N | Y |
| objectType | String | N | Y |
| roleDisabled | Boolean | N | Y |
| roleTemplateId | String | N | Y |
Entitlement Support
This connector supports both Static and Dynamic entitlements in the form of Groups and Roles. Entitlements are configured from the Admin UI > Server > Resources. See the Resource Management chapter in the Identity Suite Administration Guide for details on resources.
To configure entitlements:
- On the Resource Detail page, under Entitlement Options, click the Add button. The Entitlement Search page displays:
- Click Search, which redirects to the Provisioning Entitlements View:
- To add a Static Entitlement, click the Add Static Entitlement button on the Resource Detail page. Enter the desired Name, Value (an existing Group or Role within AzureAD), and a Description, for example:
Lookup Data
To lookup data from AzureAD, use the Data Mapper rule Lookup Data.
- Log in to the Workflow and Connectivity Studio and double-click the Data Mapper object on the Design pane. The Configure Data Mapper window displays.
- Select the Lookup Data rule under the Mapping Rule column, and then click the Source Value. The Configure Lookup window displays.
- Select the AzureAD system from the Select System drop-down list:
- In the Enter Lookup Prefix field, enter the prefix to be added to the Lookup fields.
- Select the Lookup Type from the drop-down list.
- Click the Build button next to the Filter, build a filter to use for the lookup, and click OK.
- Click the Fields Pick button to select the attributes to be fetched after a successful lookup.
- Select the Exit as Mapper Task Failed on Lookup Failure check box to exit the task with Failed status when a lookup fails. The task then does not process the succeeding entries, ignores the already processed entries, and returns no data. This check box is selected by default.
- Click OK.