Fact
- PhenixID Identity Provisioning 4.0.0 or later
System Requirements
- Account in Microsoft Azure
Situation
Use PhenixID Identity Provisioning to set up automatic user provisioning to Azure Active Directory.
Solution
This document will show the steps that are necessary to configure Identity Provisioning to automatically provision (create/update/delete) information for Azure AD users and groups.
Download
Download the zip file:
extraactions.MicrosoftAzureAD-6.4.0.zip
For instructions on how to install the action package, read PSD1149.
Account settings
- Sign in to the Azure Portal (https://portal.azure.com/).
- Choose your Azure AD tenant by selecting your account in the top right corner of the page.
- In the left-hand navigation pane, choose More Services, click App Registrations, and click New application registration.
- Enter the following values:
  - Name: PhenixID Identity Provisioning
  - Application type: Web app / API
  - Sign-on URL: http://signin.pip.se
- Click Create.
- The Application ID is to be used in the actions in parameter ‘Application Id’.
- Select the new application to make additional settings, and click on Keys.
- Enter a name for the key: PhenixID IP Key.
- Choose the duration for the key, and click on Save.
- Copy the key value. It will not be available again after you leave this page. This key value is to be used in the actions in the parameter ‘Access Key’.
- Click on Required permissions, click Add and click Select an API.
- Choose the Microsoft Graph API.
- Choose the Application Permissions Read and write directory data, Read and write all groups and Read and write all users’ full profiles.
- Choose the Delegated Permissions Access directory as the signed in user.
- Click on Select and Done.
- Choose the Windows Azure Active Directory API.
- Choose the Application Permissions Read and write directory data.
- Choose the Delegated Permissions Sign in and read user profile, Access directory as the signed in user.
- Click on Grant Permissions.
- Wait a few hours before testing the account.
Common Action Parameters
Multiple actions are included in the package, but they all have some parameters in common.
| Parameter | Description | Example |
|---|---|---|
| Domain | [Optional] Your tenant's domain name, e.g. YourCompany.OnMicrosoft.com. Default is the value in the global parameter AzureDomain. Supports GLOBAL(). The parameter is optional, but if it is blank there must be a valid value in the global parameter AzureDomain. | YourCompany.OnMicrosoft.com |
| Application Id | [Optional] The Application ID obtained from the app registration done in the Azure Management Portal. Default is the value in the global parameter AzureApplicationID. Supports GLOBAL(). The parameter is optional, but if it is blank there must be a valid value in the global parameter AzureApplicationID. | 62ca5252-98ca-4d78-943e-94caf9e1c7f8 |
| Access Key | [Optional] The key value obtained from the app registration done in the Azure Management Portal. Default is the value in the global parameter AzureAccessKey. Supports GLOBAL(). The parameter is optional, but if it is blank there must be a valid value in the global parameter AzureAccessKey. | KEV3CrDCwVhcC0QTAcyugY9lcgxAgjl63wAXYFtiIuo= |
| Error Message Attribute | The name of the session attribute that will contain the error message, if any. If no error occurs, this attribute will be empty. The attribute is set on the specific session object for which the error occurred. Default: azureError. | errorMessage |
Actions for fetching objects from Azure and creating session objects
These actions will fetch all the objects from Azure and create one session object for each object in the result. The actions can typically be used in an Action Data Source.
Common Parameters
| Parameter | Description | Example |
|---|---|---|
| Keep Existing Session Objects | [Optional] Whether existing session objects should be kept (true) or removed (false). Default value: true. | false |
Azure Get All Users
Version 1.2
| Parameter | Description | Example |
|---|---|---|
| Attributes to fetch | [Optional] Comma-separated list of the attributes to fetch from Azure. To rename an attribute, use \| to map the Azure attribute name to a session attribute name, e.g. azureAttribute\|myAttributeName. Default: givenName,surname,mail. | id\|azureID,mail\|azureMail |
Available attributes
accountEnabled, businessPhones, city, country, department, displayName, givenName, id, jobTitle, mail, mailNickname, mobilePhone, officeLocation, onPremisesImmutableId, onPremisesLastSyncDateTime, onPremisesSecurityIdentifier, onPremisesSyncEnabled, passwordPolicies, postalCode, preferredLanguage, proxyAddresses, state, streetAddress, surname, usageLocation, userPrincipalName, userType
Azure Get All Groups
Version 1.2
| Parameter | Description | Example |
|---|---|---|
| Attributes to fetch | [Optional] Comma-separated list of the attributes to fetch from Azure. To rename an attribute, use \| to map the Azure attribute name to a session attribute name, e.g. azureAttribute\|myAttributeName. Default: id,displayName. | id\|azureID,displayName\|azureDisplayName |
Available attributes
allowExternalSenders, autoSubscribeNewMembers, createdDateTime, description, displayName, groupTypes, id, mail, mailEnabled, mailNickname, onPremisesLastSyncDateTime, onPremisesSecurityIdentifier, onPremisesSyncEnabled, proxyAddresses, securityEnabled, visibility
Actions for fetching additional attributes from Azure
These actions will fetch the configured attributes from Azure and add them to the existing session object.
Azure Add Data From User
Version 1.1
| Parameter | Description | Example |
|---|---|---|
| Attributes to fetch | [Optional] Comma-separated list of the attributes to fetch from Azure. To rename an attribute, use \| to map the Azure attribute name to a session attribute name, e.g. azureAttribute\|myAttributeName. Default: givenName,surname,mail. | givenName,surname,mail\|azureMail |
| User Object Id Attribute | [Mandatory] The session attribute that contains the objectId or the user principal name of the user. | azureID |
Available attributes
aboutMe, accountEnabled, birthday, businessPhones, city, country, department, displayName, givenName, hireDate, id, imAddresses, interests, jobTitle, mail, mailNickname, mobilePhone, mySite, officeLocation, onPremisesImmutableId, onPremisesLastSyncDateTime, onPremisesSecurityIdentifier, onPremisesSyncEnabled, passwordPolicies, pastProjects, postalCode, preferredLanguage, preferredName, proxyAddresses, responsibilities, schools, skills, state, streetAddress, surname, usageLocation, userPrincipalName, userType
Azure Add Data From Group
Version 1.1
| Parameter | Description | Example |
|---|---|---|
| Attributes to fetch | [Optional] Comma-separated list of the attributes to fetch from Azure. To rename an attribute, use \| to map the Azure attribute name to a session attribute name, e.g. azureAttribute\|myAttributeName. Default: displayName,description. | displayName,mail\|azureMail |
| Group Object Id Attribute | [Mandatory] The session attribute that contains the objectId of the group. | azureID |
Available attributes
allowExternalSenders, autoSubscribeNewMembers, createdDateTime, description, displayName, groupTypes, id, mail, mailEnabled, mailNickname, onPremisesLastSyncDateTime, onPremisesSecurityIdentifier, onPremisesSyncEnabled, proxyAddresses, securityEnabled, visibility
Actions for handling Users
A description of the attributes can be found here at Microsoft.
Other attributes
To use attributes that are not listed below, a special syntax lets you state the data type of the attribute explicitly: write an exclamation mark after the Entra ID attribute name, followed by the data type:
- string
- number
- boolean
For lists, append [] to the data type, e.g. "string[]".
Example of "attributes to fetch" / "attributes to update":
id,dn,surname,givenName,mail,otherMails!string[]|mails,faxNumber!string
In the example above:
- "otherMails!string[]|mails":
  - Entra ID attribute: "otherMails"
  - Data type: string
  - "[]": a list of strings
  - Session attribute: "mails"
- "faxNumber!string":
  - Entra ID attribute: "faxNumber"
  - Data type: string
onPremisesExtensionAttributes
Entra ID supports a fixed set of custom extension attributes that reside in the object onPremisesExtensionAttributes on a user object. They are named extensionAttribute1, extensionAttribute2, extensionAttribute3 etc. They are always strings, and the actions expose them as if they were located directly on the user object, for example:
extensionAttribute11|my-foo-bar-name
Azure Create User
Version 1.1
| Parameter | Description | Example |
|---|---|---|
| Attributes to update | [Mandatory] Comma-separated list of the attributes to use for creating a user in Azure. Use \| to map the Azure attribute name to the session attribute name, e.g. azureAttribute\|myAttributeName. Mandatory attributes: accountEnabled, displayName, mailNickname, password, forceChangePasswordNextSignin, userPrincipalName. | accountEnabled, displayName, mailNickname, password, forceChangePasswordNextSignin\|changePwd, userPrincipalName\|upn |
| Azure ID Attribute Name | [Optional] The name of the session attribute that will contain the user ID from Azure. If any error occurs, this attribute will be empty. Leave blank to not save the ID in a session attribute. The ID is created in Azure when the user is created, and it is used to identify the user in all following Azure actions. | azureID |
Mandatory single value attributes
accountEnabled, displayName, mailNickname, password, forceChangePasswordNextSignin, userPrincipalName
Optional single value attributes
businessPhones, city, country, department, givenName, jobTitle, mobilePhone, officeLocation, onPremisesImmutableId, passwordPolicies, postalCode, preferredLanguage, state, streetAddress, surname, usageLocation, userType
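The attribute-list syntax described under "Other attributes" (rename with `|`, data type with `!type`, list with `[]`, extensionAttributeN read from onPremisesExtensionAttributes) and the mandatory attribute list for Azure Create User above are both exercised in the following added example. It is illustration code written for this page, not code from the PhenixID Identity Provisioning package: it parses a spec string the way the page documents, applies it to a constructed Graph-style user record, and checks an "Attributes to update" spec against the mandatory Create User attributes. Coercing "number" to float and accepting any extensionAttributeN index are this example's assumptions; the page only names the type and gives "etc".

```python
"""Parse and apply the "attributes to fetch" / "attributes to update" syntax.

Added illustration for this page; not code from the PhenixID Identity
Provisioning package.  Grammar as documented on the page:

    <entraAttribute>[!<type>[[]]][|<sessionAttribute>]

<type> is string, number or boolean; a trailing [] marks a list; the part after
| is the session attribute name (defaults to the Entra attribute name).
"""
import re
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

SPEC_RE = re.compile(
    r"^(?P<attr>[A-Za-z][A-Za-z0-9_.]*)"                      # Entra ID attribute name
    r"(?:!(?P<type>string|number|boolean)(?P<list>\[\])?)?"   # optional !type or !type[]
    r"(?:\|(?P<alias>[A-Za-z][A-Za-z0-9_\-]*))?$"             # optional |sessionAttribute
)
# Assumption: any extensionAttributeN is accepted; the page says "etc" for the fixed set.
EXT_ATTR_RE = re.compile(r"^extensionAttribute\d+$")


def _to_bool(v: Any) -> bool:
    return v if isinstance(v, bool) else str(v).strip().lower() in ("true", "1")


# Assumption: "number" is coerced to float; the page does not say int vs float.
TYPE_CASTERS = {"string": str, "number": float, "boolean": _to_bool}


@dataclass(frozen=True)
class AttrSpec:
    entra_attr: str           # attribute name as known to Entra ID / Graph
    data_type: Optional[str]  # string | number | boolean | None (untyped)
    is_list: bool             # True when the type is followed by []
    session_attr: str         # name under which the value lands in the session object


def parse_attribute_list(spec: str) -> List[AttrSpec]:
    """Split a comma-separated spec string into AttrSpec entries; reject malformed items."""
    specs: List[AttrSpec] = []
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            continue
        m = SPEC_RE.match(item)
        if m is None:
            raise ValueError(f"malformed attribute spec: {item!r}")
        specs.append(AttrSpec(m["attr"], m["type"], m["list"] is not None, m["alias"] or m["attr"]))
    return specs


def read_entra_value(user: Dict[str, Any], attr: str) -> Any:
    """Read one attribute; extensionAttributeN lives under onPremisesExtensionAttributes."""
    if EXT_ATTR_RE.match(attr):
        return (user.get("onPremisesExtensionAttributes") or {}).get(attr)
    return user.get(attr)


def coerce(value: Any, spec: AttrSpec) -> Any:
    """Apply the declared data type (and list-ness); untyped or missing values pass through."""
    if value is None or spec.data_type is None:
        return value
    cast = TYPE_CASTERS[spec.data_type]
    if spec.is_list:
        return [cast(v) for v in (value if isinstance(value, list) else [value])]
    return cast(value)


def to_session_object(user: Dict[str, Any], spec_string: str) -> Dict[str, Any]:
    """Build the session attributes a fetch action would produce for one user record."""
    return {s.session_attr: coerce(read_entra_value(user, s.entra_attr), s)
            for s in parse_attribute_list(spec_string)}


# Mandatory attributes for Azure Create User, as listed on this page.
MANDATORY_CREATE_USER = ("accountEnabled", "displayName", "mailNickname", "password",
                         "forceChangePasswordNextSignin", "userPrincipalName")


def missing_mandatory(spec_string: str, mandatory=MANDATORY_CREATE_USER) -> List[str]:
    """Return the mandatory Azure attributes an 'Attributes to update' spec does not cover."""
    present = {s.entra_attr for s in parse_attribute_list(spec_string)}
    return [a for a in mandatory if a not in present]


# Constructed sample record in the shape of a Graph user object; not real data.
SAMPLE_USER = {
    "id": "00000000-0000-0000-0000-000000000001",
    "displayName": "Ada Example",
    "givenName": "Ada",
    "surname": "Example",
    "mail": "ada@example.com",
    "otherMails": ["ada.alt@example.com", "ada@example.org"],
    "accountEnabled": True,
    "onPremisesExtensionAttributes": {"extensionAttribute11": "HR-4711"},
}

if __name__ == "__main__":
    fetch_spec = ("id|azureID,mail|azureMail,otherMails!string[]|mails,"
                  "accountEnabled!boolean,extensionAttribute11|my-foo-bar-name")
    print(to_session_object(SAMPLE_USER, fetch_spec))
    print(missing_mandatory("displayName, userPrincipalName|upn"))
```

Running `missing_mandatory` over a configured "Attributes to update" string before the first provisioning run catches a spec that omits one of the six mandatory Create User attributes, which the action would otherwise only report at run time through the Error Message Attribute.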
Azure Update User
Version 1.1
| Parameter | Description | Example |
|---|---|---|
| Attributes to update | [Mandatory] Comma-separated list of the attributes to update in Azure. Use \| to map the Azure attribute name to the session attribute name, e.g. azureAttribute\|myAttributeName. The attribute id or userPrincipalName must be included to identify the user. | id\|azureID, givenName,surname |
Optional single value attributes
accountEnabled, businessPhones, city, country, department, displayName, givenName, jobTitle, mailNickname, mobilePhone, password, forceChangePasswordNextSignin, officeLocation, onPremisesImmutableId, passwordPolicies, postalCode, preferredLanguage, state, streetAddress, surname, usageLocation, userType
Azure Delete User
Version 1.1
| Parameter | Description | Example |
|---|---|---|
| User Object Id Attribute | [Mandatory] The session attribute that contains the objectId or the user principal name of the user. | azureID |
Actions for handling Managers
Azure Get Manager For User
Version 1.1
| Parameter | Description | Example |
|---|---|---|
| Attributes to fetch | [Optional] Comma-separated list of the attributes to fetch from the manager in Azure. To rename an attribute, use \| to map the Azure attribute name to a session attribute name, e.g. azureAttribute\|myAttributeName. Default: id,displayName. | id\|managerID, displayName\|managerName |
| User Object Id Attribute | [Mandatory] The session attribute that contains the objectId or the user principal name of the user. | azureID |
Available attributes
aboutMe, accountEnabled, birthday, businessPhones, city, country, department, displayName, givenName, hireDate, id, imAddresses, interests, jobTitle, mail, mailNickname, mobilePhone, mySite, officeLocation, onPremisesImmutableId, onPremisesLastSyncDateTime, onPremisesSecurityIdentifier, onPremisesSyncEnabled, passwordPolicies, pastProjects, postalCode, preferredLanguage, preferredName, proxyAddresses, responsibilities, schools, skills, state, streetAddress, surname, usageLocation, userPrincipalName, userType
Azure Update Manager for User
Version 1.1
| Parameter | Description | Example |
|---|---|---|
| User Object Id Attribute | [Mandatory] The session attribute that contains the objectId or the user principal name of the user. | azureID |
| Manager Id Attribute | [Mandatory] The session attribute that contains the objectId of the manager. | managerID |
Azure Get Direct Reports for User
Version 1.1
| Parameter | Description | Example |
|---|---|---|
| User Object Id Attribute | [Mandatory] The session attribute that contains the objectId or the user principal name of the user. | azureID |
| Direct Reports Attribute Name | [Optional] The name of the session attribute that will contain the objectIds of the direct reports. Default: directReports. | azureDirectReports |
Actions for handling Groups
A description of the attributes can be found here at Microsoft.
Azure Create Group
Version 1.1
| Parameter | Description | Example |
|---|---|---|
| Attributes to update | [Mandatory] Comma-separated list of the attributes to use for creating a group in Azure. Use \| to map the Azure attribute name to the session attribute name, e.g. azureAttribute\|myAttributeName. Mandatory and available attributes: displayName, mailEnabled, mailNickname, securityEnabled. | displayName\|groupName, mailEnabled, mailNickname\|groupMail, securityEnabled |
| Azure ID Attribute Name | [Optional] The name of the session attribute that will contain the group ID from Azure. If any error occurs, this attribute will be empty. Leave blank to not save the ID in a session attribute. The ID is created in Azure when the group is created, and it is used to identify the group in all following Azure actions. | azureID |
Mandatory single value attributes
displayName, mailEnabled, mailNickname, securityEnabled
Azure Update Group
Version 1.1
| Parameter | Description | Example |
|---|---|---|
| Attributes to update | [Mandatory] Comma-separated list of the attributes to update in Azure. Use \| to map the Azure attribute name to the session attribute name, e.g. azureAttribute\|myAttributeName. The attribute id must be included to identify the group. | id\|azureID, description |
Optional single value attributes
allowExternalSenders, autoSubscribeNewMembers, description, displayName, mailEnabled, mailNickname, securityEnabled, visibility
Azure Delete Group
Version 1.1
| Parameter | Description | Example |
|---|---|---|
| Group Object Id Attribute | [Mandatory] The session attribute that contains the objectId of the group. | azureID |
Actions for Group Membership
Azure Get Group Members
Version 1.1
| Parameter | Description | Example |
|---|---|---|
| Group Object Id Attribute | [Mandatory] The session attribute that contains the objectId of the group. | azureID |
| Group Member Attribute Name | [Optional] The name of the session attribute that will contain the objectIds of the members. Default: members. | groupMembers |
Azure Add User as Member in Group
Version 1.1
| Parameter | Description | Example |
|---|---|---|
| Group Object Id Attribute | [Mandatory] The session attribute that contains the objectId of the group. | groupID |
| User Id Attribute | [Mandatory] The session attribute that contains the objectId of the user who will be added as a member. | userID |
Azure Remove User as Member in Group
Version 1.1
| Parameter | Description | Example |
|---|---|---|
| Group Object Id Attribute | [Mandatory] The session attribute that contains the objectId of the group. | groupID |
| User Id Attribute | [Mandatory] The session attribute that contains the objectId of the user who will be removed as a member. | userID |
DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners. The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.
PhenixID - support.phenixid.se