PhenixID

PSD1084 – Azure Active Directory Actions for Identity Provisioning

Fact

  • PhenixID Identity Provisioning 4.0.0 or later

System Requirements

  • Account in Microsoft Azure

Situation

Use PhenixID Identity Provisioning to set up automatic user provisioning to Azure Active Directory.

Solution

This document will show the steps that are necessary to configure Identity Provisioning to automatically provision (create/update/delete) information for Azure AD users and groups.

Download

Download the zip file: MicrosoftAzureGraphAPIActionPackage.zip. For instructions on how to install the action package, read PSD1149.

Account settings

  1. Sign in to the Azure Portal (https://portal.azure.com/).
  2. Choose your Azure AD tenant by selecting your account in the top right corner of the page.
  3. In the left-hand navigation pane, choose More Services, click App Registrations, and click New application registration.
  4. Enter the following values:
     Name: PhenixID Identity Provisioning
     Application type: Web app / API
     Sign-on URL: http://signin.pip.se
  5. Click Create.
  6. The Application ID is to be used in the actions in parameter ‘Application Id’.
  7. Select the new application to configure additional settings, and click on Keys.
  8. Enter a name for the key: PhenixID IP Key.
  9. Choose the duration for the key, and click on Save.
  10. Copy the key value. It will not be available again after you leave this page. This key value is to be used in the actions in the parameter ‘Access Key’.
  11. Click on Required permissions, click Add and click Select an API.
  12. Choose the Microsoft Graph API.
  13. Choose the Application Permissions Read and write directory data, Read and write all groups and Read and write all users’ full profiles.
  14. Choose the Delegated Permissions Access directory as the signed in user.
  15. Click on Select and Done.
  16. Choose the Windows Azure Active Directory API.
  17. Choose the Application Permissions Read and write directory data.
  18. Choose the Delegated Permissions Sign in and read user profile and Access directory as the signed in user.
  19. Click on Grant Permissions.
  20. Wait some hours before testing the account.

Common Action Parameters

Multiple actions are included in the package, but they all have some parameters in common.

Domain
  Description: [Optional] Your tenant’s domain name, e.g. YourCompany.OnMicrosoft.com. Default is the value in global parameter AzureDomain. Supports GLOBAL(). This parameter is set to optional, but if the parameter is blank there must be a valid value in the global parameter AzureDomain.
  Example: YourCompany.OnMicrosoft.com

Application Id
  Description: [Optional] The Application ID obtained from the App configuration done in the Azure Management Portal. Default is the value in global parameter AzureApplicationID. Supports GLOBAL(). This parameter is set to optional, but if the parameter is blank there must be a valid value in the global parameter AzureApplicationID.
  Example: 62ca5252-98ca-4d78-943e-94caf9e1c7f8

Access Key
  Description: [Optional] The Key value obtained from the App configuration done in the Azure Management Portal. Default is the value in global parameter AzureAccessKey. Supports GLOBAL(). This parameter is set to optional, but if the parameter is blank there must be a valid value in the global parameter AzureAccessKey.
  Example: KEV3CrDCwVhcC0QTAcyugY9lcgxAgjl63wAXYFtiIuo=

Error Message Attribute
  Description: The name of the session attribute that will contain the error message, if any. If there is no error, this attribute will be empty. Default: azureError. This attribute will be set if any error occurs for the specific session object.
  Example: errorMessage

Actions for fetching objects from Azure and creating session objects

These actions will fetch all the objects from Azure and create one session object for each object in the result. The actions can typically be used in an Action Data Source.

Common Parameters

Keep Existing Session Objects
  Description: [Optional] Whether any existing Session Objects should be kept (true) or removed (false). Default value = true.
  Example: false

Azure Get All Users

Version 1.2

Attributes to fetch
  Description: [Optional] Comma separated list of the attributes to fetch from Azure. To rename the attributes, use | to map the attribute name, e.g. azureAttribute|myAttributeName. Default: givenName,surname,mail.
  Example: id|azureID,mail|azureMail

Available attributes: accountEnabled, businessPhones, city, country, department, displayName, givenName, id, jobTitle, mail, mailNickname, mobilePhone, officeLocation, onPremisesImmutableId, onPremisesLastSyncDateTime, onPremisesSecurityIdentifier, onPremisesSyncEnabled, passwordPolicies, postalCode, preferredLanguage, proxyAddresses, state, streetAddress, surname, usageLocation, userPrincipalName, userType

Azure Get All Groups

Version 1.2

Attributes to fetch
  Description: [Optional] Comma separated list of the attributes to fetch from Azure. To rename the attributes, use | to map the attribute name, e.g. azureAttribute|myAttributeName. Default: id,displayName.
  Example: id|azureID,displayName|azureDisplayName

Available attributes: allowExternalSenders, autoSubscribeNewMembers, createdDateTime, description, displayName, groupTypes, id, mail, mailEnabled, mailNickname, onPremisesLastSyncDateTime, onPremisesSecurityIdentifier, onPremisesSyncEnabled, proxyAddresses, securityEnabled, visibility

Actions for fetching additional attribute from Azure

These actions will fetch the configured attributes from Azure and add them to the existing session object.

Azure Add Data From User

Version 1.1

Attributes to fetch
  Description: [Optional] Comma separated list of the attributes to fetch from Azure. To rename the attributes, use | to map the attribute name, e.g. azureAttribute|myAttributeName. Default: givenName,surname,mail.
  Example: givenName,surname,mail|azureMail

User Object Id Attribute
  Description: [Mandatory] The session attribute that contains the objectId or the user principal name for the user.
  Example: azureID

Available attributes: aboutMe, accountEnabled, birthday, businessPhones, city, country, department, displayName, givenName, hireDate, id, imAddresses, interests, jobTitle, mail, mailNickname, mobilePhone, mySite, officeLocation, onPremisesImmutableId, onPremisesLastSyncDateTime, onPremisesSecurityIdentifier, onPremisesSyncEnabled, passwordPolicies, pastProjects, postalCode, preferredLanguage, preferredName, proxyAddresses, responsibilities, schools, skills, state, streetAddress, surname, usageLocation, userPrincipalName, userType

Azure Add Data From Group

Version 1.1

Attributes to fetch
  Description: [Optional] Comma separated list of the attributes to fetch from Azure. To rename the attributes, use | to map the attribute name, e.g. azureAttribute|myAttributeName. Default: displayName,description.
  Example: displayName,mail|azureMail

Group Object Id Attribute
  Description: [Mandatory] The session attribute that contains the objectId for the group.
  Example: azureID

Available attributes: allowExternalSenders, autoSubscribeNewMembers, createdDateTime, description, displayName, groupTypes, id, mail, mailEnabled, mailNickname, onPremisesLastSyncDateTime, onPremisesSecurityIdentifier, onPremisesSyncEnabled, proxyAddresses, securityEnabled, visibility

Actions for handling Users

A description of the user attributes can be found in Microsoft's Graph API documentation.

Azure Create User

Version 1.1

Attributes to update
  Description: [Mandatory] Comma separated list of the attributes to use for creating a user in Azure. Use | to map the session attribute name with the Azure attribute name, e.g. azureAttribute|myAttributeName. Mandatory attributes: accountEnabled, displayName, mailNickname, password, forceChangePasswordNextSignin, userPrincipalName.
  Example: accountEnabled, displayName, mailNickname, password, forceChangePasswordNextSignin|changePwd, userPrincipalName|upn

Azure ID Attribute Name
  Description: [Optional] The name of the session attribute that will contain the user ID from Azure. If any error occurs, this attribute will be empty. Leave blank to not save the id in a session attribute. The ID is created in Azure when the user is created, and the ID is used to identify the user in all the following Azure actions.
  Example: azureID

Mandatory single value attributes: accountEnabled, displayName, mailNickname, password, forceChangePasswordNextSignin, userPrincipalName
Optional single value attributes: businessPhones, city, country, department, givenName, jobTitle, mobilePhone, officeLocation, onPremisesImmutableId, passwordPolicies, postalCode, preferredLanguage, state, streetAddress, surname, usageLocation, userType
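The attribute-list syntax used by the fetch actions above ("azureAttribute|sessionAttribute" entries separated by commas) and the mandatory-attribute rule of Azure Create User, worked through as an added example. This is not PhenixID's code; the function names, the Graph v1.0 users endpoint, and the sample user object are assumptions made for illustration.

```python
from typing import Dict, List, Optional, Tuple

# Default from the Azure Get All Users / Azure Add Data From User actions.
DEFAULT_USER_ATTRIBUTES = "givenName,surname,mail"
# Mandatory attributes listed for the Azure Create User action.
CREATE_USER_MANDATORY = ("accountEnabled", "displayName", "mailNickname", "password",
                         "forceChangePasswordNextSignin", "userPrincipalName")


def parse_attribute_spec(spec: str) -> List[Tuple[str, str]]:
    """Turn 'id|azureID, givenName,surname' into (azure_attribute, session_attribute)
    pairs. Whitespace around entries is ignored; an entry without '|' keeps the
    Azure attribute name for the session attribute as well."""
    pairs = []
    for entry in spec.split(","):
        entry = entry.strip()
        if not entry:
            continue  # tolerate a trailing comma
        azure_name, _, session_name = entry.partition("|")
        pairs.append((azure_name.strip(), (session_name or azure_name).strip()))
    return pairs


def build_select(spec: str = DEFAULT_USER_ATTRIBUTES) -> str:
    """Graph $select value naming only the Azure attributes the action needs
    (the left-hand side of each mapping), so no extra data is pulled."""
    return ",".join(azure for azure, _ in parse_attribute_spec(spec))


def graph_users_url(spec: str = DEFAULT_USER_ATTRIBUTES) -> str:
    """Request URL for listing users with the selected attributes (Graph v1.0)."""
    return "https://graph.microsoft.com/v1.0/users?$select=" + build_select(spec)


def map_to_session(graph_object: Dict[str, object], spec: str) -> Dict[str, Optional[object]]:
    """Copy the requested attributes from a Graph object into a session object
    under their mapped names; attributes absent in Azure become None."""
    return {session_name: graph_object.get(azure)
            for azure, session_name in parse_attribute_spec(spec)}


def missing_mandatory_for_create_user(spec: str) -> List[str]:
    """Names from the Create User mandatory list that the spec does not cover,
    so a misconfigured action can be rejected before any call is made to Azure."""
    given = {azure for azure, _ in parse_attribute_spec(spec)}
    return [name for name in CREATE_USER_MANDATORY if name not in given]


# Constructed sample Graph user object (not real data) for trying the helpers.
SAMPLE_USER = {"id": "00000000-0000-0000-0000-000000000001",
               "mail": "anna@example.com", "givenName": "Anna"}
```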

Azure Update User

Version 1.1

Attributes to update
  Description: [Mandatory] Comma separated list of the attributes to update in Azure. Use | to map the session attribute name with the Azure attribute name, e.g. azureAttribute|myAttributeName. Attribute id or userPrincipalName must be entered to identify the user.
  Example: id|azureID, givenName,surname

Optional single value attributes: accountEnabled, businessPhones, city, country, department, displayName, givenName, jobTitle, mailNickname, mobilePhone, password, forceChangePasswordNextSignin, officeLocation, onPremisesImmutableId, passwordPolicies, postalCode, preferredLanguage, state, streetAddress, surname, usageLocation, userType

Azure Delete User

Version 1.1

User Object Id Attribute
  Description: [Mandatory] The session attribute that contains the objectId or the user principal name for the user.
  Example: azureID

Actions for handling Managers

Azure Get Manager For User

Version 1.1

Attributes to fetch
  Description: [Optional] Comma separated list of the attributes to fetch from the manager in Azure. To rename the attributes, use | to map the attribute name, e.g. azureAttribute|myAttributeName. Default: id,displayName.
  Example: id|managerID, displayName|managerName

User Object Id Attribute
  Description: [Mandatory] The session attribute that contains the objectId or the user principal name for the user.
  Example: azureID

Available attributes: aboutMe, accountEnabled, birthday, businessPhones, city, country, department, displayName, givenName, hireDate, id, imAddresses, interests, jobTitle, mail, mailNickname, mobilePhone, mySite, officeLocation, onPremisesImmutableId, onPremisesLastSyncDateTime, onPremisesSecurityIdentifier, onPremisesSyncEnabled, passwordPolicies, pastProjects, postalCode, preferredLanguage, preferredName, proxyAddresses, responsibilities, schools, skills, state, streetAddress, surname, usageLocation, userPrincipalName, userType

Azure Update Manager for User

Version 1.1

User Object Id Attribute
  Description: [Mandatory] The session attribute that contains the objectId or the user principal name for the user.
  Example: azureID

Manager Id Attribute
  Description: [Mandatory] The session attribute that contains the objectId for the manager.
  Example: managerID

Azure Get Direct Reports for User

Version 1.1

User Object Id Attribute
  Description: [Mandatory] The session attribute that contains the objectId or the user principal name for the user.
  Example: azureID

Direct Reports Attribute Name
  Description: [Optional] The name of the session attribute that will contain the objectIds of the direct reports. Default: directReports.
  Example: azureDirectReports

Actions for handling Groups

A description of the group attributes can be found in Microsoft's Graph API documentation.

Azure Create Group

Version 1.1

Attributes to update
  Description: [Mandatory] Comma separated list of the attributes to use for creating a group in Azure. Use | to map the session attribute name with the Azure attribute name, e.g. azureAttribute|myAttributeName. Mandatory and available attributes: displayName, mailEnabled, mailNickname, securityEnabled.
  Example: displayName|groupName, mailEnabled, mailNickname|groupMail, securityEnabled

Azure ID Attribute Name
  Description: [Optional] The name of the session attribute that will contain the group ID from Azure. If any error occurs, this attribute will be empty. Leave blank to not save the id in a session attribute. The ID is created in Azure when the group is created, and the ID is used to identify the group in all the following Azure actions.
  Example: azureID

Mandatory single value attributes: displayName, mailEnabled, mailNickname, securityEnabled

Azure Update Group

Version 1.1

Attributes to update
  Description: [Mandatory] Comma separated list of the attributes to update in Azure. Use | to map the session attribute name with the Azure attribute name, e.g. azureAttribute|myAttributeName. Attribute id must be entered to identify the group.
  Example: id|azureID, description

Optional single value attributes: allowExternalSenders, autoSubscribeNewMembers, description, displayName, mailEnabled, mailNickname, securityEnabled, visibility

Azure Delete Group

Version 1.1

Group Object Id Attribute
  Description: [Mandatory] The session attribute that contains the objectId for the group.
  Example: azureID

Actions for Group Membership

Azure Get Group Members

Version 1.1

Group Object Id Attribute
  Description: [Mandatory] The session attribute that contains the objectId for the group.
  Example: azureID

Group Member Attribute Name
  Description: [Optional] The name of the session attribute that will contain the objectIds of the members. Default: members.
  Example: groupMembers

Azure Add User as Member in Group

Version 1.1

Group Object Id Attribute
  Description: [Mandatory] The session attribute that contains the objectId for the group.
  Example: groupID

User Id Attribute
  Description: [Mandatory] The session attribute that contains the objectId for the user who will be added as member.
  Example: userID

Azure Remove User as Member in Group

Version 1.1

Group Object Id Attribute
  Description: [Mandatory] The session attribute that contains the objectId for the group.
  Example: groupID

User Id Attribute
  Description: [Mandatory] The session attribute that contains the objectId for the user who will be removed as member.
  Example: userID


DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se