
Microsoft Azure Active Directory

Legacy connector

This is a legacy connectivity package for Azure Active Directory. To onboard a new Entra ID system and utilize all connectivity features, use the Entra ID connector.

To migrate from the existing Azure Active Directory connector to the new Entra ID connector, see Migrating from the existing Azure Active Directory connector to Entra ID.

The Omada Microsoft Azure Active Directory connectivity is used for governing and managing Microsoft Azure Active Directory instances. It is based solely on Microsoft Graph API. By using this package you can:

  • Register and onboard any number of Azure Active Directory instances.
  • Load information about users, groups, group memberships, and used licenses.
  • Automate the provisioning and de-provisioning of Azure Active Directory users, groups, and memberships.
Note: Each Azure Active Directory instance must be onboarded in a separate onboarding process.

Supported objects and operations

This connectivity package allows you to manage both identity data and access rights. However, the default mappings are provided only for access rights as this connectivity is typically used for that type of data.

Object                        Possible operations
Users                         Create, read, update, delete
User passwords                Create, update
Assignments                   Create, delete
Groups                        Create, read, update, delete
Group Memberships             Create, read, update, delete
Directory Roles               Read
Directory Role Assignments    Create, read, update, delete

In addition, this connectivity package supports the following scenarios:

  • Extraction of assignments between
    • Groups and users
    • Directory roles and users
    • Groups and groups
  • Extraction of Stock Keeping Units (SKUs) and included service plans
  • Extraction of a user’s assigned licenses
  • Extraction of a user’s assigned service plans
  • User provisioning
    • Password reset
  • Assignments
    • Add and remove assignments between groups and users
    • Add and remove assignments between directory roles and users

Minimum required permissions

None beyond the Microsoft Graph application permissions and the directory role described under Prerequisites below.

Implementation notes

The Microsoft Azure Active Directory connectivity package imports only directory roles that are enabled. Both roles created from templates and custom directory roles must be created and enabled in the Microsoft Azure Portal before they appear in Omada Identity.


Prerequisites

Before importing information from Azure Active Directory to Omada Identity, perform the following steps in the Microsoft Azure Portal.

Register a new application in Azure Portal

Create an application registration to authenticate and authorize Omada Identity with Azure Active Directory:

  1. In the Azure portal, go to your directory. In the Manage section, select App registrations, then click New registration.

  2. In the Register an application dialog box, enter a Name, select Accounts in any organizational directory as Supported account types, and enter a Redirect URI. You can enter any value you want to use, as long as it is a valid URL.

  3. Click Register to register the application. Make a note of the Application (client) ID; you need it when you onboard the system to Omada Identity.


Add Graph API

The connectivity add-on uses the Microsoft Graph API to read information from, and write information to, the directory. Add the Graph API to the registered application:

  1. Go to API permissions and select +Add a permission.

  2. Choose Microsoft Graph (listed under Commonly used Microsoft APIs) and click Select.

  3. Select all needed Application permissions.

  4. Click the Add permissions button.

    The table below presents the minimum permissions required for a working connection between Microsoft Azure Active Directory and Omada Identity. All of them are Application (app-only) permissions: they apply to the whole tenant without a signed-in user, so the client secret created in the next section must be protected as a highly privileged credential.

    MICROSOFT GRAPH

    Permission                              Type
    Directory.Read.All                      Application
    Directory.ReadWrite.All                 Application
    Group.Read.All                          Application
    Group.ReadWrite.All                     Application
    User.Read.All                           Application
    User.ReadWrite.All                      Application
    RoleManagement.Read.Directory           Application
    RoleManagement.ReadWrite.Directory      Application

    OFFICE 365 RELATED PERMISSIONS

    To import SKUs or service plans you must also include the following permission:

    • Organization.Read.All - type: Application
  5. After adding the permissions, grant admin consent for them: click the Grant admin consent for button. Until consent is granted, the permissions are listed on the application but are not effective, and the connector's Graph calls are rejected.

Create a Client Secret

  1. Go to Certificates & secrets and select + New client secret.

  2. Optionally, type a description for the secret, for example to tell it apart from other secrets on the same application.

  3. Choose an expiry for the secret, then click Add. A shorter lifetime limits the exposure if the secret leaks; note the expiry date so you can rotate the secret in Omada Identity before the connector stops authenticating.

  4. Copy the generated secret shown under Value. The value is displayed only once; if you leave the screen without copying it, you must create a new secret. Paste it into Omada Identity when you onboard the system, and store it in a secrets vault rather than in a ticket or e-mail.

  5. Your Microsoft Entra ID (Azure Active Directory) tenant is now ready to be registered with Omada Identity. You can create as many secrets as you require.
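The following is an added example, not code from Omada Identity or Microsoft. After granting admin consent and creating the client secret, the quickest way to confirm that the registration is usable is to request an app-only token with the client-credentials grant and inspect its `roles` claim, which lists the application permissions that were actually consented. The script builds the token request for the tenant and compares a token's `roles` claim against the permission table above. The tenant ID, client ID, secret and token used in the block are constructed placeholders; a real token is obtained by POSTing the request to the login endpoint and is signed by Microsoft Entra ID.

```python
"""Verify that an app-only Microsoft Graph token carries the application
permissions the Azure AD connector needs.

Added example, not Omada's or Microsoft's code. The tenant/client values and
the sample token are constructed placeholders.
"""
import base64
import json
from urllib.parse import urlencode

# Application permissions from the Add Graph API table. Organization.Read.All
# is needed only when SKUs or service plans are imported.
REQUIRED_ROLES = {
    "Directory.Read.All", "Directory.ReadWrite.All",
    "Group.Read.All", "Group.ReadWrite.All",
    "User.Read.All", "User.ReadWrite.All",
    "RoleManagement.Read.Directory", "RoleManagement.ReadWrite.Directory",
}
OPTIONAL_ROLES = {"Organization.Read.All"}


def client_credentials_request(tenant_id, client_id, client_secret):
    """Build the OAuth 2.0 client-credentials token request for Microsoft Graph.

    Returns (url, form-encoded body). POST the body to the URL with any HTTP
    client; the JSON response carries the access token in "access_token".
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        # ".default" requests every application permission granted by admin consent
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    })
    return url, body


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_roles(access_token):
    """Return the `roles` claim of an app-only access token as a set.

    This only decodes the payload; it does NOT verify the signature. Use it to
    inspect a token you just received from the token endpoint, never to decide
    whether to trust a token presented by someone else.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = json.loads(_b64url_decode(parts[1]))
    return set(payload.get("roles", []))


def check_roles(granted, import_licenses=False):
    """Compare granted roles with the connector's permission table.

    Returns (missing, unexpected), both sorted lists. A non-empty `missing`
    usually means admin consent was not granted, or a permission was added as
    Delegated instead of Application; `unexpected` flags anything beyond the
    table that should be reviewed for least privilege.
    """
    required = REQUIRED_ROLES | (OPTIONAL_ROLES if import_licenses else set())
    return sorted(required - granted), sorted(granted - required)


def make_unsigned_sample_token(roles):
    """Construct an unsigned token with the given roles for offline testing.

    Real tokens are signed by Entra ID; this placeholder only exercises the
    decoding and comparison logic above.
    """
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    header = enc({"alg": "none", "typ": "JWT"})
    payload = enc({"aud": "https://graph.microsoft.com", "roles": sorted(roles)})
    return f"{header}.{payload}."


if __name__ == "__main__":
    # Placeholder identifiers; substitute the Application (client) ID and secret
    # from the app registration and the tenant ID of the directory.
    url, body = client_credentials_request(
        "00000000-0000-0000-0000-000000000000",
        "11111111-1111-1111-1111-111111111111",
        "client-secret-value")
    print("POST", url)
    print(body)

    # Constructed token as it would look if only the read permissions were consented.
    sample = make_unsigned_sample_token({
        "Directory.Read.All", "Group.Read.All",
        "User.Read.All", "RoleManagement.Read.Directory"})
    missing, unexpected = check_roles(token_roles(sample))
    print("missing:", missing)
    print("unexpected:", unexpected)
```

If `missing` is non-empty after consent was supposedly granted, re-check that each entry was added under Application permissions rather than Delegated permissions, and that the Grant admin consent button was clicked for the correct tenant.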

Allow password reset and deletion of users and group assignments in Microsoft Azure Active Directory

To delete a user or group in Microsoft Azure Active Directory, you must first assign the application's service principal the User Administrator directory role (formerly named User Account Administrator). Because the connector uses Microsoft Graph, the same role assignment is also required for password reset to work. Note that this role allows the application to reset passwords of users who hold no administrator role, which is one more reason to guard the client secret. To assign the role:

  1. Go to https://portal.azure.com.

  2. Click Microsoft Entra ID.

  3. Click Roles and administrators.

  4. Click the User Administrator role.

  5. Click + Add assignments.

  6. In the search box, enter the name of the application you have created in the Register a new application in Azure Portal step.

  7. Click Add.