Data provisioning
Connection details
-
In the Domain name field, type the address of the domain used for the Azure tenant, such as
example.com. The value is used when provisioning new users. -
In the API Version field specify the Microsoft Graph API version. By default, it is set to version 1.0 and the value should usually not be changed.
-
Optionally, specify the Tenant ID. Type or paste the Directory ID of the directory for the Omada Identity application you have created on Microsoft Entra ID. You can find the Directory ID by going to the Properties section for the relevant directory on the Microsoft Azure Portal.If value is not specified, the connector will use the value specified under Connection details. You should only specify a value here if you have not used the standard Microsoft Entra ID collector to load information.
-
Optionally, specify the Application ID. Type the ID of the Omada Identity Azure application that you must create in the Microsoft Azure Portal. Find the Application ID under Settings in the Microsoft Azure Portal. If the value is not specified, the connector will use the value specified under Connection details. You should only specify a value here if you have not used the standard Microsoft Entra ID collector to load information.
-
Optionally, specify the Client secret. Type or paste the value of a key that you have created in the Microsoft Azure Portal. If value is not specified, the connector will use the value specified under Connection details. You should only specify a value here if you have not used the standard Microsoft Entra ID collector to load information.
-
Optionally, configure the Headers field. You can provide a JSON document specifying custom headers, for example:
{"Request": {"Accept": " text/html","contenttype":
"application/json","SomeCustomHeaderWithValue":
"custom value", "SomeCustomHeaderWithoutValue":
null}} -
Optionally, enable the Test connection setting to make sure that the details that you entered are correct.
Data model
The data model for Microsoft Entra ID Connectivity supports the following objects:
MSEntraIDUser
The MSEntraIDUser object is used to create, update, and delete users in Microsoft Entra ID. It has the following properties (the parameters listed in the table above are not all the available parameters but only the commonly used ones, you can extend the object with additional parameters if required):
| Parameter | Type | Description |
|---|---|---|
| Object Id | Expression | string.Format("{0}@{1}", ROPE_AccountName, ConnectorConfiguration.GetValue("DomainName") |
| Object type | Constant | users |
| Operation | - | Operation == "DeleteIfExists" ? "Delete" : Operation |
| userPrincipalName* | Expression | Operation=="Create" ? string.Format("{0}@{1}", ROPE_AccountName, ConnectorConfiguration.GetValue("DomainName")) : null |
| accountEnabled** | Expression | Operation == "DeleteIfExists" || Operation == "Delete" ? null : ROPE_Disabled ? "false" : "true" |
| displayName** | Expression | Operation == "DeleteIfExists" || Operation == "Delete" ? null : ROPE_Identity |
| givenName | Map | ROPE_ATTR_FIRSTNAME |
| surname | Map | ROPE_ATTR_LASTNAME |
| mailNickname** | Expression | Operation=="Create" ? ROPE_AccountName : null |
| Map | ROPE_ATTR_EMAIL | |
| passwordProfile.password** | Expression | Operation=="Create" ? ROPE_ATTR_INITIALPASSWORD : null |
| passwordProfile.forceChangePasswordNextSignIn | Expression | Operation=="Create" ? "true" : null |
| businessPhones | Map | ROPE_ATTR_CELLPHONE |
manager@odata\.bind | Expression | Operation == "Create" && ROPE_ATTR_MANAGER[0] != ROPE_AccountName ? string.Format("https://graph.microsoft.com/v1.0/users/{0}@{1}", ROPE_ATTR_MANAGER[0], ConnectorConfiguration.GetValue("DomainName")) : Operation == "Update" && ROPE_Disabled == false ? string.Format("https://graph.microsoft.com/v1.0/users/{0}@{1}", ROPE_ATTR_MANAGER[0], ConnectorConfiguration.GetValue("DomainName")) : null |
| usageLocation | Constant | Country code (examples: US, ES, GB) |
Properties marked with * are required. Properties marked with ** are required for the create actions.
MSEntraIDSecurityGroup
The MSEntraIDSecurityGroup object is used to create, update, and delete security groups in Microsoft Entra ID. Omada only supports sending owners via resource when creating a new resource. To add a new owner to the group after creating a new resource, use the request process. The object has the following properties:
| Parameter | Type | Description |
|---|---|---|
| Object type | Constant | groups |
| Operation | Expression | Operation == "Create" ? "CreateIfNotExists" : Operation |
| displayName* | Expression | `Operation == "Create" |
| mailNickname** | Expression | Operation == "Create" ? RLM_DisplayName.Replace(" ", "") : null |
| mailEnabled | Expression | Operation == "Create" ? "false" : null |
| securityEnabled | Expression | Operation == "Create" ? "true" : null |
| description | Expression | `Operation == "Create" |
owners@odata.bind | MV Expression | RLM_EXPLICITOWNER_OBJECTGUID: Operation == "Create" && Value != null && Value.Length > 0 ? string.Format(" https://graph.microsoft.com/v1.0/users/{0}@{1}", Value, ConnectorConfiguration.GetValue("DomainName")) : null |
| objectGuid | Expression | Operation == "Create" ? RLM_ROLEID : null |
Properties marked with * are required. Properties marked with ** are required for the create actions.
MSEntraIDSharepointGroup
The MSEntraIDSharepointGroup object is used to create, update, and delete Sharepoint Groups in Microsoft Entra ID. Omada only supports sending owners via resource when creating a new resource. To add a new owner to the group after creating a new resource, use the request process. The object has the following properties:
| Parameter | Type | Description |
|---|---|---|
| Object type | Constant | groups |
| Operation | Expression | Operation == "Create" ? "CreateIfNotExists" : Operation |
| displayName* | Expression | `Operation == "Create" |
| mailNickname** | Expression | Operation == "Create" ? RLM_DisplayName.Replace(" ", "") : null |
| mailEnabled** | Expression | Operation == "Create" ? "false" : null |
| securityEnabled** | Expression | Operation == "Create" ? "true" : null |
| description** | Expression | `Operation == "Create" |
| creationOptions** | Expression | `Operation == "Create" |
| groupTypes* | Expression | Operation == "Create" ? "Unified" : null |
owners@odata.bind | MV Expression | RLM_EXPLICITOWNER_OBJECTGUID: Operation == "Create" && Value != null && Value.Length > 0 ? string.Format(" https://graph.microsoft.com/v1.0/users/{0}@{1}", Value, ConnectorConfiguration.GetValue("DomainName")) : null |
| objectGuid | Expression | Operation == "Create" ? RLM_ROLEID : null |
Properties marked with * are required. Properties marked with ** are required for the create actions.
MSEntraIDTeams
The MSEntraIDTeams object is used to create, update, and delete Teams Groups in Microsoft Entra ID. Creating Teams groups with more than one owner is not supported - Omada only sets one owner when creating a new resource. If multiple owners are required for a Teams group, use the request process. The object has the following properties:
| Parameter | Type | Description |
|---|---|---|
| Object type | Expression | `Operation == "Create" |
| Operation | Expression | Operation == "Create" ? "CreateIfNotExists" : Operation |
template@odata\.bind** | Expression | Operation == "Create" ? "https://graph.microsoft.com/v1.0/teamsTemplates('standard')" : null |
| displayName* | Expression | `Operation == "Create" |
members[].@odata\.type** | Expression | Operation == "Create" ? "#microsoft.graph.aadUserConversationMember" : null |
| members[].roles[]* | Expression | Operation == "Create" ? "owner" : null |
| members[].user@odata.bind** | Expression | Operation == "Create" && RLM_EXPLICITOWNER_OBJECTGUID != null && RLM_EXPLICITOWNER_OBJECTGUID.Length > 0 ? string.Format("https://graph.microsoft.com/v1.0/users/{0}@{1}", RLM_EXPLICITOWNER_OBJECTGUID[0], ConnectorConfiguration.GetValue("DomainName")) : null |
| description** | Expression | `Operation == "Create" |
| objectGuid | Expression | Operation == "Create" ? RLM_ROLEID : null |
Properties marked with * are required. Properties marked with ** are required for the create actions.
MSEntraIDGroupAssignment
The MSEntraIDGroupAssignment object is used to create and delete a user from Microsoft Entra ID Security Group. It has the following properties:
| Parameter | Type | Description |
|---|---|---|
| Object ID | Expression | Operation == "Delete" ? "$ref" : "IGNORED" |
| Object type | Expression | (Operation == "Create" && ROPE_ATTR_C_MSENTRAIDGROUPROLE == "owner") ? string.Format("groups/{0}/owners/$ref", ROPE_ResourceIdentifier) : (Operation == "Create" && ROPE_ATTR_C_MSENTRAIDGROUPROLE != "owner") ? string.Format("groups/{0}/members/$ref", ROPE_ResourceIdentifier) : (Operation == "Delete" && ROPE_ATTR_C_MSENTRAIDGROUPROLE != "owner" && string.IsNullOrEmpty(ROPE_AccountExternalAnchor)) ? string.Format("groups/{0}/members/{1}", ROPE_ResourceIdentifier, (ROPE_AccountCBK.Substring(ROPE_AccountCBK.IndexOf('_') + 1).Replace("<a/>", ""))) : (Operation == "Delete" && ROPE_ATTR_C_MSENTRAIDGROUPROLE != "owner" && !string.IsNullOrEmpty(ROPE_AccountExternalAnchor)) ? string.Format("groups/{0}/members/{1}", ROPE_ResourceIdentifier, Extensions.GetFirstValue(ROPE_AccountExternalAnchor, JobAnchor)) : (Operation == "Delete" && ROPE_ATTR_C_MSENTRAIDGROUPROLE == "owner" && string.IsNullOrEmpty(ROPE_AccountExternalAnchor)) ? string.Format("groups/{0}/owners/{1}", ROPE_ResourceIdentifier, (ROPE_AccountCBK.Substring(ROPE_AccountCBK.IndexOf('_') + 1).Replace("<a/>", ""))) : (Operation == "Delete" && ROPE_ATTR_C_MSENTRAIDGROUPROLE == "owner" && !string.IsNullOrEmpty(ROPE_AccountExternalAnchor)) ? string.Format("groups/{0}/owners/{1}", ROPE_ResourceIdentifier, Extensions.GetFirstValue(ROPE_AccountExternalAnchor, JobAnchor)) : null |
| Operation | Expression | Operation == "Create" ? "CreateIfNotExists" : Operation |
| ResourcePathGet | Expression | (Operation == "Create" && ROPE_ATTR_C_MSENTRAIDGROUPROLE != "owner" && string.IsNullOrEmpty(ROPE_AccountExternalAnchor) && !string.IsNullOrEmpty(ROPE_AccountCBK)) ? string.Format("groups/{0}/members/{1}", ROPE_ResourceIdentifier, (ROPE_AccountCBK.Substring(ROPE_AccountCBK.IndexOf('_') + 1).Replace("<a/>", ""))) : (Operation == "Create" && ROPE_ATTR_C_MSENTRAIDGROUPROLE != "owner" && !string.IsNullOrEmpty(JobAnchor)) ? string.Format("groups/{0}/members/{1}", ROPE_ResourceIdentifier, Extensions.GetFirstValue(ROPE_AccountExternalAnchor, JobAnchor)) : (Operation == "Create" && ROPE_ATTR_C_MSENTRAIDGROUPROLE == "owner" && string.IsNullOrEmpty(ROPE_AccountExternalAnchor) && !string.IsNullOrEmpty(ROPE_AccountCBK)) ? string.Format("groups/{0}/owners/{1}", ROPE_ResourceIdentifier, (ROPE_AccountCBK.Substring(ROPE_AccountCBK.IndexOf('_') + 1).Replace("<a/>", ""))) : (Operation == "Create" && ROPE_ATTR_C_MSENTRAIDGROUPROLE == "owner" && !string.IsNullOrEmpty(JobAnchor)) ? string.Format("groups/{0}/owners/{1}", ROPE_ResourceIdentifier, Extensions.GetFirstValue(ROPE_AccountExternalAnchor, JobAnchor)) : null |
| @odata.id** | Expression | (Operation == "Create" && ROPE_ATTR_C_MSENTRAIDGROUPROLE == "owner") ? string.Format(" https://graph.microsoft.com/v1.0/users/{0}" , Extensions.GetFirstValue(ROPE_DistinguisedName, ROPE_AccountExternalAnchor, JobAnchor)) : (Operation == "Create" && ROPE_ATTR_C_MSENTRAIDGROUPROLE != "owner" && string.IsNullOrEmpty(ROPE_AccountCBK)) ? string.Format(" https://graph.microsoft.com/v1.0/directoryObjects/{0}" , Extensions.GetFirstValue(ROPE_AccountExternalAnchor, JobAnchor)) : (Operation == "Create" && ROPE_ATTR_C_MSENTRAIDGROUPROLE != "owner" && !string.IsNullOrEmpty(ROPE_AccountCBK)) ? string.Format(" https://graph.microsoft.com/v1.0/directoryObjects/{0}" , (ROPE_AccountCBK.Substring(ROPE_AccountCBK.IndexOf('_') + 1).Replace("<a/>", ""))) : null |
Properties marked with * are required. Properties marked with ** are required for the create actions.
MSEntraIDGroupAssignment
The MSEntraIDGroupAssignment object is used to create and delete a user from Microsoft Entra ID Sharepoint. It has the following properties:
| Parameter | Type | Description |
|---|---|---|
| Object ID | Expression | Operation == "Delete" ? "$ref" : "IGNORED" |
| Object type | Expression | (Operation == "Create" && ROPE_ATTR_C_MSENTRAIDGROUPROLE== "owner") ? string.Format("groups/{0}/owners/$ref", ROPE_ResourceIdentifier) : (Operation == "Create" && ROPE_ATTR_C_MSENTRAIDGROUPROLE != "owner") ? string.Format("groups/{0}/members/$ref", ROPE_ResourceIdentifier) : (Operation == "Delete" && ROPE_ATTR_C_MSENTRAIDGROUPROLE != "owner" && string.IsNullOrEmpty(ROPE_AccountExternalAnchor)) ? string.Format("groups/{0}/members/{1}", ROPE_ResourceIdentifier, (ROPE_AccountCBK.Substring(ROPE_AccountCBK.IndexOf('_') + 1).Replace("<a/>", ""))) : (Operation == "Delete" && ROPE_ATTR_C_MSENTRAIDGROUPROLE != "owner" && !string.IsNullOrEmpty(ROPE_AccountExternalAnchor)) ? string.Format("groups/{0}/members/{1}", ROPE_ResourceIdentifier, Extensions.GetFirstValue(ROPE_AccountExternalAnchor, JobAnchor)) : (Operation == "Delete" && ROPE_ATTR_C_MSENTRAIDGROUPROLE == "owner" && string.IsNullOrEmpty(ROPE_AccountExternalAnchor)) ? string.Format("groups/{0}/owners/{1}", ROPE_ResourceIdentifier, (ROPE_AccountCBK.Substring(ROPE_AccountCBK.IndexOf('_') + 1).Replace("<a/>", ""))) : (Operation == "Delete" && ROPE_ATTR_C_MSENTRAIDGROUPROLE == "owner" && !string.IsNullOrEmpty(ROPE_AccountExternalAnchor)) ? string.Format("groups/{0}/owners/{1}", ROPE_ResourceIdentifier, Extensions.GetFirstValue(ROPE_AccountExternalAnchor, JobAnchor)) : null |
| Operation | Expression | Operation == "Create" ? "CreateIfNotExists" : Operation |
| ResourcePathGet | Expression | (Operation == "Create" && ROPE_ATTR_C_MSENTRAIDGROUPROLE != "owner" && string.IsNullOrEmpty(ROPE_AccountExternalAnchor) && !string.IsNullOrEmpty(ROPE_AccountCBK)) ? string.Format("groups/{0}/members/{1}", ROPE_ResourceIdentifier, (ROPE_AccountCBK.Substring(ROPE_AccountCBK.IndexOf('_') + 1).Replace("<a/>", ""))) : (Operation == "Create" && ROPE_ATTR_C_MSENTRAIDGROUPROLE != "owner" && !string.IsNullOrEmpty(JobAnchor)) ? string.Format("groups/{0}/members/{1}", ROPE_ResourceIdentifier, Extensions.GetFirstValue(ROPE_AccountExternalAnchor, JobAnchor)) : (Operation == "Create" && ROPE_ATTR_C_MSENTRAIDGROUPROLE == "owner" && string.IsNullOrEmpty(ROPE_AccountExternalAnchor) && !string.IsNullOrEmpty(ROPE_AccountCBK)) ? string.Format("groups/{0}/owners/{1}", ROPE_ResourceIdentifier, (ROPE_AccountCBK.Substring(ROPE_AccountCBK.IndexOf('_') + 1).Replace("<a/>", ""))) : (Operation == "Create" && ROPE_ATTR_C_MSENTRAIDGROUPROLE == "owner" && !string.IsNullOrEmpty(JobAnchor)) ? string.Format("groups/{0}/owners/{1}", ROPE_ResourceIdentifier, Extensions.GetFirstValue(ROPE_AccountExternalAnchor, JobAnchor)) : null |
| @odata.id** | Expression | Operation == "Create" ? string.Format("https://graph.microsoft.com/v1.0/users/{0}", Extensions.GetFirstValue(ROPE_DistinguisedName, ROPE_AccountExternalAnchor, JobAnchor)) : null |
Properties marked with * are required. Properties marked with ** are required for the create actions.
MSEntraIDTeamsAssignment
The MSEntraIDTeamsAssignment object is used to create and delete a user from Microsoft Entra ID Teams. It has the following properties:
| Parameter | Type | Description |
|---|---|---|
| Operation | Expression | Operation == "Create" ? "CreateIfNotExists" : Operation |
| objectGuid | Expression | Operation != "Update" ? ROPE_ResourceIdentifier : null |
| @odata.type** | Expression | Operation == "Create" ? "#microsoft.graph.aadUserConversationMember" : null |
user@odata\.bind* | Expression | Operation == "Create" ? string.Format("https://graph.microsoft.com/v1.0/users/{0}", Extensions.GetFirstValue(ROPE_DistinguisedName, ROPE_AccountExternalAnchor, JobAnchor) ) : null |
| userObjectRef | Expression | Operation == "Delete"Operation =="Create" ? ROPE_ATTR_C_MSTEAMSMEMBERSHIPID : null |
Properties marked with * are required. Properties marked with ** are required for the create actions.
MSEntraIDRoleAssignment
The MSEntraIDRoleAssignment object is used to add or remove a user from a role. It has the following properties:
| Parameter | Type | Description |
|---|---|---|
| Operation | Expression | (Operation == "Create") ? "CreateIfNotExists" : Operation |
| objectGuid | Expression | ROPE_ResourceIdentifier |
| @odata.id* | Expression | `(Operation == "Create" && (!string.IsNullOrEmpty(ROPE_AccountExternalAnchor) |
| @odata.id** | Expression | (Operation == "Create" && !string.IsNullOrEmpty(JobAnchor) && string.IsNullOrEmpty(ROPE_AccountCBK)) ? string.Format("https://graph.microsoft.com/v1.0/directoryObjects/{0}", Extensions.GetFirstValue(ROPE_AccountExternalAnchor, JobAnchor)) : null |
| userObjectRef | Expression | ((Operation == "Delete" Operation == "Create") && (!string.IsNullOrEmpty(ROPE_AccountCBK))) ? (ROPE_AccountCBK.Substring(ROPE_AccountCBK.IndexOf('_') + 1).Replace("<a/>", "")) : null |
| userObjectRef | Expression | ((Operation == "Delete" Operation == "Create") && (string.IsNullOrEmpty(ROPE_AccountCBK))) ? Extensions.GetFirstValue(ROPE_AccountExternalAnchor, JobAnchor) : null |
Properties marked with * are required. Properties marked with ** are required for the create actions.
Task mappings
Microsoft Entra ID Connectivity uses the following mappings:
| Parameter | Resource type | Description |
|---|---|---|
| MSEntraIDUser – User | Microsoft Entra ID Account | Contains mappings for Microsoft Entra ID user assignments |
| MSEntraIDUser – SSR | Microsoft Entra ID Account | Contains mappings for self-service password reset for Microsoft Entra ID users |
| MSEntraIDSecurityGroup - Resource | Microsoft Entra ID Security Group | Contains mappings for Microsoft Entra ID Security group resources |
| MSEntraIDSharepointGroup - Resource | Microsoft Entra ID Sharepoint | Contains mappings for Microsoft Entra ID Sharepoint resources |
| MSEntraIDTeams – Resource | Microsoft Entra ID Teams | Contains mappings for Microsoft Entra ID Teams resources |
| MSEntraIDTeamsAssignment - Assignment | Microsoft Entra ID Teams | Contains mappings for Microsoft Entra ID Teams assignments |
| MSEntraIDGroupAssignment - Assignment | Microsoft Entra ID Sharepoint | Contains mappings for Microsoft Entra ID Sharepoint assignments |
| MSEntraIDGroupAssignment - Assignment | Microsoft Entra ID Security Group | Contains mappings for Microsoft Entra ID Security group assignments |
| MSEntraIDRoleAssignment - Assignment | Microsoft Entra ID Directory Role | Contains mappings for Microsoft Entra ID Role Assignments |
The default Microsoft Entra ID Account task mappings use clear-text password that should be encrypted. If the password cannot be encrypted (for example with the stringEncrypter tool), replace it with a calculated attribute.
RoPE Configuration
Perform the following steps to ensure the correct functioning of manager provisioning and deleting assignments between Teams groups and users:
-
Open the RoPE configuration file:
On-prem:\Omada Identity Suite\Role and Policy Engine\Service\ConfigFiles
Cloud: Management Portal --> RoPE configuration -
Under the Attribute Value Resolver extension, add the following lines (change the key value in case you already have that specific key defined):
<add key="MSEntraID_Manager" name="MANAGER" extraInfo="Type:ReferencePath" value="/#IDENTITY/OUREF/MANAGER/IDENTITYREF:[IDENTITYID]"></add>
- Under the Map Attributes From Actual Data extension, add the following lines (change the key value in case you already have that specific key defined):
<add key="3" extraInfo="Microsoft Entra ID Teams" name="C_MSTEAMSMEMBERSHIPID" value="C_MSTEAMSMEMBERSHIPID" />
Events definition
Establish event definitions that trigger create, update, and delete operations for resource provisioning (Teams groups, SharePoint groups, and Security groups). To create event definitions, implement a code method to GenerateGUID in the logical key field:
- Go to Setup --> Administration --> Process configuration --> Event definitions. Click New.
- Enter the following details:
Name: Trigger Microsoft Entra ID Groups – Create
Description: Microsoft Teams, Microsoft SharePoint, Microsoft Security
Event is triggered when: A new object is created
Triggers on objects of type: Resources - Click Apply.
- Click New and create two Execute code method entries.
- Code method 1
Assembly:Omada.OE.UtilityCodeAssembly.dll
Class Name:Omada.OE.UtilityCodeAssembly.Main
Name of method:GenerateGUID
Name:result
Map to property:Logical key - Code method 2
Assembly:Omada.OE.Solution.OIM.Assembly.dll
Class Name:Omada.OE.Solution.OIM.Assembly.OPS.ResourceLifeCycleManager
Name of method:SubmitPrioritizedProvisioningJob
Name:operationEnum
Map to value:create
- Code method 1
- Click OK.
- In the event definition setup view, click Filter.
- Create a new filter. Enter the following details and click OK:
- To save the new event definition, click OK.
Create event definitions to trigger update and delete actions in the Resources object. For the update and delete operations, you don't need to create a code method to GenerateGUID.
You can only update the group's name.