Microsoft Entra (Former Azure) Connector

Last modified 09 Aug 2024 12:59 +02:00

Identity connector for Microsoft Entra ID (Microsoft Azure) services (Office365, Entra ID) based on Graph API.

Functionalitystable
Development statusactive (actively developed and maintained)
Support statussupportable
OriginEvolveum
Support provided byEvolveum
Target systemsOffice365, Entra ID (Azure Active Directory)
ProtocolMicrosoft Graph API
Source codehttps://github.com/Evolveum/connector-microsoft-graph-api

Capabilities and Features

Schema

YES

Provisioning

YES

Live Synchronization

YES

* Only for Account object type

Password

YES

Activation

YES

Script execution

No

Versions

Version Origin Binary Sources Build Date Description

1.0.0.1

Evolveum

download jar

Evolveum git repository (master)

Jan 21 2022

Stable version

1.0.1.0

Evolveum

download jar

Evolveum git repository (master)

Nov 15 2022

Fixes related to Licence handling and Group management improvements.

1.0.1.1

Evolveum

download jar

Evolveum git repository (master)

Mar 02 2023

Fix related to user account delta/delete operations.

1.0.1.2

Evolveum

download jar

Evolveum git repository (master)

Mar 03 2023

Fix related to handling actions on already deleted accounts.

1.0.2.0

Evolveum

download jar

Evolveum git repository (master)

Mar 14 2023

Role object class introduced for the management of role members and also the "mamanger" attribute management feature and some minor fixes.

1.0.2.1

Evolveum

download jar

Evolveum git repository (master)

Mar 24 2023

Changes in query url construction for the AccountObjectClass (can be extended for other object classes in the future)

1.0.2.2

Evolveum

download jar

Evolveum git repository (master)

Apr 20 2023

Changes in query url construction for the GroupObjectClass (can be extended for other object classes in the future)

1.0.3.0

Evolveum

download jar

Evolveum git repository (master)

Apr 28 2023

Filter aggregation implementation. Solves some issues with 'contains' filter in combination with other filters in composite filters.

1.1.0.0

Evolveum

download jar

Evolveum git repository (master)

Apr 28 2023

Upgrade to connId 1.5.1.3, Implementation of discovery methods.

1.1.0.1

Evolveum

download jar

Evolveum git repository (master)

May 3 2023

Connector configuration localization properties and minor schema fix.

1.1.1.0

Evolveum

download jar

Evolveum git repository (master)

May 11 2023

Contribution merge, contains all values filtering has added filter and search support (for limitations please see microsoft documentation)

1.2.0.0

Evolveum

download jar

Evolveum git repository (master)

May 22 2023

Fixes in filter escaping, group retrieval, group name duplicity. Improved query processing, multi-value updates, JSON build. Attribute schema changes and removal of UpdateOp and UpdateAttributeValuesOp (Both obsolete).

Documentation

Introduction

TODO

Limitations

Currently three object types are supported by the connector. Accounts, groups and licence objects. There are some limitations in case of more complex relationship parameters (i.e. "App role assignments" in regards of the User type objects), which are not present in the schema because of the current connID API limitations. The group objects "distribution lists" and "mail and security" groups are read-only due to graph API limitations. General provisioning and deprovisioning of group objects is otherwise permitted. Licences objects access is possible and read-only. Role object class is currently implemented as read only, except role membership management.

Only basic query features are supported fo Licence and Role objects.

Supporter filters for Licence and Role Objects (other than all filter)

ObjectClass Parameters Filter Note

Role

Uid, Display Name

Equals Filter

Role

Display Name

Contains Filter

Contains filter will be translated to "Starts With" filter

Role

Contains All Values

Licence

Uid, Id

Equals Filter

Past usage of the API permitted the update of membership information regarding "distribution lists" and "mail and security" groups objects. This seems to have changed in a future version of the graph API referencing this as a bug.

Query url construction for Accounts and Groups now gives the possibility to specify complex queries using Composite filters (‘And’, ‘Or’) and also ‘Not’ filter. There are a couple of api limitations in the usage of filters.

  • Contains filter: Although the graph API documentation states that a contains filter functionality is provided, in reality the usage is quite limited (seems that not possible for the Account objects, please see this article ). To compensate for this the connector leverages the “search” functionality which in some cases can partially work as a ‘contains’ filter (tokens). Please see this article.

  • Less than, Greater than filter: The construction of the filter queries is implemented properly yet the API responds mostly with an exception hinting that “Less than or equals” or “Greater than or equals” filtering should be used instead (did not find the reason for this in the API documentation yet).

  • Not and Ends with filter have implicitly the “count” parameter set to true. This is requested by the API, please see this article.

  • Generally you might experience specific limitations for other attributes. Usually you will be prompted with a corresponding exception.

When using a query which has a “contains” filter with other types of filter preset (Other than composite filters or the ‘NOT’ filter). The part of the query with the contains filter (either the single contains or other composite filter or not filter with only contains filters) has to be directly on the left or right side of the first ‘AND’ filter clause. This is due to API limitations regarding the combination of the ‘filter’ and ‘search’ clause, please see this article.

Please also keep in mind the way you structure the queries related to this fact. MidPoint will automatically generate some parts of the ‘AND’ filter tree based on the notation used in your configuration. In case of the usage of ‘Contains’ filter, please divide the ‘AND’ clauses directly in the configuration. Please see the example below:

(attributes/icfs:name not startsWith "XYZ" and attributes/icfs:name not endsWith "Baar")
and ((attributes/ri:department not contains "FOO" and attributes/ri:department not contains "Baar")
and (attributes/icfs:name contains "A" or attributes/icfs:name contains "B"))

Notes

The following ssl certificates are need for the connector deployment:

DigiCert Global Root CA
DigiCert Global Root G2

With the version 'version' 1.1.0.0 of the connector, the discovery method automatically fetches the jvm default trust store which holds the early mentioned certificates by default. The discovery method offers to use this trust store for communication.

Some API resources might have a limit on the amount of API calls. This called 'resource throttling' might have an effect on the general performance of the connector. The connector itself copes with this by invoking the request for a specific resource multiple times (if needed) with a pause between each attempt. The length of the 'wait time' depends on the reply from the API endpoint, which provides the connector with the information about the availability of the endpoint. For more information see "https://docs.microsoft.com/en-us/graph/throttling".

Configuration parameters

Parameter Note

clientId

The Application ID that the 'Application Registration Portal' (apps.dev.microsoft.com) assigned to your app.

clientSecret

The Application Secret that you generated for your app in the app registration portal.

tenantId

Either Domain name of the "Entra ID" (Azure AD) tenant or the tenant’s guid identifier.

validateWithFailoverTrustStore

If set to true, connector will use the failover truststore to validate CA certificates as a primary trust store. Default value is 'true'.

pathToFailoverTrustStore

Path to trust store database which is going to be used with CA certificate validation as a failover. Default value is the path to JVM native trust store.

proxyPort

Port number of the HTTPS proxy to use to connect to cloud services. For this setting to take any effect, ProxyHost needs to be configured as well.

proxyHost

Hostname of the HTTPS proxy to use to connect to cloud services. If used, ProxyPort needs to be configured as well.

pageSize

The number of entries to bring back per page in the call to the Graph API

disabledPlans

List of the SkuId:ServicePlanId,[ServicePlanId2…​]. These service plan will be disabled during assignment of the each license

inviteGuests

Whether to allow creation of guest accounts by inviting users from outside the tenant (based on e-mail address only)

sendInviteMail

Whether to send an email invitation to guest users.

inviteRedirectUrl

Specify a URL that an invited user should be redirected to once he claims his invitation. Mandatory if 'InviteGuests' is true

inviteMessage

Custom message to send in an invite. Requires 'InviteRedirectURL'

throttlingRetryWait

Max time period in between requests impacted by throttling. Define as number of seconds. Default 10

throttlingRetryCount

Max retry count in case of an request impacted by throttling. Default 3.

certificateBasedAuthentication

If set to true connector uses certificate-based authentication.

certificatePath

Path to public key (.crt format).

privateKeyPath

Path to private key (.der or .pem format).

Was this page helpful?
YES NO
Thanks for your feedback