Microsoft Azure (Graph API) Connector

Last modified 14 Dec 2021 17:45 +01:00

Identity connector for Microsoft Azure services (Office365, Azure AD) based on Graph API.

Functionality: stable
Development status: active (actively developed and maintained)
Support status: supportable
Origin: Evolveum
Support provided by: Evolveum
Target systems: Office365, Azure Active Directory
Protocol: Microsoft Graph API
Source code: https://github.com/Evolveum/connector-microsoft-graph-api

Capabilities and Features

Capability | Supported
Schema | Yes
Provisioning | Yes
Live Synchronization | Yes
Password | Yes
Activation | Yes
Script execution | No

Versions

Version | Origin | Binary | Sources | Build Date | Description
1.0-beta | Evolveum |  | Evolveum git repository (master) |  |

Documentation

Introduction

TODO

Limitations

Currently three object types are supported by the connector: accounts, groups and licence objects. There are some limitations for more complex relationship parameters (for example "App role assignments" on User type objects), which are not present in the schema because of current ConnId API limitations. The creation of "distribution lists" and "mail and security" groups is also not possible due to Graph API limitations; general provisioning and deprovisioning of group objects is otherwise permitted. Licence objects can be accessed, but read-only.

Supported attributes

The connector supports all attributes supported by the AD connector, along with the following Exchange ones. Descriptions are taken from Microsoft's site.

Attribute | Description | Office365 counterpart | Notes
city |  | city |
country |  | country |
department |  | department |
displayName |  | displayName |
facsimileTelephoneNumber |  | facsimileTelephoneNumber |
givenName |  | givenName |
jobTitle |  | jobTitle |
licenses | Licenses are given in the format SKU:PLAN:PLAN if you wish to assign only certain plans to a user; if you wish to assign all plans within a SKU to a user, simply specify SKU. SKUs are the subscriptions, such as "Microsoft Office 365 Plan A3 for Students", and plans are their individual components, such as "Exchange Online (Plan 2)". The SKU and plan need to be specified in the short format, which can be found using the Graph Explorer (http://graphexplorer.cloudapp.net/): the SKU is the skuPartNumber (e.g. ENTERPRISEPACK_STUDENT) and the PLAN is the servicePlanName (e.g. EXCHANGE_S_ENTERPRISE). |  |
mail |  | mail |
mailNickname |  | mailNickname |
mobile |  | mobile |
otherMails |  | otherMails |
forceChangePasswordNextLogin | Boolean to force a change of password at next login | forceChangePasswordNextLogin | Only used in managed domains
physicalDeliveryOfficeName |  | physicalDeliveryOfficeName |
postalCode |  | postalCode |
preferredLanguage |  | preferredLanguage |
proxyAddresses |  | proxyAddresses |
state |  | state |
streetAddress |  | streetAddress |
surname |  | surname |
telephoneNumber |  | telephoneNumber |
thumbnailPhoto |  | thumbnailPhoto |
immutableId |  | immutableId | Mandatory for federated domains. This string is base64 encoded and must match the value passed as the immutable ID within the federation solution. Depending on the source of the attribute and the federation solution being used, the way the attribute is base64 encoded varies; within this connector it can be configured using the immutableIDEncodeMechanism configuration variable. Microsoft manipulates the order of the bits of a GUID when base64 encoding it, hence the various encoding mechanisms. TODO expand
usageLocation |  |  | Mandatory if licenses are to be assigned
NAME |  |  | This should match the userPrincipalName within a federated environment
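The licenses attribute described above uses the short SKU:PLAN:PLAN form, while the Graph API itself assigns licences by skuId and servicePlanId (POST /users/{id}/assignLicense, with unwanted plans listed under disabledPlans). The following Python is an added illustration of that translation and is not the connector's own code; the subscribedSkus sample is constructed and its GUIDs are placeholders, and how the connector internally performs this lookup is not shown on this page. It refuses unknown SKU or plan names instead of silently assigning a whole SKU, which is the failure mode a provisioning engineer most wants to avoid.

```python
# Constructed sample in the shape of a (trimmed) GET /subscribedSkus response.
# skuId and servicePlanId values are made-up placeholders, not real tenant data.
SUBSCRIBED_SKUS = [
    {
        "skuId": "11111111-0000-0000-0000-000000000001",
        "skuPartNumber": "ENTERPRISEPACK_STUDENT",
        "servicePlans": [
            {"servicePlanId": "22222222-0000-0000-0000-000000000001",
             "servicePlanName": "EXCHANGE_S_ENTERPRISE"},
            {"servicePlanId": "22222222-0000-0000-0000-000000000002",
             "servicePlanName": "SHAREPOINTENTERPRISE_EDU"},
            {"servicePlanId": "22222222-0000-0000-0000-000000000003",
             "servicePlanName": "TEAMS1"},
        ],
    },
]


def parse_license(value):
    """Split 'SKU' or 'SKU:PLAN:PLAN' into (skuPartNumber, [servicePlanNames])."""
    parts = [p.strip() for p in value.split(":")]
    if not parts[0] or any(not p for p in parts[1:]):
        raise ValueError(f"malformed license value: {value!r}")
    return parts[0], parts[1:]


def build_assign_license_body(license_values, subscribed_skus):
    """Translate connector license strings into an assignLicense request body.

    Plans that are not named are placed in disabledPlans, so 'SKU:PLAN' means
    'only PLAN'; a bare 'SKU' enables every plan. Unknown SKU or plan names
    raise rather than silently granting more than was requested.
    """
    by_part_number = {s["skuPartNumber"]: s for s in subscribed_skus}
    add_licenses = []
    for value in license_values:
        sku_name, wanted = parse_license(value)
        sku = by_part_number.get(sku_name)
        if sku is None:
            raise ValueError(f"unknown SKU {sku_name!r}")
        plan_ids = {p["servicePlanName"]: p["servicePlanId"]
                    for p in sku["servicePlans"]}
        unknown = set(wanted) - plan_ids.keys()
        if unknown:
            raise ValueError(f"unknown plan(s) {sorted(unknown)} in SKU {sku_name!r}")
        if wanted:
            disabled = sorted(pid for name, pid in plan_ids.items()
                              if name not in wanted)
        else:
            disabled = []
        add_licenses.append({"skuId": sku["skuId"], "disabledPlans": disabled})
    return {"addLicenses": add_licenses, "removeLicenses": []}


if __name__ == "__main__":
    import json
    body = build_assign_license_body(
        ["ENTERPRISEPACK_STUDENT:EXCHANGE_S_ENTERPRISE"], SUBSCRIBED_SKUS)
    print(json.dumps(body, indent=2))
```

Note that usageLocation must be set on the user before such a request succeeds, as the attribute table states.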
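The immutableId note above says the base64 encoding of a GUID differs between sources and federation solutions and is selected with immutableIDEncodeMechanism. The following Python is an added illustration of why two encodings of the same GUID differ, not the connector's code: the page does not list the option's values, so the mechanism names "guid-bytes" and "guid-bytes-le" are hypothetical labels. "guid-bytes" uses the GUID's RFC 4122 byte order and "guid-bytes-le" the Windows/.NET mixed-endian order (first three fields little-endian), which is the order an on-premises AD objectGUID holds and therefore the usual source of a federated immutable ID; picking the wrong one produces a valid-looking 24-character value that simply never matches the federation side.

```python
import base64
import uuid

# Hypothetical mechanism labels for illustration; the connector's real option
# values for immutableIDEncodeMechanism are not given on this page.
MECHANISMS = {
    # RFC 4122 network byte order of the 16 GUID bytes
    "guid-bytes": lambda g: g.bytes,
    # Windows/.NET order: Data1-Data3 little-endian, as stored in AD objectGUID
    "guid-bytes-le": lambda g: g.bytes_le,
}


def encode_immutable_id(guid_text, mechanism):
    """Base64-encode a GUID given as text, using the selected byte order."""
    g = uuid.UUID(guid_text)  # accepts with or without braces/hyphens
    return base64.b64encode(MECHANISMS[mechanism](g)).decode("ascii")


def decode_immutable_id(value, mechanism):
    """Reverse the encoding; rejects values that are not 16 GUID bytes."""
    raw = base64.b64decode(value, validate=True)
    if len(raw) != 16:
        raise ValueError("immutableId does not decode to 16 GUID bytes")
    if mechanism == "guid-bytes":
        return uuid.UUID(bytes=raw)
    if mechanism == "guid-bytes-le":
        return uuid.UUID(bytes_le=raw)
    raise ValueError(f"unknown mechanism {mechanism!r}")


def matches_federation_value(guid_text, mechanism, federation_value):
    """Check that the connector's encoding equals what the federation side
    passes as immutable ID; a byte-order mismatch shows up here, not as an
    error, because both encodings are syntactically valid base64."""
    return encode_immutable_id(guid_text, mechanism) == federation_value


if __name__ == "__main__":
    sample = "01234567-89ab-cdef-0123-456789abcdef"  # constructed GUID
    for name in MECHANISMS:
        print(name, encode_immutable_id(sample, name))
```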

Notes

The following SSL root CA certificates need to be trusted for the connector deployment:

DigiCert Global Root CA
DigiCert Global Root G2

Resource Sample