Microsoft Azure (Graph API) Connector
Identity connector for Microsoft Azure services (Office365, Azure AD) based on Graph API.
| Property | Value |
|---|---|
| Functionality | stable |
| Development status | active (actively developed and maintained) |
| Support status | supportable |
| Origin | Evolveum |
| Support provided by | Evolveum |
| Target systems | Office365, Azure Active Directory |
| Protocol | Microsoft Graph API |
| Source code | https://github.com/Evolveum/connector-microsoft-graph-api |
Capabilities and Features
| Capability | Supported | Note |
|---|---|---|
| Schema | YES | |
| Provisioning | YES | |
| Live Synchronization | YES | Not supported for the Licences object type |
| Password | YES | |
| Activation | YES | |
| Script execution | No | |
Versions
| Version | Origin | Binary | Sources | Build Date | Description |
|---|---|---|---|---|---|
| 1.0.0.1 | Evolveum | | | Jan 21 2022 | Stable version |
| 1.0.1.0 | Evolveum | | | Nov 15 2022 | Fixes related to licence handling and group management improvements. |
| 1.0.1.1 | Evolveum | | | Mar 02 2023 | Fix related to user account delta/delete operations. |
| 1.0.1.2 | Evolveum | | | Mar 03 2023 | Fix related to handling actions on already deleted accounts. |
| 1.0.2.0 | Evolveum | | | Mar 14 2023 | Role object class introduced for the management of role members, the "manager" attribute management feature, and some minor fixes. |
Documentation
Introduction
TODO
Limitations
Currently three object types are supported by the connector: accounts, groups and licence objects. There are some limitations for more complex relationship parameters (e.g. "App role assignments" of User type objects), which are not present in the schema because of current ConnId API limitations. The group objects "distribution lists" and "mail and security" groups are read-only due to Graph API limitations; general provisioning and deprovisioning of other group objects is otherwise permitted. Licence objects are accessible but read-only. The Role object class is currently implemented as read-only, except for role membership management.
Past versions of the API permitted updating the membership of "distribution lists" and "mail and security" group objects. This seems to have changed in a later version of the Graph API, which describes the previous behaviour as a bug.
Notes
The following SSL certificates are needed for the connector deployment: DigiCert Global Root CA and DigiCert Global Root G2.
Some API resources limit the number of API calls they accept. This 'resource throttling' can affect the overall performance of the connector. The connector copes with it by re-issuing the request for a specific resource several times if needed, with a pause between attempts. The length of the wait depends on the reply from the API endpoint, which tells the connector when the endpoint will be available again. For more information see https://docs.microsoft.com/en-us/graph/throttling.
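The retry behaviour described above, as an added example that is not the connector's own code: a Graph call is repeated while the endpoint answers HTTP 429, the pause is taken from the `Retry-After` header Graph sends with a throttled reply, and the two configuration parameters from the table below bound the loop. That `throttlingRetryWait` caps the pause at the header's value and `throttlingRetryCount` counts retries after the first attempt is this example's reading of the parameter descriptions, not a statement about the connector's implementation. The responses are constructed in the block; no network is used.

```python
"""Throttling-aware retry loop for Microsoft Graph calls (added example)."""
import time
from dataclasses import dataclass, field
from typing import Callable, List, Optional


# Constructed stand-in for an HTTP response; no network is used.
@dataclass
class FakeResponse:
    status: int
    headers: dict = field(default_factory=dict)
    body: Optional[dict] = None


class ThrottledError(Exception):
    """Raised when the resource stays throttled past the configured retries."""


def retry_after_seconds(resp: FakeResponse, max_wait: float) -> float:
    """Pause derived from the Retry-After header (seconds), capped at max_wait.

    Graph answers a throttled request with HTTP 429 and a Retry-After header;
    a missing or malformed header falls back to the configured maximum.
    """
    raw = resp.headers.get("Retry-After")
    try:
        wait = float(raw)
    except (TypeError, ValueError):
        return max_wait
    return max(0.0, min(wait, max_wait))


def call_with_throttling(send: Callable[[], FakeResponse],
                         throttling_retry_wait: float = 10.0,
                         throttling_retry_count: int = 3,
                         sleep: Callable[[float], None] = time.sleep) -> FakeResponse:
    """Invoke `send` until it returns a non-throttled response.

    throttling_retry_wait  - maximum pause between attempts in seconds (page default 10)
    throttling_retry_count - maximum number of retries after the first attempt (page default 3)
    `sleep` is injectable so the pauses can be recorded instead of waited out.
    """
    retries = 0
    while True:
        resp = send()
        if resp.status != 429:
            return resp
        if retries >= throttling_retry_count:
            raise ThrottledError(f"still throttled after {retries} retries")
        retries += 1
        sleep(retry_after_seconds(resp, throttling_retry_wait))


def demo() -> tuple:
    """Constructed scenario: the endpoint throttles twice, then answers."""
    script = iter([
        FakeResponse(429, {"Retry-After": "2"}),
        FakeResponse(429, {"Retry-After": "30"}),   # longer than the 10 s cap
        FakeResponse(200, body={"value": []}),
    ])
    waits: List[float] = []
    resp = call_with_throttling(lambda: next(script), 10.0, 3, sleep=waits.append)
    return resp.status, waits


def demo_exhausted() -> tuple:
    """Constructed scenario: the resource never recovers, so the loop gives up."""
    waits: List[float] = []
    try:
        call_with_throttling(lambda: FakeResponse(429, {"Retry-After": "1"}),
                             10.0, 3, sleep=waits.append)
    except ThrottledError:
        return True, len(waits)
    return False, len(waits)


if __name__ == "__main__":
    print(demo())            # (200, [2.0, 10.0])
    print(demo_exhausted())  # (True, 3)
```

Capping the pause matters operationally: a `Retry-After` of several minutes on a bulk reconciliation would otherwise stall the whole synchronization, while giving up after a bounded number of retries turns persistent throttling into a visible connector error rather than a silent hang.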
Configuration parameters
| Parameter | Note |
|---|---|
| clientId | The Application ID that the 'Application Registration Portal' (apps.dev.microsoft.com) assigned to your app. |
| clientSecret | The Application Secret that you generated for your app in the app registration portal. |
| tenantId | Either the domain name of the Azure AD tenant or the tenant's GUID identifier. |
| proxyPort | Port number of the HTTPS proxy to use to connect to cloud services. For this setting to take any effect, ProxyHost needs to be configured as well. |
| proxyHost | Hostname of the HTTPS proxy to use to connect to cloud services. If used, ProxyPort needs to be configured as well. |
| pageSize | The number of entries to bring back per page in the call to the Graph API. |
| disabledPlans | List of entries of the form SkuId:ServicePlanId,[ServicePlanId2…]. These service plans will be disabled during assignment of each license. |
| inviteGuests | Whether to allow creation of guest accounts by inviting users from outside the tenant (based on e-mail address only). |
| sendInviteMail | Whether to send an email invitation to guest users. |
| inviteRedirectUrl | Specify a URL that an invited user should be redirected to once they claim their invitation. Mandatory if 'InviteGuests' is true. |
| inviteMessage | Custom message to send in an invite. Requires 'InviteRedirectURL'. |
| throttlingRetryWait | Maximum time period between requests impacted by throttling, defined as a number of seconds. Default 10. |
| throttlingRetryCount | Maximum retry count in case of a request impacted by throttling. Default 3. |
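Two of the parameters above carry structure that is easy to get wrong at deployment time: `disabledPlans` has its own `SkuId:ServicePlanId,ServicePlanId2` syntax, and several parameters only make sense in pairs (proxyHost with proxyPort, inviteRedirectUrl whenever inviteGuests or inviteMessage is set). The following added example, which is not the connector's own code, parses the `disabledPlans` syntax into the `addLicenses`/`disabledPlans` structure that Graph's `assignLicense` operation expects and checks the pairing rules stated in the table. The `ConnectorConfig` class, its field names and the sample GUIDs are constructed for the example; how the connector itself stores and maps the parameters is not shown on this page.

```python
"""Parsing and validating the connector's configuration parameters (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

GUID = re.compile(r"^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")


@dataclass
class ConnectorConfig:
    """Hypothetical in-memory form of the parameters from the table above."""
    client_id: str
    client_secret: str
    tenant_id: str
    proxy_host: Optional[str] = None
    proxy_port: Optional[int] = None
    page_size: int = 100
    disabled_plans: List[str] = field(default_factory=list)
    invite_guests: bool = False
    send_invite_mail: bool = False
    invite_redirect_url: Optional[str] = None
    invite_message: Optional[str] = None
    throttling_retry_wait: int = 10
    throttling_retry_count: int = 3


def parse_disabled_plans(entries: List[str]) -> Dict[str, List[str]]:
    """Turn 'SkuId:ServicePlanId,ServicePlanId2' strings into {skuId: [planIds]}.

    Whitespace around ids is tolerated; an entry without ':' or with a
    non-GUID id is rejected rather than silently assigning the full SKU.
    """
    result: Dict[str, List[str]] = {}
    for entry in entries:
        sku, sep, plans = entry.partition(":")
        sku = sku.strip()
        if not sep or not GUID.match(sku):
            raise ValueError(f"bad disabledPlans entry: {entry!r}")
        plan_ids = [p.strip() for p in plans.split(",") if p.strip()]
        bad = [p for p in plan_ids if not GUID.match(p)]
        if not plan_ids or bad:
            raise ValueError(f"bad service plan id(s) {bad} in {entry!r}")
        result.setdefault(sku, []).extend(plan_ids)
    return result


def assign_license_body(sku_id: str, disabled: Dict[str, List[str]]) -> dict:
    """Body for Graph's POST /users/{id}/assignLicense with the configured
    service plans of this SKU switched off."""
    return {"addLicenses": [{"skuId": sku_id, "disabledPlans": disabled.get(sku_id, [])}],
            "removeLicenses": []}


def validate(cfg: ConnectorConfig) -> List[str]:
    """Return the list of configuration problems (empty when the config is usable)."""
    problems: List[str] = []
    for name in ("client_id", "client_secret", "tenant_id"):
        if not getattr(cfg, name):
            problems.append(f"{name} is required")
    # proxyHost and proxyPort only take effect together
    if (cfg.proxy_host is None) != (cfg.proxy_port is None):
        problems.append("proxyHost and proxyPort must be configured together")
    if cfg.proxy_port is not None and not 1 <= cfg.proxy_port <= 65535:
        problems.append("proxyPort out of range")
    if cfg.page_size <= 0:
        problems.append("pageSize must be positive")
    # inviteRedirectUrl is mandatory for guest invitations and invite messages
    if cfg.invite_guests and not cfg.invite_redirect_url:
        problems.append("inviteRedirectUrl is mandatory when inviteGuests is true")
    if cfg.invite_message and not cfg.invite_redirect_url:
        problems.append("inviteMessage requires inviteRedirectUrl")
    if cfg.throttling_retry_wait < 0 or cfg.throttling_retry_count < 0:
        problems.append("throttling parameters must not be negative")
    try:
        parse_disabled_plans(cfg.disabled_plans)
    except ValueError as exc:
        problems.append(str(exc))
    return problems


# Constructed sample ids: valid GUID format, not real Microsoft SKU or plan ids.
SKU = "11111111-2222-3333-4444-555555555555"
PLAN_A = "aaaaaaaa-0000-0000-0000-000000000001"
PLAN_B = "aaaaaaaa-0000-0000-0000-000000000002"


def demo() -> tuple:
    """A configuration with two pairing mistakes and one valid disabledPlans entry."""
    cfg = ConnectorConfig("app-id", "app-secret", "example.onmicrosoft.com",
                          proxy_host="proxy.internal", proxy_port=None,
                          disabled_plans=[f"{SKU}:{PLAN_A}, {PLAN_B}"],
                          invite_guests=True)
    body = assign_license_body(SKU, parse_disabled_plans(cfg.disabled_plans))
    return validate(cfg), body


if __name__ == "__main__":
    problems, body = demo()
    print("\n".join(problems))
    print(body)
```

Failing fast on a malformed `disabledPlans` entry is the safer default: a silently ignored entry would assign the full SKU, enabling service plans the deployment meant to keep off.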