Example query in midPoint query language, referenced from the Limitations section below: the conditions that use the 'contains' operator are grouped into their own branch of the top-level 'and', separate from the startsWith/endsWith conditions:

```text
(attributes/icfs:name not startsWith "XYZ" and attributes/icfs:name not endsWith "Baar")
and ((attributes/ri:department not contains "FOO" and attributes/ri:department not contains "Baar")
and (attributes/icfs:name contains "A" or attributes/icfs:name contains "B"))
```
Microsoft Entra ID (formerly Azure AD) Connector
Identity connector for Microsoft Entra ID (formerly Azure Active Directory) services (Office 365, Entra ID), based on the Microsoft Graph API.
Functionality | stable |
Development status | active (actively developed and maintained) |
Support status | supportable |
Origin | Evolveum |
Support provided by | Evolveum |
Target systems | Office365, Entra ID (Azure Active Directory) |
Protocol | Microsoft Graph API |
Source code | https://github.com/Evolveum/connector-microsoft-graph-api |
Capabilities and Features
Capability | Supported | Note |
---|---|---|
Schema | YES | |
Provisioning | YES | |
Live Synchronization | YES | Only for the Account object type |
Password | YES | |
Activation | YES | |
Script execution | No | |
Versions
Version | Origin | Build Date | Description |
---|---|---|---|
1.0.0.1 | Evolveum | Jan 21 2022 | Stable version |
1.0.1.0 | Evolveum | Nov 15 2022 | Fixes related to licence handling and group management improvements. |
1.0.1.1 | Evolveum | Mar 02 2023 | Fix related to user account delta/delete operations. |
1.0.1.2 | Evolveum | Mar 03 2023 | Fix related to handling actions on already deleted accounts. |
1.0.2.0 | Evolveum | Mar 14 2023 | Role object class introduced for the management of role members; "manager" attribute management feature; minor fixes. |
1.0.2.1 | Evolveum | Mar 24 2023 | Changes in query URL construction for the AccountObjectClass (can be extended to other object classes in the future). |
1.0.2.2 | Evolveum | Apr 20 2023 | Changes in query URL construction for the GroupObjectClass (can be extended to other object classes in the future). |
1.0.3.0 | Evolveum | Apr 28 2023 | Filter aggregation implementation. Solves some issues with the 'contains' filter in combination with other filters in composite filters. |
1.1.0.0 | Evolveum | Apr 28 2023 | Upgrade to ConnId 1.5.1.3; implementation of discovery methods. |
1.1.0.1 | Evolveum | May 3 2023 | Connector configuration localization properties and a minor schema fix. |
1.1.1.0 | Evolveum | May 11 2023 | Contribution merge: filter and search support added for contains-all-values filtering (for limitations see the Microsoft documentation). |
1.2.0.0 | Evolveum | May 22 2023 | Fixes in filter escaping, group retrieval and group name duplicity. Improved query processing, multi-value updates and JSON building. Attribute schema changes and removal of UpdateOp and UpdateAttributeValuesOp (both obsolete). |
Documentation
Introduction
TODO
Limitations
Currently four object classes are supported by the connector: accounts, groups, licence objects and roles. There are limitations for more complex relationship parameters (e.g. "App role assignments" of User objects), which are not present in the schema because of current ConnId API limitations. Group objects of the "distribution list" and "mail and security" kinds are read-only due to Graph API limitations; general provisioning and deprovisioning of other group objects is permitted. Licence objects are accessible and read-only. The Role object class is currently implemented as read-only, except for role membership management.
Only basic query features are supported for Licence and Role objects.
Supported filters for Licence and Role objects (other than the All filter):

ObjectClass | Parameters | Filter | Note |
---|---|---|---|
Role | Uid, Display Name | Equals Filter | |
Role | Display Name | Contains Filter | The Contains filter is translated to a "Starts With" filter |
Role | | Contains All Values Filter | |
Licence | Uid, Id | Equals Filter | |

Earlier versions of the Graph API permitted updating the membership of "distribution list" and "mail and security" group objects. This appears to have changed in a later version of the Graph API, which refers to the previous behaviour as a bug.
Query URL construction for Accounts and Groups supports complex queries using composite filters ('And', 'Or') and the 'Not' filter. There are a couple of API limitations in the usage of filters:

- Contains filter: although the Graph API documentation states that a contains filter is provided, in practice its use is quite limited (it does not seem to be possible for Account objects; see the Microsoft Graph documentation). To compensate, the connector leverages the "search" functionality ($search), which in some cases can partially work as a 'contains' filter (it matches tokens, not arbitrary substrings).
- Less than, Greater than filter: the filter queries are constructed correctly, yet the API mostly responds with an exception hinting that "Less than or equals" or "Greater than or equals" filtering should be used instead (the reason for this has not been found in the API documentation yet).
- Not and Ends with filter: these implicitly set the "count" parameter to true ($count=true), because the API requires it for these operators (see the Microsoft Graph documentation).
- Generally you might experience specific limitations for other attributes. Usually you will be prompted with a corresponding exception.

When a query combines a "contains" filter with other types of filter (other than composite filters or the 'Not' filter), the part of the query holding the contains filter (either the single contains, or a composite or not filter consisting only of contains filters) has to be directly on the left or right side of the first 'And' clause. This is due to API limitations regarding the combination of the 'filter' and 'search' clauses, which the API applies together only as a logical AND (see the Microsoft Graph documentation).

Please also keep this in mind when structuring your queries. midPoint automatically generates some parts of the 'And' filter tree based on the notation used in your configuration. When using a 'Contains' filter, divide the 'And' clauses explicitly in the configuration, as in the example query at the beginning of this page.
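The following is an added example, not the connector's own code, showing how the limitations above shape a Microsoft Graph /users request: 'contains' conditions are moved into $search, 'not' and 'endsWith' force $count=true, anything using advanced query operators or $search is sent with the ConsistencyLevel: eventual header, 'lt'/'gt' are rejected in favour of 'le'/'ge', and a 'contains' branch is only accepted as a direct operand of the top-level 'and'. The filter-tree classes (Cond, Not, And, Or) and the split into a $filter branch and a $search branch are this example's own assumptions about how such a translation can be organised; the OData and $search syntax is Graph's.

```python
# Added example (not the connector's own code): build the query parameters of a
# Microsoft Graph GET /users request from a small filter tree, applying the API
# limitations described on this page. Cond/Not/And/Or are assumed helper types.
from dataclasses import dataclass
from typing import List, Tuple, Union


class QueryError(ValueError):
    """Raised for filter shapes the Graph API would reject."""


@dataclass
class Cond:
    attr: str
    op: str            # eq, le, ge, lt, gt, startsWith, endsWith, contains
    value: str


@dataclass
class Not:
    part: "Node"


@dataclass
class And:
    parts: List["Node"]


@dataclass
class Or:
    parts: List["Node"]


Node = Union[Cond, Not, And, Or]


def has_contains(node: Node) -> bool:
    if isinstance(node, Cond):
        return node.op == "contains"
    if isinstance(node, Not):
        return has_contains(node.part)
    return any(has_contains(p) for p in node.parts)


def to_filter(node: Node) -> Tuple[str, bool]:
    """Render a contains-free subtree as an OData $filter expression.

    Returns (expression, advanced); 'advanced' is True when 'not' or 'endswith'
    is used, which Graph only accepts with $count=true and ConsistencyLevel: eventual.
    """
    if isinstance(node, Cond):
        if node.op == "contains":
            raise QueryError("'contains' cannot go into $filter for users; use the $search branch")
        if node.op in ("lt", "gt"):
            raise QueryError(f"'{node.op}' is rejected by the API for most properties; use 'le' or 'ge'")
        value = node.value.replace("'", "''")          # OData escaping of single quotes
        if node.op in ("eq", "le", "ge"):
            return f"{node.attr} {node.op} '{value}'", False
        if node.op == "startsWith":
            return f"startswith({node.attr},'{value}')", False
        if node.op == "endsWith":
            return f"endswith({node.attr},'{value}')", True
        raise QueryError(f"unsupported operator '{node.op}'")
    if isinstance(node, Not):
        inner, _ = to_filter(node.part)
        return f"not ({inner})", True
    keyword = "and" if isinstance(node, And) else "or"
    rendered = [to_filter(p) for p in node.parts]
    return "(" + f" {keyword} ".join(e for e, _ in rendered) + ")", any(a for _, a in rendered)


def to_search(node: Node) -> str:
    """Render a subtree made only of 'contains' conditions (one level of and/or) as $search."""
    if isinstance(node, Cond):
        if node.op != "contains":
            raise QueryError("only 'contains' conditions may sit in the $search branch")
        return f'"{node.attr}:{node.value}"'              # $search matches tokens, not substrings
    if isinstance(node, Not) or not all(isinstance(p, Cond) for p in node.parts):
        raise QueryError("this example models only one level of and/or over 'contains' in $search")
    keyword = "AND" if isinstance(node, And) else "OR"
    return f" {keyword} ".join(to_search(p) for p in node.parts)


def build_query(node: Node) -> dict:
    """Return {'params': ..., 'headers': ...} for a GET /users request."""
    params, headers = {}, {}
    search_branch, filter_branch = None, None
    if not has_contains(node):
        filter_branch = node
    elif isinstance(node, And):
        # Graph combines $filter and $search only as a logical AND, so the contains
        # part has to be a direct operand of the top-level 'and'.
        search_parts = [p for p in node.parts if has_contains(p)]
        filter_parts = [p for p in node.parts if not has_contains(p)]
        if len(search_parts) != 1:
            raise QueryError("exactly one operand of the top-level 'and' may carry 'contains' filters")
        search_branch = search_parts[0]
        if filter_parts:
            filter_branch = filter_parts[0] if len(filter_parts) == 1 else And(filter_parts)
    else:
        search_branch = node                          # to_search rejects mixed shapes
    if filter_branch is not None:
        expr, advanced = to_filter(filter_branch)
        params["$filter"] = expr
        if advanced:
            params["$count"] = "true"
            headers["ConsistencyLevel"] = "eventual"
    if search_branch is not None:
        params["$search"] = to_search(search_branch)
        headers["ConsistencyLevel"] = "eventual"      # $search on users needs this header too
    return {"params": params, "headers": headers}
```

The values in params are shown unencoded; a real client URL-encodes them. Combining the result with an 'or' between the $search branch and a $filter condition is refused by build_query, which is exactly the shape the page warns about.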
Notes
The following CA certificates must be present in the trust store used by the connector deployment:
DigiCert Global Root CA
DigiCert Global Root G2
Since version 1.1.0.0 of the connector, the discovery method automatically fetches the JVM default trust store, which by default already holds the certificates mentioned above, and offers this trust store for communication.
Some API resources limit the number of API calls ("resource throttling"), which can affect the overall performance of the connector. The connector copes with this by repeating the request for the affected resource (if needed) with a pause between attempts. The length of the pause depends on the reply from the API endpoint, which tells the connector when the endpoint will be available again (the Retry-After header of the throttled response). For more information see https://docs.microsoft.com/en-us/graph/throttling.
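As an added example (not the connector's own code), the retry loop below shows the behaviour the paragraph above and the throttlingRetryWait / throttlingRetryCount parameters describe: a request answered with HTTP 429 is repeated after the pause the endpoint asks for in its Retry-After header, the pause is capped at the configured maximum, and after the configured number of retries the caller is told the request is still throttled. FakeGraphEndpoint is a constructed stand-in for the HTTP client so the example runs offline; the function and class names are this example's own.

```python
# Added example (not the connector's own code): retry a throttled Graph request,
# honouring Retry-After but capping the wait (throttlingRetryWait) and the number
# of retries (throttlingRetryCount). FakeGraphEndpoint is a constructed stand-in.
import time
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, Dict[str, str], bytes]      # (status, headers, body)


class ThrottlingExceeded(RuntimeError):
    """Raised when the request is still throttled after the last permitted retry."""


def retry_after_seconds(headers: Dict[str, str]) -> Optional[float]:
    """Parse a Retry-After header given in seconds; an HTTP-date or a missing header yields None."""
    value = headers.get("Retry-After")
    if value is None:
        return None
    try:
        return max(0.0, float(value))
    except ValueError:
        return None


def call_with_throttling_retry(send: Callable[[], Response], *, max_wait_s: float = 10.0,
                               max_retries: int = 3,
                               sleep: Callable[[float], None] = time.sleep) -> Response:
    """Invoke send() and repeat it while the endpoint answers 429, pausing between attempts.

    The pause is what the endpoint asks for in Retry-After, capped at max_wait_s;
    when Retry-After is absent or unparsable the cap itself is used. After
    max_retries retries the request is given up with ThrottlingExceeded.
    """
    retries = 0
    while True:
        status, headers, body = send()
        if status != 429:
            return status, headers, body
        if retries >= max_retries:
            raise ThrottlingExceeded(f"still throttled after {retries} retries")
        retries += 1
        asked = retry_after_seconds(headers)
        sleep(min(asked, max_wait_s) if asked is not None else max_wait_s)


class FakeGraphEndpoint:
    """Constructed stand-in: answers 429 a fixed number of times, then 200."""

    def __init__(self, throttled_replies: int, retry_after: str = "2"):
        self.remaining = throttled_replies
        self.retry_after = retry_after
        self.calls = 0

    def send(self) -> Response:
        self.calls += 1
        if self.remaining > 0:
            self.remaining -= 1
            return 429, {"Retry-After": self.retry_after}, b'{"error":{"code":"TooManyRequests"}}'
        return 200, {"Content-Type": "application/json"}, b'{"value":[]}'


def demo() -> dict:
    """Run two scenarios with a recording sleep() instead of real waiting."""
    waits = []
    ep = FakeGraphEndpoint(2)                         # throttled twice, then succeeds
    status, _, _ = call_with_throttling_retry(ep.send, sleep=waits.append)
    recovered = {"status": status, "calls": ep.calls, "waits": waits}
    waits2 = []
    ep2 = FakeGraphEndpoint(5)                        # throttled more often than allowed
    try:
        call_with_throttling_retry(ep2.send, sleep=waits2.append)
        gave_up = False
    except ThrottlingExceeded:
        gave_up = True
    return {"recovered": recovered, "gave_up": gave_up,
            "calls_before_giving_up": ep2.calls, "waits2": waits2}


if __name__ == "__main__":
    print(demo())
```

Capping the pause at throttlingRetryWait means a request can be retried before the endpoint's own Retry-After has elapsed and be throttled again; that is why the retry count exists as a second limit, and why a throttled operation surfaces as an error instead of a hang.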
Configuration parameters
Parameter | Note |
---|---|
clientId | The Application (client) ID that the app registration portal (formerly apps.dev.microsoft.com) assigned to your app. |
clientSecret | The application secret generated for your app in the app registration portal. Treat it as a credential: store it as a protected (encrypted) value in the resource configuration, not in clear text. |
tenantId | Either the domain name of the Entra ID (Azure AD) tenant or the tenant's GUID identifier. |
validateWithFailoverTrustStore | If set to true, the connector uses the failover trust store as the primary trust store for CA certificate validation. Default value is 'true'. |
pathToFailoverTrustStore | Path to the trust store used for CA certificate validation as a failover. Default value is the path to the JVM native trust store. |
proxyPort | Port number of the HTTPS proxy used to connect to cloud services. Has no effect unless proxyHost is configured as well. |
proxyHost | Hostname of the HTTPS proxy used to connect to cloud services. If used, proxyPort must be configured as well. |
pageSize | The number of entries returned per page in calls to the Graph API. |
disabledPlans | List of entries in the form SkuId:ServicePlanId[,ServicePlanId2...]. The listed service plans are disabled whenever the given licence (SKU) is assigned. |
inviteGuests | Whether to allow creation of guest accounts by inviting users from outside the tenant (based on e-mail address only). |
sendInviteMail | Whether to send an e-mail invitation to guest users. |
inviteRedirectUrl | URL an invited user is redirected to once they accept the invitation. Mandatory if inviteGuests is true. |
inviteMessage | Custom message to send in an invitation. Requires inviteRedirectUrl. |
throttlingRetryWait | Maximum wait, in seconds, between attempts of a request affected by throttling. Default 10. |
throttlingRetryCount | Maximum number of retries of a request affected by throttling. Default 3. |
certificateBasedAuthentication | If set to true, the connector authenticates with a certificate instead of the client secret. |
certificatePath | Path to the public certificate (.crt format). |
privateKeyPath | Path to the private key (.der or .pem format). Restrict the file's permissions so that only the midPoint service account can read it. |
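The following is an added example, not the connector's own code. It checks a set of configuration properties against the constraints stated in the table above (secret or certificate credentials, proxyHost/proxyPort pairing, inviteRedirectUrl being mandatory with inviteGuests or inviteMessage, positive throttling and paging values, well-formed disabledPlans entries) and then turns the disabledPlans setting into the body of the Graph POST /users/{id}/assignLicense request, which is where those service plans end up. The property names are the connector's; the validation rules are this example's reading of the table, and the GUIDs and tenant name in the sample are constructed placeholders.

```python
# Added example (not the connector's own code): validate connector configuration
# properties against the documented constraints and build the assignLicense
# request body from the disabledPlans setting. Sample values are constructed.
import uuid
from typing import Dict, List, Tuple


def _is_guid(value: str) -> bool:
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False


def parse_disabled_plan(entry: str) -> Tuple[str, List[str]]:
    """Parse one 'SkuId:ServicePlanId[,ServicePlanId2...]' entry into (skuId, [planIds])."""
    sku, sep, plans = entry.partition(":")
    sku = sku.strip()
    plan_ids = [p.strip() for p in plans.split(",") if p.strip()]
    if not sep or not _is_guid(sku) or not plan_ids or not all(_is_guid(p) for p in plan_ids):
        raise ValueError(f"malformed disabledPlans entry: {entry!r}")
    return sku, plan_ids


def validate_config(cfg: Dict[str, object]) -> List[str]:
    """Return the list of problems found (empty when the configuration is consistent)."""
    problems: List[str] = []
    for key in ("clientId", "tenantId"):
        if not cfg.get(key):
            problems.append(f"{key} is required")
    if cfg.get("certificateBasedAuthentication"):
        for key in ("certificatePath", "privateKeyPath"):
            if not cfg.get(key):
                problems.append(f"{key} is required when certificateBasedAuthentication is true")
    elif not cfg.get("clientSecret"):
        problems.append("clientSecret is required unless certificateBasedAuthentication is true")
    if bool(cfg.get("proxyHost")) != bool(cfg.get("proxyPort")):
        problems.append("proxyHost and proxyPort must be configured together")
    if cfg.get("inviteGuests") and not cfg.get("inviteRedirectUrl"):
        problems.append("inviteRedirectUrl is mandatory when inviteGuests is true")
    if cfg.get("inviteMessage") and not cfg.get("inviteRedirectUrl"):
        problems.append("inviteMessage requires inviteRedirectUrl")
    for key in ("throttlingRetryWait", "throttlingRetryCount", "pageSize"):
        if key in cfg and (not isinstance(cfg[key], int) or cfg[key] < 1):
            problems.append(f"{key} must be a positive integer")
    for entry in cfg.get("disabledPlans", []):
        try:
            parse_disabled_plan(entry)
        except ValueError as exc:
            problems.append(str(exc))
    return problems


def assign_license_body(sku_ids: List[str], disabled_plans_setting: List[str]) -> dict:
    """Build the assignLicense request body, disabling the configured plans of each SKU."""
    disabled = dict(parse_disabled_plan(e) for e in disabled_plans_setting)
    return {
        "addLicenses": [{"skuId": sku, "disabledPlans": disabled.get(sku, [])} for sku in sku_ids],
        "removeLicenses": [],
    }


# Constructed sample configuration: placeholder identifiers, not a real tenant.
SAMPLE_CONFIG = {
    "clientId": "00000000-0000-0000-0000-000000000001",
    "clientSecret": "<protected value, encrypted by midPoint>",
    "tenantId": "contoso.onmicrosoft.com",
    "proxyHost": "proxy.internal",
    "proxyPort": 8080,
    "inviteGuests": True,
    "inviteRedirectUrl": "https://myapps.microsoft.com",
    "throttlingRetryWait": 10,
    "throttlingRetryCount": 3,
    "disabledPlans": [
        "11111111-1111-1111-1111-111111111111:"
        "22222222-2222-2222-2222-222222222222,33333333-3333-3333-3333-333333333333",
    ],
}

if __name__ == "__main__":
    print(validate_config(SAMPLE_CONFIG))
    print(assign_license_body(["11111111-1111-1111-1111-111111111111"], SAMPLE_CONFIG["disabledPlans"]))
```

Running such a check before saving the resource catches the combinations the table calls out (for example inviteGuests without inviteRedirectUrl) at configuration time rather than as a failed provisioning operation later.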