Microsoft Azure (Graph API) Connector

Last modified 14 Mar 2023 14:07 +01:00

Identity connector for Microsoft Azure services (Office365, Azure AD) based on Graph API.

Functionality: stable
Development status: active (actively developed and maintained)
Support status: supportable
Origin: Evolveum
Support provided by: Evolveum
Target systems: Office365, Azure Active Directory
Protocol: Microsoft Graph API
Source code: https://github.com/Evolveum/connector-microsoft-graph-api
Source codehttps://github.com/Evolveum/connector-microsoft-graph-api

Capabilities and Features

Schema: YES
Provisioning: YES
Live Synchronization: YES (not supported for the Licences object type)
Password: YES
Activation: YES
Script execution: No

Versions

Version | Origin | Binary | Sources | Build Date | Description
1.0.0.1 | Evolveum | download jar | Evolveum git repository (master) | Jan 21 2022 | Stable version
1.0.1.0 | Evolveum | download jar | Evolveum git repository (master) | Nov 15 2022 | Fixes related to licence handling and group management improvements.
1.0.1.1 | Evolveum | download jar | Evolveum git repository (master) | Mar 02 2023 | Fix related to user account delta/delete operations.
1.0.1.2 | Evolveum | download jar | Evolveum git repository (master) | Mar 03 2023 | Fix related to handling actions on already deleted accounts.
1.0.2.0 | Evolveum | download jar | Evolveum git repository (master) | Mar 14 2023 | Role object class introduced for the management of role members, the "manager" attribute management feature, and some minor fixes.

Documentation

Introduction

TODO

Limitations

Currently three object types are supported by the connector: accounts, groups and licence objects. There are some limitations for the more complex relationship parameters (e.g. "App role assignments" of User-type objects), which are absent from the schema because of current ConnId API limitations. The group objects "distribution lists" and "mail and security" groups are read-only due to Graph API limitations; general provisioning and deprovisioning of group objects is otherwise permitted. Licence objects can be accessed but are read-only. The Role object class is currently implemented as read-only, except for role membership management.

Earlier versions of the API permitted updating the membership of "distribution lists" and "mail and security" group objects. This appears to have changed in a later version of the Graph API, which treats that behaviour as a bug.

Notes

The following SSL certificates are needed for the connector deployment:

DigiCert Global Root CA
DigiCert Global Root G2

Some API resources limit the number of API calls they accept. This 'resource throttling' can affect the general performance of the connector. The connector copes with it by invoking the request for a specific resource multiple times (if needed), with a pause between attempts. The length of the wait depends on the reply from the API endpoint, which tells the connector when the endpoint will be available again. For more information see https://docs.microsoft.com/en-us/graph/throttling.
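The retry scheme just described, as an added illustration that is not the connector's own code: a request is re-sent while the endpoint answers HTTP 429, the pause follows the Retry-After header that Graph sends with such replies but never exceeds the configured maximum, and the number of retries is bounded. The parameter names throttlingRetryWait and throttlingRetryCount are taken from the configuration table on this page; the fake endpoint, the Response class and the cap-at-maximum rule are this example's own assumptions.

```python
"""Illustration of bounded retry under Graph API throttling (added example, not connector code)."""
import time
from dataclasses import dataclass, field


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed for this example)."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


class ThrottledError(Exception):
    """Raised when the retry budget is spent and the endpoint is still throttling."""


def retry_wait_seconds(response: Response, throttling_retry_wait: float) -> float:
    """Pause length for one retry.

    Graph announces throttling with HTTP 429 and a Retry-After header (seconds).
    The pause follows that header but never exceeds throttlingRetryWait (assumed
    cap rule); a missing or non-numeric header falls back to the cap itself.
    """
    raw = response.headers.get("Retry-After")
    try:
        suggested = float(raw) if raw is not None else float(throttling_retry_wait)
    except ValueError:  # HTTP-date form or garbage: use the configured maximum
        suggested = float(throttling_retry_wait)
    return max(0.0, min(suggested, float(throttling_retry_wait)))


def call_with_throttling_retry(send, throttling_retry_wait=10, throttling_retry_count=3,
                               sleep=time.sleep):
    """Invoke send() until it stops answering 429 or throttling_retry_count retries are used."""
    retries = 0
    while True:
        response = send()
        if response.status != 429:
            return response
        if retries >= throttling_retry_count:
            raise ThrottledError(f"still throttled after {retries} retries")
        retries += 1
        sleep(retry_wait_seconds(response, throttling_retry_wait))


def make_throttled_endpoint(throttled_replies):
    """Constructed fake endpoint: one 429 per Retry-After value in the list, then 200."""
    queue = list(throttled_replies)

    def send():
        if queue:
            return Response(429, {"Retry-After": queue.pop(0)})
        return Response(200, {}, '{"value": []}')

    return send


def simulate(throttled_replies, throttling_retry_wait=10, throttling_retry_count=3):
    """Run one request against the fake endpoint; return (final status, pauses taken)."""
    pauses = []
    send = make_throttled_endpoint(throttled_replies)
    try:
        response = call_with_throttling_retry(send, throttling_retry_wait,
                                              throttling_retry_count, sleep=pauses.append)
        return response.status, pauses
    except ThrottledError:
        return 429, pauses


if __name__ == "__main__":
    # second pause is capped at throttlingRetryWait (10), then the call succeeds
    print(simulate(["2", "30"]))
    # four consecutive 429s exceed the default budget of 3 retries
    print(simulate(["1", "1", "1", "1"]))
```

With the defaults from the table (wait 10 seconds, 3 retries) a single operation can spend up to 30 seconds waiting before it is reported as failed, which is the figure to keep in mind when sizing synchronization timeouts.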

Configuration parameters

Parameter | Note
clientId | The Application ID that the 'Application Registration Portal' (apps.dev.microsoft.com) assigned to your app.
clientSecret | The Application Secret that you generated for your app in the app registration portal.
tenantId | Either the domain name of the Azure AD tenant or the tenant's GUID identifier.
proxyPort | Port number of the HTTPS proxy used to connect to cloud services. For this setting to take any effect, proxyHost needs to be configured as well.
proxyHost | Hostname of the HTTPS proxy used to connect to cloud services. If used, proxyPort needs to be configured as well.
pageSize | The number of entries to bring back per page in each call to the Graph API.
disabledPlans | List of entries of the form SkuId:ServicePlanId[,ServicePlanId2…]. These service plans will be disabled when the corresponding licence is assigned.
inviteGuests | Whether to allow creation of guest accounts by inviting users from outside the tenant (based on e-mail address only).
sendInviteMail | Whether to send an e-mail invitation to guest users.
inviteRedirectUrl | URL that an invited user is redirected to once they claim the invitation. Mandatory if inviteGuests is true.
inviteMessage | Custom message to send in an invitation. Requires inviteRedirectUrl.
throttlingRetryWait | Maximum time period between requests impacted by throttling, in seconds. Default 10.
throttlingRetryCount | Maximum retry count for a request impacted by throttling. Default 3.
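A parser for the disabledPlans format listed in the table, added here as an example and not the connector's own code. It maps each SkuId to the service plans to disable and shows how that mapping feeds the addLicenses part of a Graph assignLicense request body (skuId plus disabledPlans). The GUID validation, the merging of repeated SKU entries and the sample GUIDs are this example's own choices and constructed values; the page does not document how the connector validates the setting.

```python
"""Parser for disabledPlans entries of the form SkuId:ServicePlanId[,ServicePlanId2...] (added example)."""
import uuid


class DisabledPlansError(ValueError):
    """Raised for an entry that does not follow SkuId:ServicePlanId[,ServicePlanId2...]."""


def _guid(value: str, what: str) -> str:
    """Normalise and validate a GUID; Graph identifies SKUs and service plans by GUID."""
    value = value.strip()
    try:
        return str(uuid.UUID(value))
    except ValueError as exc:
        raise DisabledPlansError(f"{what} {value!r} is not a GUID") from exc


def parse_disabled_plans(entries):
    """Map each SkuId to the list of service plans to disable when that licence is assigned.

    Repeated entries for the same SKU are merged and duplicate plan ids dropped
    (assumed behaviour for this example, not documented connector behaviour).
    """
    result = {}
    for entry in entries:
        sku, sep, plans = entry.partition(":")
        if not sep or not plans.strip():
            raise DisabledPlansError(f"entry {entry!r} lacks the ':ServicePlanId' part")
        sku_id = _guid(sku, "SkuId")
        plan_ids = [_guid(p, "ServicePlanId") for p in plans.split(",") if p.strip()]
        bucket = result.setdefault(sku_id, [])
        for plan_id in plan_ids:
            if plan_id not in bucket:
                bucket.append(plan_id)
    return result


def assign_license_body(sku_id: str, disabled_plans_by_sku: dict) -> dict:
    """Build the assignLicense request body for adding one SKU with its disabled plans."""
    return {
        "addLicenses": [
            {"skuId": sku_id, "disabledPlans": list(disabled_plans_by_sku.get(sku_id, []))}
        ],
        "removeLicenses": [],
    }


# Constructed sample configuration: the GUIDs are placeholders, not real SKU or plan ids.
SAMPLE_DISABLED_PLANS = [
    "11111111-1111-1111-1111-111111111111:aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa,"
    "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
    "22222222-2222-2222-2222-222222222222:cccccccc-cccc-cccc-cccc-cccccccccccc",
    # same SKU again: merged, duplicate plan ignored
    "11111111-1111-1111-1111-111111111111:aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
]


if __name__ == "__main__":
    parsed = parse_disabled_plans(SAMPLE_DISABLED_PLANS)
    for sku, plans in parsed.items():
        print(sku, "->", plans)
    print(assign_license_body("22222222-2222-2222-2222-222222222222", parsed))
```

Rejecting malformed entries at configuration time, rather than when the first licence is assigned, keeps a typo in disabledPlans from silently assigning a licence with every service plan enabled.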