1 Overview
2 Installation
3 Supported operations
4 Configuration
- 4.1 Configuration Properties
- 4.2 Prerequisites
  - 4.2.1 Obtaining an Azure AD account
  - 4.2.2 Integrate a new app with Azure Active Directory
5 Testing

Overview

The Azure connector is designed to manage provisioning to Microsoft Azure.

Installation

Follow these steps to run the stand-alone connector server:

Download the connector server jar file and store it in the connector server directory (any directory).
Download the REST connector jar file and store it in the bundles subdirectory.
Start the connector server. For more information, check the page about this topic.

Supported operations

Create
Delete
Update
Search
Test
Schema

Configuration

Configuration Properties

The following table describes all of the properties that you can specify for the configuration:

Configuration Property	Type	Required	Description

Configuration Property	Type	Required	Description
authority	String	X	The `authority` base URL. It should be `https://login.microsoftonline.com/common/` for a multitenant application (this is the URL for the Azure AD common endpoint, which enables users from any Azure AD tenant to sign in. For more information about the common endpoint, see this blog post.), or `https://login.microsoftonline.com/ + [YOUR_TENANT_ID]`
clientId	String	X	Azure Native Application ID; you can find it by selecting your Native App in Azure portal
redirectURI	String	X	Since usually the client app does not have an external service to redirect to, this URI is the standard placeholder for client apps; defaults to https://login.live.com/oauth20_desktop.srf
resourceURI	String	X	Azure AD Graph API service root; defaults to https://graph.windows.net
username	String	X	Your AD User username
password	String	X	Your AD User password
domain	String	X	Your Microsoft domain (e.g. `mycompany.onmicrosoft.com`)
tenantId	String	X	Azure Tenant ID
clientSecret	String	X	Client Secret value; you can find it under Certificates & Secrets
scopes	String	X	OpenID connect scopes; defaults to https://graph.microsoft.com/.default
userAttributesToGet	String	X	List of user attributes to retrieve. Must contain at least `id` and `userPrincipalName` in order to make the search work.
groupAttributesToGet	String	X	List of group attributes to retrieve. Must contain at least `id` in order to make the search work.
restoreItems	Boolean	X	true if you want to restore items (users and groups) instead of creating new one

Prerequisites

Obtaining an Azure AD account

Log in to https://portal.azure.com/;
Go to Azure Active Directory (in left panel);
Create a new user (with current Azure tenant domain, e.g. @mycompany.onmicrosoft.com);
Log out and log back in to https://portal.azure.com/ with that user;
Change password (it is required at first login);
Use username and new password in Azure connector configuration.

Any new User must have the Admin Role to manage Users and Groups;
Any new User must be owner of the Azure Native App you will create (see next step).

Integrate a new app with Azure Active Directory

Follow these steps to add a new application and be able to use the Azure AD capabilities.

Note: for our purpose it is important to create a Native app and give it some required permissions to manage AD Users and Groups.
About the "Redirect URI" field, you can specify something like http://localhost; it is required but we will not use it.

The required authorization must be set for the following APIs:

Microsoft Graph;

so, after creating the application, you'll need to select it and add a new permission for that API in the Required permissions menu.

Then:

In the Required permissions menu, click on Microsoft Graph;
Choose Delegated Permissions and add these permissions:
1. APIConnectors.Read.All
2. Directory.AccessAsUser.All
3. PrivilegedAccess.ReadWrite.AzureAD
4. profile
5. User.Read
Click Save;
Finally, back to Required permissions menu, click on the Grant Permissions button.

Testing

You'll need to create the file ./src/test/resources/net/tirasa/connid/bundles/azure/oauth2.properties, with the following structure:

oauth2.authority=
oauth2.clientId=
oauth2.redirectURI=
oauth2.resourceURI=
oauth2.username=
oauth2.password=
oauth2.domain=
oauth2.tenantId=
oauth2.clientSecret=
oauth2.scopes=
oauth2.userAttributesToGet=
oauth2.groupAttributesToGet=
oauth2.restoreItems=

In case you want to test license assignment you must add the following properties:

# To find available licenses use: 
# https://graphexplorer.azurewebsites.net, login to your Azure account and execute:
# GET https://graph.windows.net/iwelcomeoffice365.onmicrosoft.com/subscribedSkus
# then find a "skuId" with "capabilityStatus": "Enabled" 
availableLicense=
usageLocation=

every property must be filled with your Azure account related information.

Use the following command to run connector tests:

^{mvn -Pit}

ConnId

Azure