4.1 Azure AD Collectors

When your environment uses both Active Directory and Azure AD, user identities might be unique to one of the applications or might exist in both applications. If you use Active Directory and Azure AD with DirSync or AD Connect, you can create a single identity source for both applications by using the Azure AD User collector template.

In the collector template, specify an attribute that you want to use for merging duplicate identities and for matching identities to accounts and permissions. The attribute for the matching rule should contain a value that is unique to each identity. For example, in AD and OpenText Identity Manager, each user tends to have a unique Distinguished Name.

IMPORTANT: We have deprecated the 3.6.2 Azure AD User templates because Azure AD Graph is no longer supported by Microsoft. If you are still using the old Azure AD templates, you can reconfigure your template to map to the Microsoft Graph API by changing the Azure AD Service Resource default value to https://graph.microsoft.com/v1.0. For information about the differences between the previously supported API and Microsoft Graph API, see Microsoft’s Learning Portal.

When using the Azure AD MS Graph collector, complete the following steps:

  1. Enable the Azure Microsoft Graph API for your site and grant the following permissions, ranging from the least to the most privilege, to an account to access the API:

     | Permission | Types | Description |
     |---|---|---|
     | Application.Read.All | Application | Read all applications |
     | Device.Read.All | Application | Read all devices |
     | Directory.AccessAsUser.All | Delegated | Access the directory as the signed-in user |
     | Directory.Read.All | Application and Delegated | Read directory data |
     | Directory.ReadWrite.All | Application and Delegated | Read and write directory data and manage users and groups |
     | Domain.Read.All | Delegated | Read domains |
     | Group.Read.All | Application and Delegated | Read all groups |
     | GroupMember.Read.All | Application and Delegated | Read group memberships |
     | Group.ReadWrite.All | Application and Delegated | Read and write all groups that the signed-in user is a member of, which includes creating, updating, and deleting groups. |
     | RoleManagement.Read.All | Delegated | Read role management data for all RBAC providers |
     | RoleManagement.Read.CloudPC | Delegated | Read Cloud PC RBAC settings |
     | RoleManagement.Read.Directory | Application and Delegated | Read directory RBAC settings |
     | RoleManagement.ReadWrite.Directory | Application and Delegated | Read and write directory role information. This includes creating, updating, and deleting directory roles and their assignments. |
     | User.Read | Delegated | Sign in and read the user profile |
     | User.Read.All | Application and Delegated | Read all user profiles |
     | User.ReadBasic.All | Delegated | Read all users' basic profiles |
     | User.ReadWrite.All | Application and Delegated | Read and update all users' profiles |
     | Organization.Read.All | Application and Delegated | Read information about an organization in Microsoft 365. |
     | Organization.ReadWrite.All | Application and Delegated | Read and change all settings and information for your Microsoft 365 organization, including directory and organizational data. |

  2. Verify that you can browse your Azure domain with Graph Explorer using the account from Step 1. For more information, see the page on Microsoft Graph.
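Because the table above ranges from read-only to read-write permissions, a practitioner will want to confirm that the account from Step 1 was granted only what the collector needs. The following Python example is added here and is not part of the OpenText documentation: it decodes the `roles` (Application) and `scp` (Delegated) claims of a Graph access token and classifies each granted permission against the table. The token it inspects is a constructed, unsigned sample; the claim names are the standard Microsoft Graph ones.

```python
import base64
import json

# Permission table from the collector documentation (least to most privilege).
# Application permissions appear in a token's "roles" claim, Delegated ones in "scp".
COLLECTOR_PERMISSIONS = {
    "Application.Read.All": {"Application"},
    "Device.Read.All": {"Application"},
    "Directory.AccessAsUser.All": {"Delegated"},
    "Directory.Read.All": {"Application", "Delegated"},
    "Directory.ReadWrite.All": {"Application", "Delegated"},
    "Domain.Read.All": {"Delegated"},
    "Group.Read.All": {"Application", "Delegated"},
    "GroupMember.Read.All": {"Application", "Delegated"},
    "Group.ReadWrite.All": {"Application", "Delegated"},
    "RoleManagement.Read.All": {"Delegated"},
    "RoleManagement.Read.CloudPC": {"Delegated"},
    "RoleManagement.Read.Directory": {"Application", "Delegated"},
    "RoleManagement.ReadWrite.Directory": {"Application", "Delegated"},
    "User.Read": {"Delegated"},
    "User.Read.All": {"Application", "Delegated"},
    "User.ReadBasic.All": {"Delegated"},
    "User.ReadWrite.All": {"Application", "Delegated"},
    "Organization.Read.All": {"Application", "Delegated"},
    "Organization.ReadWrite.All": {"Application", "Delegated"},
}

def _claims(token):
    # Decode only the payload segment. No signature check: this inspects a token
    # already issued to the collector's account; it must never be used to authenticate.
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_graph_token(token):
    """Sort the token's Graph permissions into read-only, write-capable, and unexpected."""
    claims = _claims(token)
    granted = {p: "Application" for p in claims.get("roles", [])}
    granted.update({p: "Delegated" for p in claims.get("scp", "").split()})
    report = {"read_only": [], "write_capable": [], "not_in_collector_table": [], "wrong_type": []}
    for perm, ptype in sorted(granted.items()):
        if perm not in COLLECTOR_PERMISSIONS:
            report["not_in_collector_table"].append(perm)   # collector does not need it
        elif ptype not in COLLECTOR_PERMISSIONS[perm]:
            report["wrong_type"].append(perm)                # e.g. app-only grant of a delegated-only permission
        elif "ReadWrite" in perm or "AccessAsUser" in perm:
            report["write_capable"].append(perm)             # exceeds a read-only collector
        else:
            report["read_only"].append(perm)
    return report

def _b64(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

# Constructed, unsigned sample token for an app-only collector identity (not a real token).
SAMPLE_TOKEN = ".".join([_b64({"alg": "none"}), _b64({"aud": "https://graph.microsoft.com",
    "roles": ["User.Read.All", "Group.Read.All", "Directory.ReadWrite.All", "Mail.Read"]}), ""])

if __name__ == "__main__":
    print(json.dumps(audit_graph_token(SAMPLE_TOKEN), indent=2))
```

Anything reported under `write_capable` or `not_in_collector_table` is a candidate for removal from the app registration before the collector goes into production.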

OpenText Identity Governance uses the Azure AD MS Graph collector to collect information from SharePoint Team sites. When you create a SharePoint Team site, a Microsoft 365 group is created automatically. Changes to the SharePoint Team site, such as adding or removing users, are reflected in the associated Microsoft 365 group, and vice versa, and these details are saved in Azure as a group. Because of this, OpenText Identity Governance collects the SharePoint Team site information as part of the broader group collection on every data collection run.

NOTE: Only the SharePoint Team site is supported. OpenText Identity Governance does not support the SharePoint Communication site.