16.2 Understanding and Configuring Azure AD MS Graph Templates

Identity Governance provides the following templates for Azure AD MS Graph:

  • Azure AD MS Graph Identity

  • Azure AD MS Graph Account

  • Azure AD MS Graph Permission

  • MS Azure AD Fulfillment

For additional information about configuring Azure AD templates, see the following sections:

16.2.1 About Azure AD Collectors

When your environment uses both Active Directory and Azure AD, a user identity might be unique to one of the applications or might exist in both. If you synchronize Active Directory to Azure AD with DirSync or Azure AD Connect, you can create a single identity source for both applications by using the Azure AD MS Graph Identity collector template (the successor to the deprecated Azure AD User template).

In the collector template, specify the attribute to use for merging duplicate identities and for matching identities to accounts and permissions. The attribute for the matching rule must hold a value that is unique to each identity; for example, in Active Directory and Identity Manager each user normally has a unique Distinguished Name. An attribute that can repeat across users (such as a display name) will merge unrelated identities and assign their accounts and permissions to the wrong person.

IMPORTANT: The 3.6.2 Azure AD User templates are deprecated because Microsoft no longer supports the Azure AD Graph API. If you still use the old Azure AD templates, you can reconfigure them to call the Microsoft Graph API by changing the Azure AD Service Resource default value to https://graph.microsoft.com/v1.0. For the differences between the previously supported API and the Microsoft Graph API, see https://docs.microsoft.com/en-us/graph/migrate-azure-ad-graph-property-differences.

When using the Azure AD MS Graph collector, complete the following steps:

  1. Enable the Microsoft Graph API for your tenant and grant the following permissions to the account (app registration) that Identity Governance uses to access the API:

     Permission                      Type                        Description
     Application.Read.All            Application                 Read all applications
     Device.Read.All                 Application                 Read all devices
     Directory.AccessAsUser.All      Delegated                   Access the directory as the signed-in user
     Directory.Read.All              Application and Delegated   Read directory data
     Domain.Read.All                 Delegated                   Read domains
     Group.Read.All                  Application and Delegated   Read all groups
     GroupMember.Read.All            Application and Delegated   Read group memberships
     RoleManagement.Read.All         Delegated                   Read role management data for all RBAC providers
     RoleManagement.Read.CloudPC     Delegated                   Read Cloud PC RBAC settings
     RoleManagement.Read.Directory   Delegated                   Read directory RBAC settings
     User.Read                       Delegated                   Sign in and read the user profile
     User.Read.All                   Application and Delegated   Read all user profiles
     User.ReadBasic.All              Delegated                   Read all users' basic profiles

     Application permissions apply when the collector authenticates as the app itself (client credentials flow) and are carried in the token's roles claim; Delegated permissions apply when it acts on behalf of a signed-in user and are carried in the scp claim. Grant only the type that matches the authentication flow you configure, and have an administrator consent to them. Directory.AccessAsUser.All in particular lets the application exercise the full directory rights of whichever user signs in, so restrict that sign-in to the dedicated service account.

  2. Verify that you can browse your Azure domain with the graph explorer using the account from Step 1. For more information, see https://developer.microsoft.com/en-us/graph/graph-explorer.
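As an added check for Step 2, the following script inspects an access token issued for Microsoft Graph and reports which of the permissions in the table above are missing. It is example code, not part of Identity Governance or of Microsoft's tooling. The required-permission lists mirror the table (Application permissions are expected in the roles claim, Delegated permissions in the scp claim); the sample tokens it builds are constructed and unsigned, and it never verifies a signature, so use it only as a configuration check on a token you already trust.

```javascript
// Added example: offline check of a Microsoft Graph access token's permissions.
// Node.js (uses Buffer). Signature is NOT verified; this is a configuration check.
const REQUIRED_PERMISSIONS = {
  // Application (app-only) permissions from the table; they appear in "roles".
  application: ["Application.Read.All", "Device.Read.All", "Directory.Read.All",
                "Group.Read.All", "GroupMember.Read.All", "User.Read.All"],
  // Delegated permissions from the table; they appear space-separated in "scp".
  delegated: ["Directory.AccessAsUser.All", "Directory.Read.All", "Domain.Read.All",
              "Group.Read.All", "GroupMember.Read.All", "RoleManagement.Read.All",
              "RoleManagement.Read.CloudPC", "RoleManagement.Read.Directory",
              "User.Read", "User.Read.All", "User.ReadBasic.All"],
};
// Graph tokens carry either the resource URI or Graph's well-known app ID as audience.
const GRAPH_AUDIENCES = new Set(["https://graph.microsoft.com",
                                 "00000003-0000-0000-c000-000000000000"]);

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

function base64UrlEncode(s) {
  return Buffer.from(s, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Decode only the payload (second segment) of a compact JWT.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Returns { flow, audienceOk, missing }: which flow the token belongs to,
// whether it was issued for Graph at all, and which required permissions it lacks.
function checkGraphToken(token) {
  const claims = decodeJwtPayload(token);
  const delegated = typeof claims.scp === "string";   // scp only exists on delegated tokens
  const granted = new Set(delegated
    ? claims.scp.split(/\s+/).filter(Boolean)
    : (Array.isArray(claims.roles) ? claims.roles : []));
  const required = delegated ? REQUIRED_PERMISSIONS.delegated : REQUIRED_PERMISSIONS.application;
  return {
    flow: delegated ? "delegated" : "application",
    audienceOk: GRAPH_AUDIENCES.has(claims.aud),
    missing: required.filter(p => !granted.has(p)),
  };
}

// Builds a constructed, UNSIGNED sample token (alg "none", empty signature)
// so the check can be exercised offline; a real token comes from Azure AD.
function makeSampleToken(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: "none", typ: "JWT" }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.`;
}

// Constructed sample: app-only token that was consented to everything except Device.Read.All.
const sampleAppToken = makeSampleToken({
  aud: "https://graph.microsoft.com",
  roles: ["Application.Read.All", "Directory.Read.All", "Group.Read.All",
          "GroupMember.Read.All", "User.Read.All"],
});
console.log(checkGraphToken(sampleAppToken));
```

Paste the token the collector actually obtains (for example, the one you used in Graph Explorer) into checkGraphToken; an empty missing list for the flow you configured, together with audienceOk being true, means the consent grants line up with the table.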

Identity Governance also uses the Azure AD MS Graph collector to collect SharePoint Team site membership. Creating a SharePoint Team site automatically creates a Microsoft 365 group; adding or removing a user on the site adds or removes that user in the group, and vice versa. Because the site membership is stored in Azure AD as a group, Identity Governance collects it as part of its normal group collection on every run, and no separate SharePoint collection is needed.

NOTE: Only SharePoint Team sites are supported. Identity Governance does not support SharePoint Communication sites.

16.2.2 About Azure AD MS Graph Fulfillment

Identity Governance uses the Azure AD MS Graph fulfiller to assign or remove permissions on user accounts and to add or remove members of Microsoft 365 and Security groups. Distribution lists and mail-enabled Security groups are not supported, because the Microsoft Graph group APIs cannot manage membership of those group types (they are managed through Exchange Online).

The template supports the following fulfillment change requests:

  • ADD_APPLICATION_TO_USER

  • ADD_PERMISSION_TO_USER

  • REMOVE_ACCOUNT_PERMISSION

  • REMOVE_PERMISSION_ASSIGNMENT

  • REMOVE_ACCOUNT

  • REMOVE_APPLICATION_FROM_USER

  • REMOVE_ACCOUNT_ASSIGNMENT

The Azure MS Graph fulfiller has default mapping for some mandatory attributes. The Azure application requires these mandatory attributes to create an account. For the fulfillment to process successfully, you must add these mandatory attributes to the Fulfillment Context attribute. The following table provides the list of attributes.

Fulfillment Context    Attributes

Recipient
  • User ID from Source
  • Last Name
  • First Name
  • Full Name
  • Email
  • Employee Status

Account
  • Account ID from Source
  • Account Disabled

Permission
  • Permission Type
  • Permission ID from Source

NOTE: When adding users to the Azure application, give each user a unique mailNickname (the Microsoft Graph property name). This prevents the error that occurs when a second user with the same first and last name, and therefore the same derived mailNickname, is created. The fulfiller's ECMAScript transform already includes logic for generating a unique mailNickname, and you can customize it to meet your requirements.

In addition to these attributes, you can configure other attributes in the collector template, such as department, title, job codes, or workforce ID, to match the requirements of your application. Any such attribute must also be added to the Fulfillment Context attribute. Then, while configuring the fulfiller, go to Fulfillment item configuration and mapping, click {..}, and edit the transform script for User Profile.

In the transform script, use the Azure AD (Microsoft Graph) attribute name as the key on outUserProfile and assign it the matching Fulfillment Context attribute from inUserProfile. For example, to map Workforce ID to the Graph employeeId property, add:

if (inUserProfile.workforceId) outUserProfile["employeeId"] = inUserProfile.workforceId;

NOTE: If you want to use Workforce ID as the attribute for matching identities to accounts and permissions, then while configuring the collector template you must map Workforce ID to the native ID value (for example, employeeId) and set it as the matching rule.
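The following is an added, illustrative User Profile transform that extends the one-line employeeId mapping above and includes a mailNickname-uniqueness step of the kind the NOTE describes. It is example code, not the ECMAScript that ships with Identity Governance: the inUserProfile and outUserProfile names come from the snippet above, the keys read from inUserProfile (firstName, lastName, fullName, email, employeeStatus, workforceId) are assumed names for the Fulfillment Context attributes in the table, deriving accountEnabled from Employee Status is an assumption of this example, and the existingNicknames set is assumed to be supplied by the caller because the shipped script's own uniqueness logic is not shown on this page. The keys written to outUserProfile are real Microsoft Graph user properties.

```javascript
// Added example of a custom User Profile transform for the Azure AD MS Graph
// fulfiller. Not the product's shipped script; see the lead-in for what is assumed.

// Derive a mailNickname base from first and last name. Graph rejects spaces and
// characters such as '@' in mailNickname; this keeps a conservative subset.
function baseNickname(first, last) {
  const raw = `${first || ""}.${last || ""}`.toLowerCase();
  const cleaned = raw.replace(/[^a-z0-9._-]/g, "").replace(/^\.+|\.+$/g, "");
  return cleaned || "user";
}

// Return a nickname not present in existing (a Set of nicknames already in the
// tenant, assumed to be gathered by the caller), appending 2, 3, ... on collision
// so two users with the same first and last name do not fail on the same nickname.
function uniqueNickname(base, existing) {
  if (!existing.has(base)) return base;
  for (let n = 2; ; n++) {
    const candidate = `${base}${n}`;
    if (!existing.has(candidate)) return candidate;
  }
}

// Map Fulfillment Context attributes (inUserProfile, assumed keys) to Microsoft
// Graph user properties (outUserProfile). Only attributes that are present are
// copied, matching the style of the one-line example in the text.
function transformUserProfile(inUserProfile, existingNicknames) {
  const outUserProfile = {};
  if (inUserProfile.firstName) outUserProfile["givenName"] = inUserProfile.firstName;
  if (inUserProfile.lastName) outUserProfile["surname"] = inUserProfile.lastName;
  if (inUserProfile.fullName) outUserProfile["displayName"] = inUserProfile.fullName;
  if (inUserProfile.email) outUserProfile["mail"] = inUserProfile.email;
  // Extra attribute, mapped exactly as in the text's example.
  if (inUserProfile.workforceId) outUserProfile["employeeId"] = inUserProfile.workforceId;
  // Assumption of this example: Employee Status "active" enables the account,
  // anything else (or a missing status) creates it disabled.
  outUserProfile["accountEnabled"] =
    String(inUserProfile.employeeStatus || "").toLowerCase() === "active";
  // Unique mailNickname, as the NOTE recommends.
  outUserProfile["mailNickname"] = uniqueNickname(
    baseNickname(inUserProfile.firstName, inUserProfile.lastName), existingNicknames);
  return outUserProfile;
}

// Constructed sample input: a second "John Smith" when john.smith already exists.
const sampleExisting = new Set(["john.smith"]);
const sampleIn = {
  firstName: "John", lastName: "Smith", fullName: "John Smith",
  email: "john.smith2@example.com", employeeStatus: "Active", workforceId: "E1234",
};
console.log(transformUserProfile(sampleIn, sampleExisting));
```

In the product's transform script the runtime supplies inUserProfile and outUserProfile, so only the bodies of the functions (the key-to-key mapping and the nickname derivation) carry over; keep the employeeId line identical to the one in the text if Workforce ID is also your matching attribute, so that collection and fulfillment agree on the same native ID.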

Identity Governance uses the Azure AD MS Graph fulfiller to provision and deprovision users as a group from the SharePoint Team site. The following change requests are supported when provisioning and deprovisioning users as a group from the SharePoint Team site:

  • ADD_PERMISSION_TO_USER

  • REMOVE_ACCOUNT_PERMISSION

  • REMOVE_PERMISSION_ASSIGNMENT