17.2 Understanding and Configuring Azure AD MS Graph Templates

Identity Governance provides the following templates for Azure AD MS Graph:

  • Azure AD MS Graph Identity

  • Azure AD MS Graph Account

  • Azure AD MS Graph Permission

  • MS Azure AD Fulfillment

For additional information about configuring Azure AD templates, see the following sections:

17.2.1 About Azure AD Collectors

When your environment uses both Active Directory and Azure AD, user identities might be unique to one of the applications or might exist in both applications. If you use Active Directory and Azure AD with DirSync or AD Connect, you can create a single identity source for both applications by using the Azure AD User collector template.

In the collector template, specify an attribute that you want to use for merging duplicate identities and for matching identities to accounts and permissions. The attribute for the matching rule should contain a value that is unique to each identity. For example, in AD and Identity Manager, each user tends to have a unique Distinguished Name.

IMPORTANT: We have deprecated the 3.6.2 Azure AD User templates because Azure AD Graph is no longer supported by Microsoft. If you are still using the old Azure AD templates, you can reconfigure your template to map to the Microsoft Graph API by changing the Azure AD Service Resource default value to https://graph.microsoft.com/v1.0. For information about the differences between the previously supported API and Microsoft Graph API, see https://docs.microsoft.com/en-us/graph/migrate-azure-ad-graph-property-differences.

When using the Azure AD MS Graph collector, complete the following steps :

  1. Enable the Azure Microsoft Graph API for your site and grant the following permissions to an account to access the API:

    Permission

    Types

    Description

    Application.Read.All

    Application

    Read all applications

    Device.Read.All

    Application

    Read all devices

    Directory.AccessAsUser.All

    Delegated

    Access the directory as the signed-in user

    Directory.Read.All

    Application and Delegated

    Read directory data

    Domain.Read.All

    Delegated

    Read domains

    Group.Read.All

    Application and Delegated

    Read all groups

    GroupMember.Read.All

    Application and Delegated

    Read group memberships

    RoleManagement.Read.All

    Delegated

    Read role management data for all RBAC providers

    RoleManage-ment.Read.CloudPC

    Delegated

    Read Cloud PC RBAC settings

    RoleManage-ment.Read.Directory

    Delegated

    Read directory RBAC settings

    User.Read

    Delegated

    Sign in and read the user profile

    User.Read.All

    Application and Delegated

    Read all user profiles

    User.ReadBasic.All

    Delegated

    Read all users’ basic profiles

  2. Verify that you can browse your Azure domain with the graph explorer using the account from Step 1. For more information, see https://developer.microsoft.com/en-us/graph/graph-explorer.

Identity Governance uses the Azure AD MS Graph collector to collect information from the SharePoint Team site. When you create a SharePoint Team site, a Microsoft 365 group is automatically created, and any user that you add or remove from the SharePoint Team site is added or removed from the Microsoft 365 group and vice versa. These details are saved in Azure as a group. During data collection, Identity Governance collects information as a group from the Azure portal, and whenever there is a collection, Identity Governance collects the SharePoint Team site information as part of the group collection.

NOTE:Only the SharePoint Team site is supported. Identity Governance does not support SharePoint Communication site.

17.2.2 About Azure AD MS Graph Fulfillment

Identity Governance uses the Azure AD MS Graph fulfiller to automatically assign or remove permissions from user accounts and add or remove members from Microsoft 365 and Security groups. Identity Governance does not support adding or removing members from the Distribution List and Mail-enabled Security type of groups because Mail-enabled and distribution groups cannot be managed by Microsoft Graph group APIs.

The template supports the following fulfillment change requests:

  • ADD_APPLICATION_TO_USER

  • ADD_PERMISSION_TO_USER

  • REMOVE_ACCOUNT_PERMISSION

  • REMOVE_PERMISSION_ASSIGNMENT

  • REMOVE_ACCOUNT

  • REMOVE_APPLICATION_FROM_USER

  • REMOVE_ACCOUNT_ASSIGNMENT

The Azure MS Graph fulfiller has default mapping for some mandatory attributes. The Azure application requires these mandatory attributes to create an account. For the fulfillment to process successfully, you must add these mandatory attributes to the Fulfillment Context attribute. The following table provides the list of attributes.

Fulfillment Context Attributes

Attributes

Recipient

  • User ID from Source

  • Last Name

  • First Name

  • Full Name

  • Email

  • Employee Status

Account

  • Account ID from Source

  • Account Disabled

Permission

  • Permission Type

  • Permission ID from Source

NOTE:We recommend that while adding users to the Azure application, you provide a unique mailNickName for each user. The purpose of this is to prevent the error that can occur when you try to add users with the same first and last name. The ECMA script includes the logic for creating the unique mailNickName, but you can customize it to meet your requirements.

In addition to this list of attributes, you can configure other attributes in the collector template such as department, title, job codes, or workforce ID to match the requirements of your application. However, you must add them to the Fulfillment Context attribute. In addition, while configuring the fulfiller, go to Fulfillment item configuration and mapping, click {..}, then edit the transform script for User Profile.

In the transform script, you must add the native application key as outUserProfile and add the corresponding fulfillment context attribute key in the outUserProfile value. For example, for the attribute Workforce ID, edit the transform script to:

if(inUserProfile.workforceId) outUserProfile["employeeId"] = inUserProfile.workforceId

NOTE:If you want to specify Workforce ID as the attribute for matching identities to accounts and permissions, then while configuring the collector template you must map Workforce ID to the native ID value, for example, employeeId, and set it as the matching rule.

Identity Governance uses the Azure AD MS Graph fulfiller to provision and deprovision users as a group from the SharePoint Team site. The following change requests are supported when provisioning and deprovisioning users as a group from the SharePoint Team site:

  • ADD_PERMISSION_TO_USER

  • REMOVE_ACCOUNT_PERMISSION

  • REMOVE_ PERMISSION_ASSIGNMENT