Fetch Azure Groups with the AD Connector for ACLs
In Fusion 4.2.6 and later 4.x.x versions, the Active Directory Connector for ACLs can fetch Azure groups and index them into the ACL collection. The connector uses the Microsoft Graph API's group-list service.
The resulting ACL document contains IDs that are GUID strings, such as 45b7d2e7-b882-4a80-ba97-10b7a63b8fa4, and they have an inbound_ss relationship to the ldapGroup-sid record's SID identifier.
Configuration parameters
To crawl Azure groups with the AD Connector for ACLs, you will need the values for the following parameters:
- Azure AD Tenant ID
- Azure AD Client ID
- Azure AD Client Secret
Find your Tenant ID and Client ID
Begin by registering your application:
- Visit the Azure portal.
- Click App registrations.
- Click New registration.
The new application registration screen will appear:
- Enter a name for the application.
- Choose the Single Tenant supported account type.
- Leave the Redirect URI value blank.
- Click Register.
The screen that follows displays the values for:
- Azure AD Tenant ID, listed as "Directory (tenant) ID"
- Azure AD Client ID, listed as "Application (client) ID"
Enter these values in the Fusion UI's connector configuration.
Configure your application permissions
- Click View API permissions.
- Add the following as Application permissions under Microsoft Graph. You must use Application permissions; using Delegated permissions instead results in 403 errors from the Graph API when the connector attempts to crawl the Azure groups. Do not use the Delegated permissions option.
  - GroupMember.Read.All: allows the application to read general information about associated groups, such as the list of members and basic group properties. See Microsoft Graph Group Application permissions for more information.
  - User.Read.All: allows the application to read all user profile information, such as properties and group membership. See Microsoft Graph User Application permissions for more information.
- Select Grant admin consent.
Find your Client Secret
- Click Certificates & secrets.
- Create a New client secret.
This value is used as the Azure AD Client Secret in the Fusion UI's connector configuration.
Troubleshooting
Use the following PowerShell script to diagnose Azure credential issues. It performs the same two calls the connector makes: a client-credentials token request, then a Graph group listing with that token.
param (
    [Parameter(Mandatory)]$AzureTenantId,
    [Parameter(Mandatory)]$AzureClientId,
    [Parameter(Mandatory)]$AzureClientSecret
)
# Step 1: obtain a bearer token with the OAuth 2.0 client credentials grant.
# The client ID and secret are URL-encoded because a secret may contain characters
# that are not safe to place unescaped in a form-encoded body.
$headers = @{ "Content-Type" = "application/x-www-form-urlencoded" }
$body = "client_id=$([uri]::EscapeDataString($AzureClientId))" +
        "&client_secret=$([uri]::EscapeDataString($AzureClientSecret))" +
        "&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default" +
        "&grant_type=client_credentials"
$response = Invoke-RestMethod "https://login.microsoftonline.com/${AzureTenantId}/oauth2/v2.0/token" -Method 'POST' -Headers $headers -Body $body
$access_token = $response.access_token
# The token is a bearer credential: anyone who can read this console output can call Graph
# with the application's permissions until the token expires.
Write-Host "Successfully got access token ${access_token}"
# Step 2: use the token to list groups. A 403 here usually means the permissions were added
# as Delegated rather than Application permissions, or admin consent was not granted.
$headers2 = @{ "Authorization" = "Bearer ${access_token}" }
$response2 = Invoke-RestMethod 'https://graph.microsoft.com/v1.0/groups' -Method 'GET' -Headers $headers2
# ConvertTo-Json truncates nested objects at depth 2 by default, so raise the depth.
# Only the first page of groups is returned; further pages are reachable via @odata.nextLink.
$response2 | ConvertTo-Json -Depth 10
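The permissions section above explains that Delegated permissions produce 403 errors and that Application permissions with admin consent are required, and the troubleshooting script prints the raw token. The following added example (not part of the page, and not Fusion's or Microsoft's code) inspects the token the connector would present: application (client-credentials) tokens carry granted app roles in the roles claim, while delegated tokens carry user scopes in scp, so a token with scp but no roles is the signature of the mistake that causes the 403. The function names, the environment variable names, and the constructed sample token are this example's own choices; the token is decoded locally without signature verification, purely as an inspection aid.

```python
import base64
import json
import os
import urllib.parse
import urllib.request

# Application permissions the AD Connector for ACLs needs, as listed on this page.
REQUIRED_ROLES = {"GroupMember.Read.All", "User.Read.All"}


def decode_jwt_payload(token: str) -> dict:
    """Decode the claims segment of a compact JWT without verifying its signature.

    This is a local inspection aid only; Microsoft Graph validates the token.
    Base64url padding is restored before decoding.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated segments)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def check_app_permissions(token: str) -> dict:
    """Summarise whether the token carries the required application permissions.

    `roles` is present on application tokens (app roles granted with admin
    consent); `scp` is present on delegated tokens. Missing roles are reported
    so the operator knows which permission to add in the portal.
    """
    claims = decode_jwt_payload(token)
    roles = set(claims.get("roles", []))
    if "roles" in claims:
        token_type = "application"
    elif "scp" in claims:
        token_type = "delegated"
    else:
        token_type = "unknown"
    return {
        "token_type": token_type,
        "missing_roles": sorted(REQUIRED_ROLES - roles),
        "ok": REQUIRED_ROLES <= roles,
    }


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned JWT (alg=none) for offline testing of the checker."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


def fetch_app_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials grant against the v2.0 endpoint, mirroring the page's PowerShell script."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    req = urllib.request.Request(
        f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


if __name__ == "__main__":
    # Real credentials come from environment variables (names chosen for this example).
    env = {k: os.environ.get(k) for k in ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET")}
    if all(env.values()):
        tok = fetch_app_token(env["AZURE_TENANT_ID"], env["AZURE_CLIENT_ID"], env["AZURE_CLIENT_SECRET"])
    else:
        # Constructed sample token illustrating the Delegated-permissions mistake.
        tok = make_unsigned_jwt({"aud": "https://graph.microsoft.com", "scp": "User.Read"})
    # Only the verdict is printed, never the token itself.
    print(json.dumps(check_app_permissions(tok), indent=2))
```

When run with the three environment variables set, the script requests a real token and reports only whether the two required roles are present, which is safer than echoing the bearer token to the console; without them it evaluates a constructed delegated token and reports both roles as missing.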