Fusion 5.12

    Fetch Azure Groups with the AD Connector for ACLs

    In Fusion 4.2.6 and later 4.x.x versions, the Active Directory Connector for ACLs can fetch Azure groups and index them into the ACL collection. The connector uses the Microsoft Graph API's group-list service.

    The resulting ACL documents use GUID strings as their IDs, such as 45b7d2e7-b882-4a80-ba97-10b7a63b8fa4, and each has an inbound_ss relationship to the SID identifier of the corresponding ldapGroup-sid record.

    Configuration parameters

    To crawl Azure groups with the AD Connector for ACLs, you need the values of the following parameters:

    • Azure AD Tenant ID

    • Azure AD Client ID

    • Azure AD Client Secret

    Find your Tenant ID and Client ID

    Begin by registering your application:

    1. Visit the Azure portal.

    2. Click App registrations.


    3. Click New registration.


      The new application registration screen appears.

    4. Enter a name for the application.

    5. Choose the Single Tenant supported account type.

    6. Leave the Redirect URI value blank.

    7. Click Register.

    The screen that follows displays the values for:

    • Azure AD Tenant ID, listed as "Directory (tenant) ID"

    • Azure AD Client ID, listed as "Application (client) ID"


    Enter these values in the Fusion UI’s connector configuration.

    Configure your application permissions

    1. Click View API permissions.


    2. Add the following as Application permissions under Microsoft Graph.

      You must use Application permissions. Failure to use Application permissions will result in 403 errors from the Graph API when attempting to crawl the Azure groups. Do not use the Delegated permissions option.

      1. GroupMember.Read.All

        Allows the application to read general information about associated groups, such as the list of members and basic group properties. See Microsoft Graph Group Application permissions for more information.

      2. User.Read.All

        Allows the application to read all user profile information, such as properties and group membership. See Microsoft Graph User Application permissions for more information.

    3. Select Grant admin consent.


    Find your Client Secret

    1. Click Clients & Secrets.

    2. Create a New client secret.


    This value is used as the Azure AD Client Secret in the Fusion UI’s connector configuration.

    Troubleshooting

    Use the following PowerShell script to diagnose Azure credential issues:

    param (
        [Parameter(Mandatory)][string]$AzureTenantId,
        [Parameter(Mandatory)][string]$AzureClientId,
        [Parameter(Mandatory)][string]$AzureClientSecret
    )

    # Step 1: obtain a bearer token with the OAuth 2.0 client credentials grant.
    # The .default scope requests the Application permissions granted to the app registration.
    $tokenBody = @{
        client_id     = $AzureClientId
        client_secret = $AzureClientSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }

    $response = Invoke-RestMethod -Uri "https://login.microsoftonline.com/${AzureTenantId}/oauth2/v2.0/token" `
        -Method Post -ContentType 'application/x-www-form-urlencoded' -Body $tokenBody
    $access_token = $response.access_token

    # The token is a credential: treat this output as a secret and do not paste it into tickets or logs.
    Write-Host "Successfully got access token ${access_token}"

    # Step 2: use the token to call the Graph group-list service the connector relies on.
    # A 403 here means the app was given Delegated rather than Application permissions, or admin consent was not granted.
    $headers = @{ Authorization = "Bearer ${access_token}" }

    $response2 = Invoke-RestMethod -Uri 'https://graph.microsoft.com/v1.0/groups' -Method Get -Headers $headers
    $response2 | ConvertTo-Json -Depth 5
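    As an added example that is not part of the Fusion documentation, the following PowerShell script takes the access token printed by the script above and checks the two required permissions directly: Application permissions appear in the token's roles claim (Delegated ones would appear under scp, which is the usual cause of the 403), and the group listing follows @odata.nextLink so that every page is fetched, showing the GUID id that becomes the ACL document ID next to each group's on-premises SID. The $AccessToken parameter name is the example's own.

```powershell
param (
    [Parameter(Mandatory)][string]$AccessToken
)

# Application permissions granted to the app registration show up in the token's
# "roles" claim; Delegated permissions would appear under "scp" instead.
$requiredRoles = @('GroupMember.Read.All', 'User.Read.All')

# Decode the JWT payload (second segment, base64url without padding). The signature
# is not verified here; this is only a local inspection of what the token carries.
$payload = $AccessToken.Split('.')[1].Replace('-', '+').Replace('_', '/')
switch ($payload.Length % 4) {
    2 { $payload += '==' }
    3 { $payload += '=' }
}
$claims = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json

$missing = $requiredRoles | Where-Object { $claims.roles -notcontains $_ }
if ($missing) {
    Write-Warning "Token is missing application permissions: $($missing -join ', ')"
    if ($claims.scp) { Write-Warning "Token carries delegated scopes instead: $($claims.scp)" }
} else {
    Write-Host "Token carries the required application permissions: $($claims.roles -join ', ')"
}

# Graph returns groups in pages; follow @odata.nextLink until it is absent so the
# listing matches what the connector would index into the ACL collection.
$headers = @{ Authorization = "Bearer ${AccessToken}" }
$uri = 'https://graph.microsoft.com/v1.0/groups?$select=id,displayName,onPremisesSecurityIdentifier'
$groups = @()
while ($uri) {
    $page = Invoke-RestMethod -Uri $uri -Method Get -Headers $headers
    $groups += $page.value
    $uri = $page.'@odata.nextLink'
}

Write-Host "Fetched $($groups.Count) groups"
$groups | Select-Object id, displayName, onPremisesSecurityIdentifier | Format-Table -AutoSize
```

    The id column is the GUID string that appears as the ACL document ID; onPremisesSecurityIdentifier is populated only for groups synchronized from on-premises Active Directory.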