Fetch Azure Groups with the AD Connector for ACLs

Starting in Fusion 4.2.6, the Active Directory Connectors for ACLs has the ability to fetch Azure groups and index them into the ACL collection. The connector utilizes the Microsoft Graph API’s group-list service.

The resulting ACL document contains IDs that are GUID strings, such as 45b7d2e7-b882-4a80-ba97-10b7a63b8fa4, and they have inbound_ss relationship to the ldapGroup-sid record’s SID identifier.

Configuration parameters

In order to crawl Azure groups from the AD Connector for ACLs, you’ll need the values for the following parameters:

  • Azure AD Tenant ID

  • Azure AD Client ID

  • Azure AD Client Secret

Find your Tenant ID and Client ID

Begin by registering your application:

  1. Visit the Azure portal.

  2. Click App registrations.

    ad acl azure group01

  3. Click New registration.

    ad acl azure group02

    The new application registration screen will appear:

    ad acl azure group03

  4. Enter a name for the application.

  5. Choose the Single Tenant supported account type.

  6. Leave the Redirect URI value blank.

  7. Click Register.

The screen that follows displays the values for:

  • Azure AD Tentant ID - Listed as "Directory (tenant) ID"

  • Azure AD Client ID - Listed as "Application (client) ID"

ad acl azure group04

Enter these values in the Fusion UI’s connector configuration.

Configure your application permissions

  1. Click View API permissions.

    ad acl azure group05

  2. Add the following as Application permissions under Microsoft Graph:

    1. Directory.Read.All

    2. Group.Read.All

    3. GroupMember.Read.All

    4. User.Read

    5. User.Read.All

You must use Application permissions. Failure to use Application permissions will result in 403 errors from the Graph API when attempting to crawl the Azure groups. Do not use the Delegated permissions option.

Find your Client Secret

  1. Click Clients & Secrets.

  2. Create a New client secret.

    ad acl azure group06

This value is used as the Azure AD Client Secret in the Fusion UI’s connector configuration.