Detailed tutorial on creating Azure AD integration

The tutorial below provides a step-by-step guidance on the setup and configuration of an Azure AD integration. It includes three aspects: preparation on the Azure AD side; preparation on the ObserveID side, and the First Load of Integration Data from the Target to ObserveID. Once the data is loaded, the Integration is ready for further configuration of rules and use according to the business processes in the organization.

In this section:

  • Preparation for ObserveID in the Azure portal
    • App registration
    • API permissions for base capabilities
    • API permission for Exchange Online
    • Admin consent
    • Azure IAM Role
    • Azure AD Role
  • Configuration of Azure AD integration in ObserveID
  • First load of data from Azure AD to ObserveID

Preparation for ObserveID in the Azure portal

  1. Log in to the Azure portal: https://portal.azure.com

    And the Home page of the portal opens. Use the More services link to view all available services.

    Home page of the Azure portalHome page of the Azure portal

App registration

The app registration in the Azure Portal is required to enable the communication between ObserveID and Azure Active Directory using Microsoft Graph API and Azure Management API. To go through the registration of ObserveID on the Azure portal, do the following:

  1. Click More services
  2. Click Azure Active Directory Intra
  3. Click App registrations in the opened Azure Active Directory.
  4. Click New registration in the App registrations area.
  5. Enter the application's name on the opened Register an application page, then select the Single Tenant option from Supported account types, and click Register.
  6. Open the created application registration, and click Certificates & secrets.
  7. Click New client secret on the Certificates & secrets page.
  8. Enter Description and select the expiration period in the Expires field for the new secret. Click Add.
  9. Copy the Value of the generated secret, and save it for further use when filling out the connection details of the Azure AD integration in ObserveID. The Value (not the Secret ID) is visible only upon generation, and if not saved, the secret would need to be re-generated anew to be able to copy its Value.

API permissions for base capabilities

As a general approach inTo add the API permissions to the registered app on Azure AD, do the following:

  1. Open: Azure Portal > All Services > Active Directory > App Registrations > {the registered app} > API permissions
  2. Click Add a permission, and select Microsoft Graph.
  3. Select the permission type: Delegated or Application according to the minimum permission requirements in relation to each specific permission. The permission requirements are specified in the Prerequisites part of the Azure AD integration setup.
  4. Start typing the permission name in the search bar, then select the required permission among the search results in the Permissions grid. Once ready, click the Add permissions button.
  5. Repeat the steps above to add as many permissions as needed, according to the minimum permission requirements specified in the Prerequisites part of the Azure AD integration setup.

API permission for Exchange Online

Please, note that to connect Exchange Online environment in Microsoft 365, the Azure Active Directory licenses should have any of the following:

  • Microsoft 365 for business,
  • Microsoft 365 for enterprise,
  • a standalone Exchange Online plan.

To provide the ObserveID app in the Azure portal with an access to Exchange Online, the required API permission specified in the minimum permission requirements of the Prerequisites part of the Azure AD integration setup should be added as follows:

  1. Click API permissions in the menu of the app: Azure Portal > All Services > Active Directory > App Registrations > {the registered app} > API permissions
  2. Click Add a permission on the API permissions page.
  3. Open the APIs my organization uses tab on the Request API permissions popup window.
  4. Start typing Offic.. in the search bar of the popup window.
  5. Click Office 365 Exchange Online among the search result options.
  6. Select Application permissions.
  7. Start typing exch… in the search bar, and then select Exchange.ManageAsApp permission among the search results.
  8. Click the Add permissions button at the bottom of the page.
  9. Click Grant admin consent and follow the subsequent steps. With the admin consent granted, the API permission assignment is finished.

Admin consent

The API permissions added to the registered app in the Azure portal must have the Administrator's authorization. Having received the request for the Administrator Consent, the Administrator needs to approve the permissions added to the app.

Having the privileges of the Administrator, it is possible to give the consent, as follows:

  1. Open: Azure Portal > All Services > Active Directory > App Registrations > {the registered app} > API permissions
  2. Click Grant admin consent beside the Add a permission option. As a rule, it is disabled for non-Administrators.
  3. Confirm the consent in the opened dialog.

Azure RBAC Role

If the Azure integration is expected to pull and\or provision access to the Azure subscription resources, the registered app in the Azure portal needs to be authorized to use the Subscription associated with the Active Directory, as follows:

  1. Open Access Control (IAM) with one of the following options:
    1. Subscriptions area, as follows: Azure Portal > All Services > Subscriptions > {a Subscription} > Access Control (IAM)
    2. Resource Group area, as follows: Resource Group > Subscription > Access Control (IAM)
  2. Click Add.
  3. Click Add role assignment.
  4. Select the required role, according to the minimum permission requirements specified in the Prerequisites part of the Azure AD integration setup.
  5. Search for and select the registered app as a security principal.
  6. Click Save.

Azure AD Role

The registered app in the Azure portal needs to be granted an Azure AD Role to use the Active Directory resources, as follows:

  1. Open: Azure Portal > All Services > Active Directory > Roles and Administrators
  2. Start to type in the required Azure AD Role, according to the minimum permission requirements specified in the Prerequisites part of the Azure AD integration setup.
  3. Select the required Azure AD Role among other search results in the Roles grid. And the Assignments page of the selected role opens.
  4. Click Add assignments. And the Add assignments page opens.
  5. Click the No member selected link on the Add assignments page. And the Select a member panel opens on the right-hand side.
  6. Enter the name of the registered app, or its Application ID. And then select the registered app in the search results.
  7. Click Next.
  8. In the Enter justification field, enter some justification of the assignment of the role to the registered app. Any descriptive text will be sufficient.
  9. Click Assign.
  10. Repeat the steps above to add enough Azure AD Roles according to the minimum permission requirements specified in the Prerequisites part of the Azure AD integration setup.

Configuration of Azure AD integration in ObserveID

  1. Log in to the ObserveID platform. And the Dashboard is the first page that is opened.

  2. Expand Identity Automation and click Integrations in the menu on the left.

  3. Click New integration to create a new integration.

  4. Click Azure AD in the opened New integration popup window.

  5. Enter a name for the new integration in the opened New Integration - Details window.

  6. Paste the copied Client ID of the application in the Azure portal into the Client ID field in ObserveID.

  7. Copy the saved secret value (not the Secret ID) of the application secret when it was generated in the Azure portal.

  8. Paste the copied generated for the application in the Azure portal into the Client Secret field in ObserveID.

  9. Paste the copied tenant id from the properties of the application in the Azure portal into the Tenant Id field in ObserveID.

  10. Enter the URL: https://portal.azure.com of the Azure portal into the Login URL field.

  11. Enable the “Should Import Resource-Based Access Control Policies” toggle if the data import should include the RBAC Roles. If the RBAC Roles are redundant and it is needed to speed up the data import process by reducing the amount of data fetched in each call, select Disabled.

  12. Click Disabled for the following parameters:

    • Configure WinRM For Windows

    • Should Setup Win RM Over Https For Windows Import Shell

    It is possible to set up those later, if needed.

  13. Click Save.

  14. Click Test Connection.

If Test Connection finished successfully, go on with the next step, which is the first load of the Integration Data. Otherwise, open Access Log for any details to troubleshoot the connection.

First load of data from Azure AD to ObserveID

  1. Click Workflows in the menu on the left.
  2. Click the Tasks button on the horizontal toolbar.
  3. Click the Trigger icon on the left beside the Data Import task for Azure task where Azure is the name entered for the new integration.
  4. Click the Refresh button a couple of times until the task will change its status from Triggered to Idle.
  5. The successful execution of the Data Import task for Azure should transfer data from the Azure platform to the ObserveID platform. To verify that the data has been successfully imported, return to the integration details in the Integrations area. Check that the options in the second left-hand menu, such as Accounts, Resources, Entitlements, and Properties show the integration data.