Prerequisites

No special prerequisites are required.

Users and permissions for connecting to Azure Active Directory

To connect to Azure Active Directory, a technical user must be provided in Azure Active Directory with the following authorization:

  • Member of the Global Administrator organization role

Integrating IAM.cloud as enterprise application

Before connecting IAM.cloud to Azure Active Directory, IAM.cloud has to be configured as an enterprise application in Azure Active Directory. To do so, log into the Microsoft Azure Admin Portal.

Switch to the Azure Active Directory admin center.

In the Microsoft Azure Active Directory admin center, create a new enterprise application for your directory.

Click “Create your own application”

While naming the enterprise application, select the option “Register an application to integrate with Azure AD (App you’re developing)”. Then click “Create”.

IPG recommends limiting access to the API to “Accounts in this organizational directory only” (single tenant). Then click “Register”. Then switch to the Azure Active Directory dashboard and click “App registrations”.

Hint: While setting up the application, an application ID (client ID) is created. This application ID is required for setting up the target system connector.

Select the newly created application from the list of applications and click “API permissions”.

By clicking “Add a permission”, add the following permissions to the application by selecting “Microsoft Graph” as the API and “Delegated permissions” as the type of permissions:

  • Sign in and read user profile - User.Read

  • Read and write access to user profile - User.ReadWrite

  • Read and write all users' full profiles - User.ReadWrite.All

  • Read and write all groups - Group.ReadWrite.All

  • Read and write directory data - Directory.ReadWrite.All

  • Access directory as the signed-in user - Directory.AccessAsUser.All

  • Sign users in - openid

Some of these permissions require administrative consent - this needs to be granted.


Add the following Application permissions as well:

  • Application.ReadWrite.All

  • Directory.ReadWrite.All

  • Group.ReadWrite.All

  • User.Read.All

  • User.ReadWrite.All

  • Policy.Read.All - (permission newly added)

  • RoleManagement.ReadWrite.Directory - (permission newly added)

Some of these permissions require administrative consent - this needs to be granted.

Configure the client secret using the option “Certificates & secrets” and clicking the button “New client secret”. Keep the secret value for the setup of the target system connector.

Hint: Copy the secret value directly after creating it; it is shown only once and is needed for setting up the target system connector.

Setting up the target system connector

To connect to Azure Active Directory, log into the IAM.cloud portal with a user that has the IAM.cloud application role “Global Target system configurator”. Click “Responsibilities” and then “Target systems”.

In the list of available target system connectors, select the connector “Azure Active Directory” and click the button “Setup” to create a new target system instance.

Name the target system instance, put in a description and select the IAM.cloud Gateway as the execution server.

Attribute                 Description
Target system instance    The name of the target system instance. This is a free-text value with no technical relevance; it is used only as the display name of the target system instance.
Description               The description of the target system instance. This is a free-text value with no technical relevance; it is used for documentation purposes only.
Execution server          The server that executes the target system connectivity tasks. This must be the IAM.cloud Gateway in order to connect to Azure Active Directory.


After entering the target system instance attributes, click “Save” to enable the technical configuration of the target system connector.

Fill in the technical attributes for the target system connector and click “Save”.


Attribute           Description
ShellDisplay        The value of ShellDisplay is used as the name of the technical connectivity setup.
ShellDescription    The value of ShellDescription is used for documentation purposes for the technical connectivity setup.
OrgDomain           The organization domain name of the Azure Active Directory tenant.
AzureID             The ID of the Azure tenant.
CID                 The client ID / application ID of the enterprise application created above.
SecretKey           The client secret that was created during the setup of the enterprise application.
AADPasswordPolicy   The password policy that is applied when IAM.cloud creates new user accounts. The default password policy is called “Azure Active Directory password policy”. If you wish to use customer-specific password policies, contact your IPG account representative or open a service request.


If all mandatory attribute values are filled in and the configuration is saved, the button “Rollout” will be enabled. Click “Rollout” to connect the Azure Active Directory to IAM.cloud.
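As an added example that is not part of the IPG documentation, the following Python script checks the AzureID, CID and SecretKey values before rollout: build_token_request assembles the OAuth2 client-credentials request to the tenant's token endpoint, and check_app_roles inspects the roles claim of the returned access token to confirm that exactly the application permissions listed above have been admin-consented. The tenant ID and the token used here are constructed placeholders; a real token would be obtained by posting the built request.

```python
import base64
import json
from urllib.parse import urlencode

# Application permissions (Graph app roles) listed in the setup guide above.
REQUIRED_APP_ROLES = {
    "Application.ReadWrite.All", "Directory.ReadWrite.All", "Group.ReadWrite.All",
    "User.Read.All", "User.ReadWrite.All", "Policy.Read.All",
    "RoleManagement.ReadWrite.Directory",
}

def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form body) of the OAuth2 client-credentials request for this tenant.
    AzureID -> tenant_id, CID -> client_id, SecretKey -> client_secret."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    })
    return url, body

def decode_jwt_payload(token):
    """Decode the JWT payload for inspection only; the signature is not verified here."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(payload_b64))

def check_app_roles(token, tenant_id):
    """Compare the token's 'roles' claim (admin-consented application permissions)
    with the required list; returns (missing, unexpected) role names."""
    claims = decode_jwt_payload(token)
    if claims.get("tid") != tenant_id:
        raise ValueError("token was issued for a different tenant than AzureID")
    granted = set(claims.get("roles", []))
    return sorted(REQUIRED_APP_ROLES - granted), sorted(granted - REQUIRED_APP_ROLES)

def _unsigned_sample_token(claims):
    """Constructed, unsigned sample token so the check can be exercised offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

SAMPLE_TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID
# Constructed token: the two "newly added" permissions have not been consented yet.
SAMPLE_TOKEN = _unsigned_sample_token({"tid": SAMPLE_TENANT, "roles": [
    "Application.ReadWrite.All", "Directory.ReadWrite.All", "Group.ReadWrite.All",
    "User.Read.All", "User.ReadWrite.All"]})
```

For the constructed token, check_app_roles(SAMPLE_TOKEN, SAMPLE_TENANT) returns (['Policy.Read.All', 'RoleManagement.ReadWrite.Directory'], []), i.e. the two newly added permissions still need admin consent and no permission beyond the documented set has been granted.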