Azure AD Plugin Setup

AD LDAP (Active Directory Lightweight Directory Access Protocol) is an application protocol for querying and modifying items in Active Directory. This plugin queries Microsoft's Active Directory service to programmatically manage and query an Active Directory environment.

Azure AD Admin Plugin Configuration Guide

Azure Active Directory (Azure AD) is Microsoft’s enterprise cloud-based identity and access management (IAM) solution. The Azure AD Admin plugin for InsightConnect supports:

  • Add user to group
  • Add user to group by ID
  • Create user
  • Disable user account
  • Enable user account
  • Force user to change password
  • Get group by name
  • Get user info
  • Remove user from group
  • Revoke sign in sessions
  • Update user info

There are few things you need to do before you get started:

Collect Configuration Information

To collect configuration information, Log into your Azure portal at Azure.

Application ID

  1. In the side navigation of the Azure portal, click Azure Active Directory, then select App Registrations in the secondary navigation menu.
  2. Click New Registration.
  3. Complete the form with InsightConnect for the name, Web app/API for the application type and for the sign in URL. Then click Create.
  4. Save the application registration to Azure, copy and save Application ID.

New App RegistrationRegister Application

Application Secret Key

Azure uses asymmetric keys to authenticate and secure communications with other applications. This can be set up in the Application menu, where you will need to create a new key in Azure to use it with an InsightConnect connection.

  1. Select newly registered application.
  2. Click on Certificates & secrets.
  3. Select New client secret.
  4. Give the key a description and set the duration of the key. It will expire after the duration you set. Then click on Add.
  5. Azure will generate a value for your new key. Copy and save this string now, as you will not be able to see and retrieve it after you leave this page in the Azure Portal.

New Secret KeyAdd New Secret Key

Tenant ID

The tenant ID can be found in the side navigation of Azure Active Directory. Click Overview to find it.

If you need to create a new Tenant ID, select Overview then choose Manage Tenants and click Create.

Tenant ID

Configure Application Permissions

After registering the new Application in Azure, you will need to configure permissions needed for the Azure AD Admin Plugin. To set up all of the permissions below, admin role is required.

  • The application this plugin connects needs the following permissions:
    • Directory.AccessAsUser.All
    • Directory.ReadWrite.All
    • User.ReadWrite.All
  • Because all actions in this plugin are user and directory operations, which are administrator tasks, the above permissions are required.
  1. In Application menu you will find API Permissions, click on it.
  2. Select Add Permision, then choose Microsoft API's, from Microsoft Graph, choose Delegated Permissions.
  3. From following options select and save: Directory.AccessAsUser.All , Directory.ReadWrite.All , User.ReadWrite.All.

Select PermissionsPermissions

Add Application to the Global Administrator Role

This can be done in Application menu where you have created Certificate & Secrets and API permissions.

To add the application to the global administrator role, the following steps are necessary:

  1. Select Roles and Administrators
  2. Then click on Global Administrator
  3. And then assign to global administrator role

Global Administrator Assignment

Troubleshoot the Azure AD Admin Plugin

If your Azure AD Admin plugin fails to authorize, check the plugin’s error logs. It is likely that the connection settings are invalid. Verify that the Application ID, Tenant ID, and Secret Key are correct in your Azure AD Admin connections.

Authentication request status: 401 will tell you that Secret Key is invalid. For example:

Connect: Connecting...
Updating auth token...
Getting token from:
Starting new HTTPS connection (1):
5 "POST /5c824599-dc8c-4d31-96fb-3b886d4f8f10/oauth2/token HTTP/1.1" 401 471
Authentication request status: 401

Authentication request status: 400 will tell you that Tenant ID or Application ID is invalid. For example:

Connect: Connecting...
Updating auth token...
Getting token from:
Starting new HTTPS connection (1):
5 "POST /5c824599-dc8c-4d31-96fb-3b886d4f8f10/oauth2/token HTTP/1.1" 400 778
Authentication request status: 400