
MonikaBikki (Customer) asked a question.
We are trying to implement an Azure AD connector and an O365 entitlement collector via Microsoft Azure Graph based on the "IGL_Generic_REST_Collector_Application_Guide" guide.
Regarding the "OAuth Authentication related configurations on Azure AD" we are missing some key information that is not detailed in the guide:
- What permissions we specifically need on the API permissions part. There is only a screenshot attached with the given permissions but it seems extensive compared to what we need.
- To obtain the access token we need a user to authenticate on Azure. We would like to create a service user for that purpose with the bare minimal permissions for that use case.
Could somebody please give us a detailed list of what permissions we need in the two parts mentioned above?
Thanks
These are really separate questions as there certainly would be different requirements for Connectors (updates) and Collectors (read only).
Note that the Generic REST Connector and the Generic REST Collector are by definition generic, so we do not provide specific guidance for specific endpoints. In some of the guides Azure is used as an example but this should not be considered a guide for that specific application.
As noted, our examples provide a set of scopes that is known to work, but what the minimum is that will work is a much more difficult question and may have different answers for different use cases. For example, for provisioning in Azure there are different scopes that may be required for different objects that you need to provision. For example, you can use Azure to provision for Office and for Exchange, but you may want to use the same scope for both. You might even elect to have different AFX connectors for each use case. The definitive information for Microsoft Azure really resides with Microsoft and their documentation for the various commands you wish to leverage.
Your post to this community is one resource and I would hope that you will get some examples of what worked for some customers but be aware that any answer you get here will not be definitive.
There were some guides on our old site which gave more examples, and I will see if I can find some links.
Does this guide provide you with a starting point?
RSA Identity Governance and Lifecycle Azure AD AppGuide | RSA Community
I can't seem to find my old comments on this forum but I did get collectors to work with Azure using a service principal and not a user. I found it a little limiting because one of the main issues is the accountenabled value is true/false not 1/0 and RSA IGL doesn't seem to have a simple way of interpreting it. Then we found that queries for users, groups and group members for all items took a very long time and would hang on us. I ended up killing those collectors. Thinking of an alternative solution where I populate a table or file with Azure data using a script outside of IGL and just query that.
I never did get AFX to work using the service principal with application permissions method. Too bad I can't find my old comments though; I'd be able to recall how I configured the collectors. It was not documented intuitively. I think I ended up using the generic REST API collector documentation instead of the Azure specific one. When I opened a ticket they told me bearer token auth was not supported, but I did get it to work eventually.
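The two collector problems described in the reply above, the true/false accountEnabled value that has to become 1/0 for IGL and full-tenant user queries that run long enough to hang, as an added example that is not part of the original thread and is not RSA's or Microsoft's code. It assumes the Microsoft Graph v1.0 `/users` response shape (a `value` array plus an `@odata.nextLink` URL while more pages remain) and the `$select`/`$top` query options; the sample pages are constructed and the HTTPS call is replaced by an in-memory lookup so it runs offline. The output is the kind of flat table the reply suggests populating outside IGL and querying from there.

```python
"""Normalise Microsoft Graph user pages into a flat table for a read-only collector.

Added example, not RSA IGL or Microsoft code. Assumes the Graph v1.0 /users
response shape; SAMPLE_PAGES below is constructed test data.
"""
import csv
import io
from typing import Callable, Dict, List

# Ask only for the attributes the collector needs; smaller pages finish sooner
# and $top bounds the page size (assumption: Graph v1.0 query options).
FIRST_URL = ("https://graph.microsoft.com/v1.0/users"
             "?$select=id,userPrincipalName,accountEnabled&$top=2")

# Constructed stand-in for two HTTPS responses, keyed by request URL.
SAMPLE_PAGES: Dict[str, dict] = {
    FIRST_URL: {
        "value": [
            {"id": "00000000-0000-0000-0000-000000000001",
             "userPrincipalName": "alice@example.test", "accountEnabled": True},
            {"id": "00000000-0000-0000-0000-000000000002",
             "userPrincipalName": "bob@example.test", "accountEnabled": False},
        ],
        "@odata.nextLink": "https://graph.microsoft.com/v1.0/users?$skiptoken=page2",
    },
    "https://graph.microsoft.com/v1.0/users?$skiptoken=page2": {
        "value": [
            {"id": "00000000-0000-0000-0000-000000000003",
             "userPrincipalName": "carol@example.test", "accountEnabled": True},
        ],
        # no @odata.nextLink: last page
    },
}


def fetch_sample_page(url: str) -> dict:
    """Offline replacement for an authenticated GET against Graph."""
    return SAMPLE_PAGES[url]


def normalize_user(user: dict) -> dict:
    """Map one Graph user record to the flat row IGL can consume.

    accountEnabled arrives as a JSON boolean; the collector expects 1/0.
    A missing or non-boolean value is an error rather than a silent default,
    so an account is never reported enabled (or disabled) by accident.
    """
    enabled = user.get("accountEnabled")
    if not isinstance(enabled, bool):
        raise ValueError(f"user {user.get('id')!r}: accountEnabled missing or not boolean")
    return {
        "user_id": user["id"],
        "login": user["userPrincipalName"],
        "account_enabled": 1 if enabled else 0,
    }


def collect_users(fetch_page: Callable[[str], dict], first_url: str,
                  max_pages: int = 1000) -> List[dict]:
    """Follow @odata.nextLink until the last page, with guards against hanging.

    max_pages caps the total work, and a repeated URL aborts the run instead of
    looping forever on a broken continuation token.
    """
    rows: List[dict] = []
    seen = set()
    url = first_url
    while url:
        if url in seen:
            raise RuntimeError(f"pagination loop detected at {url}")
        seen.add(url)
        if len(seen) > max_pages:
            raise RuntimeError(f"more than {max_pages} pages; aborting collection")
        body = fetch_page(url)
        rows.extend(normalize_user(u) for u in body.get("value", []))
        url = body.get("@odata.nextLink")
    return rows


def to_csv(rows: List[dict]) -> str:
    """Render the rows as CSV with a fixed header, ready to load into a table."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["user_id", "login", "account_enabled"],
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(collect_users(fetch_sample_page, FIRST_URL)))
```

In a real run `fetch_sample_page` would be replaced by a function that performs the GET with the bearer token obtained for the service principal; everything else stays the same, and `max_pages` should be set from the expected tenant size so a runaway query fails fast instead of hanging the collector.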