Collections : Azure AD (Microsoft Graph)
Contents

| Identities | Accounts | Groups | App Roles | Entitlements |
|---|---|---|---|---|
| ✔️ | ✔️ | ✔️ | ❌ | ❌ |
Overview
This Azure AD integration guide is based on the generic REST collector.
API reference guide: Microsoft Graph REST API v1.0
Azure AD : Application
Steps
- Login to RSA Identity G&L console as System Administrator.
- Navigate to Resources > Directories.
- Click on Create Directory and select Other Directory.
- Enter the details as shown below.
- Click Finish.
Azure AD : Identity Collector
This section explains the process for configuring an identity collector for the Azure AD application. We will use the RSA IGL generic REST collector for this purpose.
Steps
- Login to RSA Identity G&L console as System Administrator.
- Navigate to Resources > Directories.
- Click on Azure AD.
- Navigate to Collectors tab and click on Create Identity Collector. Enter the details as shown below.
- Click Next and enter the connection details.
- If authentication type is OAuth2, refer to OAuth2 Configuration with RSA IGL section.
- If authentication type is Token, refer to Token (Admin Consent) Configuration with RSA IGL section.
- Click Next. On the Account Data page, enter the following configurations.
- Click Next. In the Map Collector Attributes to User Attributes, map the collected account attributes.
- Click Next.
- Click Finish. Use the Test function to make sure the configurations are accurate.
Azure AD : Account Collector
This section explains the process for configuring an account collector for the Azure AD application. We will use the RSA IGL Generic REST collector for this purpose.
Steps
- Login to RSA Identity G&L console as System Administrator.
- Navigate to Resources > Directories.
- Click on Azure AD.
- Navigate to Collectors tab and click on Create Account Collector. Enter the details as shown below.
- Click Next and enter the connection details.
- If authentication type is OAuth2, refer to OAuth2 Configuration with RSA IGL section.
- If authentication type is Token, refer to Token (Admin Consent) Configuration with RSA IGL section.
- Click Next. Select the data types that the collector will be collecting from Azure AD.
- Click Next. On the Account Data page, enter the following configurations.
- Click Next. On the Group Data page, enter the following configurations.
- Click Next. On the Account Group Membership Data page, enter the following configurations.
- Click Next. In the Map Collector Attributes to Account Attributes, map the collected account attributes.
- Click Next. In the Map Collector Attributes to Account Mapping Attributes, map the user reference attribute.
- Click Next. In the Map Collector Attributes to Group Attributes, map the collected group attributes.
- Click Next. In the User Resolution Rules, map the user to account.
- Click Next. In the Member Account Resolution Rules, map the target collector for group members.
- Click Finish. Use the Test function to make sure the configurations are accurate.
Azure AD : Setup
This section explains the setup of credentials for the service account that will be used with RSA IGL ADC and EDC.
App Setup
Steps
- Login to the Azure portal (Microsoft Azure).
- Select Azure Active Directory.
- Note down the Tenant ID. This is required in the RSA IGL collector configuration.
- Click on App Registrations.
- Click on New Registration.
- Provide the details as shown below. Under Redirect URI, provide OAuth callback URL (https://IGL_HOST_NAME:8443/aveksa/oauth/callback) for RSA IGL.
- Click Register.
- Note down the Client ID. This is required in the RSA IGL collector configuration.
- Click on View API Permissions.
- Select Microsoft Graph.
- Select Delegated Permissions.
- Select the below permissions.
- Click Add Permissions.
- Click on Certificates & Secrets. Click on New Client Secret.
- Set the Description and suitable expiration period for the client secret.
- Click Add. Note down the Client Secret which will be displayed only once. This is required in the RSA IGL collector configuration.
Admin Consent Setup
Steps
- Refer to the Microsoft Docs page "Authorization and the Microsoft Graph Security API - Microsoft Graph" for information on admin consent.
- Prepare the Admin Consent URL as shown below and send it to the O365 administrator to consent.
Format:
https://login.microsoftonline.com/common/adminconsent?client_id=<Application Id>&state=12345&redirect_uri=<Redirect URL>
- Once the Admin clicks the URL, they must log in and authorize.
OAuth2 Configuration with RSA IGL
This section explains the process of setting up RSA IGL ADC and EDC to acquire the OAuth2 token dynamically from Microsoft Graph.
Steps
- Login to RSA Identity G&L console as System Administrator.
- Create or Edit a generic REST ADC or EDC that will be using OAuth2 authentication.
- On the Connection Details page, configure the following.
- Client ID - The Application (client) ID.
- Client Secret - The client secret.
- Authentication URL - https://login.microsoftonline.com/YOUR_TENANT_ID/oauth2/v2.0/authorize
- Access Token URL - https://login.microsoftonline.com/YOUR_TENANT_ID/oauth2/v2.0/token
- Scope - openid offline_access
- Click on Get OAuth 2.0 Access Token.
- Click on Proceed For Authorization.
- Login to Microsoft with the service account credentials.
- The below message indicates that RSA IGL has successfully acquired a token.
- Click Close.
- Save the collector configuration & test.
Token (Admin Consent) Configuration with RSA IGL
This section explains the process of setting up RSA IGL ADC and EDC with token authentication from Microsoft Graph admin consent option.
Steps
- Login to RSA Identity G&L console as System Administrator.
- Create or Edit a generic REST ADC or EDC that will be using Token authentication.
- On the Connection Details page, configure the following.
| Field | Value |
|---|---|
| Username | Client ID |
| Password | Client Secret |
| Request Body | grant_type=client_credentials&client_id=${TokenUsername}&client_secret=${TokenPassword} |
- Save the collector configuration & test.
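To make the Admin Consent and Token steps concrete, the following is an added Python example (not part of the RSA guide or the IGL product) that builds the admin consent URL in the format above, forms the client_credentials request that the Request Body template describes, and validates the token endpoint's reply. The `https://graph.microsoft.com/.default` scope is an assumption (the v2.0 token endpoint requires one), and the token response in the comments is constructed.

```python
import json
import secrets
import urllib.parse
import urllib.request

# OAuth callback URL for RSA IGL, as given in the App Setup steps.
REDIRECT_URI = "https://IGL_HOST_NAME:8443/aveksa/oauth/callback"
# Assumed: the v2.0 token endpoint needs a scope; .default asks for the
# application permissions already granted through admin consent.
GRAPH_SCOPE = "https://graph.microsoft.com/.default"


def build_admin_consent_url(client_id, redirect_uri=REDIRECT_URI, state=None):
    """Admin consent URL in the guide's format. The state is random instead
    of the fixed 12345 so the callback can be matched to the request that sent it."""
    state = state or secrets.token_urlsafe(16)
    query = urllib.parse.urlencode(
        {"client_id": client_id, "state": state, "redirect_uri": redirect_uri})
    return f"https://login.microsoftonline.com/common/adminconsent?{query}", state


def build_token_request(tenant_id, client_id, client_secret, scope=GRAPH_SCOPE):
    """Token URL and form body; the body matches the collector's Request Body
    template with ${TokenUsername}/${TokenPassword} filled in (URL-encoded)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id,
                                   "client_secret": client_secret,
                                   "scope": scope})
    return url, body


def parse_token_response(raw):
    """Validate the token endpoint's JSON reply (constructed sample:
    {"token_type":"Bearer","expires_in":3599,"access_token":"eyJ0..."}).
    Error payloads raise instead of being silently treated as a token."""
    data = json.loads(raw)
    if "error" in data:
        raise RuntimeError(f"{data['error']}: {data.get('error_description', '')}")
    if data.get("token_type", "").lower() != "bearer" or not data.get("access_token"):
        raise RuntimeError("token response lacks a Bearer access_token")
    return data["access_token"], int(data.get("expires_in", 0))


def fetch_token(tenant_id, client_id, client_secret):
    """Live call (needs network and real credentials): POST the form body."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_token_response(resp.read().decode())
```

Treat the client secret like a password: keep it in the collector's Password field rather than in scripts or logs.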