Azure AD User Directories
  • 16 Apr 2024


General

This type of user directory synchronizes users and user groups from an Azure AD tenant and can also be used to authenticate users.

Properties

Azure AD user directories have the following properties:

Name: The name of the user directory; this is free text you can assign.
Tenant ID: The tenant ID of your Azure AD (see Azure AD Preparation below).
Client ID: The client (application) ID you received when performing the Azure AD Preparation (see below).
Client Secret: The client secret you created when performing the Azure AD Preparation (see below).
Callback URL Folder: The URL folder of the redirect URL that is used when authenticating against this Azure AD. If you use only one Azure AD you can leave the default value. If you use more than one Azure AD, make sure that each Azure AD configuration has a unique callback URL folder. The callback URL folder has to be part of the redirect URL when configuring the app registration in Azure AD (see below).
Has Custom Callback URL: Enable this option to enter a custom callback URL.
Callback URL: The custom callback URL to use as the redirect URL when authenticating against this Azure AD; helpful when the management console is reached through a reverse proxy, for example.

You can test the current configuration by clicking Test Connection, which checks whether a connection to the Azure AD can be established with these settings.

User Group Queries

Every Azure AD user directory can have one or more user group queries to define which user groups within the Azure AD to synchronize.

INFO

Only Azure AD user groups for which a user group query exists will be synchronized.

User group queries have the following properties:

Name: The name of a user group within the Azure AD, or a regular expression matching the names of user groups within the Azure AD (depending on the Matching Method property).
Matching Method: Exact Match. Only the Azure AD user group whose name exactly matches the Name property will be synchronized.
    Regular Expression. All Azure AD user groups whose names match the regular expression contained in the Name property of this query will be synchronized.
Members Type: The user type to assign to users synchronized from the matched Azure AD user groups. If a user belongs to multiple queried user groups in the user directory, the user type with the highest permissions will be assigned to that user.
Default Language: The default language to assign to users synchronized from the matched Azure AD user groups, unless the Azure AD user has a preferred language set in Azure AD.
Time Zone: The time zone to assign to users synchronized from the matched Azure AD user groups.
Culture: The culture to assign to users synchronized from the matched Azure AD user groups.
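The matching and "highest permissions wins" rules above are easy to get wrong in practice, in particular with an unanchored regular expression that silently pulls in groups you never meant to synchronize. The following Python is an added illustration of those rules, not the product's own code: the group data and member UPNs are constructed, the user type names and their ranking are placeholders (the page does not name the product's user types), and it assumes a regular expression must match the whole group name.

```python
import re
from dataclasses import dataclass

# Constructed sample data: Azure AD group names and member UPNs as a sync would
# read them from Microsoft Graph. Not real tenant data.
AZURE_AD_GROUPS = {
    "MAD-Administrators": ["alice@contoso.example", "bob@contoso.example"],
    "MAD-Operators-EU": ["bob@contoso.example", "carol@contoso.example"],
    "MAD-Operators-US": ["dave@contoso.example"],
    "Sales": ["erin@contoso.example"],
}

# Hypothetical user types ordered by permissions (higher rank = more rights).
# The page does not name the product's user types; these are placeholders.
USER_TYPE_RANK = {"Viewer": 1, "Operator": 2, "Administrator": 3}


@dataclass(frozen=True)
class GroupQuery:
    name: str             # group name or regular expression, per matching_method
    matching_method: str  # "Exact Match" or "Regular Expression"
    members_type: str     # user type assigned to members of matched groups


def matching_groups(query, group_names):
    """Return the Azure AD groups a single query selects for synchronization."""
    if query.matching_method == "Exact Match":
        return [g for g in group_names if g == query.name]
    if query.matching_method == "Regular Expression":
        # Assumption: the whole group name must match (fullmatch), not a substring.
        pattern = re.compile(query.name)
        return [g for g in group_names if pattern.fullmatch(g)]
    raise ValueError(f"unknown matching method: {query.matching_method!r}")


def synchronized_groups(queries, group_names):
    """Only groups selected by at least one query are synchronized."""
    selected = set()
    for q in queries:
        selected.update(matching_groups(q, group_names))
    return selected


def resolve_user_types(queries, groups):
    """Map each synchronized user to a user type. A user found in several
    matched groups receives the type with the highest permissions, whatever
    the order of the queries."""
    assigned = {}
    for q in queries:
        for g in matching_groups(q, groups):
            for user in groups[g]:
                current = assigned.get(user)
                if current is None or USER_TYPE_RANK[q.members_type] > USER_TYPE_RANK[current]:
                    assigned[user] = q.members_type
    return assigned


# Intended configuration: one exact-match query, one tightly scoped regular expression.
QUERIES = [
    GroupQuery("MAD-Administrators", "Exact Match", "Administrator"),
    GroupQuery(r"MAD-Operators-(EU|US)", "Regular Expression", "Operator"),
]

# Overly broad regular expression: matches every group, including "Sales".
BROAD_QUERIES = [GroupQuery(r".*", "Regular Expression", "Viewer")]

if __name__ == "__main__":
    print(sorted(synchronized_groups(QUERIES, AZURE_AD_GROUPS)))
    print(resolve_user_types(QUERIES, AZURE_AD_GROUPS))
    print(sorted(synchronized_groups(BROAD_QUERIES, AZURE_AD_GROUPS)))
```

With the intended queries, bob is in both an administrator group and an operator group and ends up as Administrator, erin (Sales) is not synchronized at all, while the broad query pulls in Sales too. Before saving a regular expression query, review the list of groups it matches in your tenant rather than relying on the pattern looking right.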

Azure AD Preparation

Before you can use an Azure AD as a user directory, you have to perform the following configuration steps in your Azure AD administration portal:

  • Click App registrations.
  • Create a new app registration and give it a name (e.g. Mail And Deploy).
  • Set the redirect URL to a URL of the format https://hostname:port/urlfolder, where the host name and port are the ones users use to launch the management console and the URL folder is the callback URL folder of the Azure AD user directory (see above). Set the platform to Single Page Application (SPA).
  • Click Register. On the overview page copy the Application (client) ID and the Directory (tenant) ID; these are the Client ID and Tenant ID of the user directory.
  • In the left menu select Authentication, tick ID tokens (used for implicit and hybrid flows) and click Save.
  • In the left menu select Token configuration and click Add optional claim. Select token type ID and add the following claims:
    • email
    • upn
    • verified_primary_email
    • xms_pl
  • In the left menu select API permissions and add the following Microsoft Graph permissions:
    • Delegated: email
    • Delegated: openid
    • Delegated: profile
    • Delegated: User.Read
    • Application: Group.Read.All
    • Application: User.Read.All
  • Make sure that admin consent is granted for all API permissions. Group.Read.All and User.Read.All are application permissions: anyone holding the tenant ID, client ID and client secret can read every user and group in the tenant with them, so protect the client secret accordingly.
  • In the left menu select Certificates & secrets, create a new client secret and copy its Value; this is the client secret of the user directory. The value is displayed only once, and every client secret has an expiry date after which authentication and synchronization stop working until you create a new secret and update the user directory configuration.
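As an added check that is not part of the product's documentation or code, the following Python builds the Microsoft Graph application object the portal steps above produce and audits an existing registration (as returned by GET /applications/{id} or `az ad app show`) against that checklist. The display name, host name, port and callback folder are placeholders; the permission IDs are the well-known Microsoft Graph IDs for the listed permissions, and the single-tenant sign-in audience is an assumption. Admin consent is recorded on the service principal, not on the application object, so it is not checked here.

```python
import copy

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph resource app ID

# Well-known Microsoft Graph permission IDs as stored in requiredResourceAccess.
# type "Scope" = delegated permission, "Role" = application permission.
# Confirm them against the Graph service principal in your tenant before relying on them.
REQUIRED_GRAPH_PERMISSIONS = {
    ("37f7f235-527c-4136-accd-4a02d197296e", "Scope"): "openid",
    ("64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0", "Scope"): "email",
    ("14dad69e-099b-42c9-810b-d002981feec1", "Scope"): "profile",
    ("e1fe6dd8-ba31-4d61-89e7-88639da4683d", "Scope"): "User.Read",
    ("5b567255-7703-4780-807c-7be8301ae99b", "Role"): "Group.Read.All",
    ("df021288-bdef-4463-88db-98f22de89214", "Role"): "User.Read.All",
}
REQUIRED_ID_TOKEN_CLAIMS = ["email", "upn", "verified_primary_email", "xms_pl"]


def build_registration(display_name, redirect_uri):
    """Request body for POST https://graph.microsoft.com/v1.0/applications that
    mirrors the portal steps: SPA redirect URI, ID token issuance, optional
    ID token claims and the Microsoft Graph permissions listed above."""
    return {
        "displayName": display_name,
        "signInAudience": "AzureADMyOrg",  # assumption: single-tenant registration
        "spa": {"redirectUris": [redirect_uri]},
        "web": {"implicitGrantSettings": {"enableIdTokenIssuance": True,
                                          "enableAccessTokenIssuance": False}},
        "optionalClaims": {"idToken": [{"name": c, "essential": False}
                                       for c in REQUIRED_ID_TOKEN_CLAIMS]},
        "requiredResourceAccess": [{
            "resourceAppId": GRAPH_APP_ID,
            "resourceAccess": [{"id": pid, "type": ptype}
                               for (pid, ptype) in REQUIRED_GRAPH_PERMISSIONS],
        }],
    }


def audit_registration(app, expected_redirect_uri):
    """Compare an application object with the checklist on this page.
    Returns a list of findings; an empty list means every documented setting is present."""
    findings = []
    spa_uris = app.get("spa", {}).get("redirectUris", [])
    web_uris = app.get("web", {}).get("redirectUris", [])
    if expected_redirect_uri not in spa_uris:
        findings.append(f"redirect URI {expected_redirect_uri} is not registered on the SPA platform")
    for uri in spa_uris + web_uris:
        # Azure AD only allows plain http for localhost; anything else must be https.
        if not (uri.lower().startswith("https://") or uri.lower().startswith("http://localhost")):
            findings.append(f"redirect URI {uri} does not use https")
    if not app.get("web", {}).get("implicitGrantSettings", {}).get("enableIdTokenIssuance", False):
        findings.append("ID token issuance is not enabled (Authentication > ID tokens)")
    present_claims = {c["name"] for c in app.get("optionalClaims", {}).get("idToken", [])}
    for claim in REQUIRED_ID_TOKEN_CLAIMS:
        if claim not in present_claims:
            findings.append(f"optional ID token claim {claim} is missing")
    requested = set()
    for resource in app.get("requiredResourceAccess", []):
        if resource.get("resourceAppId") == GRAPH_APP_ID:
            requested.update((a["id"], a["type"]) for a in resource.get("resourceAccess", []))
    for key, name in REQUIRED_GRAPH_PERMISSIONS.items():
        if key not in requested:
            findings.append(f"Microsoft Graph permission {name} ({key[1]}) is missing")
    # Application permissions are tenant-wide; anything beyond the documented two
    # widens the blast radius of a leaked client secret and should be justified.
    for pid, ptype in sorted(requested):
        if ptype == "Role" and (pid, ptype) not in REQUIRED_GRAPH_PERMISSIONS:
            findings.append(f"undocumented application permission {pid} is requested")
    return findings


# Constructed example: host name, port and callback folder are placeholders.
REDIRECT_URI = "https://mad.contoso.example:8443/azuread"
COMPLETE_APP = build_registration("Mail And Deploy", REDIRECT_URI)

# Constructed flawed registration: the xms_pl claim was never added and
# Group.Read.All was left out, so group synchronization would fail.
FLAWED_APP = copy.deepcopy(COMPLETE_APP)
FLAWED_APP["optionalClaims"]["idToken"] = [
    c for c in FLAWED_APP["optionalClaims"]["idToken"] if c["name"] != "xms_pl"]
FLAWED_APP["requiredResourceAccess"][0]["resourceAccess"] = [
    a for a in FLAWED_APP["requiredResourceAccess"][0]["resourceAccess"]
    if a["id"] != "5b567255-7703-4780-807c-7be8301ae99b"]

if __name__ == "__main__":
    for finding in audit_registration(FLAWED_APP, REDIRECT_URI):
        print("FINDING:", finding)
```

The permission IDs can be cross-checked against the Graph service principal in your tenant with `az ad sp show --id 00000003-0000-0000-c000-000000000000` (the `oauth2PermissionScopes` and `appRoles` collections); whether admin consent was actually granted is visible with `az ad app permission list-grants --id <application id>`, not on the application object itself.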
