Azure AD User Directories
- Updated on 16 Apr 2024
- 3 Minutes to read
General
This type of user directory synchronizes Users and User Groups and can be used to perform Authentication.
Properties
Azure AD user directories have the following properties:
Name | Description |
---|---|
Name | The name of the user directory; this is a free text you can assign. |
Tenant ID | The tenant ID associated with your Azure AD (see below). |
Client ID | The client (application) ID you have received when performing the Azure AD Preparation (see below). |
Client Secret | The client secret you have received when performing the Azure AD Preparation (see below). |
Callback URL Folder | The URL folder of the redirect URL that is used when authenticating against this Azure AD. If you only use one Azure AD you can leave the default value. If you use more than one Azure AD, make sure that each Azure AD configuration has a unique callback URL folder. The callback URL folder has to be part of the redirect URL when configuring the Azure AD (see below). |
Has Custom Callback URL | Enable this option to enter a custom callback URL. |
Callback URL | The custom URL folder of the redirect URL that is used when authenticating against this Azure AD. Helpful when using a reverse proxy, for example. |
You can test the current configuration by clicking Test Connection to check if the connection to the Azure AD can successfully be established.
User Group Queries
Every Azure AD user directory can have one or more user group queries to define which user groups within the Azure AD to synchronize.
Only Azure AD user groups for which a user group query exists will be synchronized.
User group queries have the following properties:
Name | Description |
---|---|
Name | The name of the user group within the Azure AD or a regular expression matching the names of user groups within the Azure AD (depending on the Matching Method property). |
Matching Method | Exact Match: only the Azure AD user group whose name exactly matches the Name property will be synchronized. Regular Expression: all Azure AD user groups whose names match the regular expression contained in the Name property of this query will be synchronized. |
Members Type | The user type to assign to Users synchronized with the Azure AD user group. If a user belongs to multiple queried user groups in the user directory, the user type with the highest permissions will be assigned to that user. |
Default Language | The default language to assign to Users synchronized with the Azure AD user group unless the Azure AD user has a preferred language set in Azure AD. |
Time Zone | The time zone to assign to Users synchronized with the Azure AD user group. |
Culture | The culture to assign to Users synchronized with the Azure AD user group. |
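The following script is an added example, not Mail And Deploy code, showing how the user group query rules in the table above play out on constructed data: which directory groups are synchronized, how a user in several queried groups ends up with the highest-ranked user type, and how a preferred language in Azure AD overrides the query's default. The group names, the user types and their ranking (USER_TYPE_RANK) are assumptions; this page does not list the product's user types. It also shows why a Regular Expression query should be anchored: an unanchored pattern such as "MAD.*Admin" also pulls in "Not MAD Admins".

```python
"""Resolve Azure AD user group queries as described on this page (added example)."""
import re
from dataclasses import dataclass

# Assumption: the product's user types and their permission ranking are not on
# this page, so a constructed ranking is used (higher number = more permissions).
USER_TYPE_RANK = {"User": 1, "Power User": 2, "Administrator": 3}


@dataclass(frozen=True)
class GroupQuery:
    name: str              # exact group name or a regular expression
    matching_method: str   # "Exact Match" or "Regular Expression"
    members_type: str      # user type assigned to members of matched groups
    default_language: str  # used unless the Azure AD user has a preferred language

    def matches(self, group_name: str) -> bool:
        if self.matching_method == "Exact Match":
            return group_name == self.name
        # re.search is unanchored, so "MAD.*Admin" also matches "Not MAD Admins".
        # Anchor the pattern (^...$) unless a substring match is really intended.
        return re.search(self.name, group_name) is not None


def synchronized_groups(queries, directory_groups):
    """Only groups for which at least one query matches are synchronized."""
    return {g: [q for q in queries if q.matches(g)]
            for g in directory_groups if any(q.matches(g) for q in queries)}


def resolve_user(queries, membership, preferred_language=None):
    """Assign user type and language to a user from the groups they belong to.

    The user type with the highest permissions across all matching queries
    wins; the preferred language set in Azure AD overrides the query default.
    Returns None when none of the user's groups is covered by a query.
    """
    matched = [q for g in membership for q in queries if q.matches(g)]
    if not matched:
        return None
    best = max(matched, key=lambda q: USER_TYPE_RANK[q.members_type])
    return {"members_type": best.members_type,
            "default_language": preferred_language or best.default_language}


# Constructed sample data.
DIRECTORY_GROUPS = ["MAD Users", "MAD Admins", "Not MAD Admins", "Finance"]
QUERIES = [
    GroupQuery("MAD Users", "Exact Match", "User", "en"),
    GroupQuery("MAD.*Admin", "Regular Expression", "Administrator", "de"),   # unanchored
]
ANCHORED_QUERIES = [
    QUERIES[0],
    GroupQuery("^MAD.*Admins$", "Regular Expression", "Administrator", "de"),  # anchored
]

if __name__ == "__main__":
    print(sorted(synchronized_groups(QUERIES, DIRECTORY_GROUPS)))
    print(sorted(synchronized_groups(ANCHORED_QUERIES, DIRECTORY_GROUPS)))
    print(resolve_user(QUERIES, ["MAD Users", "MAD Admins"]))
    print(resolve_user(QUERIES, ["MAD Users"], preferred_language="fr"))
```

Running it with the unanchored query synchronizes "Not MAD Admins" as well, and its members become Administrators; with the anchored query only "MAD Users" and "MAD Admins" are synchronized.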
Azure AD Preparation
Before you can use an Azure AD as a user directory, you have to perform the following configuration setups in your Azure AD Administration Portal:
- Click App registrations.
- Create a new app registration and give it a name (e.g. Mail And Deploy).
- Set the redirect URL to a URL that has the format https://hostname:port/urlfolder where the host name and port are the ones that are used by users to launch the management console and the URL folder is the callback URL folder of the Azure AD (see above). Set the platform to Single Page Application (SPA).
- Click Register. On the overview page copy the Application (Client) ID and the Tenant ID.
- In the left menu select Authentication, then select ID tokens (used for implicit and hybrid flows) and click Save.
- In the left menu select Token Configuration and click Add optional claims. Then select token type ID and add the following claims:
  - upn
  - verified_primary_email
  - xms_pl
- In the left menu select API Permissions and add the following Microsoft Graph permissions:
  - Delegated: email
  - Delegated: openid
  - Delegated: profile
  - Delegated: User.Read
  - Application: Group.Read.All
  - Application: User.Read.All
- Make sure that admin consent is granted for all API permissions.
- In the left menu select Certificates & secrets, create a new client secret and copy its Value; this is used as the client secret.
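The script below is an added example, not part of the Mail And Deploy documentation or product, for checking an existing app registration against the steps above and catching later drift (an extra redirect URI, a dropped claim, a broader permission than Group.Read.All). It reads two JSON documents in the shape the Azure CLI returns: `az ad app show --id <appId>` for the registration and `az ad sp show --id 00000003-0000-0000-c000-000000000000` for the Microsoft Graph service principal, whose `oauth2PermissionScopes` and `appRoles` lists translate permission GUIDs into names. The sample documents at the bottom are constructed; their GUIDs are placeholders, not real Graph permission ids. Whether admin consent has been granted is not visible in the application object, so that step still has to be checked in the portal.

```python
"""Audit an Azure AD app registration against this page's checklist (added example)."""
import copy

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph, fixed across tenants
EXPECTED_ID_TOKEN_CLAIMS = {"upn", "verified_primary_email", "xms_pl"}
EXPECTED_DELEGATED = {"email", "openid", "profile", "User.Read"}
EXPECTED_APPLICATION = {"Group.Read.All", "User.Read.All"}


def graph_permission_names(app, graph_sp):
    """Map the registration's Graph permission ids to (delegated, application) name sets."""
    scopes = {s["id"]: s["value"] for s in graph_sp.get("oauth2PermissionScopes", [])}
    roles = {r["id"]: r["value"] for r in graph_sp.get("appRoles", [])}
    delegated, application = set(), set()
    for resource in app.get("requiredResourceAccess", []):
        if resource.get("resourceAppId") != GRAPH_APP_ID:
            continue  # permissions on APIs other than Graph are outside this checklist
        for access in resource.get("resourceAccess", []):
            # "Scope" entries are delegated permissions, "Role" entries application permissions
            lookup, target = (scopes, delegated) if access["type"] == "Scope" else (roles, application)
            target.add(lookup.get(access["id"], "unknown:" + access["id"]))
    return delegated, application


def audit_registration(app, graph_sp, expected_redirect):
    """Return a list of findings; an empty list means the registration matches the page."""
    findings = []
    # Redirect URL must be registered on the SPA platform and nowhere else.
    spa_uris = set(app.get("spa", {}).get("redirectUris", []))
    if expected_redirect not in spa_uris:
        findings.append(f"SPA redirect URI {expected_redirect} is not registered")
    for platform in ("web", "publicClient"):
        extra = app.get(platform, {}).get("redirectUris", [])
        if extra:
            findings.append(f"unexpected {platform} redirect URIs: {extra}")
    # ID tokens for implicit and hybrid flows.
    if not app.get("web", {}).get("implicitGrantSettings", {}).get("enableIdTokenIssuance"):
        findings.append("ID token issuance for implicit/hybrid flows is not enabled")
    # Optional ID-token claims.
    claims = {c["name"] for c in app.get("optionalClaims", {}).get("idToken", [])}
    if EXPECTED_ID_TOKEN_CLAIMS - claims:
        findings.append(f"missing optional ID-token claims: {sorted(EXPECTED_ID_TOKEN_CLAIMS - claims)}")
    # Graph permissions: report both what is missing and what goes beyond the list.
    delegated, application = graph_permission_names(app, graph_sp)
    for label, have, want in (("delegated", delegated, EXPECTED_DELEGATED),
                              ("application", application, EXPECTED_APPLICATION)):
        if have != want:
            findings.append(f"{label} permissions: missing {sorted(want - have)}, extra {sorted(have - want)}")
    return findings


# Constructed sample documents; the GUIDs are placeholders, not real permission ids.
GRAPH_SP = {
    "oauth2PermissionScopes": [{"id": f"00000000-0000-0000-0000-00000000000{i}", "value": v}
                               for i, v in enumerate(["email", "openid", "profile", "User.Read"], 1)],
    "appRoles": [{"id": "10000000-0000-0000-0000-000000000001", "value": "Group.Read.All"},
                 {"id": "10000000-0000-0000-0000-000000000002", "value": "User.Read.All"},
                 {"id": "10000000-0000-0000-0000-000000000003", "value": "Group.ReadWrite.All"}],
}
REDIRECT = "https://mad.example.internal:8443/azuread"  # hostname, port and callback URL folder are assumed
GOOD_APP = {
    "spa": {"redirectUris": [REDIRECT]},
    "web": {"redirectUris": [], "implicitGrantSettings": {"enableIdTokenIssuance": True}},
    "publicClient": {"redirectUris": []},
    "optionalClaims": {"idToken": [{"name": n} for n in ("upn", "verified_primary_email", "xms_pl")]},
    "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID, "resourceAccess":
        [{"id": s["id"], "type": "Scope"} for s in GRAPH_SP["oauth2PermissionScopes"]]
        + [{"id": "10000000-0000-0000-0000-000000000001", "type": "Role"},
           {"id": "10000000-0000-0000-0000-000000000002", "type": "Role"}]}],
}


def drifted_app():
    """A copy of GOOD_APP with the kind of drift the audit should catch (constructed)."""
    app = copy.deepcopy(GOOD_APP)
    app["web"]["redirectUris"].append("http://localhost/azuread")        # stray Web redirect
    app["optionalClaims"]["idToken"].pop()                                # xms_pl removed
    access = app["requiredResourceAccess"][0]["resourceAccess"]
    access[-2]["id"] = "10000000-0000-0000-0000-000000000003"             # Group.ReadWrite.All instead of Group.Read.All
    return app


if __name__ == "__main__":
    for name, app in (("good", GOOD_APP), ("drifted", drifted_app())):
        print(name, audit_registration(app, GRAPH_SP, REDIRECT) or "OK")
```

On the constructed data the good registration produces no findings, while the drifted copy reports the extra Web redirect URI, the missing xms_pl claim and the Group.ReadWrite.All permission that exceeds what this page asks for.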