Azure Client Credentials

Azure Active Directory (Azure) is Microsoft's cloud-based identity and access management service. Azure AD helps your employees sign in and access resources such as Microsoft Office 365, the Azure portal, and thousands of other Software as a Service (SaaS) applications.

Important:This Azure integration requires the authentication method OAuth2 with client credentials.

The following sections explain prerequisites, resources, and instructions for integrating with SaaS Management.

Stored Azure Client Credentials Information
Required Minimum Permissions for Azure Client Credentials
Optional Credentials for Azure Client Credentials
Azure Client Credentials Authentication Method
Required Credentials for Azure Client Credentials
Obtaining Client Credentials and Directory (Tenant) ID for Azure Client Credentials
Data Anonymization for Azure Client Credentials
Integrating Azure Client Credentials With SaaS Management
Azure Client Credentials API Endpoints

Stored Azure Client Credentials Information

The following table describes the available integration tasks and stored data within [ProductName].

Available Integration Tasks

Information Stored

HR Roster

Unique ID
Email
Email Aliases
First Name
Last Name
Active Date
Department
Location

Application Discovery

Application ID
Application Name
App Instance ID
Additional Details (See the following Note.)

Note:Following are descriptions for the additional details that display in the Azure Client Credentials Discovered Applications tab:

Publisher—Specifies the publisher of the applications. 
Open_Access—Specifies whether users can use Single Sign-On (SSO) without any role assignment for the applications. 
SSO Integration—Specifies whether the publisher name of the app matches the name of the organization. A green check mark indicates a match; a red “x” indicates a mismatch. 
OAuth2 Integration—Specifies the applications configured with OAuth protocol for SSO. 

SSO Application Roster

Application ID
Application Name
App Instance ID
User ID
Email
First Name
Last Name
Active Date

SSO Application Access

User ID
Last Login
Application ID
Application Name
Login Location

Note:The information stored is subject to change as enhancements are made to the SaaS application.

Required Minimum Permissions for Azure Client Credentials

The minimum API required permissions are based on the Required Application Permissions for Azure Client Credentials and Required User Role for Azure Client Credentials .

Required Application Permissions for Azure Client Credentials

Important:The Azure Client Credentials integration with SaaS Management will fail if consent is not given to both the AuditLog.Read.All and the Directory.Read.All permissions. For more information, see Microsoft’s documentation topic, List signIns.

Application Permission

Description

Integration Task Name

User.Read.All

Enables the application to read the full set of profile properties on behalf of the signed-in user.

HR Roster 

Application.Read.All

Enables the application to read applications and service principals on behalf of the signed-in user.

Application Discovery 

Organization.Read.All

Enables the application to read the organization and related resources, without a signed-in user. Related resources include things like subscribed SKUs and tenant branding information.

Application Discovery 

AuditLog.Read.All and

Directory.Read.All

Enables the application to read and query your audit log activities, without a signed-in user.

SSO Application Access 

Application.Read.All

Enables the application to read applications and service principals on behalf of the signed-in user.

SSO Application Roster 

GroupMember.Read.All

Enables the app to read memberships and basic group properties for all groups without a signed-in user.

SSO Application Roster 

Required User Role for Azure Client Credentials

Note:The following SaaS application user role is not applicable to Flexera One roles.

User Role

Description

Global Administrator

To grant the application permission, the user must have Global Administrator access. For more information, see Microsoft’s documentation topic, Azure AD Built-In Roles.

Azure Client Credentials Authentication Method

The required authentication method is OAuth 2.0 With Client Credentials. For more information, see Microsoft’s documentation topic, Microsoft Identity Platform and the OAuth 2.0 Client Credentials Flow.

Required Credentials for Azure Client Credentials

The following credentials are required:

Application (Client) ID
Client Secrets Value
Directory (Tenant) ID.

Optional Credentials for Azure Client Credentials

The following credentials are optional:

Include Guests
Domain Names—If you provide multiple values, they should be comma separated.

Obtaining Client Credentials and Directory (Tenant) ID for Azure Client Credentials

Before Integrating Azure Client Credentials With SaaS Management, you need to obtain the client credentials and tenant ID from your Microsoft account by completing the following steps.

To obtain Client Credentials and Directory (Tenant) ID:

1. Sign in to your Microsoft Azure Portal.
2. In the Search box at the top of the page, enter App registrations and click App registrations in the search results to select it. The App registrations page opens.
3. Click New Registration. The Register an application page opens.
4. Enter a Name and choose the Accounts in this organizational directory only option.
5. Click Register.
6. On the Overview tab, copy the Application (client) ID and copy the Directory (tenant) ID to a location or file you can access later. You will need these values for Integrating Azure Client Credentials With SaaS Management.
7. To generate a client secrets value, do the following:
a. Click the Certificates & secrets tab.
b. Under Client secrets, click New client secret. The Add a client secret dialog box opens.
c. In the Description field, enter a name for the new secret.
d. Under Expires, choose an expiration value.
e. Click Add.
f. Under Client secrets, copy and paste the client secret value into a file. You will need this value for Integrating Azure Client Credentials With SaaS Management.
8. Click the API permissions tab and do the following:
a. Click Microsoft Graph. The Request API permissions panel opens.
b. Click Application permissions.

Note:Do not select Delegated permissions. Delegated permissions will not work.

c. In the Select permissions search box, enter Directory. Then click the arrow to expand the Directory and select the Directory.Read.All permission and AuditLog.Read.All checkboxes.
d. Click Update permissions.
9. After the permissions are added, grant admin consent.
10. Continue to Data Anonymization for Azure Client Credentials.

Data Anonymization for Azure Client Credentials

Data anonymization is the processing technique that removes or modifies identifiable information. After the process is complete, data cannot be associated with a specific user. It helps protect private and sensitive data as well as private activities while maintaining its integrity.

Important:Before Integrating Azure Client Credentials With SaaS Management, you must complete the following task to ensure that anonymized users are not imported from Azure Client Credentials into SaaS Management. You will need to access reports that provide information about your organization’s use of applications and services.

Ensure that data anonymization is disabled in your Microsoft account. Otherwise, all activity data will end up in Suspicious SaaS Activities. For more information, see Microsoft’s documentation topic, Microsoft 365 Reports Show Anonymous User Names Instead of Actual User Names. If anonymized user data has been imported after integrating Azure Client Credentials with SaaS Management, submit a Flexera Support Case.

To view reports with anonymized user data:

1. Sign in to the Microsoft 365 Portal Admin Center.
2. In the menu, go to Settings > Org settings and click the Services link at the top.
3. Scroll down and click Reports.
4. In the window that is displayed, clear the Display concealed user, group, and site names in all reports box.
5. Proceed to Integrating Azure Client Credentials With SaaS Management.

Integrating Azure Client Credentials With SaaS Management

Complete the following steps to integrate Azure Client Credentials with SaaS Management.

To integrate Azure Client Credentials with SaaS Management:

1. Complete the steps in the prerequisite sections:
a. Data Anonymization for Azure Client Credentials
b. Obtaining Client Credentials and Directory (Tenant) ID for Azure Client Credentials.
2. Add the Azure Client Credentials application in SaaS Management. For more information, see Adding an Application.
3. In the Add Application page for Azure Client Credentials:
a. Select the following Integration Tasks:
HR Roster 
Application Discovery 
SSO Application Roster 
SSO Application Access 
b. Paste the previously copied values for Application (Client) ID, Client Secrets Value, and Directory (Tenant) ID. For more information, see Obtaining Client Credentials and Directory (Tenant) ID for Azure Client Credentials.
c. To filter users based on domain, enter the appropriate domain name(s) in the Domain Names field of the Azure Client Credentials integration setup slideout. Domain names are not case sensitive. If you provide multiple domain values, they should be comma separated. If the Domain Names field is left empty, it will pull all the user domains.

Note:If the User Principal Name (UPN) and mail values are not the same, the entered domain values will not display in the Email column of the Azure Client Credentials Users tab in SaaS Management.

d. To filter the Azure Client Credentials user types that are pulled in from the HR Roster integration task, enter the appropriate value in the Include Guests field.

Example 1: To retrieve Guest, Member, and null Azure user types, enter yes in the Include Guests field.

Example 2: To retrieve only Member and null Azure user types, do not enter a value in the Include Guests field.

The results for both examples display in the All SaaS Users (Organization > All SaaS Users) page.

e. Click Authorize.

Tip:After the Application Discovery integration task has been enabled after 24 hours, you can add the discovered SSO enabled applications to your list of Managed SaaS Applications. For more information, see Adding Discovered SSO Enabled Applications to Your List of Managed SaaS Applications.

Important:The default number of your organization’s Azure users that are pulled into SaaS Management for discovered SSO enabled applications represents all the users listed in your Azure AD. To limit the scope of the Azure user count in SaaS Management to those users assigned to the Azure discovered SSO enabled applications, you need to set the App Role Assignment flag to Yes for each SSO enabled application. For more information on setting the app role assignment, see Microsoft’s documentation topic, Update the App to Require User Assignment. Within SaaS Management, Azure users with an inactive status represent those users who are unassigned from the SSO enabled application.

Azure Client Credentials API Endpoints

HR Roster

https://graph.microsoft.com/v1.0/users

Application Discovery

https://graph.microsoft.com/v1.0/servicePrincipals

 

https://graph.microsoft.com/v1.0/organization/

SSO Application Access

https://graph.microsoft.com/v1.0/auditLogs/signIns

SSO Application Roster

https://graph.microsoft.com/v1.0/servicePrincipals/<applicationId>/appRoleAssignedTo

 

https://graph.microsoft.com/v1.0/groups/<groupId>/members