Azure Client Credentials

Azure Active Directory (Azure) is Microsoft's cloud-based identity and access management service. Azure AD helps your employees sign in and access resources such as Microsoft Office 365, the Azure portal, and thousands of other Software as a Service (SaaS) applications.

Important:This Azure integration requires the authentication method OAuth2 with client credentials.

•

Information Stored

•

Minimum Permissions Required

•

Authentication Method

•

Credentials Required

•

Obtaining Client Credentials and Tenant ID

•

Data Anonymization

•

Integrating Azure Client Credentials with SaaS Management

•

API Endpoints

Information Stored

The following table describes the available integration tasks and stored data.

Available Integration Tasks

Integration Task	Information Stored
HR Roster	• User ID • Email • Email Aliases • First Name • Last Name • Active Date • Department • Location
Application Discovery	• Application ID • Application Name • App Instance ID • Additional Details (open_access, publisher, oauth2Integration) Note:The Additional Details are described below: • open_access - Specifies whether users can use Single Sign-On (SSO) without any role assignment for the applications. • publisher - Specifies the publisher of the applications. • oauth2Integration - Specifies the applications configured with OAuth protocol for SSO.
SSO Application Roster	• Application ID • Application Name • App Instance ID • User ID • Email • First Name • Last Name • Active Date
SSO Application Access	• User ID • Last Login • Application ID • Application Name • Login Location

Note:The information stored is subject to change as enhancements are made to the product.

Minimum Permissions Required

Minimum API required permissions are based on the Application Permission and User Role .

Application Permission

Important:The Azure Client Credentials integration with SaaS Management will fail if consent is not given to both the AuditLog.Read.All and the Directory.Read.All permissions. For details, refer to the Microsoft List signIns documentation section.

Application Permission

Permission	Description	Integration Task Name
User.Read.All	Allows the application to read the full set of profile properties on behalf of the signed-in user.	HR Roster
Application.Read.All	Allows the application to read applications and service principals on behalf of the signed-in user.	Application Discovery
Organization.Read.All	Allows the application to read the organization and related resources, without a signed-in user. Related resources include things like subscribed SKUs and tenant branding information.	Application Discovery
AuditLog.Read.All and Directory.Read.All	Allows the application to read and query your audit log activities, without a signed-in user.	SSO Application Access
Application.Read.All	Allows the application to read applications and service principals on behalf of the signed-in user.	SSO Application Roster
GroupMember.Read.All	Allows the app to read memberships and basic group properties for all groups without a signed-in user.	SSO Application Roster

User Role

User Role

Role	Description
Global Administrator	To grant the application permission, the user must have Global Administrator access. For details, refer to the Microsoft documentation Azure AD Built-In Roles.

Authentication Method

OAuth2 with Client Credentials. For details, refer to Microsoft’s instructions in Microsoft identity platform and OAuth 2.0 client credentials flow.

Credentials Required

•

Client ID

•

Client Secret

•

Tenant ID

•

Include Guests (Optional)

•

Domain Names (Optional) - If you provide multiple values, they should be comma separated.

Obtaining Client Credentials and Tenant ID

To obtain client credentials and tenant ID, perform the following steps.

To obtain Client Credentials and Tenant ID:

1.

Sign in to your Microsoft Azure Portal.

2.

In the Search box at the top of the screen, enter App registrations and click App registrations in the search results to select it. The App registrations page opens.

3.

Click New Registration. The Register an application page opens.

4.

Enter a Name and choose the Accounts in this organizational directory only option.

5.

Click Register.

6.

On the Overview tab, copy the Application (client) ID and copy the Directory (tenant) ID to a location you can access later. You will need these values in Integrating Azure Client Credentials with SaaS Management.

7.

To generate a Client secret, do the following:

a.

Click the Certificates & secrets tab.

b.

Under Client secrets, click New client secret. The Add a client secret dialog box opens.

c.

In the Description field, enter a name for the new secret.

d.

Under Expires, choose an expiration value.

e.

Click Add.

f.

Under Client secrets, copy the client secret value. You will need this in Integrating Azure Client Credentials with SaaS Management.

8.

Click the API permissions tab and do the following:

a.

Click Microsoft Graph. The Request API permissions panel opens.

b.

Click Application permissions.

Note:Do not select Delegated permissions. Delegated permissions will not work.

c.

In the Select permissions search box, enter Directory. Then click the arrow to expand the Directory and select the Directory.Read.All permission and AuditLog.Read.All check boxes.

d.

Click Update permissions.

9.

Once the permissions are added, grant admin consent.

10.

Complete Integrating Azure Client Credentials with SaaS Management.

Data Anonymization

Data anonymization is the processing technique that removes or modifies identifiable information. Once the process is complete, data cannot be associated with a specific user. It helps protect private and sensitive data as well as private activities while maintaining its integrity.

When adding the Azure Client Credentials application, it is important to make sure that anonymized users are not imported from Azure Client Credentials into SaaS Management. You will need to access reports that provide information about your organization’s use of applications and services.

The following procedure is important as a prerequisite to ensure that anonymized user data is not imported when integrating Azure Client Credentials with SaaS Management.

To view reports with anonymized user data:

1.

Sign in to the Microsoft 365 Portal Admin Center.

2.

In the menu, go to Settings > Org settings and click the Services link at the top.

3.

Scroll down and click Reports.

4.

In the window that is displayed, clear the Display concealed user, group, and site names in all reports box.

5.

Proceed to Integrating Azure Client Credentials with SaaS Management.

Note:Ensure that data anonymization is disabled in your Microsoft account. Otherwise, all activity data will end up in Suspicious SaaS Activities. For more information, see the Microsoft documentation regarding Showing Anonymous User Names. If anonymized user data has been imported after integrating Azure Client Credentials with SaaS Management, submit a Support Case.

Integrating Azure Client Credentials with SaaS Management

To integrate Azure Client Credentials with SaaS Management, perform the following steps.

To integrate Azure Client Credentials with SaaS Management:

1.

In the Microsoft Azure Portal, enter your Global Administrator username and password to sign in.

2.

From your Microsoft account, copy the Client ID, Client Secret, and Tenant ID values.

3.

in SaaS Management, add the Azure Client Credentials application. Refer to Adding an Application.

4.

In the Add Application screen for Azure Client Credentials:

a.

Select the following Integration Tasks:

•

HR Roster

•

Application Discovery

•

SSO Application Roster

•

SSO Application Access

b.

Paste the previously copied values for Client ID, Client Secret, and Tenant ID.

c.

To filter users based on domain, enter the appropriate domain name(s) in the Domain Names field of the Azure Client Credentials integration setup slideout. Domain names are not case sensitive. If you provide multiple domain values, they should be comma separated. If the Domain Names field is left empty, it will pull all the user domains.

Note:If the User Principal Name (UPN) and mail values are not the same, the entered domain values will not display in the Email column of the Azure Client Credentials Users tab in SaaS Management.

d.

To filter the Azure Client Credentials user types that are pulled in from the HR Roster integration task, enter the appropriate value in the Include Guests field.

Example 1: To retrieve Guest, Member, and null Azure user types, enter yes in the Include Guests field.

Example 2: To retrieve only Member and null Azure user types, do not enter a value in the Include Guests field.

The results for both examples display in the All SaaS Users (Organization > All SaaS Users) screen.

e.

Click Authorize.

Tip:Once the Application Discovery integration task has been enabled after 24 hours, you can add the discovered SSO enabled applications to your list of Managed SaaS Applications. For details, refer to Adding Discovered SSO Enabled Applications to Your List of Managed SaaS Applications.

API Endpoints

HR Roster

https://graph.microsoft.com/v1.0/users

Application Discovery

https://graph.microsoft.com/v1.0/servicePrincipals

 

https://graph.microsoft.com/v1.0/organization/

SSO Application Access

https://graph.microsoft.com/v1.0/auditLogs/signIns

SSO Application Roster

https://graph.microsoft.com/v1.0/servicePrincipals/<applicationId>/appRoleAssignedTo

 

https://graph.microsoft.com/v1.0/groups/<groupId>/members