Azure
Azure Active Directory (Azure) is Microsoft's cloud-based identity and access management service. Azure AD helps your employees sign in and access resources such as Microsoft Office 365, the Azure portal, and thousands of other Software as a Service (SaaS) applications.
Information Stored
The following table describes the available integration tasks and stored data.
Available Integration Tasks
|
|
|
|
HR Roster
|
|
|
Application Discovery
|
|
•
|
Additional Details (open_access, publisher, oauth2Integration) |
Note:The Additional Details are described below:
|
•
|
open_access - Specifies whether users can use Single Sign-On (SSO) without any role assignment for the applications. |
|
•
|
publisher - Specifies the publisher of the applications. |
|
•
|
oauth2Integration - Specifies the applications configured with OAuth protocol for SSO. |
|
|
SSO Application Roster
|
|
|
SSO Application Access
|
|
Note:The information stored is subject to change as enhancements are made to the product.
Minimum Permissions Required
Minimum API required permissions are based on the Application Permission and User Role .
Application Permission
Application Permission
|
|
|
|
|
Directory.Read.All
|
Allows the application to read data in your organization's directory, such as users, groups, and applications without a signed-in user.
|
All Integration Tasks
|
|
Offline_access
|
This permission is necessary for the refresh token generation.
|
|
|
AuditLog.Read.All
|
To read the audit log details in your Microsoft account
|
Application Access
|
Important:The Azure integration with SaaS Management will fail if consent is not given to both the AuditLog.Read.All and the Directory.Read.All permissions. For details, refer to the Microsoft List signIns documentation section.
User Role
User Role
|
|
|
|
Application Administrator
|
To grant and authorize the application permission, the user must have Application Administrator access. For details, refer to Microsoft’s description of the Application Administrator.
|
Note: Note the following:
|
•
|
Once the Authorization is completed and the integration tasks are executed successfully, the user role can be reduced to the Report Reader role. |
|
•
|
After Authorizing, changing the password, or revoking the user roles for the user used for authorizing will result in an integration task failure. |
Authentication Method
OAuth2 with Authorize flow. For details, refer to the Microsoft OAuth2 authorization code flow documentation.
Credentials Required
|
•
|
Include Guests (Optional) |
Note:Username and password are required only for authorizing the application permissions. These values are not stored in SaaS Management.
Data Anonymization
Data anonymization is the processing technique that removes or modifies identifiable information. Once the process is complete, data cannot be associated with a specific user. It helps protect private and sensitive data as well as private activities while maintaining its integrity.
When adding the Azure application, it is important to make sure that anonymized users are not imported from Office 365 into SaaS Management. You will need to access reports that provide information about your organization’s use of applications and services.
The following procedure is important as a prerequisite to ensure that anonymized user data is not imported when integrating Azure with SaaS Management.
To view reports with anonymized user data:
|
1.
|
Log in to the Microsoft 365 Portal Admin Center. |
|
2.
|
In the menu, go to Settings > Org settings and click the Services link at the top. |
|
3.
|
Scroll down and click Reports. |
|
4.
|
In the window that is displayed, clear the Display concealed user, group, and site names in all reports box. |
Note:Ensure that data anonymization is disabled in your Microsoft account. Otherwise, all activity data will end up in Suspicious SaaS Activities. For more information, see the Microsoft documentation regarding Showing Anonymous User Names. If anonymized user data has been imported after integrating Azure with SaaS Management, submit a Support Case.
Integrating Azure with SaaS Management
To integrate Azure with SaaS Management, perform the following steps.
To integrate Azure with SaaS Management:
|
2.
|
To filter the Azure user types that are pulled in from the HR Roster integration task, enter the appropriate value in the Include Guest field. |
Example 1: To retrieve Guest, Member, and null Azure user types, enter yes in the Include Guest field.
Example 2: To retrieve only Member and null Azure user types, do not enter a value in the Include Guest field.
The results for both examples display in the All SaaS Users (Organization > All SaaS Users) screen.
|
3.
|
In SaaS Management, click the Authorize link provided during the integration setup, which will redirect you to the Microsoft/Azure portal. |
|
4.
|
Enter your Application Administrator username and password to log in. |
|
5.
|
Click Accept to authorize to provide access to the APIs for the Directory.Read.All permission in the account. |
API Endpoints
HR Roster
https://graph.microsoft.com/v1.0/users
Application Discovery
https://graph.microsoft.com/v1.0/servicePrincipals
SSO Application Access
https://graph.microsoft.com/v1.0/auditLogs/signIns
SSO Application Roster
https://graph.microsoft.com/v1.0/users/<UserID>/appRoleAssignments