Integrate with Microsoft Entra ID (formerly Azure Active Directory)

Prerequisites

Before you install and configure a Microsoft Entra ID (formerly Azure Active Directory) connected system, you should consider the following prerequisites and tasks.

Certified Components

The target system can be any one of the following:

Table - Certified Components

Component Type     | Component
-------------------|--------------------------------------------------------
Target System      | Microsoft Entra ID (formerly Azure Active Directory)
Target API Version | • Microsoft Entra ID (formerly Azure Active Directory)
                   | • Microsoft Graph API v1.0
                   | • Microsoft Authentication API version v2.0 (OAuth 2.0)

Supported Modes

The Microsoft Entra ID (formerly Azure Active Directory) connected system supports the following modes:

  • Authoritative
  • Permissions Management

Supported Connected System Operations

The Microsoft Entra ID (formerly Azure Active Directory) connected system supports the following connector operations:
  • User Management
    • Create user
    • Delete user
    • Reset Password
  • Role Grant Management
    • Assign Roles to a user
    • Revoke Roles from a user
  • License Grant Management
    • Assign Licenses to a user
    • Remove Licenses from a user
  • Security Group Management
    • Assign Security Group to a user
    • Remove Security Group from a user
  • Office Group Management
    • Assign Office Group to a user
    • Remove Office Group from a user

Microsoft Enterprise Application Configuration and Settings

Before you can establish a connection, you need to perform the following tasks in your Microsoft Entra admin center for the Enterprise application:
  • Create and register an enterprise application that you want to integrate with Oracle Access Governance. For more information, refer to the Microsoft documentation.
  • Generate a client secret for the application
  • Grant the following delegated and application permissions for the Microsoft Graph API:

    Delegated Permission

    • Directory.ReadWrite.All
    • Group.ReadWrite.All
    • GroupMember.ReadWrite.All
    • User.Read
    • User.ReadWrite

    Application Permission

    • Directory.ReadWrite.All
    • Group.ReadWrite.All
    • GroupMember.ReadWrite.All
    • User.ReadWrite.All

    For more information, refer to the Microsoft documentation.

Configure

You can establish a connection between Microsoft Entra ID (formerly Azure Active Directory) and Oracle Access Governance by entering connection details. To achieve this, use the connected systems functionality available in the Oracle Access Governance Console.

Navigate to the Connected Systems Page

Navigate to the Connected Systems page of the Oracle Access Governance Console, by following these steps:
  1. From the Oracle Access Governance navigation menu icon, select Service Administration → Connected Systems.
  2. Click the Add a connected system button to start the workflow.

Select and configure a new Connected System

To start the Add a connected system workflow, select the type of system that you would like to connect with Oracle Access Governance:

Select system

On the Select system step of the workflow, you can specify which type of application you would like to onboard.

  1. Select Microsoft Entra ID (formerly Azure Active Directory).
  2. Click Next.

Enter details

On the Enter Details step of the workflow, enter the details for the connected system:

  1. Enter a name for the application you want to connect to in the What do you want to call your directory? field.
  2. Enter a description for the application in the How do you want to describe this directory? field.
  3. Determine whether this connected system is an authoritative source, and whether Oracle Access Governance can manage permissions for existing users, by setting the following checkboxes:
    • This is the authoritative source for my Identities
    • I want to manage permissions for this Connected System
    By default, both checkboxes are selected.
  4. Click Next.

Configure

On the Configure step of the workflow, enter the configuration details required to allow Oracle Access Governance to connect to the target Microsoft Entra ID (formerly Azure Active Directory).

  1. In the Host field, enter the host name of the machine hosting your target system. For example, for the Microsoft Graph API, enter graph.microsoft.com.
  2. In the Port field, enter the port number at which the application is accessible. By default, Microsoft Entra ID (formerly Azure Active Directory) uses port 443 for all outbound communication, unless configured otherwise.
  3. In the Client ID field, enter the client identifier (a unique string) issued by the authorization server to your client application during registration. The client ID, also known as the Application ID, is obtained when you register an application in Microsoft Entra ID (formerly Azure Active Directory), and it identifies your application to the Microsoft identity platform. For more details, refer to the Microsoft documentation.
  4. In the Client secret field, enter the client secret value used to authenticate your client application (the secret's value, not its secret ID). You need to create a new client secret for your application and enter its value in this field.

    Note:

    You must note or copy the client secret value when you create it, as you won't be able to access or view it once you leave the page.
    For more details, refer to the Microsoft documentation.
  5. In the Authentication Server Url field, enter the URL of the authentication server that validates the client ID and client secret for your target system. For example, to authenticate the application using the OAuth 2.0 API, enter a URL of the following form:
    https://login.microsoftonline.com/<Primary Domain or Directory(tenant ID)>/oauth2/v2.0/token
    To find your primary domain or tenant ID, refer to the Microsoft documentation.
  6. In the Scope field, enter the scope of your client application. For example, for the Microsoft Graph API, you can leave the default value https://graph.microsoft.com/.default. For more details, refer to the Microsoft documentation.
  7. If the target system requires SSL connectivity, set the SSL Enabled field to true. Otherwise, set it to false.
  8. In the Proxy Host name field, enter the proxy details, if applicable.
  9. Enter the proxy password and confirm it.
  10. Click Add to create the connected system.

If the configuration details are correct, the connection is validated and the console displays "Success". The Lookup Data Load and Full Data Load operations complete within a few minutes, and the console displays "Success" for each.
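As an added example (not part of the Oracle documentation or of the connector itself), the following Python script builds the OAuth 2.0 client-credentials request that steps 5 and 6 above describe, and inspects an app-only access token to confirm that the application permissions listed under Microsoft Enterprise Application Configuration and Settings were actually granted, reporting any that are missing or surplus. The tenant name, the placeholder client ID and secret, and the sample token are constructed for the example; the token check decodes the payload without verifying the signature, so it is a configuration check only, not an authorization step.

```python
import base64
import json
from urllib.parse import urlencode

# Application permissions the page requires on the Microsoft Graph API. In an
# app-only (client credentials) access token they appear in the "roles" claim.
REQUIRED_APP_ROLES = {
    "Directory.ReadWrite.All",
    "Group.ReadWrite.All",
    "GroupMember.ReadWrite.All",
    "User.ReadWrite.All",
}

def token_request(tenant, client_id, client_secret,
                  scope="https://graph.microsoft.com/.default"):
    """Build the OAuth 2.0 client-credentials request for the v2.0 endpoint.
    Returns (url, form_body) so the values can be checked before they are sent."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret, "scope": scope})
    return url, body

def _b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def check_token_roles(access_token, required=REQUIRED_APP_ROLES):
    """Read the (unverified) payload of an app-only token and report which
    required application permissions are missing and which extra ones were
    granted. Configuration check only: the signature is not verified, so this
    must never be used to make an authorization decision."""
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    granted = set(payload.get("roles", []))
    return {"aud": payload.get("aud"),
            "missing": sorted(required - granted),
            "extra": sorted(granted - required)}

def make_sample_token(roles, aud="https://graph.microsoft.com"):
    """Constructed, unsigned JWT for offline testing only (not a real token)."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    header = enc(b'{"alg":"none","typ":"JWT"}')
    body = enc(json.dumps({"aud": aud, "roles": roles}).encode())
    return f"{header}.{body}."

if __name__ == "__main__":
    url, body = token_request("contoso.onmicrosoft.com", "CLIENT_ID_PLACEHOLDER",
                              "CLIENT_SECRET_PLACEHOLDER")
    sample = make_sample_token(["Directory.ReadWrite.All", "User.Read.All"])
    print(url, body, check_token_roles(sample), sep="\n")
```

A non-empty "missing" list means admin consent for one of the required Graph application permissions has not been granted; a non-empty "extra" list is worth reviewing against least privilege.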

Post Configuration

There are no post-configuration steps associated with a Microsoft Entra ID (formerly Azure Active Directory) target.