Integrate with Microsoft Entra ID (formerly Azure Active Directory)
Prerequisites
Before you install and configure a Microsoft Entra ID orchestrated system, you should consider the following prerequisites and tasks.
Certified Components
The Microsoft Entra ID system can be any one of the following:
Table - Certified Components
Component Type | Component |
---|---|
System |
|
System API Version |
|
Supported Modes
Microsoft Entra ID orchestrated system supports the following modes:
- Authoritative Source
- Managed System
Supported Operations
- Create user
- Delete user
- Reset Password
- Assign Roles to a user
- Revoke Roles from a user
- Assign Licences to a user
- Remove Licences from a user
- Assign SecurityGroup to a user
- Remove SecurityGroup from a user
- Assign OfficeGroup to a user
- Remove OfficeGroup from a user
Default Supported Attributes
- Data being ingested by Oracle Access Governance from Microsoft Entra ID:
User.givenName
will map toIdentity.firstName
- Data being provisioned into Microsoft Entra ID from Oracle Access Governance:
account.lastName
will map toUser.surname
Table - Default Attributes - Authoritative Source
Microsoft Entra ID/Microsoft Entra ID B2C-Enabled Tenant Entity | Attribute Name On Managed System | Oracle Access Governance Identity Attribute Name | Oracle Access Governance Identity Attribute Display Name |
---|---|---|---|
User | id | uid | Unique Id |
mailNickname | name | Employee user name | |
userPrincipalName | |||
givenName | firstName | First name | |
surname | lastName | Last name | |
displayName | displayName | Name | |
usageLocation | usageLocation | Locality name | |
manager | managerLogin | Manager | |
preferredLanguage | preferredLanguage | Preferred language | |
accountEnabled | status | Status | |
Additional Attributes for B2C-enabled Tenant | identities | identities.issuerAssignedId | identities |
identities | identities.signInType | Sign in type | |
identities | identities.issuer | Issuer | |
passwordPolicies | passwordPolicy | Password policy |
Table - Default Attributes - Managed System
Microsoft Entra ID/Microsoft Entra ID B2C-Enabled Tenant Entity | Attribute Name On Managed System | Oracle Access Governance Account Attribute Name | Oracle Access Governance Account Attribute Display Name |
---|---|---|---|
User | id | uid | Unique Id |
userPrincipalName | name | User login | |
givenName | firstName | First name | |
surname | lastName | Last name | |
displayName | displayName | Name | |
mailNickname | mailNickname | Mail nick name | |
usageLocation | usageLocation | Usage location | |
city | city | City | |
country | country | Country | |
manager | managerLogin | Manager | |
passwordProfile.forceChangePasswordNextSignIn | forceChangePasswordNextSignIn | Change password on next logon | |
preferredLanguage | preferredLanguage | Preferred language | |
userType | userType | Employee type | |
accountEnabled | status | Status | |
password | password | Password | |
Additional Attributes for B2C-enabled Tenant | |||
identities.issuerAssignedId | issuerAssignedId | Issuer assigned id | |
identities.signInType | signInType | Signin type | |
identities.issuer | issuer | Issuer | |
passwordPolicies | passwordPolicy | Password Policy | |
Licenses | licenses as entitlement |
Microsoft Enterprise Application Configuration and Settings
- Create and register an enterprise application that you want to integrate with Oracle Access Governance. For more information, refer Microsoft documentation.
- Generate a client secret for the application
- Grant the following delegated and application permissions for
the Microsoft Graph API:
Delegated Permission
- Directory.ReadWrite.All
- Group.ReadWrite.All
- GroupMember.ReadWrite.All
- User.Read
- User.ReadWrite
Application Permission
- Directory.ReadWrite.All
- Group.ReadWrite.All
- GroupMember.ReadWrite.All
- User.ReadWrite.All
- RoleManagement.ReadWrite.Directory
- Click the Grant Admin Consent button to provide directory-wide full permissions to perform the related API tasks for an integrated system
For more information, refer to the Microsoft documentation.
Default Matching Rules
In order to map accounts to identities in Oracle Access Governance you need to have a matching rule for each orchestrated system.The default matching rule for the Microsoft Entra ID orchestrated system is:
Table - Default Matching Rules
Mode | Default Matching Rule |
---|---|
Authoritative Source
Identity matching checks if incoming identities match an existing identity or are new. |
For Microsoft Entra ID/For Microsoft Entra ID B2C-Enabled Tenant: Screen value:
Attribute name:
|
Managed System Account matching checks if incoming accounts match with existing identities. |
For Microsoft Entra ID: Screen value:
Attribute name:
For Microsoft Entra ID B2C-Enabled Tenant: Screen value:
Attribute name:
|
Configure
You can establish a connection between Microsoft Entra ID (formerly Azure Active Directory) and Oracle Access Governance by entering connection details. To achieve this, use the orchestrated systems functionality available in the Oracle Access Governance Console.
Navigate to the Orchestrated Systems Page
- From the Oracle Access Governance navigation menu icon
, select Service Administration → Orchestrated Systems.
- Click the Add an orchestrated system button to start the workflow.
Select system
On the Select system step of the workflow, you can specify which type of system you would like to onboard. You can search for the required system by name using the Search field.
- Select Microsoft Entra ID.
- Click Next.
Enter details
- Enter a name for the system you want to connect to in the Name field.
- Enter a description for the system in the Description field.
- Determine if this orchestrated system is an authoritative source, and if Oracle Access Governance can manage permissions by setting the following checkboxes.
- This is the authoritative source for my identities
- I want to manage permissions for this system
- Click Next.
Note:
The Microsoft Entra ID orchestrated system allows you to manage groups in Microsoft Entra ID using the I want to manage identity collections for this orchestrated system option. If selected, this checkbox allows you to manage Microsoft Entra ID groups from within Oracle Access Governance. Any changes made to Microsoft Entra ID groups will be reconciled between Oracle Access Governance and the orchestrated system. Similarly, any changes made in Microsoft Entra ID, will be reflected in Oracle Access GovernanceAdd Owners
Note:
When setting up the first Orchestrated System for your service instance, you can assign owners only after you enable the identities from the Manage Identities section.- Select an Oracle Access Governance active user as the primary owner in the Who is the primary owner? field.
- Select one or more additional owners in the Who else owns it? list. You can add up to 20 additional owners for the resource.
Account settings
- Select to allow Oracle Access Governance to create new accounts when a permission is requested, if the account does not already exist. By default this option is selected meaning that an account will be created if it does not exist, when a permission is requested. If the option is unselected then permissions can only be provisioned where the account already exists in the orchestrated system. If permission is requested where no user exists then the provisioning operation will fail.
-
Select where and who to send notification emails when an account is created. The default setting is User. You can select one, both, or none of these options. If you select no options then notifications will not be sent when an account is created.
- User
- User manager
- When an identity leaves your enterprise you should remove access to
their accounts. You can select what to do with the account when this happens.
Select one of the following options:
- Delete
- Disable
- No action
Note:
The options above are only displayed if supported in the orchestrated system type being configured. For example, if Delete is not supported, then you will only see the Disable and No action options. - When all permissions for an account are removed, for example when
moving from one department to another, you may need to adjust what accounts the
identity has access to. You can select what to do with the account when this
happens. Select one of the following options:
- Delete
- Disable
- No action
Note:
The options above are only displayed if supported in the orchestrated system type being configured. For example, if Delete is not supported, then you will only see the Disable and No action options. - If you want Oracle Access Governance to manage accounts created directly in the orchestrated system you can select the Manage accounts that are not created by Access Governance option. This will reconcile accounts created in the managed system and will allow you to manage them from Oracle Access Governance.
Note:
If you do not configure your system as a managed system then this step in the workflow will display but is not enabled. In this case you proceed directly to the Integration settings step of the workflow.Note:
If your orchestrated system requires dynamic schema discovery, as with the Generic REST and Database Application Tables integrations, then only the notification email destination can be set (User, Usermanager) when creating the orchestrated system. You cannot set the disable/delete rules for movers and leavers. To do this you need to create the orchestrated system, and then update the account settings as described in Configure Orchestrated System Account Settings.Integration Settings
On the Integration Settings step of the workflow, enter the configuration details required to allow Oracle Access Governance to connect to Microsoft Entra ID.
- In the Host field, enter the host name of the machine hosting your Managed System. For example, for the Microsoft Graph API, you may enter graph.microsoft.com
- In the Port field, enter the port number at which the system will be accessible. By default, Microsoft Entra ID uses port 443.
- Enter the URL of the authentication server that validates the
client ID and client secret for your Managed System in the Authentication Server Url field. For example, to authenticate
the application using the OAuth 2.0 API, enter in the following syntax
To know how to fetch your Primary domain or tenant ID, refer Microsoft documentation.https://login.microsoftonline.com/<Primary Domain or Directory(tenant ID)>/oauth2/v2.0/token
- Enter the client identifier (a unique string) issued by the authorization server to your client system during the registration process, into the Client ID field. The client ID, also known as Application ID, is obtained when registering an application in Microsoft Entra ID. This value identifies your application in the Microsoft identity platform. For more details refer to Microsoft documentation.
- In the Client secret field, enter the secret ID value to
authenticate the identity of your system. You need to create a new client secret
for your system and enter the value in this field. Only use this value when you
are not using private key for authentication.
Note:
You must note or copy this client secret value, as you won't be able access or view it once you leave the page. - Enter PEM private key into the Private key field, only when
you are not using Client secret for authentication.
For test purposes only, you can generate a self-signed certificate using the following steps:
- Create an encrypted private key which you will load into the
Entra ID
instance.
openssl req -x509 -newkey rsa:2048 -keyout encrypted_key.pem -out cert.cer -sha256 -days 365
- Decrypt the private key to create a .pem (decrypted_key.pem
in the example) file which you can enter as the value for the Private
key when configuring Oracle Access Governance.
openssl rsa -in encrypted_key.pem -out decrypted_key.pem
- Optionally, if your private key is in PKCS1 format, convert
the decrypted key for PKCS8 format which is supported in Oracle Access Governance.
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in decrypted_key.pem -out pkcs8.key
- Create an encrypted private key which you will load into the
Entra ID
instance.
- Enter the value for the certificate fingerprint (X509) in the
Certificate fingerprint, only when you are not using Client secret
for authentication. .
To obtain the certificate fingerprint use the following steps:
- Convert the hex value of the certificate thumbprint to
binary.
echo -n "***353DB6DF03567473E299DB5E7F4C***" | xxd -r -p > thumbprint.bin
- Convert the binary thumbprint to base64 which can be used in
the Certificate fingerprint
field.
openssl base64 -in thumbprint.bin -out thumbprint_base64.txt
- Convert the hex value of the certificate thumbprint to
binary.
- Click the Is this B2C tenant enabled environment? check box to indicate it's a Microsoft Entra ID B2C enabled tenant.
- In What is the request timeout? field, enter the maximum amount of time to wait for a server to respond to a request.
- Click Add to create the orchestrated system.
Finish up
- Customize before enabling the system for data loads
- Activate and prepare the data load with the provided defaults
For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.
Access to Oracle Support
Oracle customers that have purchased support have access to electronic support through My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.