Integrate with Microsoft Entra ID (formerly Azure Active Directory)

Prerequisites

Before you install and configure a Microsoft Entra ID orchestrated system, you should consider the following prerequisites and tasks.

Certified Components

The Microsoft Entra ID system can be any one of the following:

Table - Certified Components

Component Type     | Component
System             | Microsoft Entra ID
System API Version | • Microsoft Entra ID
                   | • Microsoft Graph API v1.0
                   | • Microsoft Authentication API version v2.0 (OAuth 2.0)

Supported Modes

The Microsoft Entra ID orchestrated system supports the following modes:

  • Authoritative Source
  • Managed System

Supported Operations

The Microsoft Entra ID orchestrated system supports the following operations on Microsoft Entra ID:
  • Create user
  • Delete user
  • Reset password
  • Assign roles to a user
  • Revoke roles from a user
  • Assign licences to a user
  • Remove licences from a user
  • Assign SecurityGroup to a user
  • Remove SecurityGroup from a user
  • Assign OfficeGroup to a user
  • Remove OfficeGroup from a user

Default Supported Attributes

The Microsoft Entra ID orchestrated system supports the following default attributes. These attributes are mapped depending on the direction of the connection, for example:
  • Data being ingested by Oracle Access Governance from Microsoft Entra ID: User.givenName will map to Identity.firstName
  • Data being provisioned into Microsoft Entra ID from Oracle Access Governance: account.lastName will map to User.surname

Table - Default Attributes - Authoritative Source

Microsoft Entra ID Entity | Attribute Name On Managed System | Oracle Access Governance Identity Attribute Name | Oracle Access Governance Identity Attribute Display Name
User | id                | uid               | Unique Id
User | mailNickname      | name              | Employee user name
User | userPrincipalName | email             | Email
User | givenName         | firstName         | First name
User | surname           | lastName          | Last name
User | displayName       | displayName       | Name
User | usageLocation     | usageLocation     | Locality name
User | manager           | managerLogin      | Manager
User | preferredLanguage | preferredLanguage | Preferred language
User | accountEnabled    | status            | Status

Table - Default Attributes - Managed System

Microsoft Entra ID Entity | Attribute Name On Managed System | Oracle Access Governance Account Attribute Name | Oracle Access Governance Account Attribute Display Name
User | id                                            | uid                           | Unique Id
User | userPrincipalName                             | name                          | User login
User | givenName                                     | firstName                     | First name
User | surname                                       | lastName                      | Last name
User | displayName                                   | displayName                   | Name
User | mailNickname                                  | mailNickname                  | Mail nick name
User | usageLocation                                 | usageLocation                 | Usage location
User | city                                          | city                          | City
User | country                                       | country                       | Country
User | manager                                       | managerLogin                  | Manager
User | passwordProfile.forceChangePasswordNextSignIn | forceChangePasswordNextSignIn | Change password on next logon
User | preferredLanguage                             | preferredLanguage             | Preferred language
User | userType                                      | userType                      | Employee type
User | accountEnabled                                | status                        | Status
User | password                                      | password                      | Password

Microsoft Enterprise Application Configuration and Settings

Before you can establish a connection, you need to perform the following tasks in your Microsoft Entra ID Admin Center for the Enterprise application:
  1. Create and register an enterprise application that you want to integrate with Oracle Access Governance. For more information, refer to the Microsoft documentation.
  2. Generate a client secret for the application.
  3. Grant the following delegated and application permissions for the Microsoft Graph API:

    Delegated Permission

    • Directory.ReadWrite.All
    • Group.ReadWrite.All
    • GroupMember.ReadWrite.All
    • User.Read
    • User.ReadWrite

    Application Permission

    • Directory.ReadWrite.All
    • Group.ReadWrite.All
    • GroupMember.ReadWrite.All
    • User.ReadWrite.All
    • RoleManagement.ReadWrite.Directory
  4. Click the Grant Admin Consent button to grant these permissions directory-wide, so that the integrated system can perform the related API tasks.

For more information, refer to the Microsoft documentation.

Configure

You can establish a connection between Microsoft Entra ID (formerly Azure Active Directory) and Oracle Access Governance by entering connection details. To achieve this, use the orchestrated systems functionality available in the Oracle Access Governance Console.

Navigate to the Orchestrated Systems Page

Navigate to the Orchestrated Systems page of the Oracle Access Governance Console, by following these steps:
  1. From the Oracle Access Governance navigation menu icon Navigation menu, select Service Administration → Orchestrated Systems.
  2. Click the Add an orchestrated system button to start the workflow.

Select system

On the Select system step of the workflow, you can specify which type of system you would like to onboard. You can search for the required system by name using the Search field.

  1. Select Microsoft Entra ID.
  2. Click Next.

Enter details

On the Enter Details step of the workflow, enter the details for the orchestrated system:

  1. Enter a name for the system you want to connect to in the What do you want to call this system? field.
  2. Enter a description for the application in the How do you want to describe this system? field.
  3. Determine if this orchestrated system is an authoritative source, and if Oracle Access Governance can manage permissions for existing users by setting the following checkboxes.
    • This is the authoritative source for my identities
    • I want to manage permissions for this system
    By default, both checkboxes are selected.
  4. Click Next.

Configure

On the Configure step of the workflow, enter the configuration details required to allow Oracle Access Governance to connect to Microsoft Entra ID.

  1. In the Host field, enter the host name of the machine hosting your Managed System. For example, for the Microsoft Graph API, you may enter graph.microsoft.com
  2. In the Port field, enter the port number at which the system will be accessible. By default, Microsoft Entra ID uses port 443.
  3. Enter the URL of the authentication server that validates the client ID and client secret for your Managed System in the Authentication Server Url field. For example, to authenticate the application using the OAuth 2.0 API, enter a URL with the following syntax:
    https://login.microsoftonline.com/<Primary Domain or Directory(tenant ID)>/oauth2/v2.0/token
    To find your primary domain or tenant ID, refer to the Microsoft documentation.
  4. Enter the client identifier (a unique string) issued by the authorization server to your client system during the registration process into the Client ID field. The client ID, also known as the Application ID, is obtained when registering an application in Microsoft Entra ID. This value identifies your application in the Microsoft identity platform. For more details, refer to the Microsoft documentation.
  5. In the Client secret field, enter the client secret value to authenticate the identity of your system. You need to create a new client secret for your system and enter its value in this field. Only use this value when you are not using a private key for authentication.

    Note:

    You must note or copy this client secret value, as you won't be able to access or view it once you leave the page.
    For more details, refer to the Microsoft documentation.
  6. Enter the PEM-encoded private key into the Private key field, only when you are not using a client secret for authentication.

    For test purposes only, you can generate a self-signed certificate using the following steps:

    1. Create an encrypted private key together with a self-signed certificate (cert.cer). The certificate is what you upload to the application registration in Entra ID; the private key stays with Oracle Access Governance.
      openssl req -x509 -newkey rsa:2048 -keyout encrypted_key.pem -out cert.cer -sha256 -days 365
    2. Decrypt the private key to create a .pem (decrypted_key.pem in the example) file which you can enter as the value for the Private key when configuring Oracle Access Governance.
      openssl rsa -in encrypted_key.pem -out decrypted_key.pem
    3. Optionally, if your private key is in PKCS#1 format, convert the decrypted key to PKCS#8 format, which is the format supported by Oracle Access Governance.
      openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in decrypted_key.pem -out pkcs8.key
  7. Enter the value for the certificate fingerprint (X509) in the Certificate fingerprint field, only when you are not using a client secret for authentication.

    To obtain the certificate fingerprint use the following steps:

    1. Convert the hex value of the certificate thumbprint (as shown for the uploaded certificate in the Entra ID app registration; the value below is a placeholder) to binary.
      echo -n "***353DB6DF03567473E299DB5E7F4C***" | xxd -r -p > thumbprint.bin
    2. Convert the binary thumbprint to base64 which can be used in the Certificate fingerprint field.
      openssl base64 -in thumbprint.bin -out thumbprint_base64.txt
  8. Click Add to create the orchestrated system.
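The following script is an added example, not part of the Oracle Access Governance or Microsoft documentation. It runs the private key procedure from step 6 and the fingerprint procedure from step 7 end to end without prompts, and cross-checks the resulting Certificate fingerprint value against a direct SHA-1 of the DER certificate. It assumes only that openssl is on PATH; the passphrase, certificate subject and file names are constructed for the demo, and xxd is replaced by printf octal escapes so the hex-to-binary step also works where xxd is not installed.

```shell
#!/bin/sh
# Added example (not from the Oracle Access Governance or Microsoft documentation):
# runs the key-preparation and fingerprint steps above end to end, non-interactively,
# and checks the results. Assumes only that openssl is on PATH; the passphrase, the
# certificate subject and the file names are constructed for this demo.
set -eu

# Steps 1-3 of the private key procedure: a passphrase-protected key plus a
# self-signed certificate, a decrypted copy of the key, then the PKCS#8 form that
# goes into the Private key field. Prints the path of the PKCS#8 key.
make_test_keypair() {
  dir="$1"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 \
    -subj "/CN=oag-entra-test" -passout pass:demo-passphrase \
    -keyout "$dir/encrypted_key.pem" -out "$dir/cert.cer" >/dev/null 2>&1
  openssl rsa -in "$dir/encrypted_key.pem" -passin pass:demo-passphrase \
    -out "$dir/decrypted_key.pem" >/dev/null 2>&1
  openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt \
    -in "$dir/decrypted_key.pem" -out "$dir/pkcs8.key"
  echo "$dir/pkcs8.key"
}

# First line of a PEM file. A PKCS#8 key starts with "-----BEGIN PRIVATE KEY-----";
# a PKCS#1 key starts with "-----BEGIN RSA PRIVATE KEY-----" and needs step 3.
pem_header() {
  head -n 1 "$1"
}

# The thumbprint Entra ID displays for an uploaded certificate is the SHA-1 hash of
# the DER-encoded certificate, in uppercase hex. Computing it locally from cert.cer
# keeps the demo offline; in practice you copy it from the app registration.
cert_thumbprint_hex() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2 | tr -d ':' | tr 'a-f' 'A-F'
}

# Steps 1-2 of the fingerprint procedure (hex -> binary -> base64), written with
# printf octal escapes instead of xxd so it also runs where xxd is not installed.
hex_to_base64() {
  hex="$1"
  escapes=""
  while [ -n "$hex" ]; do
    pair=$(printf '%s' "$hex" | cut -c1-2)
    hex=$(printf '%s' "$hex" | cut -c3-)
    escapes="$escapes\\$(printf '%03o' "0x$pair")"
  done
  printf "$escapes" | openssl base64 | tr -d '\n'
}

# Cross-check: hash the DER certificate directly and base64 the raw digest. This must
# equal hex_to_base64 of the displayed thumbprint, which confirms the field value.
fingerprint_b64_direct() {
  openssl x509 -in "$1" -outform DER | openssl dgst -sha1 -binary | openssl base64 | tr -d '\n'
}

WORKDIR=$(mktemp -d)
KEY=$(make_test_keypair "$WORKDIR")
HEX=$(cert_thumbprint_hex "$WORKDIR/cert.cer")
echo "Private key field      : $KEY ($(pem_header "$KEY"))"
echo "Thumbprint (hex)       : $HEX"
echo "Certificate fingerprint: $(hex_to_base64 "$HEX")"
```

The generated files stay in the temporary directory printed in the first line, so you can paste pkcs8.key into the Private key field and upload cert.cer to the app registration when trying this against a test tenant. Only the certificate ever leaves the machine; the base64 fingerprint is derived from the certificate alone, so it contains nothing secret.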

Finish up

Finally, you are given a choice whether to further configure your orchestrated system before running a data load, or accept the default configuration and initiate a data load. Select one from:
  • Customize before enabling the system for data loads
  • Activate and prepare the data load with the provided defaults

Post Configuration

There are no post-installation steps associated with a Microsoft Entra ID system.