Azure Active Directory
Microsoft has recently renamed its "Azure Active Directory" (also called "Azure AD" or "AAD") to "Microsoft Entra ID". This is not to be confused with "Windows Server Active Directory," which will remain the same.
Microsoft Entra ID is an Identity and Access Management cloud solution that extends your on-premises directories to the cloud and provides single sign-on to thousands of cloud (SaaS) apps and access to web apps you run on-premises.
OvalEdge uses a Client ID, Client Secret, and Tenant ID to connect to the data source and fetch user details.
Important: This document focuses on specific information relevant to this particular connector. Details about Establishing Connections, Connector Parameters, and Connector Settings will be found in the "Generic Features of Connectors" document.
Connector Characteristics
Connector Category: Integration System
Connectivity: Client ID, Client Secret, and Tenant ID
Connector Version [OvalEdge Connector Version Information]: 7.0
Microsoft Entra ID Source Versions Supported [Data Source Version from which OvalEdge started providing support]: V2.0 Azure AD
OvalEdge Releases Supported (Available from) [OvalEdge Release Version in which the connector was included in the OvalEdge Application]: 5.0 Onwards
Supported Features
Crawling of Metadata Objects: Not Applicable
Metadata Source: Not Applicable
Supported Data Types: Not Applicable
Profiling: Not Applicable
Data Preview: Not Supported
Data Quality Module (More info: Data Quality): Not Supported
DAM (Data Access Management) Support (More info: RDAM): Supported
Bridge Support: Supported
[The Bridge component is used as a tunnel to transfer data from the client-hosted cloud or client on-premises data center. The handshake between the Bridge Server and the client is established with a Security Tool Kit; these differ from client to client and are generated based on the IP address, DNS, etc.]
Crawl of Usage Statistics (Source System): Not Supported
[This involves systematically collecting, analyzing, and reporting on data related to user activities, including details on which users are accessing the system, their actions, and the frequency of their access.]
Certifications at Source (Source System): Not Supported
[This refers to endorsing metadata objects applied within the source system. These certifications are then fetched and displayed in OvalEdge, enabling more in-depth analysis.]
Prerequisites
The following are the prerequisites required for establishing a connection:
Connectivity Details
API: https://login.microsoftonline.com/%s/oauth2/v2.0/token (the %s placeholder is replaced by the Tenant ID)
Version: V2.0
Details: For authentication
Service Account with Minimum Permissions
To use the Microsoft Entra ID connector, the account needs to have the following administrator permissions:
Connection Validation: READ
Crawling: Not supported
Profiling: Not supported
Configure Environment Variables (Optional)
This section describes the settings or instructions you should know before establishing a connection. If your environment has already been configured, skip this step.
For more information, refer to the "Generic Features of Connectors" document.
Establish Connection
In the OvalEdge application, the Microsoft Entra ID connector allows you to crawl the data objects using Credential Manager Authentication.
The "Generic Features of Connectors" document covers general settings and parameters common to most OvalEdge connectors. Here, we'll focus on the specific details required to configure the Microsoft Entra ID Connector.
Microsoft Entra ID-Specific Parameters
Tenant ID*: The Tenant ID is a unique identifier for an Azure AD tenant. A tenant represents an organization within Azure AD and contains users, groups, applications, and other directory objects. Enter the Azure AD Tenant ID.
Example: 72f988bf-86f1-41af-91XX-2d7cdXXXXXX47
Client ID*: The Client ID, or Application ID, is a unique identifier assigned to an application when it is registered in Azure AD. Enter the Azure AD Client ID.
Example: e7f3a942-5e57-4e09-bc39-2c0a2fXXXXX7
Client Secret*: The Client Secret is a password-like secret string that an application uses to prove its identity when requesting tokens from Azure AD. It is generated during the application registration process. Enter the Client Secret associated with the Azure AD application.
Example: P@ssw0rd12345XXXX90abcdefghijklmnopqrstXXXXX
Important: * (asterisk) indicates a mandatory field for creating a connection.
After entering the required parameters, you can either save the connection details first or validate the connection and then save it.
Errors & Resolution
You may encounter the following errors if the correct parameters are not provided while establishing the connection. Below are the most common error messages and their resolutions for your reference.
If you continue to experience issues with establishing the connection, please contact your assigned OvalEdge Customer Success Management (CSM) team.
1. Error Message: Failed to establish a connection. Please check the credentials.
   Error Description: Invalid credentials were provided, or the user or role does not have access.
   Resolution:
   Verify the credentials (Tenant ID, Client ID, and Client Secret) provided for authentication.
   Check that the credentials are correctly configured in your application.
2. Error Message: Application with identifier '{client_id}' was not found in the directory '{tenant_id}'
   Error Description: The Client ID or Tenant ID is incorrect, or the application has not been registered in the specified Azure AD tenant.
   Resolution:
   Verify the Client ID and Tenant ID in your application's configuration.
   Ensure the application is registered in the Azure AD tenant specified by the Tenant ID.
   Check the Azure portal under "Azure Active Directory" > "App registrations" to confirm the application exists.
3. Error Message: An invalid client secret is provided.
   Error Description: The Client Secret provided is incorrect or has expired.
   Resolution:
   Recheck the Client Secret in your configuration.
   If the Client Secret has expired, generate a new one in the Azure portal under "Certificates & secrets" for your registered application.
   Ensure the new Client Secret is correctly updated in your application's configuration.
4. Error Message: The reply URL specified in the request does not match the reply URLs configured for the application.
   Error Description: The Redirect URI (Reply URL) configured in your application does not match any Redirect URIs registered in Azure AD.
   Resolution:
   Verify the Redirect URI in your application's configuration.
   Update the Redirect URI in the Azure portal under "Azure Active Directory" > "App registrations" > your application > "Authentication" to include the correct URI.
5. Error Message: The user or administrator has not consented to use the application with ID '{client_id}' named '{app_name}'. Send an interactive authorization request for this user and resource.
   Error Description: The user or an admin has not granted the required permissions to the application.
   Resolution:
   Ensure that the necessary permissions are listed under "API permissions" for your application in the Azure portal.
   If admin consent is required, an admin needs to grant permission.
   Note: {tenant_id} and {client_id} in the messages above stand for your specific values.
6. Error Message: User account '{email}' from identity provider does not exist in tenant '{tenant_name}' and cannot access the application '{client_id}' in that tenant. The account needs to be added as an external user in the tenant first.
   Error Description: The user attempting to sign in does not belong to the specified Azure AD tenant.
   Resolution:
   Ensure the user is added as a guest user in the Azure AD tenant.
   In the Azure portal, go to "Azure Active Directory" > "Users" > "New guest user" and invite the user by email.
Connector Settings
After successfully validating the connection, you can access various settings to retrieve specific information from the data source.
Connector settings are not applicable for the Microsoft Entra ID connector.
Limitations
1. The connector does not return custom attributes of Microsoft Entra ID entities.
2. The connector does not support mail-enabled security groups.
3. Microsoft Entra ID groups with the attribute "isAssignableToRole" are not currently supported.
4. If you have deployed Azure Conditional Access (Microsoft Entra ID MFA), the connector will not work as expected.
FAQs
What is Microsoft Entra ID (Azure AD)?
Answer: Microsoft Entra ID, formerly Azure Active Directory (Azure AD), is Microsoft’s cloud-based identity and access management service. It helps employees sign in and access resources like Microsoft 365, the Azure portal, and thousands of other SaaS applications.
What are the prerequisites for connecting to Azure AD?
Answer: To connect to Azure AD, you need a Microsoft 365 or Azure subscription, an Azure AD tenant, and administrative privileges to register applications and configure permissions.
How do I register an application in Azure AD?
Answer: In the Azure portal, navigate to "Azure Active Directory" > "App registrations" > "New registration." Enter the application name, redirect URI, and other details, then save the registration.
How do I find my Tenant ID?
Answer: In the Azure portal, navigate to "Azure Active Directory." The Tenant ID is displayed under "Overview" as the "Directory (tenant) ID."
How do I generate a Client Secret?
Answer: In the Azure portal, go to "Azure Active Directory" > "App registrations" > your application > "Certificates & secrets." Click "New client secret" to generate a new secret.
How do I grant admin consent for my application?
Answer: In the Azure portal, navigate to "Azure Active Directory" > "App registrations" > your application > "API permissions." Click "Grant admin consent for {tenant name}".
What should I do if I encounter a 403 Forbidden error?
Answer: A 403 Forbidden error typically indicates insufficient permissions. Verify that your application has the necessary permissions and that admin consent has been granted.
How do I handle token expiration and refresh tokens?
Answer: Implement token refresh logic in your application. When the current access token expires, use the refresh token provided by Azure AD to request a new one.
What are the rate limits for Azure AD?
Answer: Azure AD imposes rate limits to prevent abuse. Specific limits can vary, but common limits include 12,000 requests per 10 seconds per app per tenant. Design your application to handle rate-limit responses gracefully.
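The following added example (not OvalEdge's code or Microsoft's library) ties together the connection parameters and token endpoint from the Establish Connection section with the two answers above on token expiration and rate limits: it checks that the Tenant ID and Client ID are GUIDs before any request, builds the client credentials token request against the documented endpoint, caches the access token and renews it shortly before expiry, and surfaces 429 and authentication errors as distinct exceptions. The scope value and the injected fetch callable (which returns the HTTP status and parsed JSON body) are assumptions; the JWT helper builds unsigned sample tokens so the code runs offline.

```python
import base64
import json
import re
import time

# Token endpoint from the connector docs; %s is replaced by the Tenant ID.
TOKEN_URL = "https://login.microsoftonline.com/%s/oauth2/v2.0/token"
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def build_token_request(tenant_id, client_id, client_secret, scope="https://graph.microsoft.com/.default"):
    """Check the IDs look like GUIDs and return (url, form fields); the default scope is an assumption."""
    for name, value in (("Tenant ID", tenant_id), ("Client ID", client_id)):
        if not GUID_RE.match(value):
            raise ValueError("%s is not a GUID: %r" % (name, value))
    if not client_secret:
        raise ValueError("Client Secret is empty")
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": scope}
    return TOKEN_URL % tenant_id, form

def sample_token(claims):
    """Constructed, unsigned JWT ({"alg":"none"}) for offline demonstration only."""
    enc = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc(b'{"alg":"none"}') + "." + enc(json.dumps(claims).encode()) + "."

def jwt_claims(token):
    payload = token.split(".")[1]  # read unverified; the resource API checks the signature
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

class RateLimited(Exception): pass  # HTTP 429 from the token endpoint; args[0] is the Retry-After seconds

class TokenCache:
    """Cache an access token and renew it `skew` seconds before it expires."""
    def __init__(self, fetch, tenant_id, skew=300):
        self.fetch, self.tenant_id, self.skew = fetch, tenant_id, skew
        self.token, self.expires_at = None, 0.0
    def get(self, now=None):
        now = time.time() if now is None else now
        if self.token and now + self.skew < self.expires_at:
            return self.token                       # still valid, no new request
        status, body = self.fetch()                 # fetch() -> (status, body dict; 429 body carries Retry-After)
        if status == 429:
            raise RateLimited(int(body.get("Retry-After", 1)))
        if status != 200:                           # AADSTS error, e.g. an invalid secret
            raise PermissionError(body.get("error_description", "token request failed"))
        claims = jwt_claims(body["access_token"])
        if claims.get("tid") != self.tenant_id:     # token issued for a different tenant
            raise ValueError("token tid %r differs from the configured Tenant ID" % claims.get("tid"))
        self.token, self.expires_at = body["access_token"], now + body["expires_in"]
        return self.token
```

The caller handles RateLimited by waiting the indicated number of seconds before retrying, and treats PermissionError as one of the credential errors listed under Errors & Resolution.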
How do I troubleshoot connection issues?
Answer:
Check Credentials: Verify that Tenant ID, Client ID, and Client Secret are correct.
Review Permissions: Ensure your application has the necessary permissions.
Network Issues: Check network connectivity and firewall settings.
Error Messages: Use detailed error messages provided by Azure AD to identify specific issues.
Can I connect multiple applications to the same Azure AD tenant?
Answer: Yes, you can register multiple applications within the same Azure AD tenant. Each application will have its own Client ID and Client Secret.
What is the difference between single-tenant and multi-tenant applications?
Answer:
Single-Tenant: The application is available only within the specific Azure AD tenant where it was registered.
Multi-Tenant: The application is available to users in any Azure AD tenant.
How do Conditional Access policies affect my application?
Answer: Conditional Access policies can enforce additional requirements like MFA or device compliance. Ensure your application handles these requirements appropriately and that users are aware of them.
What is the purpose of Redirect URIs?
Answer: Redirect URIs specify where Azure AD should send tokens after authentication. They ensure the tokens are sent to the correct location in your application.
How do I secure my Client Secret?
Answer:
Store Client Secrets securely using secret management tools like Azure Key Vault.
Rotate Client Secrets regularly and update your application configuration accordingly.
Can I use Azure AD B2C for consumer-facing applications?
Answer: Azure AD B2C is designed for consumer-facing applications, providing identity and access management for your customers using social or local accounts.