Introduction
This article will lead you through the configuration options that are specific to the Microsoft Azure Active Directory (AD) target system connector.
Establish a new connection
- Select the Admin Consent button.
- On the Pick an account screen, sign in to the Microsoft account you wish to use. The account's domain must match your Azure AD tenant's primary domain, and must be assigned the Privileged role administrator administrative role in Azure.
- On the Permissions requested screen for the HelloID Azure AD target connector, select the Accept button. You should receive the success message "The Admin Consent procedure completed successfully." Close the browser tab to return to HelloID.
- Select the Link Azure AD button.
- On the Pick an account screen, sign in to the Microsoft account you wish to use. This should be the same account you used in step 2.
- On the Permissions requested screen for the HelloID Azure AD target connector, select the Consent on behalf of your organization check box.
- Select the Accept button. You should receive the success message "The Link Tenant procedure completed successfully." Close the browser tab to return to HelloID.
- Select the Target Systems link, and then select the wrench button for this Azure AD system to reload the screen.
- The system's configuration tabs will now be available. Select the Account tab.
- Select the Configure button under the Mapping section.
- Select the User principal name mapping to expand it. Change the definition of the domain variable in the getValue() function to your Azure AD tenant's primary domain. For example, const domain = 'helloidtest1.onmicrosoft.com';
- Select the Map Additional Field drop down. Instead of selecting an existing option, enter userType and select the Add button. Select the userType entry to expand it, and enter Guest for the Fixed value. This makes HelloID Provisioning create Azure AD guest accounts by default.
- Change the default Password mapping if needed.
- Select the Apply button.
- Your target Azure AD system is now created. Follow the instructions below to further configure it as needed.
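The User principal name mapping step above edits a getValue() function whose only tenant-specific part is the domain constant. The following is an added example, not HelloID's own mapping code, of what such a function can do beyond concatenating names: it strips diacritics and any character that is not a letter or digit so that quotes, spaces and separators from the source person record never reach the UPN, validates the domain constant, and appends a numeric suffix on retries, which matters because the Azure AD connector does not run uniqueness checks against external systems. The person field names (GivenName, FamilyName), the iteration parameter and the 64-character limit on the local part are assumptions.

```javascript
// Added example (not HelloID's mapping code): build a deterministic
// userPrincipalName the way the getValue() function on the
// User principal name mapping does. Person field names and the
// iteration parameter are assumptions about the mapping context.

const MAX_LOCAL_PART = 64; // assumed hard cap on the part before '@'

// Strip diacritics and anything outside a-z/0-9 so the local part is
// plain ASCII and cannot carry quotes, spaces or separators into the UPN.
function toUpnToken(value) {
  return String(value || '')
    .normalize('NFD')
    .replace(/[\u0300-\u036f]/g, '')
    .toLowerCase()
    .replace(/[^a-z0-9]/g, '');
}

// Accept only a well-formed DNS name for the tenant domain.
function isValidDomain(domain) {
  return /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/i.test(domain);
}

// iteration: 0 on the first attempt; assumed to be raised by the caller
// when the generated value is already taken, so a numeric suffix is
// appended from the second attempt on.
function buildUserPrincipalName(person, domain, iteration = 0) {
  if (!isValidDomain(domain)) {
    throw new Error(`invalid tenant domain: ${domain}`);
  }
  const given = toUpnToken(person.GivenName);
  const family = toUpnToken(person.FamilyName);
  if (!given || !family) {
    throw new Error('given name and family name are required for the UPN');
  }
  const suffix = iteration > 0 ? String(iteration + 1) : '';
  let local = `${given}.${family}`;
  // Truncate the name part, never the suffix, when the local part is too long.
  local = local.slice(0, MAX_LOCAL_PART - suffix.length) + suffix;
  return `${local}@${domain}`;
}

// Same shape as the mapping script: only the domain constant is tenant-specific.
function getValue(person, iteration = 0) {
  const domain = 'helloidtest1.onmicrosoft.com'; // replace with your tenant's primary domain
  return buildUserPrincipalName(person, domain, iteration);
}

// Constructed sample person for a stand-alone run.
const samplePerson = { GivenName: 'Jürgen', FamilyName: "O'Neil" };
console.log(getValue(samplePerson));    // jurgen.oneil@helloidtest1.onmicrosoft.com
console.log(getValue(samplePerson, 1)); // jurgen.oneil2@helloidtest1.onmicrosoft.com
```

The userType field from the same procedure needs no function at all; a Fixed value of Guest is applied as-is, so the only logic worth owning is the UPN.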
Configure the Microsoft Azure AD target system
On the target systems overview, click the wrench button for the Microsoft Azure Active Directory target that you wish to configure. This will take you to its configuration page.
The following tabs are specific to the Azure AD target connector. Information about tabs that are common among all target systems can be found here.
General
On the General tab, you can establish a connection to your Azure tenant if you have not already done so. See the above section, Establish a new connection.
The other settings on this page include:
- Name: The name of the target system, as displayed throughout the HelloID Provisioning module.
- Description: The description of the target system, as displayed throughout the HelloID Provisioning module.
- Exchange Online Integration: Turn on this toggle to create an Exchange Online mailbox when a new Azure AD account is provisioned. Enter your Exchange Online Username and Password in the respective fields. The mailbox is hidden from the address list when the Azure AD account is disabled, and shown in the address list when the Azure AD account is enabled. Note that licensing must be configured separately, for example by using group memberships.
Account
See the Account tab for the on-premises AD target connector. Azure AD is identical, except it does not support uniqueness checks on external systems.
When mapping users' mailbox names, always use the mailNickname attribute. Do not attempt to use the mail attribute.
Administration
See the Administration tab for the on-premises AD target connector. Azure AD is identical, except it does not have any OU settings due to its flat directory structure.
Correlate
See the Correlate tab for the on-premises AD target connector. Azure AD is identical.
Correlation report
See the Correlation report tab for the on-premises AD target connector. Azure AD is nearly identical. The only difference is that in the Azure AD target system, the Account displayname column concatenates the Person's displayName (first) plus the correlated Azure AD account's UserPrincipalName (second, in parentheses)—rather than the sAMAccountName as with on-premises AD.
Security
The Azure AD target system connector uses the Microsoft Graph API to provision users and group memberships. It connects using Azure's Admin Consent feature, which grants access via an OpenID Connect flow. The application secret and application ID are stored encrypted in HelloID and cannot be seen or retrieved.
By default, HelloID requests the following permissions:
- Read and write all users' full profiles
- Read and write all groups
- Read directory data
If needed, you can change these permissions in the Azure portal. To do so:
- Select the Azure Active Directory button.
- Select the Enterprise applications link.
- Select the HelloID Azure AD target connector link.
- Select the Permissions link.
Note that removing existing permissions may lead to errors in the provisioning process.
All actions performed by HelloID are listed under the Azure enterprise application's Audit logs link.
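Because removing a permission breaks provisioning while adding one over-privileges the application, it is worth checking periodically that the scopes consented to the enterprise application still match the three listed above. The following is an added example, not HelloID's or Microsoft's code, that performs that comparison on grant objects in the shape of the Microsoft Graph oauth2PermissionGrants resource (where scope is a space-separated list and consentType is AllPrincipals for tenant-wide admin consent). The mapping of the three display names to the scope values User.ReadWrite.All, Group.ReadWrite.All and Directory.Read.All is an assumption; the sample grants are constructed.

```javascript
// Added example (not HelloID or Microsoft code): detect drift between the
// permissions the connector expects and the ones actually consented to
// the enterprise application.

// Assumed scope values for the three permissions named in the article.
const EXPECTED_SCOPES = {
  'User.ReadWrite.All': "Read and write all users' full profiles",
  'Group.ReadWrite.All': 'Read and write all groups',
  'Directory.Read.All': 'Read directory data',
};

// Graph returns scope as a single space-separated string.
function parseScopes(scopeString) {
  return new Set(String(scopeString || '').trim().split(/\s+/).filter(Boolean));
}

function checkGrants(grants, expected = EXPECTED_SCOPES) {
  // A tenant may hold several grant objects for one service principal; merge
  // them, but count only tenant-wide admin consent, not per-user grants.
  const granted = new Set();
  for (const g of grants) {
    if (g.consentType !== 'AllPrincipals') continue;
    for (const s of parseScopes(g.scope)) granted.add(s);
  }
  const missing = Object.keys(expected).filter((s) => !granted.has(s));
  const extra = [...granted].filter((s) => !(s in expected));
  return { ok: missing.length === 0 && extra.length === 0, missing, extra };
}

// Constructed sample: Directory.Read.All was removed and a broader scope added.
const sampleGrants = [
  { consentType: 'AllPrincipals', scope: 'User.ReadWrite.All Group.ReadWrite.All Directory.ReadWrite.All' },
  { consentType: 'Principal', scope: 'User.Read' }, // user-level grant, ignored
];
const healthyGrants = [
  { consentType: 'AllPrincipals', scope: 'User.ReadWrite.All Group.ReadWrite.All Directory.Read.All' },
];

console.log(checkGrants(sampleGrants));  // ok: false, missing and extra listed
console.log(checkGrants(healthyGrants)); // ok: true
```

In practice the grants would come from the Azure portal or an authenticated Graph query against the application's service principal; a missing entry explains provisioning errors, and an extra entry is what to raise with whoever changed the permissions.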
Advanced configuration
If you need complex functionality that's not available in the native Azure AD target connector, you can create a custom PowerShell connector to connect to Azure via the Microsoft Graph API. See Create a Microsoft Graph API connector with PowerShell.