Configuration Parameters
This section contains the information that this connector uses to connect and interact with the application. Each application type requires different information to create and maintain a connection.
The Microsoft Entra ID connector uses the following connection parameters:
Note
Attributes marked with an asterisk (*) are mandatory.
Connector Credentials
Authentication method supported by the managed system. Default is OAuth 2.0.
Grant type to be used for the authentication.
SAML Bearer Assertion.
JWT Certificate Credentials.
Client ID of the application created on the Microsoft Entra ID for using Graph REST API.
Client secret of the Microsoft Entra ID application.
Name of the Microsoft Entra ID domain to be managed. For example, contoso.onmicrosoft.com.
When enabled, the connector leverages the Microsoft Entra ID real-time enforcement of Conditional Access location and risk policies along with instant enforcement of token revocation events for an Enterprise Application (Service Principal).
Applicable only if Grant Type is selected as SAML Bearer Assertion
Endpoint URL of authorization server.
Username for authorization.
Password of the user for authorization.
Request body for SAML assertion.
Applicable only if Grant Type is selected as Refresh Token/Auth Code
Enter valid refresh token.
Applicable only if Grant Type is selected as JWT Certificate Credentials
The unique alphanumeric value (thumbprint) of the certificate used to sign the JWT assertion.
Private Key text used for encrypting the JWT assertion.
Password for decrypting private key.
Additional Configuration
Note
- For more information on filters, refer to the Supported query options section of the Azure AD Graph API Concepts document.
- The Azure API does not support advanced query filters (NOT, ENDSWITH, and NE) with the expanded manager attribute in the URL. Remove the manager attribute from the account schema and remove the owners attribute from the groups schema while using the advanced filters.
- When using the advanced filters you must add the supportsAdvancedAccountFilter attribute to the application Debug page. For more information, refer to Additional Configuration Parameters.
Enables Aggregation and Provisioning of Exchange mailbox attributes.
FQDN/IP of the system where IQService is installed.
The TCP/IP port on which IQService is listening for requests.
If you enable Use TLS, configure the corresponding IQService TLS port.
Note
To enable exchange online mailbox management, you must configure the IQService Host and IQService Port parameters.
User registered with IQService for Client Authentication.
Password of registered user for Client Authentication.
Indicates whether this is a TLS communication between IdentityIQ and IQService.
If you enable Use TLS for IQService, the IQService User and IQService Password attributes are mandatory.
Enables aggregation and provisioning of Office 365 groups. This exposes the Enable Microsoft Teams Governance checkbox.
This is only available if Manage Microsoft Office 365 Groups is selected. Select this checkbox to enable aggregation and provisioning of channels.
This field is only available when Enable Microsoft Teams Governance is selected. Enter any filter statements to define the scope for channels. For example, if you want to include both standard channels and private channels, the filter would be membershipType eq 'standard' or membershipType eq 'private'
Enables IdentityIQ notifications within Microsoft Teams. Note that this option must be checked in order for the next fields to appear.
Note
For more information, refer to the IdentityIQ Microsoft Teams Notifications.
The private URL of the Microsoft Teams bot, including the port and endpoint, in the format http://server:port/appidwithnodashes/api/notify
, where appidwithnodashes
is your own application's Microsoft App ID. This ID was also used when you set up the Messaging endpoint in the Azure bot.
In the IdentityIQ Microsoft Teams Notifications guide, note that the step in Creating an Azure Bot for IdentityIQ's Microsoft Teams Notifications that includes this Messaging endpoint references the public server; in this field in IdentityIQ, be sure to use the server and port details for the private server.
The Microsoft Entra ID tenant ID that is used for your Microsoft Teams application.
The client secret you generated when creating the Microsoft Teams application. In the IdentityIQ Microsoft Teams Notifications guide, refer to Creating a Microsoft Teams Application for IdentityIQ in Azure for details.
Enables Privileged Identity Management to manage the lifecycle of role assignments.
Indicates whether application is used to manage B2C tenant.
Enable if the application manages access packages. For more information, refer to Access Package Management.
Enable to manage access packages hidden from end users on the My Access portal. For more information, refer to Access Package Management.
Number of records per page. Default: 500.
Filter that defines the scoping condition for Accounts to be applied during account aggregation to limit the set of data. The Microsoft Entra ID connector supports advanced query filters like endsWith, NOT, and NE during aggregation. For example, (startswith(displayName,'A') and accountEnabled eq true)
Select Advanced User Filter to include advanced filter queries such as endsWith, NOT, and NE during aggregation processes.
Filter that defines the scoping condition for Groups to be applied during account-group aggregation to limit the set of data.
The following is an example for the groupFilters configuration attribute:
<entry key="groupFilters" value="(startswith(displayName,'A') or startswith(displayName,'B'))"/>
Note
For more information on filters, refer to the Supported query options section of the Azure AD Graph API Concepts document.
Note
The Azure API does not support advanced query filters (NOT, ENDSWITH, and NE) with the expanded manager attribute in the URL. Remove the manager attribute from the account schema and remove the owners attribute from the groups schema while using the advanced filters.
Select Advanced Group Filter to include advanced filter queries such as endsWith, NOT, and NE during aggregation processes.
When the entitlement schema "roles" is present in the connector, set the Directory Roles Filter to ensure only specified roles are aggregated during an entitlement aggregation. For example, isBuiltIn eq true. For more information on filtering conditions and values, refer to the Microsoft documentation.
You can also set this attribute using the application Debug page:
<entry key="directoryRolesFilter" value="isBuiltIn eq true"/>
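The account, group and directory role filters above are OData $filter expressions passed to Microsoft Graph. The following added example (not the connector's own code) shows how such a filter expression can be checked for the advanced operators the page names (NOT, endsWith, NE), how the documented conflict with the expanded manager (accounts) and owners (groups) attributes can be caught before a request is sent, and how the resulting query URL is assembled; the function names, the GRAPH_BASE constant and the ConsistencyLevel/$count handling for advanced queries are assumptions taken from Microsoft Graph's own requirements, not from this page.

```python
import re
from urllib.parse import urlencode

# Assumed Graph endpoint; the connector page does not state the base URL.
GRAPH_BASE = "https://graph.microsoft.com/v1.0"

# Operators the page classifies as "advanced" filters. A quoted value that
# happens to contain one of these words would also match; that is acceptable
# for a conservative pre-flight check.
ADVANCED_OPERATOR_RE = re.compile(r"(\bnot\b|\bendswith\s*\(|\bne\b)", re.IGNORECASE)

# Expanded attributes that must not be combined with advanced filters:
# manager on the account (users) schema, owners on the groups schema.
EXPAND_CONFLICTS = {"users": "manager", "groups": "owners"}


def uses_advanced_filter(filter_expr: str) -> bool:
    """Return True when the OData filter uses NOT, endsWith or ne."""
    return bool(ADVANCED_OPERATOR_RE.search(filter_expr))


def build_graph_request(resource: str, filter_expr: str, expand=(), page_size=500):
    """Build (url, headers) for a scoped aggregation query against Graph.

    resource is "users", "groups" or "directoryRoles". Raises ValueError when
    an advanced filter is combined with the expanded attribute the page says
    must be removed from the schema. page_size mirrors the default of 500.
    """
    advanced = uses_advanced_filter(filter_expr)
    conflict = EXPAND_CONFLICTS.get(resource)
    if advanced and conflict in expand:
        raise ValueError(
            f"advanced filter cannot be used with $expand={conflict}; "
            f"remove '{conflict}' from the {resource} schema")
    params = {"$filter": filter_expr, "$top": page_size}
    if expand:
        params["$expand"] = ",".join(expand)
    headers = {}
    if advanced:
        # Microsoft Graph requires these two settings for advanced queries
        # (a Graph requirement, assumed here; the page only mentions the
        # supportsAdvancedAccountFilter application attribute).
        params["$count"] = "true"
        headers["ConsistencyLevel"] = "eventual"
    return f"{GRAPH_BASE}/{resource}?{urlencode(params)}", headers
```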
Applicable only if Manage Exchange Online is selected
UserPrincipalName of the user having the Exchange Administrator role.
Password of the user having the Exchange Administrator role.
Select the Mail Contact Governance checkbox to manage mail contacts as accounts. For more information, refer to Azure Mail Contact Management.
In the Mail Contact Filter field, enter any filter statements used to define the scope of mail contacts for aggregation. For example, startswith(displayName,'MailContact1')
Note
To enable native before/after script execution for provisioning requests, configure IQService Host and IQService Port parameters. For more information on enabling the Client Authentication and TLS communication, see IQService.