Azure Cloud Object Management
Important: If you want to enable additional cloud governance features for your Entra cloud objects (for example, Azure Cloud Object Management covering Management Groups, Subscriptions, Resource Groups and Role Assignments, or Service Principal Account Management), you must have
The Microsoft Entra ID connector provides support for access management of the following Azure Management Objects:
- Management Groups
- Subscriptions
- Resource Groups
- Role Assignment (RBAC role assignments; this is a custom group object)
The newly supported group objects (Azure Management objects) and the operations available for them are:

Operations | Group Objects
---|---
Aggregation | Management Groups, Subscriptions, and Resource Groups
Aggregation and Add / Remove Entitlement | Role Assignment (RBAC role assignments; this is a custom group object)
The following attributes can be configured in the
- API version to be used for the management group API. Type: String. Default value: 2020-02-01
- API version to be used for the subscription API. Type: String. Default value: 2020-01-01
- API version to be used for the resource group API. Type: String. Default value: 2020-06-01
- API version to be used for the role assignments API. Type: String. Default value: 2018-07-01
- Azure management API resource base, for Entra Gov or another private instance. Type: String. Default value: https://management.azure.com
- Specify whether role assignments need to be fetched during the Get Account call. Type: Boolean. Default value: False
Prerequisites
- The Microsoft Entra ID connector supports the following grant types for OAuth2 authentication:
  - Client Credentials
  - Auth Code / Refresh Token
  - Certificate Credentials
- Ensure that the appropriate permissions are granted as described in the Administrator Permissions section below.
- Existing clients must be modified to support management.azure.com as the scope.
Administrator Permissions
Based on the supported operations (Aggregation and Add / Remove Entitlements), the following permissions are required. For each row, either the granular permission or the listed built-in role at the given scope is sufficient:

Permission | Or Role | Scope
---|---|---
Microsoft.Management/managementGroups/read | Reader | Management Group
Microsoft.Authorization/roleAssignments/read | Reader | Management Group / Subscription
Microsoft.Authorization/roleDefinitions/read | Reader | Management Group / Subscription
Microsoft.Authorization/roleAssignments/write | User Access Administrator | Management Group / Subscription
Microsoft.Authorization/roleAssignments/delete | User Access Administrator | Management Group / Subscription
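As an added example (not part of the connector documentation or SailPoint's code), the following Python turns the permission list above into a least-privilege check: given the built-in roles assigned to the connector's identity, it reports which connector operations are covered and which required actions are still missing. The role definitions embedded here are constructed, simplified subsets of the Azure built-in roles (Actions/NotActions only); Contributor is included to show that a broad `*` grant can still be blocked by NotActions.

```python
import fnmatch

# Actions required per connector operation, taken from the Administrator
# Permissions list on this page: aggregation needs only reads; adding or
# removing an entitlement additionally needs roleAssignments write/delete.
REQUIRED_ACTIONS = {
    "aggregation": [
        "Microsoft.Management/managementGroups/read",
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Authorization/roleDefinitions/read",
    ],
    "add_remove_entitlement": [
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete",
    ],
}

# Constructed, simplified built-in role definitions (the real ones carry more
# entries). Contributor has '*' but its NotActions remove role-assignment writes.
ROLE_DEFINITIONS = {
    "Reader": {"actions": ["*/read"], "notActions": []},
    "User Access Administrator": {
        "actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "notActions": [],
    },
    "Contributor": {
        "actions": ["*"],
        "notActions": ["Microsoft.Authorization/*/Delete",
                       "Microsoft.Authorization/*/Write",
                       "Microsoft.Authorization/elevateAccess/Action"],
    },
}

def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC action patterns use '*' as a wildcard; matching is case-insensitive."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def role_permits(role_name: str, action: str) -> bool:
    """An action is effective only if an Actions entry grants it and no NotActions entry removes it."""
    role = ROLE_DEFINITIONS[role_name]
    granted = any(action_matches(p, action) for p in role["actions"])
    denied = any(action_matches(p, action) for p in role["notActions"])
    return granted and not denied

def missing_actions(assigned_roles: list[str], operation: str) -> list[str]:
    """Required actions for `operation` that none of the assigned roles provide."""
    return [a for a in REQUIRED_ACTIONS[operation]
            if not any(role_permits(r, a) for r in assigned_roles)]

def supported_operations(assigned_roles: list[str]) -> dict[str, bool]:
    """Which connector operations the assigned roles are sufficient for."""
    return {op: not missing_actions(assigned_roles, op) for op in REQUIRED_ACTIONS}
```

Running `supported_operations(["Reader"])` shows that Reader alone is enough for aggregation but not for entitlement changes, while `missing_actions(["Contributor"], "add_remove_entitlement")` lists both role-assignment actions despite Contributor's `*` grant.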
API Permissions

OAuth2.0 Authentication | Type | API | Permission
---|---|---|---
Client Credentials | Delegated | Azure Service Management | user_impersonation
Client Credentials | Application | Microsoft Graph | Directory.ReadWrite.All
Refresh Token / AuthCode | Delegated | Azure Service Management | user_impersonation
JWT Certificate Credentials | Delegated | Azure Service Management | user_impersonation
Refer to the following table to learn more about object management when

Object | Identity Governance | Cloud Governance
---|---|---
Account Management | |
User | Yes | Yes
B2B Guest User | Yes | Yes
B2C User | Yes | Yes
Federated User (Synchronized with On-Prem AD) | Yes | Yes
Entitlement Management | |
Groups | Yes | Yes
License Plan (Service Plan) | Yes | Yes
Administrator Roles | Yes | Yes
Service Principal Names | Yes | Yes
Management Groups | No | Yes
Subscriptions | No | Yes
Resource Groups | No | Yes
Role Assignment (RBAC) | No | Yes