OAuth 2.0 Authentication

The Azure Active Directory connector supports OAuth 2.0 authentication with the following grant types:

  • Client Credentials

  • SAML Bearer Assertion

  • Refresh Token/Auth Code

  • JWT Certificate Credentials

Client Credentials

For the default grant type, client credentials-based authentication, the following configurations are required:

  • Obtain Client ID and Client Secret from Azure Active Directory by registering the application.

  • Assign the required Microsoft Graph API permissions to the application. For more information, see Microsoft Graph API.

  • The following permissions do not allow the connector to manage users with administrative roles. To manage users with administrative roles, the application created on Azure must have the User Administrator or Global Administrator role and the Privileged Authentication Administrator role assigned using Windows Azure Active Directory Module for Windows PowerShell.

    Permission               Type         Purpose
    -----------------------  -----------  -----------------------------------------------
    Directory.ReadWrite.All  Application  Read, Update, Delete Group, and Add Membership;
                                          Read, Update, Change Password, and Delete User
    User.Invite.All          Application  Invite B2B Users

SAML Bearer Assertion

The SAML Bearer Assertion grant type involves password-based user authentication against an ADFS environment. The SAML assertion issued by ADFS after authentication is exchanged for an access token from Azure Active Directory.

SAML Bearer Assertion authentication requires the following additional configuration:

  • Azure Active Directory Connect configured with Azure Active Directory along with ADFS.

  • Obtain Client ID and Client Secret from Azure Active Directory by registering the application.

  • Assign the required permissions to the application:

    Permission                  Type       Purpose
    --------------------------  ---------  -----------------------------------------------
    Directory.ReadWrite.All     Delegated  Read, Update, Delete Group, and Add Membership;
                                           Read User and Update User
    User.Invite.All             Delegated  Invite B2B Users
    Directory.AccessAsUser.All  Delegated  Change Password and Delete User

Note
Assign granular application permissions for each operation if you do not want to assign full directory-level permission. For more information, see Required Permissions.

  • The authentication user must be synchronized in Azure Active Directory.

  • To manage users with administrative roles, the application created on Azure must have the User Administrator or Global Administrator role and the Privileged Authentication Administrator role assigned using Windows Azure Active Directory Module for Windows PowerShell.

    Note
    To manage users with administrative roles, assign the Global Administrator role to the authentication user.

  • The ADFS endpoint required to authenticate the user must be enabled.

  • The ADFS service communication certificate must be installed on the IdentityNow machine.

  • The ADFS machine's time zone must be in sync with the Azure time zone, that is, UTC.

Refresh Token/Auth Code or JWT Certificate Credentials

  • Refresh Token/Auth Code: The Refresh Token/Auth Code grant type is a client credentials-based authentication flow. In addition to the client credentials, it uses a refresh token to perform authentication.

  • JWT Certificate Credentials: The JWT Certificate Credentials grant type supports authentication based on a JWT assertion built from the certificate and its private key.

For Refresh Token/Auth Code or JWT Certificate Credentials grant type authentication, the following configurations are required:

  • Obtain Client ID and Client Secret from Azure Active Directory by registering the application.

  • Assign the required Microsoft Graph API permissions to the application. For more information, see Microsoft Graph API.

  • The following permissions do not allow the connector to manage users with administrative roles. To manage users with administrative roles, the application created on Azure must have the User Administrator or Global Administrator role and the Privileged Authentication Administrator role assigned using Windows Azure Active Directory Module for Windows PowerShell.

    Permission                  Type       Purpose
    --------------------------  ---------  -----------------------------------------------
    Directory.ReadWrite.All     Delegated  Read, Update, Delete Group, and Add Membership;
                                           Read User and Update User
    User.Invite.All             Delegated  Invite B2B Users
    Directory.AccessAsUser.All  Delegated  Change Password and Delete User

    Note
    Assign granular application permissions for each operation if you do not want to assign full directory-level permission.

  • (For Refresh Token/Auth Code only) Generate a refresh token. For more information, see Generating a Refresh Token.

  • (For JWT Certificate Credentials only) The certificate (self-signed or CA-signed) must be uploaded. It must be an X.509 certificate, its private key must be encrypted with RSA, and it must be registered in the Azure Active Directory portal. Perform the following steps to register the certificate with the Microsoft identity platform:

    1. Log in to the Azure Portal.

    2. In the Azure app registrations for client application, select the client application.

    3. Select Certificates & secrets.

    4. Select Upload certificate and choose the certificate file to upload.

    5. Select Add.

    6. Obtain values for the following configurations:

      • Private Key: Obtain the private key text file.

      • Private Key Password

      • Certificate: Obtain the text file of the same certificate that was uploaded to the Azure portal.
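The JWT Certificate Credentials grant sends a client assertion that is signed with the private key belonging to the uploaded certificate. As an added example (not SailPoint's or Microsoft's code), the following Go program builds that assertion in the form the Microsoft identity platform certificate-credentials flow expects: an RS256 signature, an x5t header carrying the certificate's base64url SHA-1 thumbprint, and aud set to the tenant's token endpoint. It uses a constructed throwaway key and self-signed certificate in place of the uploaded ones, and the tenant and client ID values are placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// ClientAssertion builds the RS256-signed JWT that the JWT Certificate Credentials grant sends
// as client_assertion. certDER is the X.509 certificate uploaded in the portal; its SHA-1
// thumbprint in the x5t header tells Azure AD which registered certificate to verify against.
func ClientAssertion(key *rsa.PrivateKey, certDER []byte, tenant, clientID string, now time.Time) (string, error) {
	thumb := sha1.Sum(certDER)
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "x5t": b64(thumb[:])})
	jti := make([]byte, 16) // unique per assertion, so a captured JWT cannot be replayed
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	claims, _ := json.Marshal(map[string]interface{}{
		"aud": "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/token", // token endpoint only
		"iss": clientID, "sub": clientID, // both are the application (client) ID
		"jti": fmt.Sprintf("%x", jti),
		"nbf": now.Unix(), "exp": now.Add(5 * time.Minute).Unix(), // short lifetime limits exposure
	})
	input := b64(hdr) + "." + b64(claims)
	digest := sha256.Sum256([]byte(input)) // RS256 is RSASSA-PKCS1-v1_5 over SHA-256
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed throwaway key, standing in for the registered one
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // self-signed stand-in for the uploaded certificate
	tok, err := ClientAssertion(key, der, "TENANT_ID_PLACEHOLDER", "CLIENT_ID_PLACEHOLDER", time.Now())
	fmt.Println(tok, err)
}
```

The assertion goes into the token request as client_assertion with client_assertion_type set to urn:ietf:params:oauth:client-assertion-type:jwt-bearer; Azure AD verifies the signature using the certificate whose thumbprint matches x5t.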