Creating or Editing an Azure Identity Collector

Azure AD Connector Full OAuth 2.0 Support

File Access Manager now offers full support for OAuth 2.0 Authentication for the Azure AD connector. This enhancement replaces the previous Basic Authentication flow, where admins needed to provide user and password credentials, with a more secure and standardized method using OAuth 2.0. The configuration now aligns with other cloud application connectors like OneDrive, ensuring a modern and secure experience.

File Access Manager now offers full support of standard OAuth 2.0 Authentication for the Azure AD connector.

The new authorization sequence will direct the user through a standard Microsoft O365 consent flow, to grant the File Access Manager Azure AD Connector app the privilege to acquire and refresh access tokens.

The new authentication method replaces the previous Basic Authentication flow, that required admins to provide user and password credentials.

This enhancement brings full OAuth support to the Azure AD Identity Collector, instead of the legacy user and password approach.

This means the configuration will resemble other connectors for cloud applications such as OneDrive.

• Configuring the Identity Collector, instead of providing a username and a password, you will click on a link that sends you to a Microsoft login page.
• Enter the relevant user credentials and give your consent for the File Access Manager Azure AD O365 Application to access your directory data.
• You will then copy the resulting Authorization Code to the appropriate field, which will then be used to generate the first access token.
• The access token will be used in all requests to the tenant's Azure AD and will be automatically refreshed when needed.

Configuration

To complete the Azure Identity Collector configuration, follow these steps:

1. In the Identity Collector Configuration Wizard, enter your O365 Domain name, then click on the OAuth User URL link to generate an Authorization Code.

2. You will then be redirected to the Microsoft O365 Login Screen. Log in with the user credentials that should be used by the Identity Collector.

3. You will be prompted to consent to granting access to the File Access Manager Azure Connector. Accept to receive an Authorization Code and continue with generating the Access Token.

4. A final redirect will lead you to the File Access Manager Cloud Application Authorization Service, and will present the received Authorization Code.

5. Copy that code and paste it in the Auth Code field in the Identity Collector Configuration Wizard screen.

6. Select Next and complete the Identity Collector configuration flow.

Once completed, the Azure Identity Collector will be configured using OAuth 2.0, and the access token will be used for future authentication and data synchronization.

Permissions

The File Access Manager Azure AD Connector requires the following permissions:

• Directory.Read.All – this Permission grants read only access to AAD contents (by default, all domain users can read all AAD data).

Azure Active Directory Connectivity Requirements

File Access Manager uses the Microsoft Graph REST API – which works exclusively in HTTPS.

The API base path is https://graph.microsoft.com/v1.0/ where the tenant domain name is the customer assigned domain name on Microsoft cloud. It is usually in the format of domain_name.onmicrosoft.com, but might be changed in your configuration.

The following is a list of resources that are accessed by File Access Manager using the REST graph API include:

• https://graph.windows.net/{tenant_domain_name}/tenantDetails
• https://graph.windows.net/{tenant_domain_name}/users
• https://graph.windows.net/{tenant_domain_name}/users/{user_id}
• https://graph.windows.net/{tenant_domain_name}/groups/{group_id}
• https://graph.windows.net/{tenant_domain_name}/directoryRoles
• https://graph.windows.net/{tenant_domain_name}/directoryRoles/{role_id}

Administrator Consent Requirements

To grant a third-party application (ISV) with the Directory.Read.All permission in Azure, administrator consent is required. This consent can be granted by users with one of the following roles:

• Global Administrator (Company Administrator)
• Cloud Application Administrator
• Application Administrator

Here is how the process works:

During the initial configuration phase (while generating the token for the first time), the service account dedicated to the File Access Manager Azure AD Connector must have one of the above-mentioned roles. After consent is granted, the role can be removed from the user.

The consent flow will appear differently depending on the role of the user trying to grant consent:

• Non-admin User: When a non-admin user tries to access the consent screen, they will be shown an error or denied access, as they do not have permission to grant consent.

• Application Administrator: When an Application Administrator tries to grant consent, they will be asked to consent to the Directory.Read.All permission for the File Access Manager application. This consent grants the application access to read directory data.

• Global Administrator: When a Global Administrator (Company Administrator) tries to give consent, they will see an additional checkbox labeled "Consent on behalf of your organization." If checked, this will grant permission to the application for all users in the organization, ensuring that no other user needs to give explicit consent. However, this checkbox is optional and not required by File Access Manager, as the application only needs to operate on behalf of the consenting user.

Once consent is granted by one of these roles, the File Access Manager Azure AD Connector will be able to authenticate and interact with the directory data as required. The role can be removed after consent has been given, as further actions do not require elevated permissions.

Avoiding the Administrative Roles Grant

To avoid granting an administrative role to the service account during the consent process, even if only temporarily, Azure provides the AdminConsentRequests feature. This feature allows non-admin users to indirectly give consent for applications that require admin consent by requesting approval from an administrator.

This feature can be enabled at the tenant level and allows setting one of the three administrator roles (Global Administrator, Cloud Application Administrator, or Application Administrator) as viewers who can approve consent requests.

The requested is required to provide a justification for granting consent to the application and a request is sent to the administrator listed in the configuration as reviewers.

Clicking on Back to app would just return an access denied error as access was not yet granted. This screen can be safely closed while waiting for admin consent.

The reviewing administrator will either receive an email notifying them of the request, or have to go to the Admin Consent Requests screen and check for new requests.

To approve a request, the administrator will go through the Review permissions and consent flow.

After an Administrator accepts, non-administrator users will have to go the through token generation sequence again.

However, this time the consent screen will be skipped entirely, and the flow will lead directly to the Authorization code.

Note

This method gives consent to the app on behalf of the entire organization, similar to when a Global Administrator ticks the checkbox to enables the Consent on behalf of your organization, as described above.