The EmpowerID Azure Active Directory (Azure AD) SCIM Connector allows organizations to bring provides organizations with a comprehensive solution for managing and synchronizing user, group, role, license, application, and other data hosted in their Azure Cloud to . By integrating this data into EmpowerID, where it can be managed and synchronized with data in any organizations can ensure consistent management and synchronization across all connected back-end user directories, enhancing their identity governance and access management capabilities.
Architecture Overview
The EmpowerID Azure AD SCIM Connector's architecture is designed to securely interface with Azure Active Directory Connector uses a secure connection for inventorying and managing data in the Azure data store with the help of the EmpowerID SCIM 2.0 Microservice. The SCIM Microservice is an isolated component that is deployed in the client's Azure tenant and is responsible for establishing a secure connection with the Microsoft Graph API and directly writes/ reads data to/ from the Azure data store based on the request generated via the connector.
...
Please find below the components and its description.
...
Component
...
Description
...
EmpowerID Web App
EmpowerID web interface allows users to view the Azure Active Directory data inventoried into EmpowerID, and the same interface can be used for performing CRUD operations on the objects.
...
EmpowerID AAD Connector
EmpowerID AAD Connector encompass the inventory and write-back processes in the system that provide the business logic for inventory processing, provisioning and join logic, group membership assignments, naming conventions, and decisions regarding deleting or disabling accounts, groups and other objects.
...
Identity Warehouse
EmpowerID data store that comprises of a large number of tables for storing and maintaining the data inventoried from Azure Active Directory and other connected directories.
...
Certificate Authentication
...
EmpowerID Azure Active Directory connector uses secure handshake with the EmpowerID SCIM Microservice via Azure Certificate Authentication, meaning that the microservice only fulfills the request coming from the authorized client.
...
EmpowerID SCIM Microservice
The EmpowerID SCIM Microservice is an isolated component which is solely responsible for fulfilling requests coming from authorized clients (generally the EmpowerID AAD connector).
...
Managed Identity
Managed Identity is responsible for ensuring secure communication between the EmpowerID SCIM Microservice and Microsoft Graph API, it also possesses certain permissions that are required for making calls to the Graph API. Managed Identity must be created in the same Azure tenant where the data synchronizing is taking place between Azure data store and EmpowerID.
...
Microsoft Graph API
...
Microsoft Graph is a RESTful Web API that enables access to Microsoft Cloud service resources. It is created and managed by Microsoft; this API is invoked by the EmpowerID SCIM Microservice for fulfilling connector's requests for any Azure resource.
...
Azure Active Directory
...
Azure Active Directory (Azure AD) is a cloud-based identity and access management service that enables access to different resources, such as Users, Groups, Roles, Licenses, Azure Applications, Service Principals etc.
Insert excerpt
...
System Components and Data Flow
The EmpowerID Azure AD SCIM Connector architecture comprises several key components that enable secure and efficient data exchange between EmpowerID and Azure AD. Central to this architecture are the EmpowerID Web & App Server Containers, which host the necessary services and applications. These containers execute inventory and job tasks to collect and process data from Azure AD, storing the results in the EmpowerID Identity Warehouse – an SQL-based database for managing user identities, groups, roles, and other related attributes.
The system uses certificate-based authentication to establish secure communication between EmpowerID and the Azure AD tenant. This approach ensures that the EmpowerID Azure AD SCIM App Service can interact securely with Azure AD, maintaining data integrity and preventing unauthorized access.
The EmpowerID Azure AD SCIM App Service is deployed within the customer’s Azure tenant and serves as the interface between EmpowerID and Azure AD. It utilizes the SCIM 2.0 protocol to manage and synchronize data. The App Service communicates with Azure AD via the Microsoft Graph API, performing CRUD (Create, Read, Update, Delete) operations on resources such as users, groups, roles, and licenses.
In the Azure environment, the SCIM App Service uses a Managed Identity to interact securely with Azure AD and other Azure services. Azure automatically manages managed identities, streamlining the authentication and authorization processes and eliminating the need for manual credential management.
The Microsoft Graph API allows the SCIM App Service to access and manipulate Azure AD data directly. The service can retrieve and update user data, group memberships, roles, licenses, and other critical resources through the API, ensuring that the information is consistent across both EmpowerID and Azure AD.
Secure Data Inventory and Management
The EmpowerID Azure AD SCIM Connector offers several data management capabilities, allowing organizations to efficiently manage their Azure AD resources within EmpowerID.
Account Management
Inventory User Accounts: Collect and manage user account data from Azure AD.
Create, Update, and Delete User Accounts: Perform CRUD operations on user accounts directly from EmpowerID.
Enable and Disable User Accounts: Manage the active status of user accounts.
Reset User Account Passwords: Initiate password resets for user accounts.
Group Management
Inventory Groups and Group Memberships: Collect and manage group data, including membership details.
Create and Delete Groups: Perform CRUD operations on groups within Azure AD.
Add and Remove Group Memberships: Manage user memberships within groups.
Add or Remove Group Members: Directly manage individual users within group memberships.
Role Management
Inventory Azure Roles and Role Memberships: Collect and manage role data and role memberships from Azure AD.
Create Azure RBAC and Custom Directory Roles: Define and manage RBAC roles and custom directory roles.
Assign Users to Azure Roles: Assign or modify user roles directly within EmpowerID.
License Management
Inventory License Bundles, License Pools, and Tenant Subscriptions: Collect and manage licensing data from Azure AD.
Add or Remove License Assignments for Users: Manage individual user license assignments.
Add or Remove License Assignments for Groups: Manage group-based license assignments.
Application Management
Inventory Azure Applications, Credentials, App Roles, Scopes, App Role Assignments, and Scope Assignments: Collect and manage application-related data.
Create Azure OIDC, SAML (Non-Gallery), and SAML (Gallery) Applications: Define and manage different applications within Azure AD.
Edit and Delete Azure Applications: Perform CRUD operations on Azure AD applications.
Create and Delete Client Secrets and Certificates: Manage application secrets and certificates.
Create and Delete Scopes and App Roles: Define and manage application scopes and roles.
Update API Permissions and Token Configurations: Modify permissions and token settings for Azure AD applications.
Data Synchronization and Lifecycle Management
Once data from Azure AD is inventoried and mapped in EmpowerID, it becomes part of the platform's broader identity lifecycle management processes. The following sections outline how the connector handles data synchronization and supports key lifecycle events.
Data Synchronization
The EmpowerID Azure AD SCIM Connector enables synchronization between Azure AD and EmpowerID. This synchronization ensures that any changes made in Azure AD, such as updates to user roles, group memberships, or application assignments, are promptly reflected in EmpowerID. Synchronization is bidirectional, meaning that updates made in EmpowerID can also be propagated back to Azure AD if needed.
Lifecycle Management
The EmpowerID Azure AD SCIM Connector integrates with EmpowerID’s lifecycle management processes, allowing for seamless user, group, and role lifecycle management based on Azure AD data. The following processes are supported:
Provisioning:
Automatically create new users, groups, and roles in EmpowerID based on Azure AD data.
Ensure these entities are assigned the correct attributes and access rights defined in Azure AD.
Updating:
Synchronize changes made to existing users, groups, and roles in Azure AD with EmpowerID.
Reflect modifications such as role changes, group reassignments, or updates to user attributes across both systems.
Deprovisioning:
When users, groups, or roles are removed from Azure AD, they can be automatically deprovisioned in EmpowerID.
This process ensures that deactivated entities are appropriately handled, including removing access rights and deleting them as required.
Attribute Mapping
To ensure seamless integration, the EmpowerID Azure AD SCIM Connector maps attributes from Azure AD to the appropriate fields within EmpowerID. This mapping process ensures that all relevant data is captured and aligns with the data models used by EmpowerID. Below is an example of how key attributes are mapped:
Azure AD Attribue | EmpowerID Person Attribute |
---|---|
profileUrl | AboutMe |
active | Active |
phoneNumbers[?@.type=='work'].value | BusinessPhone |
city | City |
companyName | Company |
employeeOrgData.costCenter | CostCenter |
country | Country |
usageLocation | CustomAttribute10 |
['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].['department'] | Department |
description | Description |
employeeOrgData.division | Division |
endDateTime | effectiveEndDate |
startDateTime | EffectiveStartDate |
emails[?@.type=='work'].value | |
externalId | EmailAlias |
['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].['employeeNumber'] | EmployeeID |
employeeType | EmployeeType |
['urn:ietf:params:scim:schemas:extension:azureOnPremData:2.0:User'].['onPremisesExtensionAttributes'].['extensionAttribute1'] | ExtensionAttribute1 |
['urn:ietf:params:scim:schemas:extension:azureOnPremData:2.0:User'].['onPremisesExtensionAttributes'].['extensionAttribute10'] | ExtensionAttribute10 |
['urn:ietf:params:scim:schemas:extension:azureOnPremData:2.0:User'].['onPremisesExtensionAttributes'].['extensionAttribute11'] | ExtensionAttribute11 |
['urn:ietf:params:scim:schemas:extension:azureOnPremData:2.0:User'].['onPremisesExtensionAttributes'].['extensionAttribute12'] | ExtensionAttribute12 |
['urn:ietf:params:scim:schemas:extension:azureOnPremData:2.0:User'].['onPremisesExtensionAttributes'].['extensionAttribute13'] | ExtensionAttribute13 |
['urn:ietf:params:scim:schemas:extension:azureOnPremData:2.0:User'].['onPremisesExtensionAttributes'].['extensionAttribute14'] | ExtensionAttribute14 |
['urn:ietf:params:scim:schemas:extension:azureOnPremData:2.0:User'].['onPremisesExtensionAttributes'].['extensionAttribute15'] | ExtensionAttribute15 |
['urn:ietf:params:scim:schemas:extension:azureOnPremData:2.0:User'].['onPremisesExtensionAttributes'].['extensionAttribute2'] | ExtensionAttribute2 |
['urn:ietf:params:scim:schemas:extension:azureOnPremData:2.0:User'].['onPremisesExtensionAttributes'].['extensionAttribute3'] | ExtensionAttribute3 |
['urn:ietf:params:scim:schemas:extension:azureOnPremData:2.0:User'].['onPremisesExtensionAttributes'].['extensionAttribute4'] | ExtensionAttribute4 |
['urn:ietf:params:scim:schemas:extension:azureOnPremData:2.0:User'].['onPremisesExtensionAttributes'].['extensionAttribute5'] | ExtensionAttribute5 |
['urn:ietf:params:scim:schemas:extension:azureOnPremData:2.0:User'].['onPremisesExtensionAttributes'].['extensionAttribute6'] | ExtensionAttribute6 |
['urn:ietf:params:scim:schemas:extension:azureOnPremData:2.0:User'].['onPremisesExtensionAttributes'].['extensionAttribute7'] | ExtensionAttribute7 |
['urn:ietf:params:scim:schemas:extension:azureOnPremData:2.0:User'].['onPremisesExtensionAttributes'].['extensionAttribute8'] | ExtensionAttribute8 |
['urn:ietf:params:scim:schemas:extension:azureOnPremData:2.0:User'].['onPremisesExtensionAttributes'].['extensionAttribute9'] | ExtensionAttribute9 |
phoneNumbers[?@.type=='fax'].value | Fax |
name.givenName | FirstName |
displayName | FriendlyName |
name.honorificSuffix | GenerationalSuffix |
phoneNumbers[?@.type=='home'].value | HomeTelephone |
name.familyName | LastName |
userName | Login |
manager | ManagerPersonID |
name.middleName | MiddleName |
phoneNumbers[?@.type=='mobile'].value | MobilePhone |
addresses[?@.type=='other'].formatted | Office |
externalAudience | OofAudience |
scheduledEndDateTime | OofEndDate |
externalReplyMessage | OofExternalMsg |
internalReplyMessage | OofInternalMsg |
scheduledStartDateTime | OofStartDate |
status | OofStatus |
photos[?@.type=='work'].value | PhotoURL |
addresses[?@.type=='work'].postalCode | PostalCode |
preferredLanguage | PreferredLanguage |
state | State |
addresses[?@.type=='work'].streetAddress | StreetAddress |
phoneNumbers[?@.type=='other'].value | Telephone |
title | Title |
Permissions Requirements
The EmpowerID Azure AD SCIM Connector requires specific permissions to interact effectively with various APIs and services. These permissions must be assigned to the Managed Identity used by the SCIM App Service and the Service Principal to ensure the connector can perform the necessary operations within Azure AD and Azure services.
Graph REST API Permissions
The following table outlines the required permissions for each Graph API operation performed by the SCIM Connector:
Operation Description | Microsoft Graph API v1.0 Endpoint | Least Privileged Permission Needed |
---|---|---|
Check Deleted Group | Get group | Group.Read.All |
Check Deleted User | List users | User.Read.All |
Create Group | Create group | Group.Create |
Create User | Create user | User.ReadWrite.All |
Get All Deleted Groups | Get delta (group) | Group.Read.All |
Get All Deleted Users | Get delta (user) | User.Read.All |
Get All Org Contacts | Get contact | Contacts.Read |
Get Applications | Get application | Application.ReadWrite.OwnedBy |
Get AppRole Assignments | Get appRoleAssignment | Directory.Read.All |
Get/Delete/Update Directory Role by ID | List members | RoleManagement.Read.Directory |
Add or Remove directory role member | RoleManagement.ReadWrite.Directory | |
Get/Delete/Update Group by ID | Get group | Group.Read.All |
Delete group | Group.ReadWrite.All | |
Update group | Group.ReadWrite.All | |
Get/Delete/Update Service Principal by ID | Get servicePrincipal | Application.ReadWrite.OwnedBy |
Delete servicePrincipal | Application.ReadWrite.OwnedBy | |
Update servicePrincipal | Application.ReadWrite.OwnedBy | |
Get/Delete/Update User by ID | Create a User | User.ReadWrite.All |
Get a User | User.Read.All | |
Delete a user | User.ReadWrite.All | |
Update a user | User.ReadWrite.All | |
Get Directory Role Member | List members | RoleManagement.Read.Directory |
Get Directory Role Template | List unifiedRoleDefinitions | RoleManagement.Read.Directory |
Get Directory Role | Get directoryRole | RoleManagement.Read.Directory |
Activate directoryRole | RoleManagement.ReadWrite.Directory | |
Add or Remove member | RoleManagement.ReadWrite.Directory | |
Get Domain | List domains | Directory.Read.All |
Get Group Member | List members | User.Read.All |
Add members | GroupMember.ReadWrite.All | |
Get New or Updated Groups | Get delta (group) | Group.Read.All |
Get New or Updated Users | Get delta (user) | User.Read.All |
Get Subscribed Skus | Get subscribedSku | Organization.Read.All |
Get Service Principals | Get service principal | Application.ReadWrite.OwnedBy |
Get Unified Role Assignment | Get unifiedRoleAssignment | RoleManagement.Read.Directory |
Get Sign-In Activity | List sign-ins | AuditLog.Read.All |
Query Groups | Get group | Group.Read.All |
Delete group | Group.ReadWrite.All | |
Update group | Group.ReadWrite.All | |
Query Users | Get a User | User.Read.All |
Update a User | User.ReadWrite.All | |
Delete a user | User.ReadWrite.All | |
Reset User Password | Update a User | Directory.AccessAsUser.All |
Insert excerpt | ||||||
---|---|---|---|---|---|---|
|
Operation Description | Azure REST API Endpoint | Permission Needed |
---|---|---|
Create Managed Identity | User Assigned Identities - Create | Microsoft.ManagedIdentity/userAssignedIdentities/write |
Create Role Assignment | Role Assignments - Create | Microsoft.Authorization/roleAssignments/write |
Delete Role Assignment | Role Assignments - Delete | Microsoft.Authorization/roleAssignments/read |
Get Classic Administrators | Classic Administrators - List | Microsoft.Authorization/classicAdministrators/read |
Get/Delete/Update Managed Identity by ID | User Assigned Identities - List By Resource Group / Subscription | Microsoft.ManagedIdentity/userAssignedIdentities/read |
User Assigned Identities - Delete | Microsoft.ManagedIdentity/userAssignedIdentities/delete | |
User Assigned Identities - Create Or Update (UPDATE) | Microsoft.ManagedIdentity/userAssignedIdentities/write | |
Get/Delete/Update Role Assignment by ID | Role Assignments - Get | Microsoft.Authorization/roleAssignments/read |
Role Assignments - Delete | Microsoft.Authorization/roleAssignments/delete | |
Role Assignments - Create | Microsoft.Authorization/roleAssignments/write | |
Get/Delete/Update Role Definition by ID | Role Definitions - Get | Microsoft.Authorization/roleDefinitions/read |
Role Definitions - Create | Microsoft.Authorization/roleDefinitions/write | |
Role Definitions - Delete | Microsoft.Authorization/roleDefinitions/delete | |
Role Definitions - Update | Microsoft.Authorization/roleDefinitions/write | |
Get Managed Identities | User Assigned Identities - List By Resource Group / Subscription | Microsoft.ManagedIdentity/userAssignedIdentities/read |
Get Management Group by Name | Management Groups - Get | domain |
Get Management Groups | Management Groups - Get | Microsoft.Management/managementGroups/read |
Get Resource Groups | Resource Groups - List | Microsoft.Resources/subscriptions/resourceGroups/read |
Get Resources | Resources - List | Microsoft.Resources/subscriptions/resources |
Get Role Assignments | Role Assignments - List | Microsoft.Authorization/roleAssignments/read |
Get Role Definitions | Role Definitions - List | Microsoft.Authorization/roleDefinitions/read |
Get Tenant | Tenants - List | Microsoft.Resources/tenant/read |
Get Subscriptions | Subscriptions | Microsoft.Resources/subscriptions/read |
Get Subscription Usage by ID | Usage Details - List | Microsoft.Consumption/usageDetails/read |
Service Principal Permissions
The Service Principal requires Reports.Read.All permissions.
Configuration Parameters and Required Permissions
Enabling certain configuration parameters in the Azure AD Resource System within EmpowerID requires the following permissions to function correctly. Below is a detailed explanation of each configuration parameter, its purpose, and the associated permissions required.
EnableAzureApplicationInventory
Description: When set to True
, this parameter allows EmpowerID to inventory Azure application data.
Inventory data and Required Permissions:
Inventory Data | Least Privileged Permission | Higher Privileged Permissions |
---|---|---|
Azure Applications | Application.ReadWrite.OwnedBy | Application.ReadWrite.All, Directory.Read.All |
Azure Application Templates | Same as above | Same as above |
Conditional Access Policies | Policy.Read.All | N/A |
Application.ReadWrite.OwnedBy | User.ReadWrite.All | Application.ReadWrite.All, Directory.Read.All |
Application Role Assignments for Service Principals | Directory.Read.All | Directory.ReadWrite.All |
EnableAzureLicenseInventory
Description: When set to True
, this parameter allows EmpowerID to inventory Azure license data.
Inventory Data and Required Permissions:
Inventory Data | Least Privileged Permission | Higher Privileged Permissions |
---|---|---|
Subscribed SKU | Organization.Read.All | Directory.Read.All, Organization.ReadWrite.All, Directory.ReadWrite.All |
EnableAzureRbacInventory (H4)
Description: When set to True
, this parameter allows EmpowerID to inventory Azure RBAC (Role-Based Access Control) data.
Inventory Data and Required Permissions:
Inventory Data | Permissions |
---|---|
Management Groups | Microsoft.Management/managementGroups/read |
Subscriptions | Microsoft.Resources/subscriptions/read |
Resource Groups | Microsoft.Resources/subscriptions/resourceGroups/read |
RBAC Role Definitions | Microsoft.Authorization/roleDefinitions/readResources |
Resources | Microsoft.Resources/subscriptions/resources/read |
RBAC Role Assignments | Microsoft.Authorization/roleAssignments/read |
Managed Identities | Microsoft.ManagedIdentity/userAssignedIdentities/read |
Classic Administrators | Microsoft.Authorization/classicAdministrators/read |
EnableDirectoryRoleMemberInventoryWithScope (H4)
Description: When set to True
, this parameter allows EmpowerID to inventory Azure directory role member data. It includes data scoped to applications and directories.
Inventory Data and Required Permissions:
Inventory Data | Least Privileged Permission | Higher Privileged Permissions |
---|---|---|
Directory Role Members Scoped to Directory | RoleManagement.Read.Directory | Directory.Read.All, Directory.ReadWrite.All, RoleManagement.ReadWrite.Directory |
Directory Role Members Scoped to Application | Same as above | Same as above |
EnableSignInActivityInventory
Description: When set to True
, this parameter allows EmpowerID to inventory Azure sign-in activity data.
Inventory Data and Required Permissions:
Inventory Data | Least Privileged Permission | Higher Privileged Permissions |
---|---|---|
Azure Sign-In Activity | Reports.Read.All | Reports.Read.All |