...
To ensure seamless integration, the EmpowerID Azure AD SCIM Connector maps attributes from Azure AD to the appropriate fields within EmpowerID. This mapping process ensures that all relevant data is captured and aligns with the data models used by EmpowerID. Below is an example of how key attributes are mapped:
| Azure AD Attribute | EmpowerID Person Attribute |
|---|---|
| profileUrl | AboutMe |
| active | Active |
| phoneNumbers[?@.type=='work'].value | BusinessPhone |
| city | City |
| companyName | Company |
| employeeOrgData.costCenter | CostCenter |
| country | Country |
| usageLocation | CustomAttribute10 |
| ['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].['department'] | Department |
| description | Description |
| employeeOrgData.division | Division |
| endDateTime | effectiveEndDate |
| startDateTime | EffectiveStartDate |
| emails[?@.type=='work'].value | |
| externalId | EmailAlias |
| ['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].['employeeNumber'] | EmployeeID |
| employeeType | EmployeeType |
| ['urn:ietf:params:scim:schemas:extension:azureOnPremData:2.0:User'].['onPremisesExtensionAttributes'].['extensionAttribute1'] | ExtensionAttribute1 |
| ['urn:ietf:params:scim:schemas:extension:azureOnPremData:2.0:User'].['onPremisesExtensionAttributes'].['extensionAttribute10'] | ExtensionAttribute10 |
| ['urn:ietf:params:scim:schemas:extension:azureOnPremData:2.0:User'].['onPremisesExtensionAttributes'].['extensionAttribute11'] | ExtensionAttribute11 |
| ['urn:ietf:params:scim:schemas:extension:azureOnPremData:2.0:User'].['onPremisesExtensionAttributes'].['extensionAttribute12'] | ExtensionAttribute12 |
| ['urn:ietf:params:scim:schemas:extension:azureOnPremData:2.0:User'].['onPremisesExtensionAttributes'].['extensionAttribute13'] | ExtensionAttribute13 |
| ['urn:ietf:params:scim:schemas:extension:azureOnPremData:2.0:User'].['onPremisesExtensionAttributes'].['extensionAttribute14'] | ExtensionAttribute14 |
| ['urn:ietf:params:scim:schemas:extension:azureOnPremData:2.0:User'].['onPremisesExtensionAttributes'].['extensionAttribute15'] | ExtensionAttribute15 |
| ['urn:ietf:params:scim:schemas:extension:azureOnPremData:2.0:User'].['onPremisesExtensionAttributes'].['extensionAttribute2'] | ExtensionAttribute2 |
| ['urn:ietf:params:scim:schemas:extension:azureOnPremData:2.0:User'].['onPremisesExtensionAttributes'].['extensionAttribute3'] | ExtensionAttribute3 |
| ['urn:ietf:params:scim:schemas:extension:azureOnPremData:2.0:User'].['onPremisesExtensionAttributes'].['extensionAttribute4'] | ExtensionAttribute4 |
| ['urn:ietf:params:scim:schemas:extension:azureOnPremData:2.0:User'].['onPremisesExtensionAttributes'].['extensionAttribute5'] | ExtensionAttribute5 |
| ['urn:ietf:params:scim:schemas:extension:azureOnPremData:2.0:User'].['onPremisesExtensionAttributes'].['extensionAttribute6'] | ExtensionAttribute6 |
| ['urn:ietf:params:scim:schemas:extension:azureOnPremData:2.0:User'].['onPremisesExtensionAttributes'].['extensionAttribute7'] | ExtensionAttribute7 |
| ['urn:ietf:params:scim:schemas:extension:azureOnPremData:2.0:User'].['onPremisesExtensionAttributes'].['extensionAttribute8'] | ExtensionAttribute8 |
| ['urn:ietf:params:scim:schemas:extension:azureOnPremData:2.0:User'].['onPremisesExtensionAttributes'].['extensionAttribute9'] | ExtensionAttribute9 |
| phoneNumbers[?@.type=='fax'].value | Fax |
| name.givenName | FirstName |
| displayName | FriendlyName |
| name.honorificSuffix | GenerationalSuffix |
| phoneNumbers[?@.type=='home'].value | HomeTelephone |
| name.familyName | LastName |
| userName | Login |
| manager | ManagerPersonID |
| name.middleName | MiddleName |
| phoneNumbers[?@.type=='mobile'].value | MobilePhone |
| addresses[?@.type=='other'].formatted | Office |
| externalAudience | OofAudience |
| scheduledEndDateTime | OofEndDate |
| externalReplyMessage | OofExternalMsg |
| internalReplyMessage | OofInternalMsg |
| scheduledStartDateTime | OofStartDate |
| status | OofStatus |
| photos[?@.type=='work'].value | PhotoURL |
| addresses[?@.type=='work'].postalCode | PostalCode |
| preferredLanguage | PreferredLanguage |
| state | State |
| addresses[?@.type=='work'].streetAddress | StreetAddress |
| phoneNumbers[?@.type=='other'].value | Telephone |
| title | Title |
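As an added illustration (not EmpowerID's own code), the following Python applies a subset of the path expressions from the table to a constructed SCIM user payload. The payload, the mapping subset and the `resolve`/`map_user` helpers are assumptions made here; the point it shows beyond the table is how type-filtered multi-valued attributes and extension-schema keys are resolved, and that an absent filtered entry (no fax number) simply yields no EmpowerID attribute rather than an error.

```python
import re

# Constructed sample SCIM user payload (not captured from a real tenant).
SCIM_USER = {
    "userName": "jdoe@example.com",
    "active": True,
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "phoneNumbers": [{"type": "work", "value": "+1 555 0100"},
                     {"type": "mobile", "value": "+1 555 0199"}],
    "addresses": [{"type": "work", "postalCode": "10001"}],
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {"department": "Security"},
}

# Subset of the mapping table above: source path -> EmpowerID Person attribute.
MAPPING = {
    "userName": "Login",
    "active": "Active",
    "name.givenName": "FirstName",
    "phoneNumbers[?@.type=='work'].value": "BusinessPhone",
    "phoneNumbers[?@.type=='fax'].value": "Fax",
    "addresses[?@.type=='work'].postalCode": "PostalCode",
    "['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].['department']": "Department",
}

# One path step: a bracketed quoted key (extension URN or its sub-attribute),
# a type filter on a multi-valued attribute, or a plain dotted key.
_STEP = re.compile(r"\['([^']+)'\]|(\w+)\[\?@\.type=='(\w+)'\]|(\w+)")


def resolve(path, resource):
    """Walk `path` over `resource`; return None as soon as any step is absent."""
    node = resource
    for quoted, multi, typ, plain in _STEP.findall(path):
        if not isinstance(node, dict):
            return None
        if multi:  # pick the first entry whose "type" sub-attribute matches
            hits = [e for e in node.get(multi, []) if isinstance(e, dict) and e.get("type") == typ]
            node = hits[0] if hits else None
        else:
            node = node.get(quoted or plain)
    return node


def map_user(resource, mapping=MAPPING):
    """Return {EmpowerID attribute: value}; attributes the source lacks are left out."""
    mapped = {}
    for path, target in mapping.items():
        value = resolve(path, resource)
        if value is not None:
            mapped[target] = value
    return mapped
```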
Permissions Requirements
The EmpowerID Azure AD SCIM Connector requires specific permissions to interact with the Microsoft Graph and Azure REST APIs. These permissions must be assigned to the Managed Identity used by the SCIM App Service and to the Service Principal so that the connector can perform the necessary operations within Azure AD and Azure services.
...
The following table outlines the required permissions for each Graph API operation performed by the SCIM Connector:
| Operation Description | Microsoft Graph API v1.0 Endpoint | Least Privileged Permission Needed |
|---|---|---|
| Check Deleted Group | Get group | Group.Read.All |
| Check Deleted User | List users | User.Read.All |
| Create Group | Create group | Group.Create |
| Create User | Create user | User.ReadWrite.All |
| Get All Deleted Groups | Get delta (group) | Group.Read.All |
| Get All Deleted Users | Get delta (user) | User.Read.All |
| Get All Org Contacts | Get contact | Contacts.Read |
| Get Applications | Get application | Application.ReadWrite.OwnedBy |
| Get AppRole Assignments | Get appRoleAssignment | Directory.Read.All |
| Get/Delete/Update Directory Role by ID | List members | RoleManagement.Read.Directory |
| | Add or Remove directory role member | RoleManagement.ReadWrite.Directory |
| Get/Delete/Update Group by ID | Get group | Group.Read.All |
| | Delete group | Group.ReadWrite.All |
| | Update group | Group.ReadWrite.All |
| Get/Delete/Update Service Principal by ID | Get servicePrincipal | Application.ReadWrite.OwnedBy |
| | Delete servicePrincipal | Application.ReadWrite.OwnedBy |
| | Update servicePrincipal | Application.ReadWrite.OwnedBy |
| Get/Delete/Update User by ID | Create a User | User.ReadWrite.All |
| | Get a User | User.Read.All |
| | Delete a user | User.ReadWrite.All |
| | Update a user | User.ReadWrite.All |
| Get Directory Role Member | List members | RoleManagement.Read.Directory |
| Get Directory Role Template | List unifiedRoleDefinitions | RoleManagement.Read.Directory |
| Get Directory Role | Get directoryRole | RoleManagement.Read.Directory |
| | Activate directoryRole | RoleManagement.ReadWrite.Directory |
| | Add or Remove member | RoleManagement.ReadWrite.Directory |
| Get Domain | List domains | Directory.Read.All |
| Get Group Member | List members | User.Read.All |
| | Add members | GroupMember.ReadWrite.All |
| Get New or Updated Groups | Get delta (group) | Group.Read.All |
| Get New or Updated Users | Get delta (user) | User.Read.All |
| Get Subscribed Skus | Get subscribedSku | Organization.Read.All |
| Get Service Principals | Get service principal | Application.ReadWrite.OwnedBy |
| Get Unified Role Assignment | Get unifiedRoleAssignment | RoleManagement.Read.Directory |
| Get Sign-In Activity | List sign-ins | AuditLog.Read.All |
| Query Groups | Get group | Group.Read.All |
| | Delete group | Group.ReadWrite.All |
| | Update group | Group.ReadWrite.All |
| Query Users | Get a User | User.Read.All |
| | Update a User | User.ReadWrite.All |
| | Delete a user | User.ReadWrite.All |
| Reset User Password | Update a User | Directory.AccessAsUser.All |
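Added example, not part of the connector or its documentation: a small least-privilege audit in Python that takes a subset of the operations from the table above, a constructed list of operations the connector is configured to run, and a constructed set of application permissions granted to its service principal, and reports which needed permissions are missing, which grants are broader than the Read permission actually required, and which grants no configured operation justifies. The `REQUIRED` subset, `OPERATIONS`, `GRANTED` and the rule that a ReadWrite permission covers the matching Read permission are assumptions made here.

```python
# Subset of the Graph table above: operation -> least-privileged permission(s).
REQUIRED = {
    "Check Deleted Group": {"Group.Read.All"},
    "Create User": {"User.ReadWrite.All"},
    "Get All Deleted Users": {"User.Read.All"},
    "Get/Delete/Update Group by ID": {"Group.Read.All", "Group.ReadWrite.All"},
    "Get Directory Role": {"RoleManagement.Read.Directory", "RoleManagement.ReadWrite.Directory"},
    "Get Sign-In Activity": {"AuditLog.Read.All"},
}

# Constructed inputs: operations the connector is configured to perform, and the
# application permissions currently granted to its service principal.
OPERATIONS = ["Check Deleted Group", "Get All Deleted Users", "Get Sign-In Activity"]
GRANTED = {"Group.ReadWrite.All", "User.Read.All", "Directory.ReadWrite.All"}


def read_form(perm):
    """Group.ReadWrite.All -> Group.Read.All (unchanged when there is no ReadWrite segment)."""
    return perm.replace(".ReadWrite.", ".Read.")


def audit(operations, granted, required=REQUIRED):
    """Compare granted permissions with what the chosen operations need.

    Simplifying assumption: a ReadWrite permission covers the Read permission of the
    same resource; no other overlap between permissions is modelled.
    Returns a dict with three sets:
      missing  - needed by an operation but covered by no grant
      broader  - grants wider than the Read permission that is actually needed
      unneeded - grants that no chosen operation justifies
    """
    needed = set().union(*(required[op] for op in operations))
    covers = granted | {read_form(g) for g in granted}  # what the grants effectively allow
    broader = {g for g in granted if g not in needed and read_form(g) in needed}
    unneeded = granted - needed - broader
    missing = needed - covers
    return {"missing": missing, "broader": broader, "unneeded": unneeded}


if __name__ == "__main__":
    for kind, perms in audit(OPERATIONS, GRANTED).items():
        print(f"{kind:9}: {sorted(perms) or '-'}")
```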
| Operation Description | Azure REST API Endpoint | Permission Needed |
|---|---|---|
| Create Managed Identity | User Assigned Identities - Create | Microsoft.ManagedIdentity/userAssignedIdentities/write |
| Create Role Assignment | Role Assignments - Create | Microsoft.Authorization/roleAssignments/write |
| Delete Role Assignment | Role Assignments - Delete | Microsoft.Authorization/roleAssignments/read |
| Get Classic Administrators | Classic Administrators - List | Microsoft.Authorization/classicAdministrators/read |
| Get/Delete/Update Managed Identity by ID | User Assigned Identities - List By Resource Group / Subscription | Microsoft.ManagedIdentity/userAssignedIdentities/read |
| | User Assigned Identities - Delete | Microsoft.ManagedIdentity/userAssignedIdentities/delete |
| | User Assigned Identities - Create Or Update (UPDATE) | Microsoft.ManagedIdentity/userAssignedIdentities/write |
| Get/Delete/Update Role Assignment by ID | Role Assignments - Get | Microsoft.Authorization/roleAssignments/read |
| | Role Assignments - Delete | Microsoft.Authorization/roleAssignments/delete |
| | Role Assignments - Create | Microsoft.Authorization/roleAssignments/write |
| Get/Delete/Update Role Definition by ID | Role Definitions - Get | Microsoft.Authorization/roleDefinitions/read |
| | Role Definitions - Create | Microsoft.Authorization/roleDefinitions/write |
| | Role Definitions - Delete | Microsoft.Authorization/roleDefinitions/delete |
| | Role Definitions - Update | Microsoft.Authorization/roleDefinitions/write |
| Get Managed Identities | User Assigned Identities - List By Resource Group / Subscription | Microsoft.ManagedIdentity/userAssignedIdentities/read |
| Get Management Group by Name | Management Groups - Get | domain |
| Get Management Groups | Management Groups - Get | Microsoft.Management/managementGroups/read |
| Get Resource Groups | Resource Groups - List | Microsoft.Resources/subscriptions/resourceGroups/read |
| Get Resources | Resources - List | Microsoft.Resources/subscriptions/resources |
| Get Role Assignments | Role Assignments - List | Microsoft.Authorization/roleAssignments/read |
| Get Role Definitions | Role Definitions - List | Microsoft.Authorization/roleDefinitions/read |
| Get Tenant | Tenants - List | Microsoft.Resources/tenant/read |
| Get Subscriptions | Subscriptions | Microsoft.Resources/subscriptions/read |
| Get Subscription Usage by ID | Usage Details - List | Microsoft.Consumption/usageDetails/read |
Service Principal Permissions
...