Azure Active Directory

The EmpowerID Azure Active Directory connector is a SCIM-compliant REST API microservice that you can deploy to Azure Active Directory to inventory user, group, group membership, role, and license information from an Azure tenant. The microservice is an enterprise-scale, high-security product that can be run on-premise or as Software-as-a-Service run by EmpowerID as Web and Application Server containers in the cloud or on-premise.

To access Azure Active Directory tenant data, the tenant needs to be configured for the microservice. Part of this configuration involves registering a service principal application for EmpowerID in Azure Active Directory and creating an Azure App Service to host the microservice. The microservice leverages certificate authentication, a system-assigned managed identity and app service authentication to enable secure fine-grained Graph API access, which includes read and write access to organization, user, group, role and license date in Azure Active Directory. The below image depicts the deployment model.

To connect EmpowerID to Azure involves the following:

1. Register a service principal application for EmpowerID in Azure AD. As part of the registration process, you will upload to Azure the base-64 encoded public key certificate to secure HTTP traffic between EmpowerID and the microservice. The public key certificate that you upload to Azure must have a corresponding private key in the EmpowerID certificate store; otherwise, an error will occur when calling Azure’s API.

2. Create an app service to host EmpowerID AD SCIM microservice in Azure, configure it to use the service principal application for authentication, and create a managed identity for it.

3. Publish the Azure AD SCIM microservice to Azure.

4. Set permissions needed by the managed identity to call Azure AD and Graph APIs on your behalf.

5. Connect EmpowerID to Azure.

Demonstration of Configuring the EmpowerID Azure AD Connection