Connecting EmpowerID to Azure AD


Before connecting EmpowerID to an external directory, please review the Getting Started with Directory Systems topic. The topic walks you through the prerequisites you need to complete before connecting to an external directory for the first time. These prerequisites include:

  • Configuring the appropriate server roles for your EmpowerID servers

  • Reviewing the Join and Provision Rules for your environment

  • Reviewing the Join and Provision Filters for your environment

If you have already connected EmpowerID to another external directory, you can skip the above prerequisites.

EmpowerID provides connectors for a wide range of user directories and resource systems. As an administrator, you can use these connectors to quickly connect EmpowerID to your organization's identity-aware systems and applications. When you do so, you create an account store for that application in the EmpowerID Identity Warehouse and use that account store to configure how you want EmpowerID to manage the identity information in that system.

The EmpowerID Azure AD SCIM connector allows organizations to bring the user and group data in their Azure AD tenant into EmpowerID, where it can be managed and synchronized with data in any connected back-end user directories. Once connected, you can manage this data from EmpowerID in the following ways:

  • Account Management

    • Inventory Azure AD user accounts

    • Create, Update and Delete Azure AD user accounts

    • Enable and Disable Azure AD user accounts

    • Update passwords for Azure AD user accounts

  • Group Management

    • Inventory Azure AD groups

    • Inventory Azure AD group memberships

    • Create and Delete Azure AD groups

    • Add and Remove members to and from Azure AD groups

  • Attribute Flow
    Users in Azure AD are inventoried as accounts in EmpowerID, which are then linked to EmpowerID Person objects. The table below shows how Azure AD user attributes map to EmpowerID Person attributes.

| Azure AD Attribute | Corresponding EmpowerID Attribute | Description |
|---|---|---|
| Name | Name | Name of the user |
| name.familyName | LastName | Last name of the user |
| name.givenName | FirstName | First name of the user |
| name.middleName | MiddleName | Middle name of the user |
| displayName | FriendlyName | Display name of the user |
| name.honorificSuffix | GenerationalSuffix | |
| title | Title | Title of the user |
| email[?(@type=='work')].value | Email | Work email address of the user |
| ['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].['department'] | Department | Department of the user |
| ['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].['EmployeeNumber'] | EmployeeID | Employee ID of the user |
| addresses[?(@.type=='work')].streetAddress | StreetAddress | Street address of the user |
| addresses[?(@.type=='work')].locality | City | City in which the user resides or works |
| addresses[?(@.type=='work')].region | State | State in which the user resides or works |
| addresses[?(@.type=='work')].country | Country | Country of the user |
| addresses[?(@.type=='work')].postalCode | PostalCode | Postal code of the user |
| phoneNumbers[?(@.type=='home')].value | HomeTelephone | Home telephone of the user |
| preferredLanguage | PreferredLanguage | Preferred language of the user |
| phoneNumbers[?(@.type=='other')].value | Telephone | Telephone number for the person |
| phoneNumbers[?(@.type=='fax')].value | Fax | Fax number for the person |
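To make the mapping expressions concrete, here is an added example (not EmpowerID's own code) that applies a subset of the table's expressions to a constructed SCIM User resource. The minimal JSONPath-style resolver and the sample data are assumptions for illustration; the resolver also accepts the `@type` spelling used in the email row.

```python
import re
# Subset of the attribute mappings in the table above: SCIM path -> EmpowerID Person attribute.
SCIM_TO_PERSON = {
    "name.familyName": "LastName",
    "displayName": "FriendlyName",
    "email[?(@type=='work')].value": "Email",
    "['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].['department']": "Department",
    "['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].['EmployeeNumber']": "EmployeeID",
    "addresses[?(@.type=='work')].locality": "City",
    "phoneNumbers[?(@.type=='home')].value": "HomeTelephone",
    "phoneNumbers[?(@.type=='fax')].value": "Fax",
}

# One token per path step: a ['quoted'] key, a [?(@.attr=='value')] filter, or a bare key.
# The filter pattern accepts "@type" as well as "@.type", so the page's email mapping resolves too.
_TOKEN = re.compile(r"\['([^']+)'\]|\[\?\(@\.?(\w+)=='([^']*)'\)\]|([A-Za-z_]\w*)")

def resolve(doc, path):
    """Walk a SCIM resource along one mapping expression; return None when any step is absent."""
    value = doc
    for quoted, fattr, fval, bare in _TOKEN.findall(path):
        if fattr:  # filter step: first list element whose attribute equals the literal
            if not isinstance(value, list):
                return None
            value = next((e for e in value if isinstance(e, dict) and e.get(fattr) == fval), None)
        else:      # key step: descend into a dict by quoted or bare key
            value = value.get(quoted or bare) if isinstance(value, dict) else None
        if value is None:
            return None
    return value

def map_scim_user(user):
    """Apply every mapping; attributes missing from the SCIM resource are left out, not set to ''."""
    mapped = {}
    for scim_path, person_attr in SCIM_TO_PERSON.items():
        value = resolve(user, scim_path)
        if value is not None:
            mapped[person_attr] = value
    return mapped

# Constructed sample SCIM User (not real data); note there is no 'fax' phone number.
SAMPLE_USER = {
    "name": {"givenName": "Ada", "familyName": "Example"},
    "displayName": "Ada Example",
    "email": [{"type": "home", "value": "ada@home.example"}, {"type": "work", "value": "ada@corp.example"}],
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {"department": "Security", "EmployeeNumber": "E-1001"},
    "addresses": [{"type": "work", "locality": "Dublin"}],
    "phoneNumbers": [{"type": "home", "value": "+353 1 000 0000"}],
}
```

Running `map_scim_user(SAMPLE_USER)` yields the Person attributes for the rows that have source data and silently omits Fax, which is the behaviour to expect when an Azure AD user lacks an attribute.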

Additionally, EmpowerID provides Provisioning policies or Resource Entitlements that allow you to automatically provision Azure AD user accounts for any person within your organization based on your policy requirements.

To connect EmpowerID to Azure AD, the following prerequisites need to be met:

  1. Your organization must have an Azure subscription with Azure Active Directory.

  2. You need to register an application for EmpowerID in Azure Active Directory by following the instructions outlined in the Registering an application for EmpowerID in Azure AD topic.

  3. You need to create an App Service in Azure by following the instructions outlined in the Creating an App Service in Azure topic.

  4. You need to publish the EmpowerID SCIM Microservice to your Azure tenant by following the instructions outlined in the Publishing the EmpowerID SCIM Microservice to Azure topic.

EmpowerID “Proxy” or Connection Account Requirements

EmpowerID uses highly privileged user accounts when connecting to user directories such as Azure Active Directory, LDAP or database systems. These "account stores" use saved proxy accounts to connect to these systems and perform user account management operations. EmpowerID requires one privileged account per domain or directory. This account must hold all of the privileges required for the functions EmpowerID may perform (user creation, deletion, password reset, group creation, etc.).
