You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.


Connect Azure License Manager to Azure AD


In order to bring the user, group and license data in your Azure AD into Azure License Manager (ALM), you need to create a tenant for your Azure AD in ALM.

To create an Azure AD tenant in ALM

  1. On the navbar, expand Azure License Manager and click Configuration.

  2. Select the Tenants tab and then click the Add New Tenant button above the grid.

  3. In the Tenant form that appears, fill in the following information:

    1. Account Store Name — Enter a name for the Azure AD tenant you are creating.

    2. App Service Url — Enter the URL of the Azure App Service. This is the base URL of the App Service as shown in the Azure portal. EmpowerID uses this URL to make all calls to the EmpowerID SCIM microservice.

    3. Application ID — Enter the Application ID of the application you registered for EmpowerID in Azure AD.

    4. Tenant ID — Enter the ID of your tenant. EmpowerID uses this to get the context for submitting the access token that is used to inventory the resources in Azure and perform authorized CRUD operations against those resources.

    5. Auth Certificate Thumbprint — Enter the thumbprint of the certificate you uploaded for the application you registered for EmpowerID in Azure AD and added to the EmpowerID Identity Warehouse. The thumbprint ensures that whenever the SCIM microservice makes calls for the account store, the handshake with Azure completes and an access token is granted.

  4. When ready, click Save to create the tenant. You should see the tenant in the grid.
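The values entered in the Tenant form above are what ALM later uses to authenticate to Azure AD: the Application ID and Tenant ID must be GUIDs, the App Service URL must be an absolute https URL, and the thumbprint must be the SHA-1 hash of the certificate's DER encoding, which Azure AD expects to reappear in the JWT `x5t` header of the certificate-based client assertion. The following added example (not part of the EmpowerID product or this guide) checks a form before it is saved and derives the `x5t` value from a thumbprint; the field names and all sample values are constructed for illustration and are not real tenant identifiers.

```python
import base64
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample (not from the guide): the five fields of the ALM Tenant form,
# keyed by a snake_case version of their labels. All values are placeholders.
SAMPLE_TENANT_FORM = {
    "account_store_name": "Contoso Azure AD",
    "app_service_url": "https://eid-scim-example.azurewebsites.net",
    "application_id": "11111111-2222-3333-4444-555555555555",
    "tenant_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeffff",
    # SHA-1 of the bytes b"test"; used only as a well-formed placeholder thumbprint.
    "auth_certificate_thumbprint": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3",
}

GUID_RE = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)
THUMBPRINT_RE = re.compile(r"^[0-9A-Fa-f]{40}$")  # SHA-1 hex digest, 40 characters


def normalize_thumbprint(value):
    """Return the thumbprint as 40 upper-case hex characters.

    Copying a thumbprint out of the Windows certificate dialog can carry an
    invisible left-to-right mark (U+200E) and space or colon separators; both
    break the thumbprint match later, so they are stripped here.
    """
    cleaned = (value or "").replace("\u200e", "")
    cleaned = re.sub(r"[\s:\-]", "", cleaned)
    if not THUMBPRINT_RE.match(cleaned):
        raise ValueError("thumbprint must be 40 hex characters (SHA-1)")
    return cleaned.upper()


def validate_tenant_form(form):
    """Return a list of problems found in the form; an empty list means it is consistent."""
    problems = []
    if not (form.get("account_store_name") or "").strip():
        problems.append("account_store_name is required")
    url = urlparse(form.get("app_service_url", ""))
    if url.scheme != "https" or not url.netloc:
        problems.append("app_service_url must be an absolute https:// URL")
    for key in ("application_id", "tenant_id"):
        if not GUID_RE.match(form.get(key, "")):
            problems.append(f"{key} must be a GUID")
    try:
        normalize_thumbprint(form.get("auth_certificate_thumbprint"))
    except ValueError as exc:
        problems.append(f"auth_certificate_thumbprint: {exc}")
    return problems


def thumbprint_from_der(der_bytes):
    """The thumbprint the Azure portal shows is SHA-1 over the certificate's DER encoding."""
    return hashlib.sha1(der_bytes).hexdigest().upper()


def x5t_header_value(thumbprint):
    """Azure AD certificate credentials carry the thumbprint in the JWT 'x5t' header:
    the raw 20 SHA-1 bytes, base64url-encoded with padding removed."""
    raw = bytes.fromhex(normalize_thumbprint(thumbprint))
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


if __name__ == "__main__":
    print("problems:", validate_tenant_form(SAMPLE_TENANT_FORM))
    print("x5t:", x5t_header_value(SAMPLE_TENANT_FORM["auth_certificate_thumbprint"]))
```

If `validate_tenant_form` reports a problem with the thumbprint after a copy-and-paste from a certificate dialog, compare the raw string against the output of `normalize_thumbprint` first; a hidden U+200E character at the start of the pasted value is the usual cause of a thumbprint that looks right but does not match the uploaded certificate.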

Now that the tenant has been created, the next steps are configuring the settings for the account store and turning on inventory.

To configure account store settings

  1. From the Tenants tab of the Azure License Manager Configuration page, click the Edit button for the tenant you just provisioned.

    This opens the update page for the account store. This page allows you to specify how you want Azure License Manager to handle the user information it discovers during inventory. The settings that can be edited are described in the table below.


| Setting | Description |
|---|---|
| General Settings | |
| Allow Person Provisioning (Joiner Source) | Specifies whether EmpowerID Persons can be provisioned from user accounts in the account store. |
| Allow Password Sync | Enables or disables the synchronization of password changes to user accounts in the domain based on password changes for the owning person object or another account owned by the person. This setting does not prevent password changes by users running the reset user account password workflows. |
| Allow Attribute Flow | Specifies whether attribute changes should flow between ALM and the account store. |
| Allow Provisioning (By RET) | Allows or disallows the Resource Entitlement (RET) Inbox process to auto-provision accounts for this domain for users who receive RET policy-assigned user accounts but have not yet had them provisioned. |
| Allow Deprovisioning (By RET) | Allows or disallows the Resource Entitlement Inbox process to auto-deprovision accounts for this domain for users who still have RET policy-assigned user accounts but no longer receive a policy that grants them a user account in the domain. Deprovisioning only occurs if the deprovision action on the Resource Entitlement policy is set to De-Provision. |
| Allow Account Creation on Membership Request | Specifies whether EmpowerID creates user accounts in the account store when an EmpowerID Person without one requests membership in a group belonging to the account store. |
| Recertify All Group Changes as Detected | Specifies whether detected group changes should trigger recertification. |
| Inventory Settings | |
| Inventory Enabled | Allows inventory of the user and group information in Azure. |
| Inventory Every X Minutes | Specifies the time span that elapses before EmpowerID performs a complete inventory of the Azure account store. The default value is 10 minutes. |
| Enable Azure License Inventory | Allows inventory of the license information in Azure. |
| Enable Azure RBAC Inventory | Allows inventory of the role information in Azure. This should be disabled if you are not using Azure RBAC Manager. |
| Inbox Inventory Settings | |
| Inbox Inventory Enabled | Allows inventory of the Inbox. |
| Inbox Inventory Every X Minutes | Specifies the time span that elapses before EmpowerID runs the Inbox Inventory job. The default value is 10 minutes. |
| Membership Settings | |
| Enable Group Membership Reconciliation | Allows EmpowerID to manage the membership of the account store's groups, adding and removing users to and from groups based on policy-based assignment rules. |
| Reconcile Membership Every X Minutes | Specifies the time span that elapses before EmpowerID runs the Group Membership Reconciliation job. The default value is 10 minutes. |

  2. Edit tenant settings as needed and then click Save to save your changes.
