Overview of Azure AD SCIM Connector

Owned by Phillip Hanegan
Last updated: Aug 15, 2024
2 min read

The EmpowerID Azure Active Directory (Azure AD) SCIM Connector provides organizations with a comprehensive solution for managing and synchronizing user, group, role, license, application, and other data hosted in their Azure Cloud. By integrating this data into EmpowerID, organizations can ensure consistent management and synchronization across all connected back-end user directories, enhancing their identity governance and access management capabilities.

Architecture Overview

The EmpowerID Azure AD SCIM Connector's architecture is designed to securely interface with Azure Active Directory (Azure AD), facilitating the management and synchronization of user identities, groups, roles, licenses, and related data. The architecture comprises several key components that interact to ensure seamless data exchange between EmpowerID and Azure AD.

System Components and Data Flow

The EmpowerID Azure AD SCIM Connector architecture comprises several key components that enable secure and efficient data exchange between EmpowerID and Azure AD. Central to this architecture are the EmpowerID Web & App Server Containers, which host the necessary services and applications. These containers execute inventory and job tasks to collect and process data from Azure AD, storing the results in the EmpowerID Identity Warehouse – an SQL-based database for managing user identities, groups, roles, and other related attributes.

The system uses certificate-based authentication to establish secure communication between EmpowerID and the Azure AD tenant. This approach ensures that the EmpowerID Azure AD SCIM App Service can interact securely with Azure AD, maintaining data integrity and preventing unauthorized access.

The EmpowerID Azure AD SCIM App Service is deployed within the customer’s Azure tenant and serves as the interface between EmpowerID and Azure AD. It utilizes the SCIM 2.0 protocol to manage and synchronize data. The App Service communicates with Azure AD via the Microsoft Graph API, performing CRUD (Create, Read, Update, Delete) operations on resources such as users, groups, roles, and licenses.

In the Azure environment, the SCIM App Service uses a Managed Identity to interact securely with Azure AD and other Azure services. Azure automatically manages managed identities, streamlining the authentication and authorization processes and eliminating the need for manual credential management.

The Microsoft Graph API allows the SCIM App Service to access and manipulate Azure AD data directly. The service can retrieve and update user data, group memberships, roles, licenses, and other critical resources through the API, ensuring that the information is consistent across both EmpowerID and Azure AD.

Secure Data Inventory and Management

The EmpowerID Azure AD SCIM Connector offers several data management capabilities, allowing organizations to efficiently manage their Azure AD resources within EmpowerID.

Account Management

  • Inventory User Accounts: Collect and manage user account data from Azure AD.

  • Create, Update, and Delete User Accounts: Perform CRUD operations on user accounts directly from EmpowerID.

  • Enable and Disable User Accounts: Manage the active status of user accounts.

  • Reset User Account Passwords: Initiate password resets for user accounts.

Group Management

  • Inventory Groups and Group Memberships: Collect and manage group data, including membership details.

  • Create and Delete Groups: Perform CRUD operations on groups within Azure AD.

  • Add and Remove Group Memberships: Manage user memberships within groups.

  • Add or Remove Group Members: Directly manage individual users within group memberships.

Role Management

  • Inventory Azure Roles and Role Memberships: Collect and manage role data and role memberships from Azure AD.

  • Create Azure RBAC and Custom Directory Roles: Define and manage RBAC roles and custom directory roles.

  • Assign Users to Azure Roles: Assign or modify user roles directly within EmpowerID.

License Management

  • Inventory License Bundles, License Pools, and Tenant Subscriptions: Collect and manage licensing data from Azure AD.

  • Add or Remove License Assignments for Users: Manage individual user license assignments.

  • Add or Remove License Assignments for Groups: Manage group-based license assignments.

Application Management

  • Inventory Azure Applications, Credentials, App Roles, Scopes, App Role Assignments, and Scope Assignments: Collect and manage application-related data.

  • Create Azure OIDC, SAML (Non-Gallery), and SAML (Gallery) Applications: Define and manage different applications within Azure AD.

  • Edit and Delete Azure Applications: Perform CRUD operations on Azure AD applications.

  • Create and Delete Client Secrets and Certificates: Manage application secrets and certificates.

  • Create and Delete Scopes and App Roles: Define and manage application scopes and roles.

  • Update API Permissions and Token Configurations: Modify permissions and token settings for Azure AD applications.

Data Synchronization and Lifecycle Management

Once data from Azure AD is inventoried and mapped in EmpowerID, it becomes part of the platform's broader identity lifecycle management processes. The following sections outline how the connector handles data synchronization and supports key lifecycle events.

Data Synchronization

The EmpowerID Azure AD SCIM Connector enables synchronization between Azure AD and EmpowerID. This synchronization ensures that any changes made in Azure AD, such as updates to user roles, group memberships, or application assignments, are promptly reflected in EmpowerID. Synchronization is bidirectional, meaning that updates made in EmpowerID can also be propagated back to Azure AD if needed.

Lifecycle Management

The EmpowerID Azure AD SCIM Connector integrates with EmpowerID’s lifecycle management processes, allowing for seamless user, group, and role lifecycle management based on Azure AD data. The following processes are supported:

  • Provisioning: Automatically create new users, groups, and roles in EmpowerID based on Azure AD data, ensuring these entities are assigned the correct attributes and access rights defined in Azure AD.

  • Updating: Synchronize changes made to existing users, groups, and roles in Azure AD with EmpowerID, reflecting modifications such as role changes, group reassignments, or updates to user attributes across both systems.

  • Deprovisioning: When users, groups, or roles are removed from Azure AD, they can be automatically deprovisioned in EmpowerID. This process ensures that deactivated entities are appropriately handled, including removing access rights and deleting them as required.

Attribute Mapping

To ensure seamless integration, the EmpowerID Azure AD SCIM Connector maps attributes from Azure AD to the appropriate fields within EmpowerID. This mapping process ensures that all relevant data is captured and aligns with the data models used by EmpowerID. Below is an example of how key attributes are mapped:

Azure AD Attribue

EmpowerID Person Attribute

Azure AD Attribue

EmpowerID Person Attribute

profileUrl

AboutMe

active

Active

phoneNumbers[?@.type=='work'].value

BusinessPhone

city

City

companyName

Company

employeeOrgData.costCenter

CostCenter

country

Country

usageLocation

CustomAttribute10

['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].['department']

Department

description

Description

employeeOrgData.division

Division

endDateTime

effectiveEndDate

startDateTime

EffectiveStartDate

emails[?@.type=='work'].value

Email

externalId

EmailAlias

['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].['employeeNumber']

EmployeeID

employeeType

EmployeeType

['urn:ietf:params:scim:schemas:extension:azureOnPremData:2.0:User'].['onPremisesExtensionAttributes'].['extensionAttribute1']

ExtensionAttribute1

['urn:ietf:params:scim:schemas:extension:azureOnPremData:2.0:User'].['onPremisesExtensionAttributes'].['extensionAttribute10']

ExtensionAttribute10

['urn:ietf:params:scim:schemas:extension:azureOnPremData:2.0:User'].['onPremisesExtensionAttributes'].['extensionAttribute11']

ExtensionAttribute11

['urn:ietf:params:scim:schemas:extension:azureOnPremData:2.0:User'].['onPremisesExtensionAttributes'].['extensionAttribute12']

ExtensionAttribute12

['urn:ietf:params:scim:schemas:extension:azureOnPremData:2.0:User'].['onPremisesExtensionAttributes'].['extensionAttribute13']

ExtensionAttribute13

['urn:ietf:params:scim:schemas:extension:azureOnPremData:2.0:User'].['onPremisesExtensionAttributes'].['extensionAttribute14']

ExtensionAttribute14

['urn:ietf:params:scim:schemas:extension:azureOnPremData:2.0:User'].['onPremisesExtensionAttributes'].['extensionAttribute15']

ExtensionAttribute15

['urn:ietf:params:scim:schemas:extension:azureOnPremData:2.0:User'].['onPremisesExtensionAttributes'].['extensionAttribute2']

ExtensionAttribute2

['urn:ietf:params:scim:schemas:extension:azureOnPremData:2.0:User'].['onPremisesExtensionAttributes'].['extensionAttribute3']

ExtensionAttribute3

['urn:ietf:params:scim:schemas:extension:azureOnPremData:2.0:User'].['onPremisesExtensionAttributes'].['extensionAttribute4']

ExtensionAttribute4

['urn:ietf:params:scim:schemas:extension:azureOnPremData:2.0:User'].['onPremisesExtensionAttributes'].['extensionAttribute5']

ExtensionAttribute5

['urn:ietf:params:scim:schemas:extension:azureOnPremData:2.0:User'].['onPremisesExtensionAttributes'].['extensionAttribute6']

ExtensionAttribute6

['urn:ietf:params:scim:schemas:extension:azureOnPremData:2.0:User'].['onPremisesExtensionAttributes'].['extensionAttribute7']

ExtensionAttribute7

['urn:ietf:params:scim:schemas:extension:azureOnPremData:2.0:User'].['onPremisesExtensionAttributes'].['extensionAttribute8']

ExtensionAttribute8

['urn:ietf:params:scim:schemas:extension:azureOnPremData:2.0:User'].['onPremisesExtensionAttributes'].['extensionAttribute9']

ExtensionAttribute9

phoneNumbers[?@.type=='fax'].value

Fax

name.givenName

FirstName

displayName

FriendlyName

name.honorificSuffix

GenerationalSuffix

phoneNumbers[?@.type=='home'].value

HomeTelephone

name.familyName

LastName

userName

Login

manager

ManagerPersonID

name.middleName

MiddleName

phoneNumbers[?@.type=='mobile'].value

MobilePhone

addresses[?@.type=='other'].formatted

Office

externalAudience

OofAudience

scheduledEndDateTime

OofEndDate

externalReplyMessage

OofExternalMsg

internalReplyMessage

OofInternalMsg

scheduledStartDateTime

OofStartDate

status

OofStatus

photos[?@.type=='work'].value

PhotoURL

addresses[?@.type=='work'].postalCode

PostalCode

preferredLanguage

PreferredLanguage

state

State

addresses[?@.type=='work'].streetAddress

StreetAddress

phoneNumbers[?@.type=='other'].value

Telephone

title

Title

Permissions Requirements

The EmpowerID Azure AD SCIM Connector requires specific permissions to interact effectively with various APIs and services. These permissions must be assigned to the Managed Identity used by the SCIM App Service and the Service Principal to ensure the connector can perform the necessary operations within Azure AD and Azure services.

Graph REST API Permissions

The following table outlines the required permissions for each Graph API operation performed by the SCIM Connector:

Operation Description

Microsoft Graph API v1.0 Endpoint

Least Privileged Permission Needed

Operation Description

Microsoft Graph API v1.0 Endpoint

Least Privileged Permission Needed

Check Deleted Group

Get group

Group.Read.All

Check Deleted User

List users

User.Read.All

Create Group

Create group

Group.Create

Create User

Create user

User.ReadWrite.All

Get All Deleted Groups

Get delta (group)

Group.Read.All

Get All Deleted Users

Get delta (user)

User.Read.All

Get All Org Contacts

Get contact

Contacts.Read

Get Applications

Get application

Application.ReadWrite.OwnedBy

Get AppRole Assignments

Get appRoleAssignment

Directory.Read.All

Get/Delete/Update Directory Role by ID

List members

RoleManagement.Read.Directory

 

Add or Remove directory role member

RoleManagement.ReadWrite.Directory

Get/Delete/Update Group by ID

Get group

Group.Read.All

 

Delete group

Group.ReadWrite.All

 

Update group

Group.ReadWrite.All

Get/Delete/Update Service Principal by ID

Get servicePrincipal

Application.ReadWrite.OwnedBy

 

Delete servicePrincipal

Application.ReadWrite.OwnedBy

 

Update servicePrincipal

Application.ReadWrite.OwnedBy

Get/Delete/Update User by ID

Create a User

User.ReadWrite.All

 

Get a User

User.Read.All

 

Delete a user

User.ReadWrite.All

 

Update a user

User.ReadWrite.All

Get Directory Role Member

List members

RoleManagement.Read.Directory

Get Directory Role Template

List unifiedRoleDefinitions

RoleManagement.Read.Directory

Get Directory Role

Get directoryRole

RoleManagement.Read.Directory

 

Activate directoryRole

RoleManagement.ReadWrite.Directory

 

Add or Remove member

RoleManagement.ReadWrite.Directory

Get Domain

List domains

Directory.Read.All

Get Group Member

List members

User.Read.All

 

Add members

GroupMember.ReadWrite.All

Get New or Updated Groups

Get delta (group)

Group.Read.All

Get New or Updated Users

Get delta (user)

User.Read.All

Get Subscribed Skus

Get subscribedSku

Organization.Read.All

Get Service Principals

Get service principal

Application.ReadWrite.OwnedBy

Get Unified Role Assignment

Get unifiedRoleAssignment

RoleManagement.Read.Directory

Get Sign-In Activity

List sign-ins

AuditLog.Read.All

Query Groups

Get group

Group.Read.All

 

Delete group

Group.ReadWrite.All

 

Update group

Group.ReadWrite.All

Query Users

Get a User

User.Read.All

 

Update a User

User.ReadWrite.All

 

Delete a user

User.ReadWrite.All

Reset User Password

Update a User

Directory.AccessAsUser.All

Azure REST API Permissions

Operation Description

Azure REST API Endpoint

Permission Needed

Operation Description

Azure REST API Endpoint

Permission Needed

Create Managed Identity

User Assigned Identities - Create

Microsoft.ManagedIdentity/userAssignedIdentities/write

Create Role Assignment

Role Assignments - Create

Microsoft.Authorization/roleAssignments/write

Delete Role Assignment

Role Assignments - Delete

Microsoft.Authorization/roleAssignments/read

Get Classic Administrators

Classic Administrators - List

Microsoft.Authorization/classicAdministrators/read

Get/Delete/Update Managed Identity by ID

User Assigned Identities - List By Resource Group / Subscription

Microsoft.ManagedIdentity/userAssignedIdentities/read

 

User Assigned Identities - Delete

Microsoft.ManagedIdentity/userAssignedIdentities/delete

 

User Assigned Identities - Create Or Update (UPDATE)

Microsoft.ManagedIdentity/userAssignedIdentities/write

Get/Delete/Update Role Assignment by ID

Role Assignments - Get

Microsoft.Authorization/roleAssignments/read

 

Role Assignments - Delete

Microsoft.Authorization/roleAssignments/delete

 

Role Assignments - Create

Microsoft.Authorization/roleAssignments/write

Get/Delete/Update Role Definition by ID

Role Definitions - Get

Microsoft.Authorization/roleDefinitions/read

 

Role Definitions - Create

Microsoft.Authorization/roleDefinitions/write

 

Role Definitions - Delete

Microsoft.Authorization/roleDefinitions/delete

 

Role Definitions - Update

Microsoft.Authorization/roleDefinitions/write

Get Managed Identities

User Assigned Identities - List By Resource Group / Subscription

Microsoft.ManagedIdentity/userAssignedIdentities/read

Get Management Group by Name

Management Groups - Get

domain

Get Management Groups

Management Groups - Get

Microsoft.Management/managementGroups/read

Get Resource Groups

Resource Groups - List

Microsoft.Resources/subscriptions/resourceGroups/read

Get Resources

Resources - List

Microsoft.Resources/subscriptions/resources

Get Role Assignments

Role Assignments - List

Microsoft.Authorization/roleAssignments/read

Get Role Definitions

Role Definitions - List

Microsoft.Authorization/roleDefinitions/read

Get Tenant

Tenants - List

Microsoft.Resources/tenant/read

Get Subscriptions

Subscriptions

Microsoft.Resources/subscriptions/read

Get Subscription Usage by ID

Usage Details - List

Microsoft.Consumption/usageDetails/read

Service Principal Permissions

The Service Principal requires Reports.Read.All permissions.

Configuration Parameters and Required Permissions

Enabling certain configuration parameters in the Azure AD Resource System within EmpowerID requires the following permissions to function correctly. Below is a detailed explanation of each configuration parameter, its purpose, and the associated permissions required.

EnableAzureApplicationInventory

Description: When set to True, this parameter allows EmpowerID to inventory Azure application data.

Inventory data and Required Permissions:

Inventory Data

Least Privileged Permission

Higher Privileged Permissions

Inventory Data

Least Privileged Permission

Higher Privileged Permissions

Azure Applications

Application.ReadWrite.OwnedBy

Application.ReadWrite.All, Directory.Read.All

Azure Application Templates

Same as above

Same as above

Conditional Access Policies

Policy.Read.All

N/A

Application.ReadWrite.OwnedBy

User.ReadWrite.All

Application.ReadWrite.All, Directory.Read.All

Application Role Assignments for Service Principals

Directory.Read.All

Directory.ReadWrite.All

EnableAzureLicenseInventory

Description: When set to True, this parameter allows EmpowerID to inventory Azure license data.

Inventory Data and Required Permissions:

Inventory Data

Least Privileged Permission

Higher Privileged Permissions

Inventory Data

Least Privileged Permission

Higher Privileged Permissions

Subscribed SKU

Organization.Read.All

Directory.Read.All, Organization.ReadWrite.All, Directory.ReadWrite.All

EnableAzureRbacInventory (H4)

Description: When set to True, this parameter allows EmpowerID to inventory Azure RBAC (Role-Based Access Control) data.

Inventory Data and Required Permissions:

Inventory Data

Permissions

Inventory Data

Permissions

Management Groups

Microsoft.Management/managementGroups/read

Subscriptions

Microsoft.Resources/subscriptions/read

Resource Groups

Microsoft.Resources/subscriptions/resourceGroups/read

RBAC Role Definitions

Microsoft.Authorization/roleDefinitions/readResources

Resources

Microsoft.Resources/subscriptions/resources/read

RBAC Role Assignments

Microsoft.Authorization/roleAssignments/read

Managed Identities

Microsoft.ManagedIdentity/userAssignedIdentities/read

Classic Administrators

Microsoft.Authorization/classicAdministrators/read

EnableDirectoryRoleMemberInventoryWithScope (H4)

Description: When set to True, this parameter allows EmpowerID to inventory Azure directory role member data. It includes data scoped to applications and directories.

Inventory Data and Required Permissions:

Inventory Data

Least Privileged Permission

Higher Privileged Permissions

Inventory Data

Least Privileged Permission

Higher Privileged Permissions

Directory Role Members Scoped to Directory

RoleManagement.Read.Directory

Directory.Read.All, Directory.ReadWrite.All, RoleManagement.ReadWrite.Directory

Directory Role Members Scoped to Application

Same as above

Same as above

EnableSignInActivityInventory

Description: When set to True, this parameter allows EmpowerID to inventory Azure sign-in activity data.

Inventory Data and Required Permissions:

Inventory Data

Least Privileged Permission

Higher Privileged Permissions

Inventory Data

Least Privileged Permission

Higher Privileged Permissions

Azure Sign-In Activity

Reports.Read.All

Reports.Read.All