Native Connectors - Customer instructions for Entra ID
How to set up authentication between the Native Connector and Entra ID
The Microsoft Graph API connector (for Entra ID, formerly Azure AD) is one of the native connectors. It reads data from and writes data to the customer's Azure/Entra ID tenant through the Microsoft Graph API, and it can be used in all Professional and IGA solutions.
An Entra ID administrator needs to create a dedicated App Registration in Entra for the Native Connectors of the Professional and IGA solutions. Usually this Entra configuration is carried out by the organisation's Entra ID or authentication specialist.
Note
This App Registration is intended to be used only by the Microsoft Graph API Native Connectors.
If you also use OIDC or SAML authentication to your solution with Secure Access, create a separate application for those. In that case, see OIDC and SAML.
Customer actions
Register application to Entra ID
The application must be configured so that the Native Connectors (EPE) component can read and write the objects it handles, e.g. user accounts and groups. The application is registered in the Microsoft Entra admin center: https://entra.microsoft.com.
Select App registrations and then + New registration.
Note! This is NOT an Enterprise application.

Give the application a descriptive name and select the option Accounts in this organizational directory only (Efecte Baseline only - Single tenant).

Create a secret or certificate for EPE in the Entra ID console
Select the application you created in the step “Register application to Entra ID”.
Select Certificates & secrets and then, on the Client secrets tab, click + New client secret.

Store the secret value in a safe place (the secret ID is not needed). You also need to send the secret value to your Matrix42 consultant so they can configure it in your solution's Microsoft Graph API connector.
Grant the needed permissions in the Entra ID console
Add permissions to the application you created in the step “Register application to Entra ID”. Set the permissions according to the object types the Native Connector handles, following the Microsoft Graph API permissions reference: https://learn.microsoft.com/en-us/graph/permissions-reference
Grant Write permissions only if they are needed; the required permissions are described and documented in more detail in the Entra ID integration description provided by the ongoing project.
Select API permissions and then click + Add a permission.

After you have added the correct permissions, click “Grant admin consent for <Organization name>” and then “Yes”. After this the application is ready to be used by Secure Access for authenticating users to the Matrix42 Professional and IGA solutions.
If admin consent is not granted, the permissions are not taken into use.

Most Used Permissions
Confirm the correct permissions case by case. Use Application-type permissions.
| Usage | Entra permission | Type | Notes |
|---|---|---|---|
| Read users | User.Read.All | Application | |
| Read, create and edit users | User.ReadWrite.All | Application | |
| Read groups | Group.Read.All | Application | Consider using GroupMember.Read.All instead of this more powerful permission |
| Read, create and edit groups | Group.ReadWrite.All | Application | |
| Read all group memberships and basic group properties | GroupMember.Read.All | Application | Allows the app to read memberships and basic group properties for all groups. Not as powerful as Group.Read.All |
| Manage all directory objects | Directory.ReadWrite.All | Application | Powerful permission, usually not needed |
| Read Intune devices and software | DeviceManagementManagedDevices.Read.All | Application | Intune |
| Edit Intune devices and software | DeviceManagementManagedDevices.ReadWrite.All | Application | Intune |
Customer deliverables
Deliver the following information to Matrix42 so they can configure it in the Microsoft Graph API connector of your solution.
| Information | Description | Example |
|---|---|---|
| Application (client) ID | GUID of the client application you created. Shown on the Overview page of your application | 56cf0dabc-1a1b-12ca-3bca-bca4bc56a78b |
| Directory (tenant) ID | GUID of the Entra tenant | abc1fb23-dd24-5a67-8b91-1a123ab123a12 |
| Login URL | Custom domain name of the Entra tenant | https://login.microsoftonline.com/example.onmicrosoft.com/ |
| Graph API URL | Usually set to 'https://graph.microsoft.com'; editable for custom reasons | https://graph.microsoft.com |
| Import users parameter | Optional. Additional Graph API query filter applied when users are extracted | $filter=startswith(givenName, 'J') |
| Import groups parameter | Optional. Additional Graph API query filter applied when groups are extracted | $filter=startswith(groupName, 'E') |
| Users to be excluded from import to ESM | Optional. Object IDs of the users to exclude | a11b1fc1-1234-1de1-f1dg-h1i2j345k123 |
| Groups to be excluded from import to ESM | Optional. Object IDs of the groups to exclude | a11b1fc1-1234-1de1-f1dg-h1i2j345k123 |
| Include users with specific groups | Optional. A list of groups; only members of these groups are included in the final result set. Object IDs of the group memberships to include | a11b1fc1-1234-1de1-f1dg-h1i2j345k123 |
| Exclude users with specific groups | Optional. A list of groups; members of these groups are excluded from the final result set. Object IDs of the group memberships to exclude | a11b1fc1-1234-1de1-f1dg-h1i2j345k123 |
| Authentication method | Secret or certificate. The Microsoft Graph API connector supports a secure connection to Entra ID using either a client secret or a certificate | Provide the secret to Matrix42 through a secure delivery channel. If a certificate is used, Matrix42 delivers the certificate to the customer, who must upload it to the Entra ID web console for the application |
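The following is an added example, not Matrix42's connector code (which this page does not publish). It models how the deliverables in the table above fit together: the login URL and tenant ID form the OAuth 2.0 client-credentials token request, the Graph API URL and the import users parameter form the `/users` request, and the optional exclusion and group-membership lists narrow the extracted user set. The Graph `v1.0` and token `v2.0` endpoints, the `$select` list, and the precedence between the include and exclude lists are assumptions; all IDs and users are constructed sample data.

```python
"""Model of the Entra ID connector parameters (added example; assumptions labelled)."""
from urllib.parse import urlencode

# Constructed sample values in the same shape as the table's examples (not real IDs).
TENANT_ID = "abc1fb23-dd24-5a67-8b91-1a123ab123a12"
LOGIN_URL = "https://login.microsoftonline.com/"
GRAPH_URL = "https://graph.microsoft.com"
IMPORT_USERS_PARAM = "$filter=startswith(givenName, 'J')"


def token_request(login_url, tenant_id, client_id, client_secret):
    """Build the client-credentials token request the connector sends to Entra ID.
    Assumes the v2.0 token endpoint. The secret is carried only in the POST body,
    never in the URL, so it does not end up in proxy or web-server access logs."""
    endpoint = f"{login_url.rstrip('/')}/{tenant_id}/oauth2/v2.0/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        # Application permissions are consented on the app registration, so the
        # connector requests the static ".default" scope of the Graph resource.
        "scope": f"{GRAPH_URL}/.default",
    }
    return endpoint, urlencode(body)


def users_request(graph_url, import_param=None):
    """Compose the /users request; the optional import parameter is appended as
    an extra OData query option (the HTTP client is expected to URL-encode it)."""
    url = f"{graph_url.rstrip('/')}/v1.0/users?$select=id,userPrincipalName,givenName"
    if import_param:
        url += "&" + import_param.lstrip("?&")
    return url


def select_users(users, group_members, exclude_users=(), include_groups=(), exclude_groups=()):
    """Apply the optional lists after extraction. The page gives the lists but not
    their precedence, so the order below is an assumption:
      1. users in exclude_users are dropped;
      2. if include_groups is non-empty, a user must belong to at least one of them;
      3. a member of any exclude_groups is dropped even if step 2 admitted them.
    group_members maps group object ID -> set of member user object IDs."""
    excluded_users = set(exclude_users)
    wanted_groups = set(include_groups)
    banned_groups = set(exclude_groups)
    result = []
    for user in users:
        uid = user["id"]
        if uid in excluded_users:
            continue
        groups = {g for g, members in group_members.items() if uid in members}
        if wanted_groups and not groups & wanted_groups:
            continue
        if groups & banned_groups:
            continue
        result.append(user)
    return result


# Constructed sample directory: three groups and four users.
SAMPLE_USERS = [
    {"id": "u-0001", "userPrincipalName": "jane@example.onmicrosoft.com", "givenName": "Jane"},
    {"id": "u-0002", "userPrincipalName": "john@example.onmicrosoft.com", "givenName": "John"},
    {"id": "u-0003", "userPrincipalName": "svc-sync@example.onmicrosoft.com", "givenName": "Sync"},
    {"id": "u-0004", "userPrincipalName": "jim@example.onmicrosoft.com", "givenName": "Jim"},
]
SAMPLE_GROUP_MEMBERS = {
    "g-employees": {"u-0001", "u-0002", "u-0004"},
    "g-contractors": {"u-0003"},
    "g-leavers": {"u-0004"},
}


def demo():
    """Exclude the service account by ID, keep only employees, drop leavers."""
    return select_users(
        SAMPLE_USERS,
        SAMPLE_GROUP_MEMBERS,
        exclude_users=["u-0003"],
        include_groups=["g-employees"],
        exclude_groups=["g-leavers"],
    )


if __name__ == "__main__":
    endpoint, _body = token_request(LOGIN_URL, TENANT_ID, "<client-id>", "<client-secret>")
    print("token endpoint:", endpoint)
    print("users request:", users_request(GRAPH_URL, IMPORT_USERS_PARAM))
    print("imported users:", [u["userPrincipalName"] for u in demo()])
```

Running the script with the sample data leaves Jane and John: the service account is removed by object ID, the contractor is not a member of the included group, and Jim is a member of an excluded group even though he is also an employee. Keeping the include list narrow and the exclude lists explicit is the data-side counterpart of granting the app registration only the permissions it needs.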
Microsoft Graph API connector
More information about the Microsoft Graph API connector can be found here.