Azure AD
Azure Active Directory (Azure AD, since renamed Microsoft Entra ID) is Microsoft's cloud identity service: it provides single sign-on to cloud and on-premises applications together with identity and access management. The Azure AD connector lets Starling Connect create, read, update and delete users and groups, and read application registrations, in an Azure AD tenant through the Microsoft Graph REST API.
Azure AD connectors are available for use with One Identity Safeguard for Privileged Passwords.
NOTE: Update the synchronization shell, or create a new one, in One Identity Manager whenever changes are introduced in the connector schema.
Connector Configuration
The connector calls the Microsoft Graph REST API as an app registration in the customer's tenant, so the Graph permissions requested by that registration must be granted consent (admin consent for application permissions) before the connector can retrieve resource details. The connector supports both single tenant and multi tenant configurations, and you can switch a single tenant connector to multi tenant while configuring the connector in the Starling Connect UI.
Supervisor configuration parameters for single tenant connector
To configure the single tenant connector, the following parameters are required:
- Connector name
- Client Id for the app
- Client Secret of the app
- Directory Id of the Active Directory
- Target URL (the cloud application's instance URL, used as the target URI in the payload; for example, https://graph.microsoft.com/v1.0)
- Instance DateTime Offset (see Configuring additional datetime offset in connectors for more details)
The Client Id, Client Secret and Directory Id are the app registration's OAuth 2.0 client credentials, with which the connector obtains Microsoft Graph access tokens. The secret carries every permission consented to the app registration, so keep it only in the connector configuration and rotate it before it expires.
Supervisor configuration parameters for multi tenant connector
To configure the multi tenant connector, the following parameters are required:
- Directory Id of the Active Directory
- Target URL (the cloud application's instance URL, used as the target URI in the payload; for example, https://graph.microsoft.com/v1.0)
- Instance DateTime Offset (see Configuring additional datetime offset in connectors for more details)
Supported objects and operations
Users
Table 172: Supported operations for Users
Operation | HTTP method
Create User | POST
Update User | PATCH
Delete User | DELETE
Get User | GET
Get All Users | GET
Groups
Table 173: Supported operations for Groups
Operation | HTTP method
Create Group | POST
Update Group | PATCH
Delete Group | DELETE
Get Group | GET
Get All Groups | GET
Application
Table 174: Supported operations for Application
Operation | HTTP method
Get Application | GET
Get All Applications | GET
Mandatory fields
Create/Update User
- emails[].value
- userType
- nickName
- displayName
- password
- active
Groups
Invite User
- redirectUrl
- emails[].value
- userType
User Group and Application mapping
The user, group and application mappings are listed in the tables below:
Table 175: User mapping
SCIM attribute | Azure AD (Microsoft Graph) attribute
active | accountEnabled
addresses[0].country | country
addresses[0].locality | city
addresses[0].postalCode | postalCode
addresses[0].region | state
addresses[0].streetAddress | streetAddress
displayName | displayName
emails[0].value | userPrincipalName
groups[].display | memberOf[].displayName
groups[].value | memberOf[].id
Id | id
meta.created | createdDateTime
name.familyName | surname
name.givenName | givenName
nickName | mailNickname
phoneNumbers[0].value | businessPhones[0]
preferredLanguage | preferredLanguage
redemptionUrl | inviteRedeemUrl
redirectUrl | inviteRedirectUrl
title | jobTitle
userExtension.applications[].display | applications[].displayName
userExtension.applications[].principalId | applications[].principalId
userExtension.applications[].principalType | applications[].principalType
userExtension.applications[].value | applications[].appId
userExtension.department | department
userExtension.employeeNumber | employeeId
userExtension.manager.displayName | manager.displayName
userExtension.manager.value | manager.id
userExtension.organization | companyName
userName | userPrincipalName
userType | userType
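The following is an added example, not code from Starling Connect or One Identity. It applies the user mapping in Table 175 in the create direction: it builds the Microsoft Graph POST /users body from a SCIM user payload, rejects payloads that lack the mandatory Create/Update User attributes, and rejects a userPrincipalName whose domain is not verified in the tenant (see Connector limitations). The SCIM payload and the verified-domain list are constructed for illustration, and placing the password in passwordProfile with a forced change at first sign-in is this example's choice; the page does not state what the connector sets.

```python
"""Added example (not Starling Connect's own code): SCIM user -> Graph /users
body per Table 175, with mandatory-attribute and verified-domain checks.
Sample input is constructed; nothing is fetched from Azure AD."""

import re
from typing import Any, Dict, Iterable, Optional

# Mandatory attributes for Create/Update User as listed on the page; the
# page's email value is read here as the first entry of the SCIM emails list.
MANDATORY_USER_PATHS = (
    "emails[0].value", "userType", "nickName", "displayName", "password", "active",
)

# The single-valued rows of Table 175 (SCIM path -> Graph property).
# groups[] and userExtension.applications[] are read from Azure AD, not
# written in a create body, so they are left out.
SCIM_TO_GRAPH = {
    "active": "accountEnabled",
    "addresses[0].country": "country",
    "addresses[0].locality": "city",
    "addresses[0].postalCode": "postalCode",
    "addresses[0].region": "state",
    "addresses[0].streetAddress": "streetAddress",
    "displayName": "displayName",
    "emails[0].value": "userPrincipalName",
    "name.familyName": "surname",
    "name.givenName": "givenName",
    "nickName": "mailNickname",
    "phoneNumbers[0].value": "businessPhones",  # list-valued on the Graph side
    "preferredLanguage": "preferredLanguage",
    "title": "jobTitle",
    "userExtension.department": "department",
    "userExtension.employeeNumber": "employeeId",
    "userExtension.organization": "companyName",
    "userType": "userType",
}

_PATH_TOKEN = re.compile(r"([^.\[\]]+)(?:\[(\d+)\])?")


def get_path(obj: Any, path: str) -> Optional[Any]:
    """Resolve a SCIM path such as 'addresses[0].locality' against nested
    dicts and lists; return None when any step is missing."""
    cur = obj
    for name, index in _PATH_TOKEN.findall(path):
        if not isinstance(cur, dict) or name not in cur:
            return None
        cur = cur[name]
        if index:
            i = int(index)
            if not isinstance(cur, list) or i >= len(cur):
                return None
            cur = cur[i]
    return cur


class ScimValidationError(ValueError):
    """A payload the connector would reject with HTTP 400 before calling Graph."""


def scim_user_to_graph(scim: Dict[str, Any], verified_domains: Iterable[str]) -> Dict[str, Any]:
    missing = [p for p in MANDATORY_USER_PATHS if get_path(scim, p) in (None, "")]
    if missing:
        raise ScimValidationError(f"missing mandatory attributes: {missing}")

    # emails[0].value becomes the UPN, so its domain must be one the tenant
    # has verified; the comparison is case-insensitive.
    upn = get_path(scim, "emails[0].value")
    domain = upn.rpartition("@")[2].lower()
    if "@" not in upn or domain not in {d.lower() for d in verified_domains}:
        raise ScimValidationError(f"UPN domain {domain!r} is not verified in this tenant")

    body: Dict[str, Any] = {}
    for scim_path, graph_prop in SCIM_TO_GRAPH.items():
        value = get_path(scim, scim_path)
        if value is None:
            continue
        body[graph_prop] = [value] if graph_prop == "businessPhones" else value

    # Graph takes the initial password inside passwordProfile, never as a
    # top-level property. Forcing a change at first sign-in is an assumption
    # of this example, not something the page states the connector does.
    body["passwordProfile"] = {
        "password": scim["password"],
        "forceChangePasswordNextSignIn": True,
    }
    return body


# Constructed sample input (not real tenant data).
SAMPLE_SCIM_USER = {
    "userName": "alice@contoso.com",
    "displayName": "Alice Example",
    "nickName": "alice",
    "userType": "Member",
    "password": "not-a-real-password-1",
    "active": True,
    "emails": [{"value": "alice@contoso.com", "primary": True}],
    "name": {"givenName": "Alice", "familyName": "Example"},
    "addresses": [{"locality": "Dublin", "country": "IE", "postalCode": "D02"}],
    "phoneNumbers": [{"value": "+353 1 555 0100"}],
    "userExtension": {"department": "Security", "employeeNumber": "E1001"},
}
VERIFIED_DOMAINS = ("contoso.com", "contoso.onmicrosoft.com")  # constructed

if __name__ == "__main__":
    import json
    print(json.dumps(scim_user_to_graph(SAMPLE_SCIM_USER, VERIFIED_DOMAINS), indent=2))
```

Run the file directly to print the Graph body for the sample user; feed it a payload whose emails[0].value uses an unverified domain and it raises ScimValidationError rather than producing a request that Graph would reject.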
Groups
Table 176: Group mapping
SCIM attribute | Azure AD (Microsoft Graph) attribute
enterpriseExtension.applications[].value | applications[].appId
enterpriseExtension.applications[].display | applications[].displayName
enterpriseExtension.applications[].principalId | applications[].principalId
enterpriseExtension.applications[].principalType | applications[].principalType
displayName | displayName
enterpriseExtension.description | description
enterpriseExtension.mailNickname | mailNickname
Id | id
members[].display | members[].displayName
members[].value | members[].id
meta.created | createdDateTime
Application
Table 177: Application Mapping
SCIM attribute | Azure AD (Microsoft Graph) attribute
appId | appId
displayName | displayName
Id | id
meta.created | createdDateTime
publisherDomain | publisherDomain
Connector limitations
- lastModified is not returned with Users, Groups or Applications.
- Groups are of two types, Security groups and Office 365 (now Microsoft 365) groups. Azure AD allows both users and groups as group members: a Security group can contain users and other Security groups, whereas an Office 365 group can contain only users.
- With a trial Azure AD account, only Security groups can be created through the APIs. For the properties to map, see the User and Group mapping sections.
- An appRole assigned to a group applies only to that group's direct user members. Users who belong to the group only through a nested group do not receive the appRole, so nested groups cannot be relied on to grant application access.
- Azure AD resource Ids are GUIDs. Editing, retrieving or deleting a group by an Id that is not a well-formed GUID returns response code 400; a well-formed GUID that matches no object returns 404.
- The email value for a user (which maps to userPrincipalName) must use a domain that is verified in the selected Azure AD tenant. To see the verified domains, open Azure Active Directory in the Azure portal; the Overview page lists them above the directory name.
- Multiple groups can be created with the same name, so a group must be addressed by its Id rather than its displayName.
- For the password policy applied to user accounts that are created and managed in Azure AD, see Password policies that only apply to cloud user accounts.
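The following is an added example, not code from Starling Connect or One Identity, covering three of the limitations above: effective_app_roles() models the rule that an appRole assigned to a group reaches only the group's direct user members and not users present through a nested group, users_not_reached_by_group_role() lists the users an access review would wrongly assume hold the role, expected_lookup_status() models the 400-versus-404 behaviour for group Ids, and groups_named() shows why a displayName is not a usable key. The directory objects, assignments, Ids and role names are all constructed; nothing is fetched from Microsoft Graph.

```python
"""Added example (not the connector's own code): non-transitive appRole
assignment, GUID validation and duplicate group names, on a constructed
in-memory directory."""

import uuid
from typing import Dict, List, Set, Tuple

# Constructed object Ids in the canonical hyphenated GUID form.
ALICE = "0f5a8c0e-1111-4c2b-9d3e-000000000001"
BOB = "0f5a8c0e-1111-4c2b-9d3e-000000000002"
CAROL = "0f5a8c0e-1111-4c2b-9d3e-000000000003"
SEC_OPS = "5b1d2e3f-2222-4a4b-8c8d-000000000010"
SEC_OPS_NESTED = "5b1d2e3f-2222-4a4b-8c8d-000000000020"
APP_A = "7c9e0a1b-3333-4f5e-a6b7-000000000100"  # appId of an application

# id -> object. "type" mirrors principalType in Graph appRoleAssignment objects.
# Both groups share a displayName on purpose: Azure AD allows that.
DIRECTORY: Dict[str, dict] = {
    ALICE: {"type": "User", "displayName": "alice"},
    BOB: {"type": "User", "displayName": "bob"},
    CAROL: {"type": "User", "displayName": "carol"},
    SEC_OPS: {"type": "Group", "displayName": "sec-ops", "members": [ALICE, SEC_OPS_NESTED]},
    SEC_OPS_NESTED: {"type": "Group", "displayName": "sec-ops", "members": [BOB]},
}

# Constructed appRoleAssignments: the outer group holds "reader" on APP_A,
# carol holds "admin" directly. Role names are illustrative.
ASSIGNMENTS: List[dict] = [
    {"principalType": "Group", "principalId": SEC_OPS, "appId": APP_A, "appRoleId": "reader"},
    {"principalType": "User", "principalId": CAROL, "appId": APP_A, "appRoleId": "admin"},
]


def direct_groups_of(user_id: str, directory: Dict[str, dict]) -> Set[str]:
    """Groups that list the user directly in members[]."""
    return {gid for gid, obj in directory.items()
            if obj["type"] == "Group" and user_id in obj.get("members", [])}


def effective_app_roles(user_id: str, directory: Dict[str, dict],
                        assignments: List[dict]) -> Set[Tuple[str, str]]:
    """(appId, appRoleId) pairs the user actually holds: direct assignments plus
    assignments to groups of which the user is a direct member. Nested
    membership is deliberately not expanded, matching the limitation above."""
    groups = direct_groups_of(user_id, directory)
    roles: Set[Tuple[str, str]] = set()
    for a in assignments:
        direct_hit = a["principalType"] == "User" and a["principalId"] == user_id
        group_hit = a["principalType"] == "Group" and a["principalId"] in groups
        if direct_hit or group_hit:
            roles.add((a["appId"], a["appRoleId"]))
    return roles


def transitive_users(group_id: str, directory: Dict[str, dict], seen=None) -> Set[str]:
    """Every user reachable through nested groups (cycle-safe)."""
    seen = set() if seen is None else seen
    if group_id in seen:
        return set()
    seen.add(group_id)
    users: Set[str] = set()
    for member in directory[group_id].get("members", []):
        if directory[member]["type"] == "User":
            users.add(member)
        else:
            users |= transitive_users(member, directory, seen)
    return users


def users_not_reached_by_group_role(group_id: str, directory: Dict[str, dict]) -> Set[str]:
    """Users one might expect to hold the group's appRole via nesting but who
    do not: the gap an access review should flag."""
    direct = {m for m in directory[group_id].get("members", [])
              if directory[m]["type"] == "User"}
    return transitive_users(group_id, directory) - direct


def is_canonical_guid(value) -> bool:
    """True only for the 8-4-4-4-12 hyphenated form Azure AD uses for Ids;
    braces, URN prefixes and bare hex are rejected."""
    if not isinstance(value, str):
        return False
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False


def expected_lookup_status(object_id, directory: Dict[str, dict]) -> int:
    """Response code the connector reports for get/edit/delete of a group by Id."""
    if not is_canonical_guid(object_id):
        return 400  # malformed Id, rejected before any lookup
    return 200 if object_id in directory else 404


def groups_named(name: str, directory: Dict[str, dict]) -> List[str]:
    """displayName is not unique, so a name lookup must return every match."""
    return [gid for gid, obj in directory.items()
            if obj["type"] == "Group" and obj["displayName"] == name]
```

With the constructed data, alice (a direct member of sec-ops) holds the reader role, while bob, who is in sec-ops only through the nested group, holds nothing; users_not_reached_by_group_role(SEC_OPS, DIRECTORY) returns exactly that gap.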
Azure AD connector for Safeguard for Privileged Passwords
- For Safeguard for Privileged Passwords, assign at least the Helpdesk Administrator role to the application you created. Helpdesk Administrator can reset passwords only for non-administrators and a limited set of roles, so assign a higher role if the application must manage accounts that themselves hold privileged roles (for example, Billing Administrator or Global Administrator). Whatever holds the application's client secret can exercise that role across the tenant, so protect the secret accordingly.
- For Safeguard for Privileged Passwords, the Azure AD application registration must be public.
- Safeguard for Privileged Passwords supports only the single tenant connector configuration.