Azure AD connector for Safeguard for Privileged Passwords
Azure AD (Azure Active Directory) is Microsoft's cloud-based identity platform, and the Azure AD connector lets Starling Connect manage the users, groups and applications that live in it. With single sign-on, companies can reach any number of network or web-based applications along with hosted access and identity management resources.
Azure AD connectors are available for use with One Identity Safeguard for Privileged Passwords.
NOTE: Update the synchronization shell or create a new synchronization shell in One Identity Manager as changes are introduced in the schema.
Connector Configuration
The Azure AD connector requires customer consent before it can retrieve resource details through the REST APIs. It supports both single tenant and multi tenant configurations, and you can switch from a single tenant connector to a multi tenant connector while configuring the connector in the Starling Connect UI.
Supervisor configuration parameters for single tenant connector
To configure the single tenant connector, the following parameters are required:
- Connector name
- Client Id of the app
- Client Secret of the app
- Directory Id (tenant ID) of the Azure Active Directory
- Target URL (the cloud application's instance URL, used as the target URI in the payload, for example https://graph.microsoft.com/v1.0)
- Instance DateTime Offset (see Configuring additional datetime offset in connectors for more details)
Supervisor configuration parameters for multi tenant connector
To configure the multi tenant connector, the following parameters are required:
- Directory Id (tenant ID) of the Azure Active Directory
- Target URL (the cloud application's instance URL, used as the target URI in the payload, for example https://graph.microsoft.com/v1.0)
- Instance DateTime Offset (see Configuring additional datetime offset in connectors for more details)
Supported objects and operations
Users
Table 174: Supported operations for Users
Operation | HTTP method
Create User | POST
Update User | PATCH
Delete User | DELETE
Get User | GET
Get All Users | GET
Groups
Table 175: Supported operations for Groups
Operation | HTTP method
Create Group | POST
Update Group | PATCH
Delete Group | DELETE
Get Group | GET
Get All Groups | GET
Application
Table 176: Supported operations for Application
Operation | HTTP method
Get Application | GET
Get All Applications | GET
Mandatory fields
Create/Update User
- email.value
- userType
- nickName
- displayName
- password
- active
Groups
Invite User
- redirectUrl
- emails[].value
- userType
User Group and Application mapping
The user, group and application mappings are listed in the tables below:
Table 177: User mapping
SCIM attribute | Azure AD attribute
active | accountEnabled
addresses[0].country | country
addresses[0].locality | city
addresses[0].postalCode | postalCode
addresses[0].region | state
addresses[0].streetAddress | streetAddress
displayName | displayName
emails[0].value | userPrincipalName
groups[].display | memberOf[].displayName
groups[].value | memberOf[].id
Id | id
meta.created | createdDateTime
name.familyName | surname
name.givenName | givenName
nickName | mailNickname
phoneNumbers[0].value | businessPhones[0]
preferredLanguage | preferredLanguage
redemptionUrl | inviteRedeemUrl
redirectUrl | inviteRedirectUrl
title | jobTitle
userExtension.applications[].display | applications[].displayName
userExtension.applications[].principalId | applications[].principalId
userExtension.applications[].principalType | applications[].principalType
userExtension.applications[].value | applications[].appId
userExtension.department | department
userExtension.employeeNumber | employeeId
userExtension.manager.displayName | manager.displayName
userExtension.manager.value | manager.id
userExtension.organization | companyName
userName | userPrincipalName
userType | userType
Groups
Table 178: Group mapping
SCIM attribute | Azure AD attribute
enterpriseExtension.applications[].value | applications[].appId
enterpriseExtension.applications[].display | applications[].displayName
enterpriseExtension.applications[].principalId | applications[].principalId
enterpriseExtension.applications[].principalType | applications[].principalType
displayName | displayName
enterpriseExtension.description | description
enterpriseExtension.mailNickname | mailNickname
Id | id
members[].display | members[].displayName
members[].value | members[].id
meta.created | createdDateTime
Application
Table 179: Application mapping
SCIM attribute | Azure AD attribute
appId | appId
displayName | displayName
Id | id
meta.created | createdDateTime
publisherDomain | publisherDomain
Connector limitations
- lastModified is not provided for Users, Groups or Applications.
- Groups are of two types: Security groups and Office 365 groups. Azure AD allows users and groups as members of groups: Security groups can have users and other Security groups as members, whereas Office 365 groups can have only users as members.
- With a trial Azure AD account, only Security groups can be created through the APIs. For information on mapping the appropriate properties, see the User and Group sections.
- If an appRole is assigned to a group, only the direct user members of that group have that appRole assigned to them; users who belong to nested member groups do not inherit it.
- Azure AD resource IDs are GUIDs. When you edit, retrieve, or delete a group by ID and the value is not a well-formed GUID, the connector returns response code 400. If the value is a well-formed GUID that does not match any object, the connector returns 404.
- The email value for a user must use a domain that is verified in the selected Active Directory. To find the verified domains, open Azure Active Directory in the Azure portal: the verified domain names are displayed on the Overview page above the directory name.
- Group names are not unique: you can create multiple groups with the same name, so identify a group by its ID rather than by its displayName.
- For more information on the password policy settings applied to user accounts created and managed in Azure AD, see Password policies that only apply to cloud user accounts.
- For Safeguard for Privileged Passwords, assign at least the Helpdesk Administrator role to the application you created. Assign a higher role (for example, Billing Administrator or Global Administrator) only if you need to manage special accounts that require it; Global Administrator gives the application control over the whole tenant, so keep to the lowest role that covers the accounts you manage.
- For Safeguard for Privileged Passwords, the Azure AD application registration must be public.
- Safeguard for Privileged Passwords allows only a single tenant connector configuration.
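The following is an added example, not code from the Starling Connect or Safeguard documentation. It applies a subset of the Table 177 user mapping to a SCIM user, enforces the mandatory Create/Update fields and the verified-domain rule from the limitations above, and models the 400/404 response codes for lookups by ID. The sample user, the verified domain list, the passwordProfile handling and all function names are assumptions for illustration.

```python
# Added example: SCIM -> Microsoft Graph user mapping for the Azure AD connector.
# Not part of the Starling Connect or Safeguard code; sample data is constructed.
import re
import uuid

# Subset of Table 177 on this page: SCIM attribute path -> Graph property.
USER_MAPPING = {
    "active": "accountEnabled",
    "displayName": "displayName",
    "emails[0].value": "userPrincipalName",
    "name.familyName": "surname",
    "name.givenName": "givenName",
    "nickName": "mailNickname",
    "addresses[0].country": "country",
    "addresses[0].locality": "city",
    "addresses[0].postalCode": "postalCode",
    "addresses[0].region": "state",
    "addresses[0].streetAddress": "streetAddress",
    "phoneNumbers[0].value": "businessPhones[0]",
    "title": "jobTitle",
    "userExtension.department": "department",
    "userExtension.employeeNumber": "employeeId",
    "userExtension.organization": "companyName",
    "userType": "userType",
}

# Mandatory fields for Create/Update User as listed on the page.
MANDATORY = ["emails[0].value", "userType", "nickName", "displayName", "password", "active"]

# One token per path segment: a property name, or a numeric index in brackets.
_PATH_RE = re.compile(r"([^.\[\]]+)|\[(\d+)\]")


def scim_get(obj, path):
    """Resolve a SCIM path such as 'addresses[0].country'; None if absent."""
    cur = obj
    for name, idx in _PATH_RE.findall(path):
        if name:
            if not isinstance(cur, dict) or name not in cur:
                return None
            cur = cur[name]
        else:
            if not isinstance(cur, list) or int(idx) >= len(cur):
                return None
            cur = cur[int(idx)]
    return cur


def graph_set(graph, path, value):
    """Write a Graph property; 'businessPhones[0]' is the only indexed target in the table."""
    if path.endswith("[0]"):
        graph[path[:-3]] = [value]
    else:
        graph[path] = value


def validate_user(scim_user, verified_domains):
    """List problems: missing mandatory fields, or a UPN whose domain is not
    verified in the directory (the page says such email values are rejected)."""
    problems = [f"missing mandatory field {p}" for p in MANDATORY
                if scim_get(scim_user, p) in (None, "")]
    upn = scim_get(scim_user, "emails[0].value") or ""
    domain = upn.rpartition("@")[2].lower()
    if domain not in {d.lower() for d in verified_domains}:
        problems.append(f"domain '{domain}' is not a verified domain of the directory")
    return problems


def scim_to_graph_user(scim_user, verified_domains):
    """Build the Graph POST /users body from a SCIM user, or raise ValueError."""
    problems = validate_user(scim_user, verified_domains)
    if problems:
        raise ValueError("; ".join(problems))
    graph = {}
    for scim_path, graph_path in USER_MAPPING.items():
        value = scim_get(scim_user, scim_path)
        if value is not None:
            graph_set(graph, graph_path, value)
    # Assumption: the page does not say how the connector carries the password;
    # Graph's own create-user contract takes it in passwordProfile.
    graph["passwordProfile"] = {"password": scim_user["password"],
                               "forceChangePasswordNextSignIn": False}
    return graph


def response_code_for_id(object_id, existing_ids):
    """Model the limitation on this page: a malformed GUID yields 400, a
    well-formed GUID that matches no object yields 404, otherwise 200."""
    try:
        uuid.UUID(object_id)
    except ValueError:
        return 400
    return 200 if object_id.lower() in {i.lower() for i in existing_ids} else 404


# Constructed sample input (not real tenant data).
VERIFIED_DOMAINS = ["contoso.example"]
SAMPLE_SCIM_USER = {
    "userName": "jdoe@contoso.example",
    "displayName": "Jane Doe",
    "nickName": "jdoe",
    "userType": "Member",
    "active": True,
    "password": "Replace-Me-Before-Use-1!",
    "emails": [{"value": "jdoe@contoso.example", "primary": True}],
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "addresses": [{"country": "US", "locality": "Redmond", "postalCode": "98052",
                   "region": "WA", "streetAddress": "1 Example Way"}],
    "phoneNumbers": [{"value": "+1 425 555 0100", "type": "work"}],
    "title": "Security Engineer",
    "userExtension": {"department": "Security", "employeeNumber": "E1234",
                      "organization": "Contoso"},
}

if __name__ == "__main__":
    import json
    print(json.dumps(scim_to_graph_user(SAMPLE_SCIM_USER, VERIFIED_DOMAINS), indent=2))
    print(response_code_for_id("not-a-guid", set()))
```

Running the module prints the Graph body for the sample user; the domain check is the one to keep in front of any create call, because a rejected domain surfaces only as an API error after the secret-bearing request has already been sent.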
Google Workspace
Google Workspace (formerly GSuite) is a cloud computing, productivity, and collaboration tool. It includes the Google web applications Gmail, Drive, Hangouts, Calendar, and Docs. It also includes an interactive whiteboard. The enterprise version offers custom-domain email addresses, additional storage, and 24/7 phone and email support.
You must create a service account to access the Google Workspace services. For information on creating a service account, see Creating a service account in Google Workspace.
Supervisor configuration parameters
To configure the connector, the following parameters are required:
- Connector name
- UserName
- Private Key (the whole JSON content of the private key file created for the service account; this file contains the service account's private key, so store and transmit it as a secret)
- Target URL (the cloud application's instance URL, used as the targetURI in the payload, for example https://www.googleapis.com/admin/directory/v1)
- Customer Id
- Instance DateTime Offset (see Configuring additional datetime offset in connectors for more details)
Supported objects and operations
Users
Table 180: Supported operations for Users
Operation | HTTP method
Create User | POST
Update User | PUT
Delete User | DELETE
Get User | GET
Get All Users | GET
Get All Users with Pagination | GET
Groups
Table 181: Supported operations for Groups
Operation | HTTP method
Create Group | POST
Update Group | PUT
Delete Group | DELETE
Get Group | GET
Get All Groups | GET
Get All Groups with Pagination | GET
Mandatory fields
Users
- FirstName
- LastName
- Password
Groups
- Email
User and Group mapping
The user and group mappings are listed in the tables below.
Table 182: User mapping
SCIM attribute | Google Workspace attribute
Id | id
userName | primaryEmail
Name.GivenName | name.givenName
Name.FamilyName | name.familyName
Name.Formatted | name.fullName
DisplayName | name.fullName
Emails[0].value | primaryEmail
Addresses[0].StreetAddress | streetAddress
Addresses[0].Locality | locality
Addresses[0].Region | region
Addresses[0].PostalCode | postalCode
PhoneNumbers[0].Value | phones[0].value
PhoneNumbers[0].Type | phones[0].type
Active | suspended
ExternalId | externalIds.value
Extension.Organization | organizations.name
Extension.Department | organizations.department
Extension.Division | organizations.location
Created | creationTime
Groups
Table 183: Group mapping
SCIM attribute | Google Workspace attribute
Id | id
displayName | name
members.value | groupMembers.id
members.type | groupMembers.type
groupExtension.Email | email
groupExtension.Description | description
Connector limitations
- The connector uses cursor-based pagination, and the cursor stays valid even if the count (page size) is changed between subsequent requests.
- The created date is returned for Users. Neither the created date nor the modified date is returned for Groups.
- A user's group memberships are not included in the user details.
- The email addresses of Users and Groups to be created must include a domain name that belongs to the target Google Workspace instance.
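The following is an added example, not code from the Starling Connect or Safeguard documentation. It simulates the Directory API users.list paging contract with a constructed in-memory directory, walks the cursor while changing maxResults between requests (the pagination behaviour noted above), applies a subset of the Table 182 mapping including the inverted suspended to active flag, and checks the target-domain rule for new email addresses. The fake server, the token encoding, the sample accounts and all function names are assumptions for illustration.

```python
# Added example, not part of the Starling Connect or Safeguard code.
# Simulates Directory API paging (users + nextPageToken) over constructed data.
import base64
import json

# Constructed sample directory of seven accounts; every third one is suspended.
DIRECTORY_USERS = [
    {
        "id": f"10000{i}",
        "primaryEmail": f"user{i}@example.test",
        "name": {"givenName": f"User{i}", "familyName": "Test", "fullName": f"User{i} Test"},
        "suspended": i % 3 == 0,
        "creationTime": "2024-01-01T00:00:00.000Z",
    }
    for i in range(7)
]


def _encode_token(offset):
    # Real page tokens are opaque; a base64 JSON blob plays that role here (assumption).
    return base64.urlsafe_b64encode(json.dumps({"o": offset}).encode()).decode()


def _decode_token(token):
    return json.loads(base64.urlsafe_b64decode(token.encode()))["o"]


def fake_users_list(customer, maxResults=100, pageToken=None):
    """Stand-in for GET .../admin/directory/v1/users?customer=...&maxResults=...&pageToken=...
    Returns the API's shape: 'users' plus 'nextPageToken' while more remain."""
    start = _decode_token(pageToken) if pageToken else 0
    page = DIRECTORY_USERS[start:start + maxResults]
    resp = {"kind": "admin#directory#users", "users": page}
    if start + maxResults < len(DIRECTORY_USERS):
        resp["nextPageToken"] = _encode_token(start + maxResults)
    return resp


def google_user_to_scim(u):
    """Subset of Table 182. 'suspended' is the negation of SCIM 'active'."""
    return {
        "id": u["id"],
        "userName": u["primaryEmail"],
        "emails": [{"value": u["primaryEmail"], "primary": True}],
        "name": {"givenName": u["name"]["givenName"],
                 "familyName": u["name"]["familyName"],
                 "formatted": u["name"]["fullName"]},
        "displayName": u["name"]["fullName"],
        "active": not u.get("suspended", False),
        "meta": {"created": u["creationTime"]},
    }


def fetch_all_users(list_fn, customer, page_sizes):
    """Follow nextPageToken until exhausted. page_sizes[i] is the maxResults used
    on request i (the last value repeats), so the count changes between requests
    while the same cursor is reused, which the page says the connector tolerates."""
    results, token, i = [], None, 0
    while True:
        size = page_sizes[min(i, len(page_sizes) - 1)]
        resp = list_fn(customer, maxResults=size, pageToken=token)
        results.extend(google_user_to_scim(u) for u in resp.get("users", []))
        token = resp.get("nextPageToken")
        i += 1
        if not token:
            return results


def email_in_target_domain(email, target_domains):
    """Create requests must use a domain of the target instance (page limitation)."""
    return email.rpartition("@")[2].lower() in {d.lower() for d in target_domains}


if __name__ == "__main__":
    users = fetch_all_users(fake_users_list, "C0example", [2, 3, 1])
    print(len(users), [u["active"] for u in users])
```

The customer argument stands for the connector's Customer Id parameter. Because the mapping inverts the flag, a consumer that copies suspended straight into active would enable exactly the accounts the administrator disabled; the negation in google_user_to_scim is the point to check when reviewing a mapping.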
Google Workspace connector for Safeguard for Privileged Passwords
- The following OAuth scopes need to be authorized: