Synchronization Service reads and writes data in Microsoft Azure Active Directory by using an application that exists in your Microsoft Azure Active Directory environment. This step describes how to configure such an application.
To configure an application
You can assign the required permissions to the application by running a Windows PowerShell script. Below is an example of such a script. To run the script, you need to install Microsoft Azure PowerShell on your computer.
# Replace <ClientID> with the Client ID of the Active Roles Azure AD Connector Application (example format: 455ad643-332g-32h7-q004-8ba89ce65ae26)
$Id = "<ClientID>"
# Prompt for Microsoft Azure AD Global Admin credentials.
# Save the supplied credentials to the $creds variable.
$creds = Get-Credential
# Connect to Azure AD using the credentials stored in $creds.
Connect-MsolService -Credential $creds
# Get the service principal of the Active Roles Azure AD Connector Application and save it to the $servicePrincipal variable.
$servicePrincipal = Get-MsolServicePrincipal -AppPrincipalId $Id
# Get the object ID of the required role ("Company Administrator") and save it to the $roleId variable.
$roleId = (Get-MsolRole -RoleName "Company Administrator").ObjectId
# Assign the required role to the service principal of the Active Roles Azure AD Connector Application.
Add-MsolRoleMember -RoleObjectId $roleId -RoleMemberObjectId $servicePrincipal.ObjectId -RoleMemberType ServicePrincipal
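The script above grants the connector's service principal the Company Administrator role, which in the MSOnline cmdlets is the tenant-wide Global Administrator role. The following script is an added example, not part of the One Identity documentation: it confirms the assignment took effect and lists every other service principal that holds the same role, so the people who ran the script can verify the result and review which applications have tenant-wide administrative rights. It assumes the MSOnline module is installed, that Connect-MsolService has already been run, and that <ClientID> is replaced with the connector application's Client ID.

```powershell
# Added example (not from the One Identity documentation): verify the role
# assignment and audit which service principals hold Company Administrator.
# Assumes the MSOnline module is loaded and Connect-MsolService has been run.
# <ClientID> is a placeholder for the connector application's Client ID.
$Id = "<ClientID>"

$roleId = (Get-MsolRole -RoleName "Company Administrator").ObjectId
$servicePrincipal = Get-MsolServicePrincipal -AppPrincipalId $Id

# Enumerate all members of the role and keep only the service principals.
$spMembers = Get-MsolRoleMember -RoleObjectId $roleId -All |
    Where-Object { $_.RoleMemberType -eq "ServicePrincipal" }

# Confirm that the connector application is among the role members.
$assigned = $spMembers | Where-Object { $_.ObjectId -eq $servicePrincipal.ObjectId }
if ($assigned) {
    Write-Output "Connector application '$($servicePrincipal.DisplayName)' holds Company Administrator."
} else {
    Write-Warning "Connector application is not a member of Company Administrator; rerun the assignment script."
}

# Every other service principal in this role has tenant-wide admin rights and should be reviewed.
$others = $spMembers | Where-Object { $_.ObjectId -ne $servicePrincipal.ObjectId }
if ($others) {
    Write-Output "Other service principals holding Company Administrator:"
    $others | Select-Object DisplayName, ObjectId | Format-Table -AutoSize
} else {
    Write-Output "No other service principals hold Company Administrator."
}
```

Run the check with the same Global Admin credentials used for the assignment; the output of the second part is a useful baseline to keep, because any service principal that later appears in this list gained tenant-wide rights.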
You need to supply the copied client ID and key when creating a new or modifying an existing connection to Microsoft Azure Active Directory in the Synchronization Service Administration Console.
To create a new connection
This section assumes that your Microsoft Azure Active Directory environment already includes an application through which Synchronization Service can read and write data. For more information, see Step 1: Configure an application in Microsoft Azure Active Directory.
To modify connection settings
The next table lists the Microsoft Azure Active Directory object types supported by the Microsoft Azure AD Connector out of the box. The table also provides information about the operations you can perform on these objects by using the Microsoft Azure AD Connector.
Object | Read | Create | Delete | Update
User | Yes | Yes | Yes | Yes
Group | Yes | Yes | Yes | Yes
The next sections describe the attributes provided by the Microsoft Azure AD Connector. By using these attributes, you can read and/or write data related to a particular object in Microsoft Azure Active Directory.
In the next sections:
© 2021 One Identity LLC. ALL RIGHTS RESERVED.