Synchronizing Entra ID (Azure) Groups to IAP
  • 01 Dec 2023

When Itential Automation Platform (IAP) is configured to use Microsoft Entra ID (formerly known as Azure Active Directory) as its AAA source, IAP permissions can be assigned to users via Entra ID group membership. To do this, Entra ID groups present in the connected tenant are synchronized to IAP. An IAP administrator can then assign roles to these groups, and users will receive the corresponding permissions when they log in to IAP with their Azure credentials.

In this guide, you will learn how to configure the Azure adapter to synchronize Entra ID groups to IAP.

Select a Method for Group Tracking

The Azure adapter's group synchronization behavior is controlled by its service configuration -- specifically, by the parameters of the groupSync property, listed below.

  • interval (required) - How often, in seconds, Entra ID groups are synchronized to IAP.
  • method (required) - The method used to synchronize Entra ID groups to IAP. Available synchronization methods are:
      - all: Synchronizes all Entra ID groups present in the connected tenant. This can cause performance issues when dealing with a large number of groups.
      - master: Designates an Entra ID group as the synchronization source. All child groups will be synchronized.
      - account: Designates an Entra ID account as the synchronization source. Any groups this account is a member of will be synchronized.
  • masterGroup (required only with the master method) - The Object ID of the Entra ID group to be used as the synchronization source.
  • serviceAccount (required only with the account method) - The Object ID of the Entra ID account to be used as the synchronization source.

Figure 1: Azure Adapter Service Configuration (screenshot of the groupSync settings)

Configure Entra ID Group Synchronization

The exact steps needed to configure group synchronization depend on your environment. In general:

  1. Optionally, fine-tune the synchronization interval as desired.
  2. Determine which synchronization method to use based on your needs. For example, all may be acceptable for development environments, but is likely to cause performance issues in production environments.
  3. If using the master or account synchronization method, retrieve the desired group or account Object ID from Azure, respectively.
  4. Provide this Object ID to masterGroup or serviceAccount as appropriate.
ⓘ Note: Object IDs are retrieved from the Azure portal. For further information about Object IDs, refer to the Microsoft Azure documentation.
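The following is an added example, not code from Itential or from the Azure adapter. It takes the groupSync rules stated in the parameter list and the steps above and turns them into a pre-deployment check: interval must be a positive number of seconds, method must be one of all, master or account, masterGroup is required only for master and serviceAccount only for account, and the value supplied must look like an Azure Object ID (a GUID). The sample configurations, the all-zero placeholder Object ID and the surrounding "groupSync" key placement are constructed for illustration; only the parameter names and their meaning come from the documentation.

```python
import re

# The three synchronization methods documented for the Azure adapter.
VALID_METHODS = {"all", "master", "account"}

# Azure Object IDs are GUIDs: 8-4-4-4-12 hexadecimal characters.
OBJECT_ID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def validate_group_sync(group_sync: dict, production: bool = False) -> list[str]:
    """Return a list of problems found in a groupSync block; an empty list means it passed.

    When production=True, the 'all' method is flagged because it synchronizes
    every group in the tenant, which the documentation warns is a performance risk.
    """
    problems = []

    # interval: required, positive number of seconds (reject bools, which are ints in Python).
    interval = group_sync.get("interval")
    if not isinstance(interval, int) or isinstance(interval, bool) or interval <= 0:
        problems.append("interval is required and must be a positive number of seconds")

    # method: required, one of the documented values.
    method = group_sync.get("method")
    if method not in VALID_METHODS:
        problems.append(f"method must be one of {sorted(VALID_METHODS)}, got {method!r}")
    if method == "all" and production:
        problems.append("method 'all' synchronizes every tenant group; expect performance issues in production")

    # masterGroup is only meaningful for 'master', serviceAccount only for 'account'.
    required_source = {"master": "masterGroup", "account": "serviceAccount"}.get(method)
    for key in ("masterGroup", "serviceAccount"):
        value = group_sync.get(key)
        if key == required_source:
            if not value:
                problems.append(f"{key} is required when method is {method!r}")
            elif not OBJECT_ID_RE.match(str(value)):
                problems.append(f"{key} must be an Azure Object ID (GUID), got {value!r}")
        elif value:
            problems.append(f"{key} is set but ignored for method {method!r}")

    return problems


# Constructed sample configurations. The Object ID is an all-zero placeholder,
# not a real tenant object; the position of "groupSync" inside the adapter's
# service configuration is assumed here.
EXAMPLE_MASTER = {
    "groupSync": {
        "interval": 300,
        "method": "master",
        "masterGroup": "00000000-0000-0000-0000-000000000000",
    }
}

# Deliberately broken: zero interval, wrong source key for the chosen method,
# and the key the method actually needs is missing.
EXAMPLE_BROKEN = {
    "groupSync": {
        "interval": 0,
        "method": "account",
        "masterGroup": "not-a-guid",
    }
}

if __name__ == "__main__":
    for name, cfg in (("master", EXAMPLE_MASTER), ("broken", EXAMPLE_BROKEN)):
        result = validate_group_sync(cfg["groupSync"], production=True)
        print(f"{name}: {result or 'OK'}")
```

Run the check against the groupSync block before restarting the adapter; a non-empty list points at exactly which of the four parameters needs attention, and the production flag surfaces the all-method warning from step 2 without blocking its use in a development tenant.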

Figure 2: Azure Object ID (screenshot of the Object ID field in the Azure portal)
