Platform On-PremControl accessAuthenticationAzure AD

Synchronize Entra ID groups with Itential Platform

When Itential Platform is configured to use Microsoft Entra ID (formerly Azure Active Directory) as its AAA source, Itential Platform permissions can be assigned to users via Entra ID group membership. To do this, Entra ID groups present in the connected tenant are synchronized to Itential Platform. An Itential Platform administrator can then assign roles to these groups, and users receive the corresponding permissions when they log in with their Azure credentials.

Select a method for group tracking

The Azure adapter’s group synchronization behavior is controlled by its service configuration — specifically, by the parameters of the groupSync property:

ParameterDescription
intervalRequired. How often, in seconds, Entra ID groups are synchronized to Itential Platform.
methodRequired. The method used to synchronize Entra ID groups to Itential Platform. Available methods: all — synchronizes all Entra ID groups in the connected tenant (can cause performance issues with large numbers of groups); master — designates an Entra ID group as the synchronization source and synchronizes all child groups; account — designates an Entra ID account as the synchronization source and synchronizes any groups the account is a member of.
masterGroupOnly required when using the master method. The Object ID of the Entra ID group to be used as the synchronization source.
serviceAccountOnly required when using the account method. The Object ID of the Entra ID account to be used as the synchronization source.
Azure adapter service configuration

Configure Entra ID group synchronization

The exact steps needed to configure group synchronization depend on your environment. In general:

  1. Optionally, fine-tune the synchronization interval as desired.
  2. Determine which synchronization method to use based on your needs. For example, all may be acceptable for development environments, but is likely to cause performance issues in production environments.
  3. If using the master or account synchronization method, retrieve the desired group or account Object ID from Azure.
  4. Provide this Object ID to masterGroup or serviceAccount as appropriate.

Object IDs are retrieved from the Azure portal. For further information about Object IDs, refer to the Microsoft Azure documentation.

Azure Object ID