Versions Compared

Version Old Version 40 New Version Current
Changes made by

Sowmya Manian

Sowmya Manian

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Include Page
API Header
API Header

Prerequisites

InfoNote: To configure sync with Microsoft Entra ID (AAD) you need to be an admin or application owner within Zilla AND have admin access to your organization's Microsoft Entra ID application, specifically Global administrator role.This article covers the following topics:

Table of Contents
minLevel1
maxLevel6
outlinefalse
styledefault
typelist
printabletrue

Minimum Required Permissions

  • Admin or application owner permissions in Zilla

  • Global administrator permissions in Microsoft Entra ID (AAD)

Obtaining API Information

  1. Login to Microsoft Azure with your global admin credentials.

  2. Click Microsoft Entra ID to be redirected to your tenant’s overview page.

    Image Removed

...

  1. Copy and save the Primary domain for the tenant you want to sync for use in a later step in Zilla while configuring Microsoft Entra ID.

...

...

Set Up the Integration in Zilla

...

  1. Add the desired application to Zilla. For instructions on this process, refer to this article.

  2. Click Sync now in the top right corner

...

2. You will see Add Application screen with Search Library tab. Type entra as search text, and click Add to Applications button on the right side of the Microsoft Entra ID (Azure Active Directory) entry.

...

  1. Fill in the form with appropriate details and click Add to Applications button.

...

  1. The Entra ID instance will be added to your Applications, and you will be brought to a detailed application instance page. Click Sync now in the top right corner.

...

  1. A dialogue appears, enable API Integration.

...

  1. Upon enabling the API Integration more customization options appear. Information is given for each configuration field below the screenshot.

...

  1. on the application instance page for Entra ID.

...

  1. Use the toggle to enable API Integration in the dialog that appears.

...

Additional fields will appear. See the list under the image below for information on each.

...

  • AAD tenant's domain name* - This is a required : Required field. Fill in Enter the Primary domain name saved above under Prerequisites sectionin step 3.

  • Sync Groups data? (Yes/No)*- This is a required : Required field. This controls the overall behavior as to whether or not to sync any groups group data. The default value is Yes. When set to No, Zilla will not sync any group details from Graph.

  • Sync Security Enabled Groups Only? (Yes/No)*- This is a required : Required field. The default value is Yes and Zilla will sync only Security Enabled Groups. When set to No, Zilla will sync all the groups provided the above field Sync Groups data is set to Yes.

  • Comma - separated attributes that identify a user - : Provide an Entra ID-specific attribute (eex. g., employeeId, jobTitle, or department, etc.) for which you want to sync Entra ID users. For example, if you specify department, only accounts that have a defined department will be imported. If multiple attributes are specified, all accounts having at least one of the attributes defined will be imported. Be sure to refer to this document before entering the attribute, otherwise all the accounts will be marked as Service if the attribute does not match with what is specified in the document.

  • Comma separated unique identifier attributes for a User: Provide a comma separated list of Entra ID specific attribute(s) (ex. employeeId, mail, profile.id etc.). These attributes will be used to uniquely identify Users with the Accounts that are synced. Apart from id (that is saved as a Universal ID by default), all attributes that are found will be added to the list of Universal IDs for the Account / User.

  • Auto Discover Azure Cloud subscriptions? (Yes/No)* - This is a required field: Required field. The default value is No. Yes will auto-discover all the Azure Cloud subscriptions and create application instances for them in Zilla. Default value: No.

  • Auto Sync discovered subscriptions? (Yes/No)* - This is a required : Required field. Yes will automatically sync the auto-discovered subscriptions when the parent is synced. This value should be set to No if Auto Discover Azure Cloud subscriptions? (Yes/No) is set to No. Default The default value : is No.

  • Sync last login? (Yes/No) - : Yes will bring lastLogin activity of users. Default The default value is No.

...

Note for syncing Last login:

    • To complete the configuration of the last login setting

...

    • , the global admin must re-authenticate after

...

    • selecting Yes

...

    • and check

...

    • the Re-authenticate API

...

    • integration box if this is not the first sync

...

    • .

    • The last login data that is synced in Zilla

...

    • will match what is displayed

...

    • in the

...

    • Overview

...

    • tab of Azure.

...

  • Comma separated custom select fields (e.g., country, id) - : This configuration allows you to retrieve additional fields from Microsoft Entra ID by specifying a comma-separated list of field names. For example, you can input "city, officeLocation" to retrieve the city and office location field. For more info information, refer this https://learn.microsoft.com/en-us/graph/query-parameters?tabs=http#select-parameterto this document.

  • Enable account modifications? (Yes/No)* - This is a required : Required field. Yes will automatically revoke group memberships, group ownerships and permissions that have been flagged for revocation after an access review during a sync. Note: This setting is only available if Account Modifications are enabled in the tenant Settings.

  1. Click Sync Now/Next.

  2. In the next pop-updialog, click Next.

...

  1. You will be taken to the Microsoft site where you need to log in with as a user with the Admin ( Global administrator ) role for the Azure portal and check the box to grant consent on behalf of the organization.

The consent screen will look like the image below when Auto Discover Azure Cloud subscriptions? (Yes/No) is set to Yes.

...

The consent screen will look like the image below when Auto Discover Azure Cloud subscriptions? (Yes/No) is set to No.

...

The consent screen will look like the image below when Enable account modifications? (Yes/No)(Yes/No) is set to Yes. Highlighted permissions are the new ones for consent if you have previously synced Entra ID with Enable account modifications? (Yes/No) set as No.

...

  1. Click Accept. On successful OAuth, you will be redirected to Zilla with Sync in progress... message for the newly added Entra ID application instance. Click Done

...

  1. .

...

If the sync was successful, a notification indicating that the sync completed will appear.

...

  1. Review the sync summary, click Close. Review the information in Zilla that was synced.

...

...

Set Up the Integration with Global Reader Permissions

In some cases, the process of configuring and using Entra ID API through Zilla to sync permissions and users with your organization's Entra ID may be done by an Azure user with Global Reader permissions. When an Azure Global Reader makes the initial sync request the request will need to be approved within the Azure portal by a Global Administrator as shown in the steps below:.Step 1.

  1. Global Reader initiates Entra ID sync with Zilla.

...

  1.  A consent request will be created in the Azure portal.

...

    ...

    1. In Entra ID go to Enterprise applications, then Admin consent requests. The pending request appears waiting for approval.

    ...

      ...

      1. The Global Administrator approves the permissions request by clicking Accept.

      ...

      Note:If you try to sync in a tenant other than the one for which you have entered the domain, Microsoft will return an error message.

      ...

      Note:

      ...

      If a user has already consented to the sync with Enable account modifications?

      ...

      Yes/No

      ...

      and Auto Discover Azure Cloud subscriptions

      ...

      (Yes/No) set to No,

      ...

      when re-authenticating the consent screen will not be shown for the same Azure user performing the sync. If the

      ...

      values are set to Yes

      ...

      , the same user will

      ...

      see the consent screen

      ...

      without re-authentication until

      ...

      the user gives consent for these permissions.

      Azure Cloud Subscription Instances

      Azure Cloud is a Child Application of Microsoft Entra ID. Its configuration looks something like this:

      ...

      The 3rd configuration - Sync Classic Administrators ( Yes/No ) - is for syncing the Classic Administrator roles. It has a default value of Yes. This concept is soon going to be deprecated by Microsoft, and hence might cause your syncs to fail. In case that starts happening, you could switch the config value to No. This will not bring in any of the CoAdministrator roles in your account.

      Troubleshooting guide

      Expand
      titleAuthentication Issues like 401 or 403

      401 Unauthorized

      This error occurs when your session has expired or the authentication token is invalid.

      How to Fix

      1. Go to the configuration settings.

        image-20250214-101611.png

      2. Enable the "Re-authenticate API integration" option.

      3. Click on “Sync Now” Sync Now to refresh authentication.

      403 Forbidden

      This error indicates insufficient permissions to access the Microsoft API.

      How to Fix

      1. Verify Admin Consent in Microsoft Entra ID

        • Go to Microsoft Azure Portal and log in.

        • Navigate to Enterprise Applications.

          image-20250214-102302.png

        • Search for your application and select it.

          image-20250221-061622.png

        • Under the Security section, go to Permissions.

          image-20250221-061710.png

        • Ensure the required permissions have Admin Consent.

          image-20250217-094219.png

      2. Re-authenticate & Sync Again

        • Re-authenticate your account , then and click on Sync Now.

          image-20250214-101611.png

        • Proceed with the usual sync steps.

      1. Revoke and Reauthorize Permissions (if the issue persists)

        • Follow the steps above to access the Permissions list.

        • Revoke all security permissions for Zilla in Microsoft Entra ID.

        • Grant the required permissions again.

        • Reauthorize access through the sync process.

      info
      Expand
      titleNot able to bring last login date?

      Note for syncing Last login:

      To complete the configuration of the last login

      configuration

      setting,

      set the Sync last login? (Yes/No) field to Yes. If this is not the first sync, check the "

      the global admin must re-authenticate after selecting Yes and check the Re-authenticate API integration

      " box and re-authenticate.Also, user who is authorizing the sync should have Global Administrator role

      box if this is not the first sync.

      The last login data that is synced in Zilla

      matches with

      will match what is displayed

      on

      in the

      User’s

      Overview

      page

      tab of Azure.

      image-20250326-130257.pngImage AddedImage Removed

      Additional Resources

      Include Page
      Integrations Footer
      Integrations Footer