Versions Compared

Version Old Version 11 New Version Current
Changes made by

Nathaniel Lichauco (Unlicensed)

Sowmya Manian

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Include Page
API Header
API Header
This page outlines the process of configuring and using the Azure Active Directory API through Zilla to sync permissions and users.

Prerequisites

Info

Note: To

do this operation

configure sync with Microsoft Entra ID (AAD) you need to be an admin or application owner within Zilla

&

AND have admin access

with

to your organization's

Azure Active Directory-AAD ( Specifically

Microsoft Entra ID application, specifically Global administrator role

) application

.

  1. Login to

...

  1. Microsoft Azure with your admin credentials

...

  • You will see your Zilla applications tab, Locate Add Application button at the right top, click it,

...

  1. .

  2. Click Microsoft Entra ID to be redirected to your tenant’s overview page.

    Image Added

  3. Copy and save the Primary domain for the tenant you want to sync for use in a later step in Zilla while configuring Microsoft Entra ID.

    Image Added

Setup Microsoft Entra ID instance in Zilla

  1. Login to Zilla with your admin credentials. Click Add Application in the top right corner.

...

2. You will see Add Application screen with Search Library tab

...

. Type entra as search text,

...

and click Add to Applications button on the right side

...

  • A dialog appears, add the required field Instance Name & you can choose to fill in optional fields for Owner & criticality. Click Add to Applications

...

  • The AAD instance will get added to your Applications, You can see it appear there. Click on the AAD app name,

...

  • You will see a detailed AAD Application page. On the right top, you will see Sync now button click it,

...

  • A dialog appears, Enable API Integration

...

of the Microsoft Entra ID (Azure Active Directory) entry.

...

  1. Fill in the form with appropriate details and click Add to Applications button.

...

  1. The Entra ID instance will be added to your Applications, and you will be brought to a detailed application instance page. Click Sync now in the top right corner.

...

  1. A dialogue appears, enable API Integration.

...

  1. Upon enabling the API Integration more customization options appear

...

First, in the Comma separated roles to be synced provide an AAD Specific roles list, if you want only users of certain roles on AAD to get synced. e.g. If you want to sync all Azure AD users leave this box empty. If you only want all users which are having Global administrator & Global reader roles your configuration will look like as follows:

...

Note: If any roles are provided, the Sync All Accounts? (Yes/No) value will be considered No, even if you say Yes

...

Second, Is this a directory? (Yes/No) if this is your organization directory then say Yes otherwise if it is a non-directory app say No, e.g. An organization that uses AAD as the directory will have the following configuration, By default, it will be No

...

...

Sync All Accounts? ( Yes/No ) filling Yes here would sync all your organization users, No will sync only users who have any roles assigned to them, User without any roles will not be synced. Default value Yes (unless roles are specified under Comma separated roles to be synced in which case this configuration will always be No

...

Finally, Sync All Groups? ( Yes/No ) will sync all groups from AAD if provided Yes otherwise only security-enabled groups are synced. Default is No

None of the above 1-4 configs are mandatory. Click the Next button,

  • Next, you will see a small dialog In the next step, you may be asked to log in to Azure Active Directory - first instance, and then sync will start automatically. Click Next

...

...

  1. . Information is given for each configuration field below the screenshot.

...

  • AAD tenant's domain name* - This is a required field. Fill in the domain name saved above under Prerequisites section.

  • Sync Groups data? (Yes/No)*- This is a required field. This controls the overall behavior as to whether or not sync any groups data. The default value is Yes. When set to No, Zilla will not sync any group details from Graph.

  • Sync Security Enabled Groups Only? (Yes/No)*- This is a required field. The default value is Yes and Zilla will sync only Security Enabled Groups. When set to No, Zilla will sync all the groups provided the above field Sync Groups data is set to Yes.

  • Comma-separated attributes that identify a user - Provide an Entra ID specific attribute (e.g., employeeId, jobTitle, department, etc) for which you want to sync Entra ID users. For example, if you specify department, only accounts that have a defined department will be imported. If multiple attributes are specified, all accounts having at least one of the attributes defined will be imported. Be sure to refer to this document before entering the attribute, otherwise all the accounts will be marked as Service if the attribute does not match with what is specified in the document.

  • Auto Discover Azure Cloud subscriptions? (Yes/No)* - This is a required field. Yes will auto-discover all the Azure Cloud subscriptions and create application instances for them in Zilla. Default value: No.

  • Auto Sync discovered subscriptions? (Yes/No)* - This is a required field. Yes will automatically sync the auto-discovered subscriptions when the parent is synced. This value should be set to No if Auto Discover Azure Cloud subscriptions? (Yes/No) is set to No. Default value: No.

  • Sync last login? (Yes/No) - Yes will bring lastLogin activity of users. Default No.

Info

Note for syncing Last login:

  1. To complete configuration of last login setting you must re-authenticate after setting Yes, check “Re-authenticate API integration” box if this is not the first sync.

  2. Also, user who is authorizing the sync should have Global Administrator role.

  3. The last login data that is synced in Zilla matches what is displayed on the User’s Overview page.

    Image Added

  • Comma separated custom select fields (e.g., country, id) - This configuration allows you to retrieve additional fields from Microsoft Entra ID by specifying a comma-separated list of field names. For example, you can input "city, officeLocation" to retrieve the city and office location field. For more info refer this https://learn.microsoft.com/en-us/graph/query-parameters?tabs=http#select-parameter.

  • Enable account modifications? (Yes/No)* - This is a required field. Yes will automatically revoke group memberships, group ownerships and permissions that have been flagged for revocation after an access review during a sync. Note: This setting is only available if Account Modifications are enabled in the tenant Settings.

  1. Click Sync Now/Next.

  2. In the next pop-up, click Next.

...

  1. You will be taken to the Microsoft site where you need to log in with

...

  1. a user with the Admin (Global administrator) role for

...

  1. Azure portal and grant consent on behalf of the organization.

  2. The consent screen will look like the image below when Auto Discover Azure Cloud subscriptions? (Yes/No) is set to Yes.

    Image Added

  3. The consent screen will look like the image below when Auto Discover Azure Cloud subscriptions? (Yes/No) is set to No.

    Image Added

  4. The consent screen will look like the image below when Enable account modifications? (Yes/No)(Yes/No) is set to Yes.

...

  1. Highlighted permissions are the new ones for consent if you have previously synced Entra ID with Enable account modifications? (Yes/No) set as No.

    Image Added

  2. Click Accept. On successful OAuth, you will be redirected to Zilla

...

  1. with Sync in progress... message for newly added

...

  1. Entra ID application instance.

...

  1. Click Done on the below pop-up screen.

...

  1. On successful sync, you will see

...

You are done, now you can visit various tabs of the Application Details page for AAD on Zilla, to see what application data is brought in by sync, e.g. Accounts tab will have details of user accounts that are brought in.

...

  1. the following notification:

...

  1. Review the sync summary, click Close. Review the information in Zilla that was synced.

...

Note: In some cases, the process of configuring and using the Azure Active Directory Entra ID API through Zilla to sync permissions and users with your organization's AAD Entra ID may be done by an Azure user with Global Reader permissions. When an Azure Global Reader makes the initial sync request the request will need to be approved within the Azure portal by a Global Administrator as shown in the steps below:

Step 1. Global Reader initiates Azure AD Sync to Entra ID sync with Zilla.  A consent request will be created in the Azure AD portal.

...

Step 2. In Azure AD Entra ID go to Enterprise Applicationsapplications, then Admin Consent Requestsconsent requests. The pending request appears waiting for approval.

...

Step 3. The Global Administrator approves the permissions request by clicking Accept.

...

Note: If you try to sync in a tenant other than for which you have entered the domain, Microsoft will return an error message.

...

Info

Note:

If user has already consented the sync with Enable account modifications? (Yes/No) and Auto Discover Azure Cloud subscriptions? (Yes/No) set to No, then when re-authenticating the consent screen will not be shown for the same Azure user performing the sync. If the above values are set to Yes then the same user will now see the consent screen even without re-authentication until that user gives consent for these permissions.

Include Page
Integrations Footer
Integrations Footer

...