Info

Azure Active Directory (AAD) is now known as Entra ID


Prerequisites

Info

Note: To configure sync with Microsoft Entra ID (AAD) you need to be an admin or application owner within Zilla AND have admin access to your organization's Microsoft Entra ID application, specifically the Global administrator role.

  1. Log in to Microsoft Azure Active Directory with your admin credentials.

  2. Click Microsoft Entra ID to be redirected to your tenant’s overview page.

  3. Copy and save the Primary domain for the tenant you want to sync for use in a later step in Zilla while configuring Microsoft Entra ID.

Setup Microsoft Entra ID instance in Zilla

  1. Log in to Zilla with your admin credentials.

    You will see your Zilla Applications tab. Click the Add Application button in the top right corner.

...

  2. You will see the Add Application screen with the Search Library tab. Type entra as search text, and click the Add to Applications button on the right side of the Microsoft Entra ID (Azure Active Directory) entry.

...

  1. Fill in the form with appropriate details and click the Add to Applications button.

...

  1. The Entra ID instance will be added to your Applications, and you will be brought to a detailed application instance page. Click Sync now in the top right corner.

...

  1. A dialogue appears, enable API Integration.

...

  1. Upon enabling the API Integration, more customization options appear.

...

  1. Information is given for each configuration field below the screenshot.

...

  • AAD tenant's domain name* - This is a required field. Fill in the domain name saved above under Prerequisites section.

  • Sync Groups data? (Yes/No)* - This is a required field. This controls whether or not any groups data is synced. The default value is Yes. When set to No, Zilla will not sync any group details from Graph.

  • Sync Security Enabled Groups Only? (Yes/No)*- This is a required field. The default value is Yes and Zilla will sync only Security Enabled Groups. When set to No, Zilla will sync all the groups provided the above field Sync Groups data is set to Yes.

  • Comma-separated attributes that identify a user - Provide an Entra ID specific attribute (e.g., employeeId, jobTitle, department, etc.) for which you want to sync Entra ID users. For example, if you specify department, only accounts that have a defined department will be imported. If multiple attributes are specified, all accounts having at least one of the attributes defined will be imported. Be sure to refer to this document before entering the attribute, otherwise all the accounts will be marked as Service if the attribute does not match with what is specified in the document.

  • Auto Discover Azure Cloud subscriptions? (Yes/No)* - This is a required field. Yes will auto-discover all the Azure Cloud subscriptions and create application instances for them in Zilla. Default value: No.

  • Auto Sync discovered subscriptions? (Yes/No)* - This is a required field. Yes will automatically sync the auto-discovered subscriptions when the parent is synced. This value should be set to No if Auto Discover Azure Cloud subscriptions? (Yes/No) is set to No. Default value: No.

...

  • Sync last login? (Yes/No) - Yes will bring lastLogin activity of users. Default No.

Info

Note for syncing Last login:

  1. To complete configuration of the last login setting, you must re-authenticate after setting Yes; check the “Re-authenticate API integration” box if this is not the first sync.

  2. Also, the user who is authorizing the sync should have the Global Administrator role.

  3. The last login data that is synced in Zilla matches what is displayed on the User’s Overview page.


  • Comma separated custom select fields (e.g., country, id) - This configuration allows you to retrieve additional fields from

...

Click Sync Now.

Click Next.

...

  1. Note:

    1. To complete configuration of this setting, you must reauthenticate after setting Yes; check the “Reauthenticate API integration” box if this is not the first sync.

    2. Also, the user who is authorizing the sync should have one of the following roles:

      1. Global Administrator

      2. Global Reader

      3. Security Administrator

      4. Security Reader

      5. Conditional Access Administrator

    3. The last login data that is synced matches what is displayed on the User’s Overview page.

  • Enable account modifications? (Yes/No)* - This is a required field. Yes will automatically revoke group memberships, group ownerships and permissions that have been flagged for revocation after an access review during a sync. Note: This setting is only available if Account Modifications are enabled in the tenant Settings.
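The matching rule stated for "Comma-separated attributes that identify a user" (an account matches when at least one listed attribute is defined) can be previewed before the value is entered. The following is an added example, not Zilla's code: the function names, the partial list of Microsoft Graph user properties, the treatment of blank strings as undefined, and the sample records are assumptions constructed for illustration.

```python
# Added example: previews the "attributes that identify a user" rule on
# constructed Graph-style user records. Not Zilla code.

# Partial list of Microsoft Graph user property names, used only to catch typos.
KNOWN_GRAPH_USER_PROPS = {
    "employeeId", "jobTitle", "department", "companyName",
    "employeeType", "officeLocation", "givenName", "surname", "mail",
}

def parse_attributes(field_value):
    """Split the comma-separated field; return (names, unrecognised names)."""
    names = [n.strip() for n in field_value.split(",") if n.strip()]
    unknown = [n for n in names if n not in KNOWN_GRAPH_USER_PROPS]
    return names, unknown

def is_defined(value):
    """Assumption: null, missing and whitespace-only values count as undefined."""
    return value is not None and str(value).strip() != ""

def preview(users, field_value):
    """Partition accounts by 'at least one listed attribute is defined'."""
    names, unknown = parse_attributes(field_value)
    matched, unmatched = [], []
    for user in users:
        hit = any(is_defined(user.get(n)) for n in names)
        (matched if hit else unmatched).append(user["userPrincipalName"])
    return {"matched": matched, "unmatched": unmatched, "unknown": unknown}

# Constructed sample records (not real tenant data).
SAMPLE_USERS = [
    {"userPrincipalName": "alice@example.com", "department": "Finance", "employeeId": "1001"},
    {"userPrincipalName": "bob@example.com", "department": None, "employeeId": "1002"},
    {"userPrincipalName": "svc-backup@example.com", "department": None, "employeeId": None},
    {"userPrincipalName": "carol@example.com", "department": "  ", "jobTitle": "Analyst"},
]

if __name__ == "__main__":
    # The last value is a deliberately mis-cased name that matches no account.
    for value in ("department", "department, employeeId", "Department"):
        print(value, "->", preview(SAMPLE_USERS, value))
```

A value that lands every account in `unmatched`, such as the mis-cased `Department`, is the situation the field description warns about, where all accounts end up marked as Service.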

  1. Click Sync Now/Next.

  2. In the next pop-up, click Next.

...

  1. You will be taken to the Microsoft site where you need to log in with a user with the Admin (Global administrator) role for Azure portal and grant consent on behalf of the organization.

  2. The consent screen will look like the image below when Auto Discover Azure Cloud subscriptions? (Yes/No) is set to Yes.

  3. The consent screen will look like the image below when Auto Discover Azure Cloud subscriptions? (Yes/No) is set to No.

  4. The consent screen will look like the image below when Enable account modifications? (Yes/No) is set to Yes. Highlighted permissions are the new ones for consent if you have previously synced Entra ID with Enable account modifications? (Yes/No) set as No.

  5. Click Accept. On successful OAuth, you will be redirected to Zilla with a Sync in progress... message for the newly added Entra ID application instance. Click Done on the pop-up screen below.

...

  1. On successful sync, you will see the following notification:

...

...

  1. Review the sync summary, click Close. Review the information in Zilla that was synced.

...

Note: In some cases, the process of configuring and using the Entra ID API through Zilla to sync permissions and users with your organization's Entra ID may be done by an Azure user with Global Reader permissions. When an Azure Global Reader makes the initial sync request, the request will need to be approved within the Azure portal by a Global Administrator, as shown in the steps below:

Step 1. Global Reader initiates Entra ID sync with Zilla. A consent request will be created in the Azure Active Directory portal.

...

Step 2. In Entra ID, go to Enterprise applications, then Admin consent requests. The pending request appears waiting for approval.

...

Step 3. The Global Administrator approves the permissions request by clicking Accept.

...

Info

Note:

If the user has already consented to the sync with Enable account modifications? (Yes/No) and Auto Discover Azure Cloud subscriptions? (Yes/No) set to No, then when re-authenticating, the consent screen will not be shown for the same Azure user performing the sync. If the above values are set to Yes, then the same user will now see the consent screen even without re-authentication until that user gives consent for these permissions.
