Info |
---|
Azure Active Directory (AAD) is now known as Entra ID |
Include Page | ||||
---|---|---|---|---|
|
Prerequisites
Info |
---|
Note: To configure sync with Microsoft Entra ID (AAD) you need to be an admin or application owner within Zilla AND have admin access to your organization's Azure Active Directory (AAD) Microsoft Entra ID application, specifically |
Login to Microsoft Azure Active Directory with your admin credentials.
Click
Azure Active Directory
Microsoft Entra ID
to be redirected to your tenant’s overview page.Copy and save the Primary domain for the tenant you want to sync for use in a later step in Zilla while configuring Microsoft Entra ID.
Setup Microsoft Entra ID instance in Zilla
Login to Zilla with your admin credentials.
You will see your Zilla Applications tab, click Click
Add Application
button at in the top right corner.
...
2. You will see Add Application screen with Search Library tab. Type
...
entra
as search text, and click Add to Applications
button on the right side of the Microsoft Entra ID (Azure Active Directory) entry.
...
Fill in the form with appropriate details and click
Add to Applications
button.
...
The
...
Entra ID instance will be added to your Applications,
...
...
and you will be brought to a detailed application instance page. Click
Sync now
in the top right corner.
...
A dialogue appears, enable API Integration.
...
Upon enabling the API Integration more
...
customization options appear.
...
Information is given for each configuration field below the screenshot.
...
AAD tenant's domain name*
- This is a required field. Fill in the domain name saved above under Prerequisites section.Sync
...
Groups data? (Yes/No)*
- This is a required field. This controls the overall behavior as to whether or not sync any groups data. The default value isYes
. When set toNo
, Zilla will not sync
...
any group details from Graph.
Sync Security Enabled Groups Only? (Yes/No)*
- This is a required field. The default value isYes
and Zilla will sync only Security Enabled Groups. When set toNo
, Zilla will sync all the groups provided the above fieldSync Groups data
is set toYes
.Comma-separated attributes that identify a user
- Provide an
...
Entra ID specific attribute (e.g.,
employeeId
,jobTitle
,department
, etc) for which you want to sync
...
Entra ID users. For example, if you specify department, only accounts that have a defined department will be imported. If multiple attributes are specified, all accounts having at least one of the attributes defined will be imported. Be sure to refer to this document before entering the attribute, otherwise all the accounts will be marked as
Service
if the attribute does not match with what is specified in the document.Auto Discover Azure Cloud subscriptions? (Yes/No)*
- This is a required field.Yes
will auto-discover all the Azure Cloud subscriptions and create application instances for them in Zilla. Default value:No
.Auto Sync discovered subscriptions? (Yes/No)*
- This is a required field.Yes
will automatically sync the auto-discovered subscriptions when the parent is synced. This value should be set toNo
ifAuto Discover Azure Cloud subscriptions? (Yes/No)
is set toNo
. Default value:No
.
...
Sync last login? (Yes/No)
-Yes
will
...
bring
lastLogin
activity of users. DefaultNo
.
Info |
---|
Note for syncing Last login:
|
Comma separated custom select fields (e.g., country, id)
- This configuration allows you to retrieve additional fields from
...
Click Sync Now
.
Click Next
.
...
Microsoft Entra ID by specifying a comma-separated list of field names. For example, you can input "city, officeLocation" to retrieve the city and office location field. For more info refer this https://learn.microsoft.com/en-us/graph/query-parameters?tabs=http#select-parameter.
Note:
To complete configuration of this setting you must reauthenticate after setting
Yes
, check “Reauthenticate API integration” box if this is not the first sync.Also, user who is authorizing the sync should have one of the following roles:
Global Administrator
Global Reader
Security Administrator
Security Reader
Conditional Access Administrator
The last login data that is synced matches what is displayed on the User’s Overview page.
Enable account modifications? (Yes/No)*
- This is a required field.Yes
will automatically revoke group memberships, group ownerships and permissions that have been flagged for revocation after an access review during a sync. Note: This setting is only available if Account Modifications are enabled in the tenant Settings.
Click
Sync Now/Next
.In the next pop-up, click
Next
.
...
You will be taken to the
Microsoft
site where you need to log in with a user with the Admin (Global administrator
) role for
...
Azure portal and grant consent on behalf of the organization.
The consent screen will look like the image below when
Auto Discover Azure Cloud subscriptions? (Yes/No)
is set toYes
.The consent screen will look like the image below when
Auto Discover Azure Cloud subscriptions? (Yes/No)
is set toNo
.The consent screen will look like the image below when
Enable account modifications? (Yes/No)(Yes/No)
is set toYes
. Highlighted permissions are the new ones for consent if you have previously synced
...
Entra ID with
Enable account modifications? (Yes/No)
set asNo
.Click
Accept
. On successful OAuth, you will be redirected to Zilla withSync in progress...
message for newly added
...
Entra ID application instance. Click
Done
on the below pop-up screen.
...
On successful sync, you will see the following notification:
...
...
Review the sync summary, click
Close
. Review the information in Zilla that was synced.
...
Note: In some cases, the process of configuring and using the Azure Active Directory Entra ID API through Zilla to sync permissions and users with your organization's AAD Entra ID may be done by an Azure user with Global Reader permissions. When an Azure Global Reader makes the initial sync request the request will need to be approved within the Azure portal by a Global Administrator as shown in the steps below:
Step 1. Global Reader initiates Azure Active Directory Entra ID sync with Zilla. A consent request will be created in the Azure Active Directory portal.
...
Step 2. In Azure Active Directory Entra ID go to Enterprise applications, then Admin consent requests. The pending request appears waiting for approval.
...
Step 3. The Global Administrator approves the permissions request by clicking Accept
.
...
Info |
---|
Note: If user has already consented the sync with |
Include Page | ||||
---|---|---|---|---|
|