This article covers the following topics:
Minimum Required Permissions
Obtaining API Information
Login to Microsoft Azure with your global admin credentials.
Click Microsoft Entra ID to be redirected to your tenant’s overview page.
Copy and save the Primary domain for the tenant you want to sync for use in a later step in Zilla while configuring Microsoft Entra ID.
Set Up the Integration in Zilla
Add the desired application to Zilla. For instructions on this process, refer to this article.
Click Sync now in the top right corner on the application instance page for Entra ID.
Use the toggle to enable API Integration in the dialog that appears.
Additional fields will appear. See the list under the image below for information on each.
AAD tenant's domain name*: Required field. Enter the Primary domain name saved in step 3.
Sync Groups data? (Yes/No)*: Required field. This controls the overall behavior as to whether or not to sync group data. The default value is Yes. When set to No, Zilla will not sync any group details.
Sync Security Enabled Groups Only? (Yes/No)*: Required field. The default value is Yes and Zilla will sync only Security Enabled Groups. When set to No, Zilla will sync all the groups provided the above field Sync Groups data is set to Yes.
Comma separated attributes that identify a user: Provide an Entra ID-specific attribute (ex. employeeId, jobTitle, or department, etc.) for which you want to sync Entra ID users. For example, if you specify department, only accounts that have a defined department will be imported. If multiple attributes are specified, all accounts having at least one of the attributes defined will be imported. Be sure to refer to this document before entering the attribute, otherwise all the accounts will be marked as Service if the attribute does not match with what is specified in the document.
Comma separated unique identifier attributes for a User: Provide a comma separated list of Entra ID specific attribute(s) (ex. employeeId, mail, profile.id etc.). These attributes will be used to uniquely identify Users with the Accounts that are synced. Apart from id (that is saved as a Universal ID by default), all attributes that are found will be added to the list of Universal IDs for the Account / User.
Auto Discover Azure Cloud subscriptions? (Yes/No)*: Required field. The default value is No. Yes will auto-discover all the Azure Cloud subscriptions and create application instances for them in Zilla.
Auto Sync discovered subscriptions? (Yes/No)*: Required field. Yes will automatically sync the auto-discovered subscriptions when the parent is synced. This value should be set to No if Auto Discover Azure Cloud subscriptions? (Yes/No) is set to No. The default value is No.
Sync last login? (Yes/No): Yes will bring lastLogin activity of users. The default value is No.
To complete the configuration of the last login setting, the global admin must re-authenticate after selecting Yes and check the Re-authenticate API integration box if this is not the first sync.
The last login data that is synced in Zilla will match what is displayed in the Overview tab of Azure.
Comma separated custom select fields (e.g., country, id): This configuration allows you to retrieve additional fields from Entra ID by specifying a comma-separated list of field names. For example, you can input "city, officeLocation" to retrieve the city and office location field. For more information, refer to this document.
Enable account modifications? (Yes/No)*: Required field. Yes will automatically revoke group memberships, group ownerships and permissions that have been flagged for revocation after an access review during a sync. This setting is only available if Account Modifications are enabled in the tenant Settings.
Click Sync Now/Next.
In the next dialog, click Next.
You will be taken to the Microsoft site where you need to log in as a Global administrator role for the Azure portal and check the box to grant consent on behalf of the organization.
The consent screen will look like the image below when Auto Discover Azure Cloud subscriptions? (Yes/No) is set to Yes.
The consent screen will look like the image below when Auto Discover Azure Cloud subscriptions? (Yes/No) is set to No.
The consent screen will look like the image below when Enable account modifications? (Yes/No)(Yes/No) is set to Yes. Highlighted permissions are the new ones for consent if you have previously synced Entra ID with Enable account modifications? (Yes/No) set as No.
Click Accept. On successful OAuth, you will be redirected to Zilla with Sync in progress... message for the newly added Entra ID application instance. Click Done.
If the sync was successful, a notification indicating that the sync completed will appear.
Review the sync summary, click Close. Review the information in Zilla that was synced.
Set Up the Integration with Global Reader Permissions
In some cases, the process of configuring and using Entra ID API through Zilla to sync permissions and users with your organization's Entra ID may be done by an Azure user with Global Reader permissions. When an Azure Global Reader makes the initial sync request the request will need to be approved within the Azure portal by a Global Administrator as shown in the steps below.
Global Reader initiates Entra ID sync with Zilla. A consent request will be created in the Azure portal.
In Entra ID go to Enterprise applications, then Admin consent requests. The pending request appears waiting for approval.
The Global Administrator approves the permissions request by clicking Accept.
Note: If you try to sync in a tenant other than the one for which you entered the domain, Microsoft will return an error message.
Note: If a user has already consented to the sync with Enable account modifications? Yes/No and Auto Discover Azure Cloud subscriptions (Yes/No) set to No, when re-authenticating the consent screen will not be shown for the same Azure user performing the sync. If the values are set to Yes, the same user will see the consent screen without re-authentication until the user gives consent for these permissions.
Azure Cloud Subscription Instances
Azure Cloud is a Child Application of Microsoft Entra ID. Its configuration looks something like this:
The 3rd configuration - Sync Classic Administrators ( Yes/No ) - is for syncing the Classic Administrator roles. It has a default value of Yes. This concept is soon going to be deprecated by Microsoft, and hence might cause your syncs to fail. In case that starts happening, you could switch the config value to No. This will not bring in any of the CoAdministrator roles in your account.
Troubleshooting guide
401 UnauthorizedThis error occurs when your session has expired or the authentication token is invalid. How to FixGo to the configuration settings.  Enable the Re-authenticate API integration option. Click on Sync Now to refresh authentication.
403 ForbiddenThis error indicates insufficient permissions to access the Microsoft API. How to FixVerify Admin Consent in Microsoft Entra ID Go to Microsoft Azure Portal and log in. Navigate to Enterprise Applications.  Search for your application and select it.  Under the Security section, go to Permissions.  Ensure the required permissions have Admin Consent. 
Re-authenticate & Sync Again
Revoke and Reauthorize Permissions (if the issue persists) Follow the steps above to access the Permissions list. Revoke all security permissions for Zilla in Microsoft Entra ID. Grant the required permissions again. Reauthorize access through the sync process.
|
To complete the configuration of the last login setting, the global admin must re-authenticate after selecting Yes and check the Re-authenticate API integration box if this is not the first sync. The last login data that is synced in Zilla will match what is displayed in the Overview tab of Azure. |
Additional Resources
