Configuring Microsoft Entra ID (Azure Active Directory)
Microsoft Entra ID (Azure Active Directory) provisioning is currently in private preview.
You can integrate System for Cross-domain Identity Management (SCIM) provisioning and Single Sign-On (SSO) using Microsoft Entra ID (Azure Active Directory). This streamlines user authentication and management in Data Integration through your organization's identity provider (IdP).
Prerequisites
- Access to a Microsoft Entra ID (Azure Active Directory) tenant with Administrative privileges.
- Access to Data Integration with an Enterprise plan account.
Procedure
Step 1: Configuring Microsoft Entra ID new application
To configure Microsoft Entra ID for a new application, create an app registration in Azure Entra ID and define its settings, such as permissions and authentication methods, so that it can authenticate and access resources within your Azure Entra ID tenant. This process gives users and services within your organization secure and controlled access to your application.
- Log in to your Azure Portal and navigate to Entra ID in the search panel.
- Select Enterprise Applications from the left-hand menu.
- Click New Application.
- Choose Create your own application.
- Enter a name (for example, Data Integration), and choose Integrate any other application you don't find in the gallery.
- Select Create.
Step 2: Configuring SCIM provisioning
You can set up SCIM (System for Cross-domain Identity Management) provisioning to automatically provision and de-provision users and groups in external applications supporting SCIM. This process ensures that user accounts and access rights synchronize between "Azure Entra ID" and the target applications, reducing manual effort and ensuring consistent identity management across systems.
- Navigate to the Data Integration Console.
- Click Settings and select Account Settings.
- Click the Security tab.
- Click Generate Token under "Users and Groups Provisioning".
- Copy the Service URL (Tenant URL) and Token (Secret Token) and store them in a safe location.
- Navigate to the Azure portal and search for Entra ID in the top search panel.
- Select Enterprise applications from the left-hand menu under the "Manage" section.
- Search for the application you created in the application gallery.
- Locate the Provisioning section in the application overview page.
- Click Get started.
- Select Automatic as the provisioning method.
- For System for Cross-domain Identity Management (SCIM) Provisioning, enter the Service URL (Tenant URL) and Token (Secret Token) that you copied and saved from the Data Integration console, then click Test the connection.
- If a success notification appears, save the provisioning configuration.
- Access the Mapping drop-down list and choose the option to Provision Microsoft Entra ID Users.
- This list automatically populates Azure Entra ID attributes, but Data Integration requires only:
  - userName
  - active
  - displayName
  - emails[type eq "work"].value
  - name.givenName
  - name.familyName
  - name.formatted
  - externalId
When your userPrincipalName attribute does not match all users' Email attribute values, use Email as the Microsoft Entra ID Attribute field for the "userName" attribute mapping.
- In the Mapping drop-down list, choose Provision Microsoft Entra ID Groups. Data Integration requires only the following specific attributes:
  - displayName
  - externalId
  - members
You can remove any other attributes that are not mentioned here.
If provisioning errors or delays occur due to your Microsoft Entra ID configuration, you can experience a one-way lockout from Data Integration. To avoid this scenario, we recommend designating the Data Integration Administrator user as 'not provisioned'. This lets an Administrator manually configure permissions and manage users within Data Integration.
- After you set the mappings, go to Provisioning > Settings.
- Choose Sync only assigned users and groups under the scope option and click Save to save the provisioning configuration. Wait for Azure to sync users and groups to Data Integration.
Note that Azure syncs with Data Integration every 40 minutes. Check if any changes are reflected within that timeframe.
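As an added example (not part of the original page or of Data Integration's own code), the following Python check validates a SCIM User or Group payload against the attribute lists above, including the filtered path emails[type eq "work"].value, and flags the userName and Email mismatch that the mapping note describes. The payloads are constructed, and treating any userName that differs from the work email as the mismatch case is an assumption.

```python
import re
# Attribute lists copied from the page's mapping steps.
REQUIRED_USER = ["userName", "active", "displayName", 'emails[type eq "work"].value',
                 "name.givenName", "name.familyName", "name.formatted", "externalId"]
REQUIRED_GROUP = ["displayName", "externalId", "members"]
_FILTERED = re.compile(r'^(\w+)\[(\w+) eq "([^"]*)"\]\.(\w+)$')
_MISSING = object()

def resolve(resource, path):
    """Resolve 'a', 'a.b' or 'a[k eq "v"].leaf' against a SCIM resource dict."""
    m = _FILTERED.match(path)
    if m:
        attr, key, want, leaf = m.groups()
        for item in resource.get(attr) or []:
            if isinstance(item, dict) and item.get(key) == want and leaf in item:
                return item[leaf]
        return _MISSING
    node = resource
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return _MISSING
        node = node[part]
    return node

def check(resource):
    """Return findings for one SCIM User or Group resource (empty list = passes)."""
    is_group = any(s.endswith(":Group") for s in resource.get("schemas", []))
    findings = []
    for path in (REQUIRED_GROUP if is_group else REQUIRED_USER):
        value = resolve(resource, path)
        if value is _MISSING or value is None or value == "":
            findings.append("missing " + path)
    user = resolve(resource, "userName")
    mail = resolve(resource, 'emails[type eq "work"].value')
    # Assumption: a userName that differs from the work email is the mismatch case.
    if not is_group and isinstance(user, str) and isinstance(mail, str) \
            and user.lower() != mail.lower():
        findings.append("userName differs from work email")
    return findings

# Constructed sample payloads, not captured from a real tenant.
GOOD_USER = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
             "userName": "ada@example.com", "active": True, "displayName": "Ada Example",
             "emails": [{"type": "work", "value": "ada@example.com"}],
             "name": {"givenName": "Ada", "familyName": "Example", "formatted": "Ada Example"},
             "externalId": "constructed-id-1"}
UPN_USER = dict(GOOD_USER, userName="ada@corp.example.net", externalId="")
GROUP = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"], "displayName": "Analysts", "members": []}
for label, res in [("good", GOOD_USER), ("upn", UPN_USER), ("group", GROUP)]:
    print(label, check(res))
```

A user whose only email entry has a type other than "work" fails the filtered path even though an emails attribute is present, which is the case most easily missed when reviewing mappings by eye.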
Step 3: Configure Microsoft Entra ID single sign-on
With Microsoft Entra ID single sign-on, you can access Data Integration using your Microsoft Entra ID account.
- To set up Microsoft Entra ID SSO and add users to the application, follow the instructions in the Single Sign-On Using Microsoft Entra ID (Azure Active Directory) topic.
- Complete the setup and establish the connection to Data Integration.
Step 4: Configure users and teams in Data Integration
After setup, the "Users" and "Teams" sections auto-populate with your Azure Entra ID setups.
Azure Entra ID Groups appear as Teams in Data Integration.
- Navigate to the Data Integration console.
- Click Settings and select Users.
The Users and Teams tabs are auto-populated with your configurations.
Note that Azure syncs with Data Integration every 40 minutes. The changes will be reflected within that time frame.
User management
Adding a new user
Entra ID provisioning creates users automatically, which keeps user records precise and uniform without adding them manually in Data Integration. The Add User feature in the user interface is for adding Data Integration Users, who do not exist in the Azure Entra ID portal and are present only within Data Integration.
Understanding user permissions
User permissions are determined by the user's teams in Entra ID and come from the configurations assigned to those teams.
Administrators can modify team permissions.
- Once you assign a user to a team, you cannot assign individual permissions directly to that user; the user inherits the team's configured settings.
- To assign a user different roles across multiple Environments, you can add the user to multiple teams and assign permissions across those teams.
- Permission Hierarchy: When a user belongs to multiple teams, the most permissive role (the "strongest" permission) takes precedence. For example:
  - If Team 1 has Viewer permissions for Environment 'A', and Team 2 has Admin permissions for the same Environment, the user will inherit Admin permissions for Environment 'A'.
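The permission hierarchy above, as an added Python example that is not Data Integration's own code: it resolves each user's effective role per Environment and records which team grants it, so a reviewer can see which single Entra ID group assignment lifts a user to Admin. Only the two roles the page names are modelled, and the user names and the extra Environment 'B' are constructed.

```python
# Only the roles the page names; ordering follows its example (Admin outranks Viewer).
RANK = {"Viewer": 0, "Admin": 1}

def effective_roles(memberships, team_roles):
    """memberships: user -> set of teams; team_roles: team -> {environment: role}.
    Returns {(user, environment): (role, [teams granting that role])}."""
    result = {}
    for user, teams in memberships.items():
        for team in sorted(teams):
            for env, role in team_roles.get(team, {}).items():
                best = result.get((user, env))
                if best is None or RANK[role] > RANK[best[0]]:
                    result[(user, env)] = (role, [team])   # stronger role wins
                elif RANK[role] == RANK[best[0]]:
                    best[1].append(team)                   # same role, second source
    return result

def admin_via_single_team(effective):
    """(user, environment, team) entries where Admin rests on one team membership."""
    return sorted((user, env, teams[0])
                  for (user, env), (role, teams) in effective.items()
                  if role == "Admin" and len(teams) == 1)

# Constructed data mirroring the page's Team 1 / Team 2 example.
TEAM_ROLES = {"Team 1": {"A": "Viewer", "B": "Viewer"}, "Team 2": {"A": "Admin"}}
MEMBERSHIPS = {"user1": {"Team 1", "Team 2"}, "user2": {"Team 1"}}

if __name__ == "__main__":
    eff = effective_roles(MEMBERSHIPS, TEAM_ROLES)
    for key in sorted(eff):
        print(key, eff[key])
    print("Admin via one team:", admin_via_single_team(eff))
```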
Editing a user
You can only view provisioned users in Data Integration. To make changes, edit them in Microsoft Entra ID.
Admin users can modify the information of Data Integration Users (those created in Data Integration and not provisioned from Azure Entra ID) such as Name, Email address, and Environments. You can click Edit from the right-hand menu of the corresponding row in the user list.
Deactivate or delete a user
Deactivating or deleting a user is managed via the "Azure Entra ID portal" for provisioned users. For Data Integration users (created directly in the platform), you can deactivate or delete them using the options in the right-side menu of their row in the user list.
Associating Data Integration users to Azure Entra ID
Enabling association between a Data Integration user and a Directory establishes a connection between that user and the Directory, so that you manage the user and their team memberships through Azure Entra ID.
- You cannot reverse this action. It updates the user's designation to Directory and adjusts their teams and permissions according to the Azure Entra ID settings.
- Only after the Data Integration user is designated as Directory (by turning on the toggle) can the Admin add this user to the provisioning. Trying to add the user before this may cause errors in your Entra ID.
- If the user logs in via SSO before the provisioning cycle is complete, they will be re-created as a Data Integration User. This feature relies on the provisioning cycles, with designation modifications taking effect only after a successful provisioning cycle.

Team management
Adding a new team
Azure Entra ID provisioning automatically creates teams in Data Integration, so you do not add them manually. The "Add Team" option in the user interface lets you add Data Integration Teams, which do not appear in the Azure Entra ID portal and exist only within Data Integration.
Editing a team
Admin users can modify team details like Name, Description, and Environments through the Teams management tab.
Procedure
- Navigate to the Data Integration console.
- Navigate to the Teams management tab.
- Find the team you want to update.
- Click Edit on the right side of the team’s row.
- Update the team’s Name, Description, and Environments as needed.
- In the Edit Team section, you can set the Environments for your team and view the list of users associated with that team in the Users tab.
- If the team is provisioned from Microsoft Entra ID, you can view the list of users in the Users tab and edit any team member through the Azure interface.
- Click Save.
Administrators can designate a default Environment for a particular team within the Permissions tab. This feature streamlines team operations by ensuring team members consistently work within the pre-determined environment, enhancing workflow efficiency.
Deactivate or delete a team
You cannot manually deactivate or delete teams as they are automatically created through "Azure provisioning".