Azure AD
Overview
Opal's integration with Azure AD supports the following:
- Users can request time-bounded access to your Azure AD groups.
- Both Security Groups and Microsoft 365 Groups are supported.
- Auditors can initiate access reviews that assign managers or group admins to periodically review users with long-lived access to Azure AD groups.
- Admins can add resources from other Opal integrations to an Azure AD group so the group's members can automatically gain birthright access to, for example, a GitHub repo, AWS IAM role, etc.
- All access changes are tracked in a permanent audit log that can be logged to a Slack channel or exported to your favorite tools.
Requirements
- Opal associates Azure AD users with Opal users through their primary email address in Azure AD, so each user you expect to manage must have a primary email address set in Azure AD that matches their Opal account.
Setup
You will need to be both an Azure AD administrator and an Opal admin.
Set up an Azure AD app registration
1. Create the app registration
In your Azure AD portal, go to Azure Active Directory
-> App registrations
-> New Registration
- Use Opal for the name.
- For the supported account types, choose the option that fits your Azure AD needs. Typically, you can leave this as the default value (accounts in this organizational directory only).
- For Redirect URI, use https://app.opal.dev/apps/create/azure_ad/callback if you use a Cloud Opal instance. Otherwise, use the URL for your on-premise instance, for example https://<my-on-premise-opal>/apps/create/azure_ad/callback
- Choose "Single-page application (SPA)" as the platform type.
Once the app registration is created, note the "Application (client) ID" and "Directory (tenant) ID" on the Overview page. We will need these values when creating the Opal connection.
2. Next, generate a client secret.
On the app registration page, go to Certificates & Secrets
-> New client secret
. Choose a name and expiration.
Note that you will need to create a new client secret before the current one expires, and update the Opal connection with it, for your Azure AD connection to continue working. The maximum lifetime Microsoft allows is 2 years; a shorter lifetime with a scheduled rotation is the safer choice.
Copy the secret value down and store it in your secrets manager. We will need this value in the next step. You will not be able to fetch the secret value after leaving this page.
3. Finally, add permissions
In the sidebar, go to API Permissions
and select Add a permission
. Choose Microsoft Graph
-> Application Permissions
and add the following permissions:
Directory.ReadWrite.All
RoleManagement.ReadWrite.Directory
CustomSecAttributeAssignment.ReadWrite.All
These permissions allow Opal to manage group membership on your behalf and, when Azure AD is your identity provider (IdP), to import user attributes. They are application (app-only) permissions, so they take effect only after a Global Administrator (or Privileged Role Administrator) grants admin consent; the Authorize & Create step below opens that consent prompt. Because Directory.ReadWrite.All and RoleManagement.ReadWrite.Directory are tenant-wide write permissions, treat the client secret as a highly privileged credential: do not reuse it anywhere else, and restrict who can read it.
Set up the Opal connection
1. Create the Azure AD connection
In the Opal dashboard, navigate to Apps, click on the + icon, and find the Azure AD App. Fill out the details for the integration, using the secret from the previous step. The Tenant ID and Client ID are available from the Azure AD app registration page.
2. Click the Authorize & Create button
This step will open a pop-up to authorize your newly created app registration with Azure AD; this is the admin consent prompt for the application permissions added above, so the account completing it must be allowed to grant tenant-wide consent. Once the permissions have been accepted, the connection will be created.
From here, the connection is complete.
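As an added check that is not part of Opal's documentation or code, the script below verifies the app registration steps above from outside Opal: it performs a client-credentials grant with the tenant ID, client ID and client secret you noted, confirms that all three Microsoft Graph application permissions appear in the token's roles claim (a permission is absent there whenever it was not added or admin consent was not granted), and reports how many days the soonest-expiring client secret has left. TENANT_ID, CLIENT_ID and CLIENT_SECRET are placeholders, and ROTATE_WARNING_DAYS is an assumed rotation threshold; everything else uses only the standard library and the public token and Graph endpoints.

```python
"""Verify the Opal app registration from outside Opal.

Added example (not Opal's or Microsoft's code): acquires an app-only token
with the values noted during setup, checks that the three Microsoft Graph
application permissions have admin consent, and reports how long the
client secret has left before it must be rotated. Standard library only.
"""
import base64
import json
import sys
import urllib.parse
import urllib.request
from datetime import datetime, timezone

# Placeholders: copy these from the app registration's Overview page and the
# client secret created under Certificates & secrets.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_SECRET = "replace-me"

# The three application permissions the setup steps ask for.
REQUIRED_ROLES = (
    "Directory.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
    "CustomSecAttributeAssignment.ReadWrite.All",
)
GRAPH = "https://graph.microsoft.com"
ROTATE_WARNING_DAYS = 30  # assumption: warn when the secret is within a month of expiry


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature.

    Acceptable here because we inspect a token we just received from the
    token endpoint ourselves; never use this to trust a token a caller presents.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_roles(claims: dict, required=REQUIRED_ROLES) -> list:
    """Required permissions absent from the token's `roles` claim.

    An app-only token carries a permission only once it has been added to the
    registration AND admin consent has been granted, so anything returned here
    means one of those two steps was skipped.
    """
    granted = set(claims.get("roles", []))
    return [r for r in required if r not in granted]


def parse_graph_time(value: str) -> datetime:
    """Parse Graph timestamps such as 2026-03-01T12:00:00.1234567Z.

    Graph emits 7-digit fractional seconds, which datetime.fromisoformat
    does not accept on older Pythons, so the fraction is dropped.
    """
    stamp = value.split(".")[0].rstrip("Z")
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def secret_days_left(password_credentials: list, now: datetime) -> int:
    """Days until the soonest-expiring client secret (negative if already expired)."""
    ends = [parse_graph_time(c["endDateTime"]) for c in password_credentials]
    return min((end - now).days for end in ends)


def get_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """OAuth 2.0 client-credentials grant for the Graph /.default scope."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{GRAPH}/.default",
        "grant_type": "client_credentials",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def main() -> int:
    # Raises urllib.error.HTTPError (400/401) if the secret is wrong or expired.
    token = get_token(TENANT_ID, CLIENT_ID, CLIENT_SECRET)
    missing = missing_roles(jwt_claims(token))
    if missing:
        print("not granted (add the permission and grant admin consent):", ", ".join(missing))
        return 1
    # Reading our own registration is permitted by Directory.ReadWrite.All.
    req = urllib.request.Request(
        f"{GRAPH}/v1.0/applications(appId='{CLIENT_ID}')?$select=passwordCredentials",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req) as resp:
        creds = json.load(resp)["passwordCredentials"]
    days = secret_days_left(creds, datetime.now(timezone.utc))
    print(f"all {len(REQUIRED_ROLES)} permissions consented; soonest client secret expires in {days} days")
    return 0 if days > ROTATE_WARNING_DAYS else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it once right after Authorize & Create and again from a scheduled job: a non-zero exit before the Opal connection breaks tells you either that consent was never granted for one of the permissions or that the secret is inside the rotation window.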
Updated about 1 year ago