Azure

Learn how to connect Opal to Azure to manage access.

Opal's integration with Azure supports the following:

  • Users can request time-bounded access to:
    • Azure AD groups, including both Security Groups and Microsoft 365 Groups
    • Azure Management Groups
    • Azure Subscriptions
    • Azure Resource Groups
  • Auditors can initiate access reviews that assign managers or group admins to periodically review users with long-lived access to Azure AD groups, Azure Subscriptions, and Azure Resource Groups.
  • Admins can add resources from other Opal integrations to an Azure AD group so the group's members automatically gain birthright access to them, such as a GitHub repo or an AWS IAM role.
  • All access changes are tracked in a permanent audit log that can be streamed to a Slack channel or exported to your other tools.

Requirements

  • You must be an admin in both Azure (able to create app registrations and grant admin consent) and Opal.
  • Opal associates Azure AD users with Opal users through their primary email address in Azure AD, so the addresses must match.

Set up Azure app registration

1. Create app registration

In your Azure portal, go to Azure Active Directory > App registrations > New Registration.

Use the following settings.

  • Name: Opal
  • Supported account types: Choose the option that fits your needs. Typically, you can use the default value.
  • Redirect URI: If you use a Cloud Opal instance, use https://app.opal.dev/apps/create/azure_ad/callback. If you use self-hosted Opal, use https://<my-on-premise-opal>/apps/create/azure_ad/callback.
  • Type: Web

Once the app registration is created, save the Application (client) ID and Directory (tenant) ID on the Overview page. You'll use these values in the following step.

2. Generate a client secret

On the app registration page, go to Certificates & Secrets > New client secret. Choose a name and expiration.

A client secret stops working the moment it expires, so you must create a new secret and update the Opal connection before that date for your Azure AD connection to keep working. The maximum lifetime Microsoft allows is 2 years; set a reminder well ahead of the expiration you choose.

Save the secret value, which you'll use in a following step. You cannot fetch the secret value after leaving this page; if you lose it, delete the secret and create a new one.

3. Add permissions

In the sidebar, go to API Permissions and select Add a permission. Choose Microsoft Graph > Application permissions and add the following permissions:

  • Directory.ReadWrite.All
  • CustomSecAttributeAssignment.ReadWrite.All
  • RoleManagement.ReadWrite.Directory

These permissions allow Opal to manage group membership on your behalf and to import user attributes when Azure AD is your identity provider. They are tenant-wide application permissions that require admin consent, and Directory.ReadWrite.All and RoleManagement.ReadWrite.Directory are highly privileged (the latter can assign directory roles), so treat the client secret from the previous step as a credential of equivalent sensitivity: store it only in Opal, and rotate it if it is ever exposed.

4. Create and assign Opal Service Role

To let Opal manage access to Azure Subscriptions and Resource Groups, create and assign the Opal service role by following the instructions here before continuing. You can skip this step if you only want to manage Azure AD groups with Opal.

Set up Opal connection

1. Create the Azure connection

In the Opal dashboard, navigate to Apps, click the + icon, and find the Azure app. Fill out the details for the integration, using the client secret from the previous steps. The Tenant ID and Client ID are on the Overview page of the Azure AD app registration.

2. Click the Authorize & Create button

This step opens a pop-up in which an Azure AD admin grants consent to the application permissions you added to the app registration. Once the permissions have been accepted, the connection is created.

From here, the connection is complete.

Run app validation checks

After you save your app, you can view existing sync issues from the Setup tab on the app detail page. Missing permissions and sync issues show in the App Validations section. Select the refresh icon to rerun validation checks.

You can hover over the validation icons to learn why Opal needs a given permission. To correctly sync your app to Opal, ensure you address any sync errors, marked with the red ! icon. Inspect warnings on a case-by-case basis: warnings might impact features you’re not using and may be safely ignored, but this depends on your use case.
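The validation checks above run inside Opal. When one reports a missing permission, the fastest way to tell whether the problem is the app registration or the connection is to look at what Azure AD actually issued to the app: application permissions show up as `roles` in a client-credentials token for Microsoft Graph, and a permission that was added but never admin-consented is simply absent. The following is an added example, not Opal's or Microsoft's code, that inspects such a token offline against the three permissions this page requires and also classifies a client secret's expiry against the rotation note above. It assumes you obtained the token yourself (for example with `az account get-access-token --resource https://graph.microsoft.com` while logged in as the app) and pass it in as a string; the tenant ID, client ID and tokens used below are constructed sample values, not real identifiers.

```python
"""Offline checks for an Azure AD app registration used by Opal (added example).

Decodes the claims of a Microsoft Graph client-credentials token and reports
anything that would make the Opal connection fail: wrong audience, wrong
tenant or app, expired token, or a required application permission that is
missing from the `roles` claim (typically because admin consent was never
granted). The signature is NOT verified: this is troubleshooting of a token
you already hold, not authentication of it; Graph verifies the token on use.
"""
import base64
import json
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Application permissions the Opal docs ask for (Microsoft Graph app roles).
REQUIRED_ROLES = frozenset({
    "Directory.ReadWrite.All",
    "CustomSecAttributeAssignment.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
})

# Well-known audience values for Microsoft Graph tokens.
GRAPH_AUDIENCES = frozenset({
    "https://graph.microsoft.com",
    "00000003-0000-0000-c000-000000000000",
})


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the JWT payload as a dict. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_graph_token(token: str, tenant_id: str, client_id: str,
                      now: Optional[datetime] = None) -> List[str]:
    """Return a list of problems; an empty list means the token looks usable."""
    now = now or datetime.now(timezone.utc)
    claims = decode_claims(token)
    problems = []
    if claims.get("aud") not in GRAPH_AUDIENCES:
        problems.append(f"audience {claims.get('aud')!r} is not Microsoft Graph")
    if claims.get("tid") != tenant_id:
        problems.append(f"tenant {claims.get('tid')!r} != expected {tenant_id!r}")
    if claims.get("appid") != client_id:
        problems.append(f"appid {claims.get('appid')!r} != expected {client_id!r}")
    exp = claims.get("exp")
    if exp is None or datetime.fromtimestamp(exp, tz=timezone.utc) <= now:
        problems.append("token is expired or has no exp claim")
    missing = REQUIRED_ROLES - set(claims.get("roles", []))
    if missing:
        # Most common cause: permission added in the portal, admin consent not granted.
        problems.append("missing app roles: " + ", ".join(sorted(missing)))
    return problems


def secret_rotation_status(end_date: datetime, now: datetime, warn_days: int = 30) -> str:
    """Classify a client secret's expiry as 'expired', 'rotate-soon' or 'ok'."""
    if end_date <= now:
        return "expired"
    if end_date - now <= timedelta(days=warn_days):
        return "rotate-soon"
    return "ok"


def _make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for the demo (not a real Azure AD token)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample values: not a real tenant, app registration or token.
SAMPLE_TENANT = "11111111-1111-1111-1111-111111111111"
SAMPLE_CLIENT = "22222222-2222-2222-2222-222222222222"
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_EXP = int((SAMPLE_NOW + timedelta(hours=1)).timestamp())
_BASE = {"aud": "https://graph.microsoft.com", "tid": SAMPLE_TENANT,
         "appid": SAMPLE_CLIENT, "exp": SAMPLE_EXP}
# All three permissions consented.
GOOD_TOKEN = _make_unsigned_token({**_BASE, "roles": sorted(REQUIRED_ROLES)})
# Same app, but consent for RoleManagement.ReadWrite.Directory was never granted.
PARTIAL_TOKEN = _make_unsigned_token({**_BASE, "roles": [
    "Directory.ReadWrite.All", "CustomSecAttributeAssignment.ReadWrite.All"]})

if __name__ == "__main__":
    for name, tok in (("good", GOOD_TOKEN), ("partial", PARTIAL_TOKEN)):
        print(name, check_graph_token(tok, SAMPLE_TENANT, SAMPLE_CLIENT, now=SAMPLE_NOW) or "OK")
    print("secret:", secret_rotation_status(SAMPLE_NOW + timedelta(days=20), SAMPLE_NOW))
```

Run it against a real token by replacing `GOOD_TOKEN` with the string from `az account get-access-token` and the sample IDs with the Directory (tenant) ID and Application (client) ID from the registration's Overview page. A `missing app roles` result for a permission that is visible in API Permissions means admin consent is the missing step, which is exactly what the Authorize & Create pop-up is for.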