Azure
Overview
Opal's integration with Azure supports the following:
- Users can request time-bounded access to:
- Azure AD groups
- Both Security Groups and Microsoft 365 Groups are supported
- Azure Management Groups
- Azure Subscriptions
- Azure Resource Groups
- Azure AD groups
- Auditors can initiate access reviews that assign managers or group admins to periodically review users with long-lived access to Azure AD groups, Azure Subscriptions, and Azure Resource Groups.
- Admins can add resources from other Opal integrations to an Azure AD group so the group's members can automatically gain birthright access to, for example, a GitHub repo, AWS IAM role, etc.
- All access changes are tracked in a permanent audit log that can be logged to a Slack channel or exported to your favorite tools.
Requirements
- You will need to be an Azure and Opal admin.
- Opal associates Azure AD users to Opal users through their primary email address in Azure AD.
Setup Azure app registration
1. Create app registration
In your Azure portal, go to Azure Active Directory
-> App registrations
-> New Registration
- Use
Opal
for the name. - For the supported account types, choose the option that fits your Azure AD needs. Typically, you can leave this as the default value.
- For Redirect URI, use
https://app.opal.dev/apps/create/azure_ad/callback
if you use a Cloud Opal instance.- Otherwise, use the URL for your on-premise instance, i.e.
https://<my-on-premise-opal>/apps/create/azure_ad/callback
. - Choose "Web" as the type.
- Otherwise, use the URL for your on-premise instance, i.e.
Once the app registration is created, note the "Application (client) ID" and "Directory (tenant) ID" on the Overview page. We will need these values in the next step.
2. Generate a client secret.
On the app registration page, go to Certificates & Secrets
-> New client secret
. Choose a name and expiration.
Note that you will need to create a new client secret at the expiration interval for your Azure AD connection to continue working. The maximum allowed by Microsoft is 2 years.
Copy the secret value down. We will need this value in the next step. You will not be able to fetch the secret value after leaving this page.
3. Add permissions
In the sidebar, go to API Permissions
and select Add a permission
. Choose Microsoft Graph
-> Application Permissions
and add the following permissions:
Directory.ReadWrite.All
CustomSecAttributeAssignment.ReadWrite.All
RoleManagement.ReadWrite.Directory
These permissions allow Opal to manage the user membership in groups on your behalf as well as import user attributes as your IDP.
4. Create and assign Opal Service Role
To manage access to Azure Subscriptions and Resource Groups, follow the instructions here before continuing. Note that this step can be skipped if you only want to manage Azure AD groups with Opal.
Set up Opal connection
1. Create the Azure connection
In the Opal dashboard, navigate to Apps, click on the + icon, and find the Azure App. Fill out the details for the integration, using the secret from the previous step. The Tenant ID and Client ID are available from the Azure AD app registration page.
2. Click the Authorize & Create button
This step will open a pop-up to authorize your newly created app registration with Azure AD. Once the permissions have been accepted, the connection will be created.
From here, the connection is complete.
Updated about 2 months ago