Overview

Opal's integration with Azure supports the following:

  • Users can request time-bounded access to:
    • Azure AD groups
      • Both Security Groups and Microsoft 365 Groups are supported
    • Azure Management Groups
    • Azure Subscriptions
    • Azure Resource Groups
  • Auditors can initiate access reviews that assign managers or group admins to periodically review users with long-lived access to Azure AD groups, Azure Subscriptions, and Azure Resource Groups.
  • Admins can add resources from other Opal integrations to an Azure AD group so the group's members can automatically gain birthright access to, for example, a GitHub repo, AWS IAM role, etc.
  • All access changes are tracked in a permanent audit log that can be logged to a Slack channel or exported to your favorite tools.

Requirements

  • You will need to be an Azure and Opal admin.
  • Opal associates Azure AD users with Opal users through their primary email address in Azure AD.

Set up Azure app registration

1. Create app registration

In your Azure portal, go to Azure Active Directory -> App registrations -> New Registration

  • Use Opal for the name.
  • For the supported account types, choose the option that fits your Azure AD needs. Typically, you can leave this as the default value.
  • For Redirect URI, use https://app.opal.dev/apps/create/azure_ad/callback if you use a Cloud Opal instance.
    • Otherwise, use the URL for your on-premises instance, e.g. https://<my-on-premise-opal>/apps/create/azure_ad/callback.
    • Choose "Web" as the type.

Once the app registration is created, note the "Application (client) ID" and "Directory (tenant) ID" on the Overview page. We will need these values in the next step.

2. Generate a client secret

On the app registration page, go to Certificates & Secrets -> New client secret. Choose a name and expiration.

Note that you will need to create a new client secret before the current one expires for your Azure AD connection to continue working. The maximum lifetime Microsoft allows for a client secret is 2 years.

Copy the secret value down. We will need this value in the next step. You will not be able to fetch the secret value after leaving this page.

3. Add permissions

In the sidebar, go to API Permissions and select Add a permission. Choose Microsoft Graph -> Application Permissions and add the following permissions:

  • Directory.ReadWrite.All
  • CustomSecAttributeAssignment.ReadWrite.All
  • RoleManagement.ReadWrite.Directory

These permissions allow Opal to manage group membership on your behalf and to import user attributes when Azure AD is your IdP.
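As an added check (example code, not Opal's or Microsoft's), the script below audits an app registration against steps 1 to 3: the redirect URI, the three Microsoft Graph application permissions, and the client secret's lifetime and expiry. It assumes the JSON shape that `az ad app show` (or Graph `/applications/{id}`) returns and the Graph service principal's `appRoles` list for resolving permission ids to names; every GUID, name and date in the sample data is constructed.

```python
"""Added example (not Opal's code): audit an Opal app registration against this guide.
Inputs follow the `az ad app show` JSON and Graph's `appRoles`; all sample data is constructed."""
from datetime import datetime, timedelta, timezone

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph's well-known app id
REQUIRED_PERMS = {"Directory.ReadWrite.All", "CustomSecAttributeAssignment.ReadWrite.All",
                  "RoleManagement.ReadWrite.Directory"}
EXPECTED_REDIRECT = "https://app.opal.dev/apps/create/azure_ad/callback"
MAX_SECRET_LIFETIME = timedelta(days=2 * 365)  # Microsoft's ceiling for a client secret

def audit_app(app, graph_app_roles, now, warn_days=30):
    """Return findings as strings; an empty list means the registration matches the guide."""
    findings = []
    role_names = {r["id"]: r["value"] for r in graph_app_roles}  # appRole id -> permission name
    granted = set()
    for res in app.get("requiredResourceAccess", []):
        if res["resourceAppId"] != GRAPH_APP_ID:
            continue
        for ra in res["resourceAccess"]:
            if ra["type"] == "Role":  # "Role" = application permission, "Scope" = delegated
                granted.add(role_names.get(ra["id"], ra["id"]))
    findings += [f"missing application permission: {p}" for p in sorted(REQUIRED_PERMS - granted)]
    findings += [f"unexpected application permission: {p}" for p in sorted(granted - REQUIRED_PERMS)]
    if EXPECTED_REDIRECT not in app.get("web", {}).get("redirectUris", []):
        findings.append(f"redirect URI {EXPECTED_REDIRECT} not registered")
    for cred in app.get("passwordCredentials", []):
        start = datetime.fromisoformat(cred["startDateTime"].replace("Z", "+00:00"))
        end = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
        if end - start > MAX_SECRET_LIFETIME:
            findings.append(f"secret {cred['displayName']}: lifetime exceeds 2 years")
        if end <= now:
            findings.append(f"secret {cred['displayName']}: expired, the Azure connection has stopped working")
        elif end - now <= timedelta(days=warn_days):
            findings.append(f"secret {cred['displayName']}: expires in {(end - now).days} days, rotate it")
    return findings

# Constructed sample: placeholder GUIDs, one required permission missing, one extra, secret near expiry.
SAMPLE_GRAPH_ROLES = [{"id": f"11111111-0000-0000-0000-00000000000{i}", "value": v} for i, v in
                      enumerate(["Directory.ReadWrite.All", "CustomSecAttributeAssignment.ReadWrite.All",
                                 "RoleManagement.ReadWrite.Directory", "User.ReadWrite.All"], 1)]
SAMPLE_APP = {
    "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID, "resourceAccess": [
        {"id": SAMPLE_GRAPH_ROLES[i]["id"], "type": "Role"} for i in (0, 2, 3)]}],
    "web": {"redirectUris": [EXPECTED_REDIRECT]},
    "passwordCredentials": [{"displayName": "opal-secret", "startDateTime": "2024-01-01T00:00:00Z",
                             "endDateTime": "2025-01-15T00:00:00Z"}],
}
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

def sample_findings():
    return audit_app(SAMPLE_APP, SAMPLE_GRAPH_ROLES, SAMPLE_NOW)
```

Run it against your own registration by replacing the sample dictionaries with the output of `az ad app show --id <app-id>` and the Graph service principal's `appRoles`.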

4. Create and assign Opal Service Role

To manage access to Azure Subscriptions and Resource Groups, follow the instructions here before continuing. Note that this step can be skipped if you only want to manage Azure AD groups with Opal.

Set up Opal connection

1. Create the Azure connection

In the Opal dashboard, navigate to Apps, click on the + icon, and find the Azure App. Fill out the details for the integration, using the secret from the previous step. The Tenant ID and Client ID are available from the Azure AD app registration page.

2. Click the Authorize & Create button

This step will open a pop-up to authorize your newly created app registration with Azure AD. Once the permissions have been accepted, the connection will be created.

From here, the connection is complete.