Provision the Azure Service Principal Account for data synchronization
Article ID: 171105


Products

Email Security.cloud Web Security.cloud

Issue/Introduction

An administrator is using the LDAP Synchronization Tool (Schemus) and would like to set up the data sync to use the Microsoft Azure data source.

Environment

  • Windows Server 2012 64-bit and later, Windows 10 and later
  • Install the 64-bit Windows version of the LDAP Synchronization Tool
  • Schemus 1.52 or later
  • Email security cloud
  • Web Security Cloud

Resolution

In order to synchronize data from Azure, a Service Principal account must be created on the Office 365 portal. The Service Principal account can be created either using the Microsoft Windows Azure Management portal or by using the Windows Azure PowerShell modules.

Schemus will require the Service Principal account ID and associated secret information in order to access the Azure online Active Directory.


Using the Microsoft Azure Management Portal

In order to create a Service Principal account using the Microsoft Windows Azure Management Portal, the following subscriptions are required:

  1. A Microsoft 365 subscription;
  2. A Windows Azure subscription.

Note: A trial Windows Azure subscription is available, from which the Microsoft Windows Azure Management Portal can be accessed. To create a trial subscription, sign in to the Office 365 portal with an Administrator account at https://office.microsoft.com and then go to the management portal at https://portal.azure.com
At the time of writing, the trial is free of charge, although credit card details may be required.

When signed into the Microsoft Windows Azure Management Portal, create the Service Principal account as follows:

  1. Click on Azure Active Directory;
  2. Click on App Registrations on the left panel;
  3. Click on New registration in the bar at the top of the window;
    • Name the application, e.g. Schemus
    • Leave Accounts in this organizational directory only (YourTenantName only - Single tenant) selected
    • Leave Redirect URI empty
    • Register
  4. Click API permissions;
    • Click on Add a permission
    • Select Microsoft Graph
    • Select Application permissions
    • Type Directory in search box
    • Select Directory.Read.All
    • Click Add Permission
    • Click on Grant admin consent for YourUsername and confirm with Yes
  5. Click on Certificates & secrets
    • Click on New client secret
    • Name the secret and pick an expiry date
    • Add the secret
    • Take note of the secret value (it is displayed only once)
  6. Back on Overview, take note of the Application (client) ID and the Directory (tenant) ID
  7. These three values can now be entered in Schemus
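As an added check that is not part of the original article, the following Python script takes the three values from steps 5 and 6, requests an app-only token for Microsoft Graph with them, and inspects the token's roles claim to confirm that the Directory.Read.All permission was actually consented before the values are entered in Schemus. It assumes the secret is supplied through an environment variable named SCHEMUS_CLIENT_SECRET (a name chosen here, not one Schemus uses).

```python
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

GRAPH_SCOPE = "https://graph.microsoft.com/.default"
REQUIRED_ROLE = "Directory.Read.All"  # application permission added in step 4


def token_request(tenant_id: str, client_id: str, client_secret: str):
    """Build the client-credentials request for the v2.0 token endpoint.
    Returns (url, form_body) so the request can be inspected before sending."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
        "grant_type": "client_credentials",
    })
    return url, body


def token_roles(access_token: str) -> list:
    """Return the application roles (app permissions) carried in the token.
    The payload is decoded only for inspection; Graph verifies the signature."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload).decode())
    return claims.get("roles", [])


def has_directory_read(access_token: str) -> bool:
    """True when admin consent for Directory.Read.All has taken effect."""
    return REQUIRED_ROLE in token_roles(access_token)


def main(tenant_id: str, client_id: str) -> int:
    secret = os.environ["SCHEMUS_CLIENT_SECRET"]  # assumed variable name
    url, body = token_request(tenant_id, client_id, secret)
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    with urllib.request.urlopen(req) as resp:
        token = json.load(resp)["access_token"]
    if not has_directory_read(token):
        print("Token carries no Directory.Read.All role: admin consent missing?")
        return 1
    print("Service principal can read the directory; values are ready for Schemus")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1], sys.argv[2]))  # usage: script.py TENANT_ID CLIENT_ID
```

A token is still issued when consent was never granted, so an HTTP 200 from the token endpoint alone does not prove the sync will work; the roles check above is what catches a skipped step 4.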