Provision the Azure Service Principal Account for data synchronization

Article ID: 171105

Products

Email Security.cloud Web Security.cloud

Issue/Introduction

An administrator is using the LDAP Synchronization Tool (Schemus) and would like to set up the data sync to use the Microsoft Azure data source.

Environment

  • Windows 7 SP1 64-bit, Windows 8 R2 64-bit, or Windows Server 2012 64-bit
  • Install the 64-bit Windows version of the LDAP Synchronization Tool
  • Schemus 1.52 or later

Resolution

In order to synchronize data from Azure, a Service Principal account must be created on the Office 365 portal. The Service Principal account can be created either using the Microsoft Windows Azure Management portal or by using the Windows Azure PowerShell modules.

Schemus will require the Service Principal account ID and associated secret information in order to access the Azure online Active Directory.

Using the Microsoft Windows Azure Management Portal

In order to create a Service Principal account using the Microsoft Windows Azure Management Portal, the following subscriptions are required:

  1. An Office 365 subscription;
  2. A Windows Azure subscription.

Note: A trial Windows Azure subscription is available, from which the Microsoft Windows Azure Management Portal can be accessed. In order to create a trial subscription, sign in to the Office 365 portal with an Administrator account at https://office.microsoft.com then go to the management portal https://portal.azure.com.
At the time of writing, the trial is free of charge although credit card details may be required.

When signed into the Microsoft Windows Azure Management Portal, create the Service Principal account as follows:

  1. Click on Azure Active Directory;
  2. Click on App Registrations on the left panel;
  3. Click on New registration in the bar at the top of the window;
    • Name the application, e.g. Schemus
    • Leave Accounts in this organizational directory only (YourTenantName only - Single tenant) selected
    • Leave Redirect URI empty
    • Register
  4. Click API permissions;
    • Click on Add a permission
    • Select Microsoft Graph
    • Select Application permissions
    • Type Directory in search box
    • Select Directory.Read.All
    • Click Add Permission
    • Click on Grant admin consent for YourUsername and confirm with Yes
  5. Click on Certificates & secrets
    • Click on New client secret
    • Name the secret and pick an expiry date
    • Add the secret
    • Take note of the secret value (it is displayed only once)
  6. Back on Overview, take note of the Application (client) ID and Directory (tenant) ID
  7. These three values can now be entered in Schemus
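Before handing the three values to Schemus, it is worth confirming that they actually work and that the admin consent from step 4 took effect. The following script is an added example and is not part of this article or of the Schemus tool: it validates the IDs, builds the standard OAuth2 client-credentials request that a Service Principal uses against Azure AD, and checks that the returned access token carries the Directory.Read.All role. All IDs, secrets and tokens in the example and its test are constructed placeholders.

```python
"""Sanity-check the three values from steps 5 and 6 before entering them in Schemus:
build the client-credentials token request and confirm the consented Directory.Read.All
permission appears in the token's 'roles' claim. All sample values here are constructed."""
import base64
import json
import re
import urllib.parse
import urllib.request

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)
REQUIRED_ROLE = "Directory.Read.All"  # application permission granted in step 4


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for the v2.0 client-credentials grant; reject malformed input."""
    for name, value in (("tenant", tenant_id), ("client", client_id)):
        if not GUID_RE.match(value):
            raise ValueError(f"{name} ID is not a GUID: {value!r}")
    if not client_secret:
        raise ValueError("client secret is empty (the portal shows it only once)")
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    return url, body


def roles_from_token(access_token):
    """Read the 'roles' claim from a JWT payload (no signature check: Graph verifies it, we only inspect)."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("roles", [])


def has_required_role(access_token):
    """True once admin consent for Directory.Read.All is reflected in the token."""
    return REQUIRED_ROLE in roles_from_token(access_token)


def live_check(tenant_id, client_id, client_secret):
    """Request a real token and check the role; needs network access to login.microsoftonline.com."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return has_required_role(json.load(resp)["access_token"])
```

If `roles_from_token` lists anything beyond Directory.Read.All, the registration has more permission than this synchronization needs and the extra API permissions should be removed.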