# Azure AD

## Overview

This document gives a brief overview of the functionality and requirements of the Azure AD OAuth connector.

## Setup

1. In your Microsoft Azure UI, navigate to the Azure Active Directory service.
2. In App registrations, create a new app.

<figure><img src="https://3281977978-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FvBFXjH9S1CAy9f5hzg5Q%2Fuploads%2FDVigWSF0ZZ9CbZmH9vyw%2Fazure1.png?alt=media&#x26;token=16f46a4a-362b-4522-bcfa-81d9bd825f8e" alt=""><figcaption><p>Create a New Azure AD Application</p></figcaption></figure>

3. From there, copy the following information:
   1. **Client ID:**

<figure><img src="https://3281977978-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FvBFXjH9S1CAy9f5hzg5Q%2Fuploads%2F1EP9ujrLO2reMYpvIaG8%2Fazure2.png?alt=media&#x26;token=109eb7b5-3327-4ddc-bcfd-584f2cf1edf0" alt=""><figcaption><p>Client ID</p></figcaption></figure>

   2. **Tenant ID:**

<figure><img src="https://3281977978-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FvBFXjH9S1CAy9f5hzg5Q%2Fuploads%2Fiq3zPtPxMJbtm304J3Lj%2Fazure3.png?alt=media&#x26;token=4fe08efe-3676-4cbd-9769-d85323e3309d" alt=""><figcaption><p>Tenant ID</p></figcaption></figure>

4. From **Endpoints**, copy the following:

<figure><img src="https://3281977978-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FvBFXjH9S1CAy9f5hzg5Q%2Fuploads%2Fe8YcU6ORlBkl6xCjBRK3%2Fazure4.png?alt=media&#x26;token=fea34646-96b7-437c-9cc3-83fd361877d7" alt=""><figcaption><p>OAuth 2.0 authorization endpoint (v2) &#x26; OAuth 2.0 token endpoint (v2)</p></figcaption></figure>

5. You will also need a Client Secret. To get it, open the **Certificates & Secrets** page and click **New Client Secret**:

<figure><img src="https://3281977978-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FvBFXjH9S1CAy9f5hzg5Q%2Fuploads%2FbeVzfzfVeDZJ072ZOt4Y%2Fazure5.png?alt=media&#x26;token=05bb8726-c943-417b-b8fc-bebb5fd6bf2b" alt=""><figcaption><p>New Client Secret</p></figcaption></figure>

6. Copy the generated secret value; it is shown only once.
7. Finally, you will need to set the redirect URL. Click on the redirect URLs:

<figure><img src="https://3281977978-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FvBFXjH9S1CAy9f5hzg5Q%2Fuploads%2F6bUDbfOwhPKzw6u1eYTO%2Fazure7.png?alt=media&#x26;token=3eeeb5ff-407a-4cfc-aa4d-ab8d0aa61fd7" alt=""><figcaption><p>Choose the Redirect URL</p></figcaption></figure>

8. Add the redirect URL:

<figure><img src="https://3281977978-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FvBFXjH9S1CAy9f5hzg5Q%2Fuploads%2FVptf4nW07ip4jriBcS8C%2Fazure8.png?alt=media&#x26;token=80c75477-8ef8-443f-ab51-1c6880b83e09" alt=""><figcaption><p>Set the Redirect URL </p></figcaption></figure>

   `https://<tenantId>.login.aisera.cloud/?id=aisera.oauth.oauthCommand`

   where `<tenantId>` is your company's Aisera tenant ID, which you received from your Aisera team (this is not the Azure Tenant ID copied in step 3b).

9. Assign the API permission.

<figure><img src="https://3281977978-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FvBFXjH9S1CAy9f5hzg5Q%2Fuploads%2FHtgg9vnMbXXpWnzGRmnb%2Fazure9.png?alt=media&#x26;token=ff1b41aa-7e4f-4f30-bfff-918a3cf2bca9" alt=""><figcaption><p>Assign API Permissions/Token</p></figcaption></figure>

10. Click **Add permissions** and select **Microsoft Graph** in the **API permissions** screen.

<figure><img src="https://3281977978-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FvBFXjH9S1CAy9f5hzg5Q%2Fuploads%2FjllgwESh6YRpysT0GgQi%2Fazure10.png?alt=media&#x26;token=5a1e78ef-b6a6-43f5-9bb7-126cb56e041f" alt=""><figcaption><p>Set API Read/Write Permissions</p></figcaption></figure>

## Create the Azure Integration

1. In the Aisera Admin UI, navigate to **Settings > Integration > New Integration.**
2. Search for and select **Azure Active Directory.**
3. Click **Next**.

<div align="left"><figure><img src="https://3281977978-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FvBFXjH9S1CAy9f5hzg5Q%2Fuploads%2F4y3xgcClrKRDuEh0o60e%2Fazure11.png?alt=media&#x26;token=b66a39a6-2f8e-4f45-84ad-943956d2c025" alt="" width="360"><figcaption><p>Choose Azure Active Directory</p></figcaption></figure></div>

4. Enter the configuration details:
   1. **Name** - Enter a name for the integration.
   2. **Endpoint** - Enter the endpoint of your Azure AD application.
   3. **Public** - Determines whether the integration can be used outside the firewall.
   4. **Description** - Enter a description (optional).

<div align="left"><figure><img src="https://3281977978-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FvBFXjH9S1CAy9f5hzg5Q%2Fuploads%2FVSx5gQJys0nkehIrqvJ4%2Fazure12.png?alt=media&#x26;token=48673f19-cc34-4b8d-aee0-207c45def3e4" alt="" width="476"><figcaption><p>Configuration Details - Step 2</p></figcaption></figure></div>

5. Enter the Authentication Details:
   1. **Authorization URL** - Enter the value of the OAuth 2.0 authorization endpoint (v2) and append the `scope` parameter.\
      Example: append the following query string to the endpoint URL in the Authorization URL field:\
      `?scope=offline_access%20Device.Read.All%20Device.Command`\
      The scopes chosen in the example above are:
      1. `offline_access` (always add this scope; the connector needs it to obtain refresh tokens)
      2. `Device.Read.All` and `Device.Command`, separated by a space (encoded as `%20`).\
         You may add any other permission/scope your use case requires.
   2. **Client ID** - Insert the Client ID you copied in Setup step 3a.
   3. **Client Secret** - Insert the client secret value you copied in Setup step 6.
   4. **Access Token URL** - Add the OAuth 2.0 token endpoint (v2) that you copied previously.

<figure><img src="https://3281977978-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FvBFXjH9S1CAy9f5hzg5Q%2Fuploads%2FEQYF7rpp8AVsN9shw0wr%2Fazure13.png?alt=media&#x26;token=31e8f8aa-5fbf-4b5f-9d22-5ab195e808e4" alt=""><figcaption><p>Integration Configuration Step 3</p></figcaption></figure>
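To make the Authorization URL step concrete, here is an added example (not Aisera's or Microsoft's code) that builds the field value from the v2 authorization endpoint and a scope list, always includes `offline_access`, encodes the separator as `%20`, and decodes a pasted value back for review. The all-zero tenant ID in the endpoint is a constructed placeholder.

```python
"""Build and check the Authorization URL field value for the Azure AD connector."""
from urllib.parse import parse_qs, quote, urlsplit

REQUIRED_SCOPE = "offline_access"  # needed so the connector receives refresh tokens

# Constructed sample of the "OAuth 2.0 authorization endpoint (v2)" copied in Setup step 4.
AUTHORIZE_ENDPOINT = (
    "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000"
    "/oauth2/v2.0/authorize"
)


def is_v2_authorize_endpoint(url: str) -> bool:
    """True only for https://login.microsoftonline.com/<tenant>/oauth2/v2.0/authorize."""
    parts = urlsplit(url)
    return (
        parts.scheme == "https"
        and parts.netloc == "login.microsoftonline.com"
        and parts.path.endswith("/oauth2/v2.0/authorize")
    )


def build_authorization_url(authorize_endpoint: str, scopes: list[str]) -> str:
    """Append ?scope=... to the endpoint. offline_access always comes first and
    scopes are space-separated, with the space encoded as %20."""
    if not is_v2_authorize_endpoint(authorize_endpoint):
        raise ValueError("not an OAuth 2.0 authorization endpoint (v2)")
    if urlsplit(authorize_endpoint).query:
        raise ValueError("endpoint already carries a query string")
    ordered = list(dict.fromkeys([REQUIRED_SCOPE, *scopes]))  # de-duplicate, keep order
    return f"{authorize_endpoint}?scope={quote(' '.join(ordered), safe='')}"


def scopes_in_authorization_url(url: str) -> list[str]:
    """Decode the scope parameter of a pasted Authorization URL so it can be reviewed."""
    query = parse_qs(urlsplit(url).query)
    return query.get("scope", [""])[0].split()


if __name__ == "__main__":
    url = build_authorization_url(AUTHORIZE_ENDPOINT, ["Device.Read.All", "Device.Command"])
    print(url)
    print(scopes_in_authorization_url(url))
```

The v1 endpoint (`/oauth2/authorize`, without `v2.0`) is rejected, which catches the most common copy mistake from the Endpoints screen.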

6. Click **OK** and you will be prompted to authorize:

<figure><img src="https://3281977978-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FvBFXjH9S1CAy9f5hzg5Q%2Fuploads%2FCKxnqit8LmLifqxKSEf4%2Fazure14.png?alt=media&#x26;token=708e09ff-1ccc-4f7e-aec9-2c36ca6d8a68" alt=""><figcaption></figcaption></figure>

Have the Aisera Service User who is authorized to log into the customer's data source finalize the authorization procedure.

<figure><img src="https://3281977978-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FvBFXjH9S1CAy9f5hzg5Q%2Fuploads%2FurkMg7NvHyFBXphqTYTb%2Fazure15.png?alt=media&#x26;token=3277f3dc-ae53-4607-ba5c-d29179807d6d" alt=""><figcaption></figcaption></figure>

## Use Query Scripts in Azure AD Data Source Configuration

The Azure AD Connector supports arbitrary query parameters, specifically the `$select` and `$expand` parameters, for API calls, within the Custom Query field of the Data Source Configuration window in the Aisera Admin UI.

<figure><img src="https://3281977978-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FvBFXjH9S1CAy9f5hzg5Q%2Fuploads%2Fl3o7sqOLoq2vhCczh42O%2Funknown.png?alt=media&#x26;token=c4e310b6-4de3-4191-b838-7634aa933f5a" alt=""><figcaption></figcaption></figure>

This allows you to define arbitrary query parameters for each content type (such as User or UserProfile) separately.

```json
{
  "User": {
    "$select": "id, name, country",
    "$expand": "transitiveMemberOf"
  },
  "UserProfile": {
    "$select": "id, name, country",
    "$expand": "transitiveMemberOf"
  }
}
```

Arbitrary query parameters are values that are not explicitly defined or expected in the API's specification. They give you greater flexibility and control over the data retrieved from Azure AD.

You can specify your own values for both `$expand` and `$select` to enable more tailored and efficient data synchronization.
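As an added example (not the connector's own code), the following parses the Custom Query JSON shown above, normalises the comma-separated `$select` lists, flags any parameter other than the two this page documents, and shows the query string each content type would produce, assuming the connector passes these parameters through to the Graph API as-is.

```python
"""Validate the Custom Query JSON and derive the per-content-type query string."""
import json
from urllib.parse import urlencode

ALLOWED_PARAMS = {"$select", "$expand"}  # the two parameters this page documents

# Constructed copy of the Custom Query JSON shown above.
CUSTOM_QUERY_JSON = """{
  "User":        {"$select": "id, name, country", "$expand": "transitiveMemberOf"},
  "UserProfile": {"$select": "id, name, country", "$expand": "transitiveMemberOf"}
}"""


def parse_custom_query(text: str) -> dict[str, dict[str, str]]:
    """Parse the JSON and normalise list values: "id, name, country" -> "id,name,country"."""
    config = json.loads(text)
    return {
        content_type: {
            key: ",".join(item.strip() for item in value.split(","))
            for key, value in params.items()
        }
        for content_type, params in config.items()
    }


def unsupported_parameters(config: dict[str, dict[str, str]]) -> dict[str, list[str]]:
    """Report parameters other than $select/$expand per content type (empty dict = all fine)."""
    return {
        content_type: sorted(set(params) - ALLOWED_PARAMS)
        for content_type, params in config.items()
        if set(params) - ALLOWED_PARAMS
    }


def query_string_for(config: dict[str, dict[str, str]], content_type: str) -> str:
    """Query string implied for one content type; '' when nothing is configured for it."""
    params = config.get(content_type, {})
    # keep '$' and ',' literal so the result reads as $select=id,name,country&$expand=...
    return urlencode(params, safe="$,") if params else ""


if __name__ == "__main__":
    cfg = parse_custom_query(CUSTOM_QUERY_JSON)
    print(unsupported_parameters(cfg))  # {} for the sample above
    print(query_string_for(cfg, "User"))
```

Keeping `$select` to the attributes you actually sync is also a data-minimisation control: the connector only pulls the fields listed.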

## User Privileges Required for OAuth Authorization

For delegated scenarios where an admin is acting on another user, the admin needs one of the following Azure AD roles:

* Global Administrator
* Privileged Authentication Administrator
* Authentication Administrator
