Microsoft Azure and Active Directory (AD) Integration Setup

Getting Started

BalkanID recommends creating a separate service account for the purposes of this integration, instead of using personal or employee named accounts.

Requirements:

• Application (client) ID

• BalkanID Secret Key

• Directory (tenant) ID

Note: The organization should possess an Azure AD Premium P1/P2 license and assign it to the user responsible for setting up the configuration. It is recommended for this user to have the Global Administrator Role.

Getting the configuration

Register the BalkanID application within Azure

1. Within your Azure portal, from the Dashboard search and navigate to App Registrations.

   
2. Click New Registration.

   
3. Fill in the details to register the application as mentioned in the screenshot.

   
4. Copy the Application (client) ID and Directory (tenant) ID after app registration. You will need these values to configure Azure within BalkanID.

   

Configure API permissions for the BalkanID application

1. Within your Azure portal, navigate to API Permissions and select Add a permission. Select Microsoft Graph.

   
2. Within Microsoft Graph section, you will see a choice between Delegated or Application permissions. Select Application permissions.

   
3. As shown in the screenshots below:

   • From the RoleManagement section, select RoleManagement.Read.All

     
   • From the AuditLog section, select AuditLog.Read.All.

     
   • From the AdministrativeUnit section, select AdministrativeUnit.Read.All.

     
   • From the Application section, select Application.Read.All.

   • From the Directory section, select Directory.Read.All.

     
   • From the Group section, select Group.Read.All.

   • From the User section, select User.Read.All.

4. Click Grant admin consent.. link for whatever permissions were assigned recently in the above steps (in example below, the directory is named “Default Directory”) as shown in the screenshot below.

   
5. Once granted, you will see status of each permission change from Not granted for your directory to Granted for your directory. The final list of permissions should match what is shown below.

   

Generate a secret for the BalkanID application to use

1. Navigate to Certificates & secrets. Select New client secret. For description, use “BalkanID Secret Key”. For expiration, select your preferred expiration. Please note that you will need to reissue and update the client secret once this secret expires.

   
2. Copy the Value of the newly created BalkanID Secret Key. You will need this value to configure Azure within BalkanID. CAUTION: Please note that the entire Value may not be visible. You should use the copy to clipboard action next to the Value field to copy the entire value.

   

Configure Azure integration within your BalkanID tenant

1. Login to the BalkanID application and switch to the tenant you would like to add your integration to.

2. Head to Integrations > Add Integration, select Azure.

   

   
3. Set up the Primary Application owner (mandatory) and the Description, if any. Set up Secondary Application Owner(s), if any.

   Select the Extraction Type. From here, you can configure your application using one of the following methods:

   1. Direct integration - Provide your Application (Client) ID, Client Secret and Azure Directory ID obtained above to set up a direct connection with BalkanID.

   2. SCIM integration - Provide SCIM server credentials to set up a SCIM connection with BalkanID.

   3. Manual file upload - Upload Entity and Entity Relations through a .CSV file upload. Contact the team for assistance with this.

   4. Automated upload using API - You can upload data using our Bulk APIs with the help of an API key which will be provided to you. Please refer to the entity and entity relation upload docs for specific instructions on uploading your data through the API.

   
4. Click on next to move onto Optional Configuration.

5. Fill Optional configuration, if required.

   
6. Once you filled in the information, click Save. Your integration is now configured and you will see the status of the integration displayed alongside other integrations on the Integrations page. When data is available, the integration Status will read Connected and the integration Message will read Data available.

Integration Scopes