Skip to main content

Azure

Azure Active Directory (Azure) is Microsoft's cloud-based identity and access management service. Azure AD helps your employees sign in and access resources such as Microsoft Office 365, the Azure portal, and thousands of other Software as a Service (SaaS) applications.

The following sections explain prerequisites, resources, and instructions for integrating with SaaS Management.

Stored Azure Information

The following table describes the available integration tasks and stored data within SaaS Management.

Available Integration TasksInformation Stored
HR RosterUnique ID, Email, Email Aliases, First Name, Last Name, Active Date, Department, Location
Application DiscoveryApplication ID, Application Name, App Instance ID, Additional Details (See the following Note.)
Note: Following are descriptions for the additional details that display in the Azure Discovered Applications tab:
Publisher—Specifies the publisher of the applications.
Open_Access—Specifies whether users can use Single Sign-On (SSO) without any role assignment for the applications.
SSO Integration—Specifies whether the publisher name of the app matches the name of the organization. A green check mark indicates a match; a red “x” indicates a mismatch.
OAuth2 Integration—Specifies the applications configured with OAuth protocol for SSO.
SSO Application RosterApplication ID, Application Name, App Instance ID, User ID, Email, First Name, Last Name, Active Date
SSO Application AccessUser ID, Last Login, Application ID, Application Name, Login Location
note

The information stored is subject to change as enhancements are made to the SaaS application.

Required Minimum Permissions for Azure

The minimum API required permissions are based on the Required Application Permissions for Azure and Required User Role for Azure.

Required Application Permissions for Azure

info

The Azure integration with SaaS Management will fail if consent is not given to both the AuditLog.Read.All and the Directory.Read.All permissions. For more information, see the Microsoft documentation topic, List signIns.

Application PermissionDescriptionIntegration Task Name
User.Read.AllEnables the application to read the full set of profile properties on behalf of the signed-in user.HR Roster
Application.Read.AllEnables the application to read applications and service principals on behalf of the signed-in user.Application Discovery
Organization.Read.AllEnables the application to read the organization and related resources, without a signed-in user. Related resources include things like subscribed SKUs and tenant branding information.Application Discovery
AuditLog.Read.All and Directory.Read.AllEnables the application to read and query your audit log activities, without a signed-in user.SSO Application Access
Application.Read.AllEnables the application to read applications and service principals on behalf of the signed-in user.SSO Application Roster
GroupMember.Read.AllEnables the app to read memberships and basic group properties for all groups without a signed-in user.SSO Application Roster
Offline_accessEnables you to generate the refresh token.

Required User Role for Azure

note

The following SaaS application user role is not applicable to Flexera One roles.

User RoleDescription
Application AdministratorTo grant and authorize the application permission, the user must have Application Administrator access. For more information, see Microsoft’s documentation topic, Application Administrator.
note

Consider the following:

  • After the Authorization is completed and the integration tasks are executed successfully, the user role can be reduced to the Report Reader role.

  • After Authorizing, changing the password, or revoking the user roles for the user used for authorizing will result in an integration task failure.

Azure Authentication Method

The required authentication method is OAuth 2.0 With Authorize Flow. For more information, see Microsoft’s documentation topic, Microsoft Identity Platform and OAuth 2.0 Authorization Code Flow.

Required Azure Credentials

The following credentials are required:

  • Username

  • Password.

Optional Azure Credentials

The following credentials are optional:

  • Include Guests

  • Domain Names—If you provide multiple values, they should be comma separated.

note

Username and password are required only for authorizing the application permissions. These values are not stored in SaaS Management.

Data Anonymization for Azure

Data anonymization is the processing technique that removes or modifies identifiable information. After the process is complete, data cannot be associated with a specific user. It helps protect private and sensitive data as well as private activities while maintaining its integrity.

info

Before Integrating Azure With SaaS Management, you must complete the following task to ensure that anonymized users are not imported from Azure into SaaS Management. You will need to access reports that provide information about your organization’s use of applications and services.

Ensure that data anonymization is disabled in your Microsoft account. Otherwise, all activity data will end up in Suspicious SaaS Activities. For more information, see Microsoft’s documentation topic, Showing Anonymous User Names. If anonymized user data has been imported after integrating Azure with SaaS Management, submit a Flexera Support Case.

To view reports with anonymized user data:

  1. Sign in to the Microsoft 365 Portal Admin Center.
  2. In the menu, go to Settings > Org settings and click the Services link at the top.
  3. Scroll down and click Reports.
  4. In the window that is displayed, clear the Display concealed user, group, and site names in all reportsbox.
  5. Proceed to Integrating Azure With SaaS Management.

Integrating Azure With SaaS Management

Complete the following steps to integrate Azure with SaaS Management.

  1. Complete the prerequisite steps in Data Anonymization for Azure.

  2. Add the Azure application in SaaS Management. For more information, see Adding an Application.

  3. To filter users based on domain, enter the appropriate domain name(s) in the Domain Names field of the Azure integration setup slideout. Domain names are not case sensitive. If you provide multiple domain values, they should be comma separated. If the Domain Names field is left empty, it will pull all the user domains.

    note

    If the User Principal Name (UPN) and mail values are not the same, the entered domain values will not display in the Email column of the Azure Users tab in SaaS Management.

  4. To filter the Azure user types that are pulled in from the HR Roster integration task, enter the appropriate value in the Include Guests field.

    Example 1: To retrieve Guest, Member, and null Azure user types, enter yes in the Include Guests field.

    Example 2: To retrieve only Member and null Azure user types, do not enter a value in the Include Guests field.

    The results for both examples display in the All SaaS Users (Organization > All SaaS Users) page.

  5. In SaaS Management, click the Authorize link provided during the integration setup, which will redirect you to the Microsoft/Azure portal.

  6. In the Microsoft/Azure portal, sign in with your Application Administrator username and password.

  7. Click Accept to authorize to provide access to the APIs for the Directory.Read.All permission in the account.

tip

After the Application Discovery integration task has been enabled after 24 hours, you can add the discovered SSO enabled applications to your list of Managed SaaS Applications. For more information, see Adding Discovered SSO Enabled Applications to Your List of Managed SaaS Applications.

The default number of your organization’s Azure users that are pulled into SaaS Management for discovered SSO enabled applications represents all the users listed in your Azure AD. To limit the scope of the Azure user count in SaaS Management to those users assigned to the Azure discovered SSO enabled applications, you need to set the App Role Assignment flag to Yes for each SSO enabled application. For more information on setting the app role assignment, see Microsoft’s documentation topic, Update the app to require user assignment. Within SaaS Management, Azure users with an inactive status represent those users who are unassigned from the SSO enabled application.

Azure API Endpoints

HR Roster

https://graph.microsoft.com/v1.0/users

Application Discovery

https://graph.microsoft.com/v1.0/servicePrincipals

https://graph.microsoft.com/v1.0/organization/

SSO Application Access

https://graph.microsoft.com/v1.0/auditLogs/signIns

SSO Application Roster

https://graph.microsoft.com/v1.0/servicePrincipals/<applicationId>/appRoleAssignedTo

https://graph.microsoft.com/v1.0/groups/<groupId>/members