Privacera Documentation

Azure Active Directory UserSync integration on Privacera Platform

This topic describes how to synchronize users, groups, and service principals from an existing Azure Active Directory (AAD) tenant into Privacera.

Prerequisites

Ensure the following prerequisites are met:

  • Register an Azure AD application for UserSync. Grant it only the read permissions it needs to enumerate users, groups, and service principals; the client secret gives read access to your directory, so treat it like any other credential.

  • Record the following values from that application registration: Application (client) ID and a client secret.

Procedure
  1. SSH to the instance as ${USER}.

  2. Run the following commands.

    cd ~/privacera/privacera-manager
    cp config/sample-vars/vars.usersync.azuread.yml config/custom-vars/
    vi config/custom-vars/vars.usersync.azuread.yml
    
  3. Edit the following properties, replacing every <PLEASE_CHANGE> value. For property details and descriptions, see AAD UserSync configuration properties below.

    USERSYNC_AZUREAD_TENANT_ID: "<PLEASE_CHANGE>"
    USERSYNC_AZUREAD_CLIENT_ID: "<PLEASE_CHANGE>"
    USERSYNC_AZUREAD_CLIENT_SECRET: "<PLEASE_CHANGE>"
    USERSYNC_AZUREAD_DOMAINS: "<PLEASE_CHANGE>"
    USERSYNC_AZUREAD_GROUPS: "<PLEASE_CHANGE>"
    USERSYNC_ENABLE: "true"
    USERSYNC_SOURCE: "azuread"
    USERSYNC_AZUREAD_USE_GROUP_LOOKUP_FIRST: "true"
    USERSYNC_SYNC_AZUREAD_USERNAME_RETRIVAL_FROM: "userPrincipalName"
    USERSYNC_SYNC_AZUREAD_EMAIL_RETRIVAL_FROM: "userPrincipalName"
    USERSYNC_SYNC_AZUREAD_GROUP_RETRIVAL_FROM: "displayName"
    SYNC_AZUREAD_USER_SERVICE_PRINCIPAL_ENABLED: "false"
    SYNC_AZUREAD_USER_SERVICE_PRINCIPAL_USERNAME_RETRIVAL_FROM: "appId"
    
  4. Run the following commands.

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh update
    
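Before running the update it is worth checking the edited vars file for the mistakes that are easy to make in step 3: a value left at <PLEASE_CHANGE>, an ID that is not a GUID, a stray quote inside a comma-separated list, or a file that still holds the client secret world-readable. The script below is an added example and not part of Privacera Manager; it assumes the file is flat `KEY: "value"` YAML as shown above, and the sample files it writes use made-up IDs and a made-up secret.

```shell
#!/usr/bin/env bash
# Pre-flight check for config/custom-vars/vars.usersync.azuread.yml, to run
# before ./privacera-manager.sh update. Added example; not Privacera code.
# Assumptions (not stated on the Privacera page): the file is flat
# KEY: "value" YAML, and a value still equal to <PLEASE_CHANGE> means the
# edit step was skipped.

# Print the value of KEY ($2) from FILE ($1) with surrounding quotes removed;
# prints nothing if the key is absent.
usersync_get() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 \
    | sed 's/[[:space:]]*$//; s/^"//; s/"$//'
}

# Return 0 when the file is safe to apply, 1 otherwise; reasons go to stderr.
check_usersync_vars() {
  file=$1
  rc=0
  # Every value that the procedure asks you to change must have been changed.
  for key in USERSYNC_AZUREAD_TENANT_ID USERSYNC_AZUREAD_CLIENT_ID \
             USERSYNC_AZUREAD_CLIENT_SECRET USERSYNC_AZUREAD_DOMAINS \
             USERSYNC_AZUREAD_GROUPS; do
    val=$(usersync_get "$file" "$key")
    if [ -z "$val" ] || [ "$val" = "<PLEASE_CHANGE>" ]; then
      echo "$key: missing or still <PLEASE_CHANGE>" >&2
      rc=1
    fi
  done
  # Tenant ID and client ID are GUIDs (8-4-4-4-12 hex digits).
  guid='^[0-9a-fA-F]\{8\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{12\}$'
  for key in USERSYNC_AZUREAD_TENANT_ID USERSYNC_AZUREAD_CLIENT_ID; do
    val=$(usersync_get "$file" "$key")
    echo "$val" | grep -q "$guid" || { echo "$key: not a GUID: $val" >&2; rc=1; }
  done
  # Domain and group lists are comma separated; a stray quote or an empty
  # item (GROUP1,GROUP2",GROUP3 or GROUP1,,GROUP3) silently breaks the list.
  for key in USERSYNC_AZUREAD_DOMAINS USERSYNC_AZUREAD_GROUPS; do
    val=$(usersync_get "$file" "$key")
    case ",$val," in
      *'"'*|*,,*|*', '*|*' ,'*) echo "$key: malformed list: $val" >&2; rc=1 ;;
    esac
  done
  [ "$(usersync_get "$file" USERSYNC_ENABLE)" = "true" ] \
    || { echo "USERSYNC_ENABLE is not \"true\"" >&2; rc=1; }
  [ "$(usersync_get "$file" USERSYNC_SOURCE)" = "azuread" ] \
    || { echo "USERSYNC_SOURCE is not \"azuread\"" >&2; rc=1; }
  # The client secret sits in this file in clear text, so it must be
  # readable by the owner only (GNU stat first, BSD/macOS stat as fallback).
  perms=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  case "$perms" in
    600|400) ;;
    *) echo "$file has mode $perms; run: chmod 600 $file" >&2; rc=1 ;;
  esac
  return "$rc"
}

# Constructed sample files for trying the check offline. The IDs and secret
# are made up; the "bad" file reproduces the mistakes the check looks for.
write_sample_vars() {
  case $2 in
    good)
      cat > "$1" <<'EOF'
USERSYNC_AZUREAD_TENANT_ID: "5a5c1111-2222-3333-4444-c3172b335555"
USERSYNC_AZUREAD_CLIENT_ID: "8a081111-2222-3333-4444-6c0c95a05555"
USERSYNC_AZUREAD_CLIENT_SECRET: "example-secret-value"
USERSYNC_AZUREAD_DOMAINS: "companydomain1.com,companydomain2.com"
USERSYNC_AZUREAD_GROUPS: "GROUP1,GROUP2,GROUP3"
USERSYNC_ENABLE: "true"
USERSYNC_SOURCE: "azuread"
EOF
      ;;
    bad)
      cat > "$1" <<'EOF'
USERSYNC_AZUREAD_TENANT_ID: "5a5c1111-2222-3333-4444-c3172b335555"
USERSYNC_AZUREAD_CLIENT_ID: "not-a-guid"
USERSYNC_AZUREAD_CLIENT_SECRET: "<PLEASE_CHANGE>"
USERSYNC_AZUREAD_DOMAINS: "companydomain1.com"
USERSYNC_AZUREAD_GROUPS: "GROUP1,GROUP2",GROUP3
USERSYNC_ENABLE: "true"
USERSYNC_SOURCE: "ldap"
EOF
      ;;
  esac
}
```

Usage: source the script and run `check_usersync_vars ~/privacera/privacera-manager/config/custom-vars/vars.usersync.azuread.yml`; a non-zero exit with the reasons on stderr means the file should not be applied yet. The permission check is deliberate: Privacera Manager reads the secret from this file, so the file, and any backup of it, needs the same protection as the secret itself.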

AAD UserSync configuration properties

Each property is listed with its description and an example value.

USERSYNC_AZUREAD_TENANT_ID
    Description: ID of the Azure AD tenant to sync from. Azure portal > Azure Active Directory > Properties > Tenant ID.
    Example: 5a5cxxxx-xxxx-xxxx-xxxx-c3172b33xxxx

USERSYNC_AZUREAD_CLIENT_ID
    Description: Application (client) ID of the Azure AD application created in the Prerequisites section above.
    Example: 8a08xxxx-xxxx-xxxx-xxxx-6c0c95a0xxxx

USERSYNC_AZUREAD_CLIENT_SECRET
    Description: Client secret of the Azure AD application created in the Prerequisites section above. The secret is stored in clear text in the vars file, so restrict read access to that file to the account that runs Privacera Manager.
    Example: ${CLIENT_SECRET}

USERSYNC_AZUREAD_DOMAINS
    Description: Comma-separated list of Azure AD domains whose users are synced, with no spaces or quotes between items. Azure portal > Azure Active Directory > Domains.
    Example: companydomain1.com,companydomain2.com

USERSYNC_AZUREAD_GROUPS
    Description: Comma-separated list of Azure AD groups to sync, with no spaces or quotes between items. Azure portal > Azure Active Directory > Groups.
    Example: GROUP1,GROUP2,GROUP3

USERSYNC_ENABLE
    Description: Set to true to enable UserSync.
    Example: true

USERSYNC_SOURCE
    Description: Source from which users and groups are synced. Values: unix, ldap, azuread.
    Example: azuread

USERSYNC_AZUREAD_USE_GROUP_LOOKUP_FIRST
    Description: Set to true to sync all groups first and then the users who are members of those groups.
    Example: true

USERSYNC_SYNC_AZUREAD_USERNAME_RETRIVAL_FROM
    Description: Azure returns each user as a JSON object. Name the attribute whose value is unique per user; it becomes the user name in Ranger.
    Example: userPrincipalName

USERSYNC_SYNC_AZUREAD_EMAIL_RETRIVAL_FROM
    Description: Attribute of the Azure user object used as the user's email address. Note that userPrincipalName is not always a deliverable mail address (guest accounts, for example, carry #EXT# UPNs).
    Example: userPrincipalName

USERSYNC_SYNC_AZUREAD_GROUP_RETRIVAL_FROM
    Description: Attribute of the Azure group object used as the group name in Ranger. Azure AD does not enforce unique group display names, so check the groups you sync for duplicates.
    Example: displayName

SYNC_AZUREAD_USER_SERVICE_PRINCIPAL_ENABLED
    Description: Set to true to sync Azure service principals as Ranger users.
    Example: false

SYNC_AZUREAD_USER_SERVICE_PRINCIPAL_USERNAME_RETRIVAL_FROM
    Description: Azure returns each service principal as a JSON object. Name the attribute whose value is unique per service principal; it becomes the user name in Ranger.
    Example: appId