Advanced Configuration for Entra ID (AAD) UserSync Connector
Entra ID (AAD) UserSync connector properties
AAD Connector Information
Property | Description | Example |
---|---|---|
AZURE_AD_CONNECTOR | Name of the connector. | AAD1 |
AZURE_AD_ENABLED | Enabled status of connector. (true/false) | true |
AZURE_AD_DATASOURCE_NAME | Name of the datasource. | |
AZURE_AD_ATTRIBUTE_ONLY | Sync only users that have the specified attribute. | |
AZURE_AD_SYNC_INTERVAL | Frequency of UserSync pulls and audit records in seconds. Default value is 3600, minimum value is 300. | 3600 |
Entra ID Info (get the following information from the Azure Portal)
Property | Description | Example |
---|---|---|
AZURE_AD_TENANT_ID | Azure Active Directory Id (Tenant ID) | 1a2b3c4d-azyd-4755-9638-e12xa34p56le |
AZURE_AD_CLIENT_ID | Azure Active Directory application client ID which will be used for accessing Microsoft Graph API. | 11111111-1111-1111-1111-111111111111 |
AZURE_AD_CLIENT_SECRET | Azure Active Directory application client secret which will be used for accessing Microsoft Graph API. | 11111111-1111-1111-1111-111111111111 |
Manage/Ignore List of Users/Groups
Property | Description | Example |
---|---|---|
AZURE_AD_MANAGE_USER_LIST | List of users to manage from sync results. If this list is defined, all users not on this list will be ignored. | user1,user2,user5* |
AZURE_AD_IGNORE_USER_LIST | List of users to ignore from sync results. If this list is defined, all users on this list will be ignored. | user3,user4,user6* |
AZURE_AD_MANAGE_GROUP_LIST | List of groups to manage from sync results. If this list is defined, all groups not on this list will be ignored. | group1,group2,group5* |
AZURE_AD_IGNORE_GROUP_LIST | List of groups to ignore from sync results. If this list is defined, all groups on this list will be ignored. | group3,group4,group6* |
AZURE_AD_FILTER_USER_LIST | Server side filter to apply to users. Not compatible with incremental search. | eq;user1 , sw;user |
AZURE_AD_FILTER_GROUP_LIST | Server side filter to apply to groups. Not compatible with incremental search. | eq;group1,group2 , sw;group |
AZURE_AD_FILTER_SERVICEPRINCIPAL_LIST | Server side filter to apply to service principals. Not compatible with incremental search. | eq;serviceprincipal1 , sw;serviceprincipal |
AZURE_AD_MANAGE_DOMAIN_LIST | Only users in manage domain list will be synced. | privacera.us |
AZURE_AD_IGNORE_DOMAIN_LIST | Users in ignore domain list will be ignored. | privacera.us |
AZURE_AD_DOMAIN_ATTRIBUTE | Attribute from which the user's domain is taken when comparing against the manage/ignore domain lists; email and username are supported. Default is email. | username |
Entra ID (AAD) Search
Property | Description | Example |
---|---|---|
AZURE_AD_SEARCH_SCOPE | Graph API search scope | https://graph.microsoft.com/.default |
AZURE_AD_SEARCH_USER_GROUPONLY | Syncs users who are members of synced groups. | false |
AZURE_AD_SEARCH_INCREMENTAL_ENABLED | Enables incremental search. | false |
AZURE_AD_SEARCH_DETECT_DELETED_USERS_GROUPS | Detects deleted users and groups. | false |
AZURE_AD_SEARCH_DETECT_DELETED_USERS | Override setting for deleted-user search. Default value is {{AZURE_AD_SEARCH_DETECT_DELETED_USERS_GROUPS}}. | false |
AZURE_AD_SEARCH_DETECT_DELETED_GROUPS | Override setting for deleted-group search. Default value is {{AZURE_AD_SEARCH_DETECT_DELETED_USERS_GROUPS}}. | false |
AZURE_AD_SEARCH_CYCLES_BETWEEN_DELETED_DETECTION | Number of sync cycles between attempts to detect deleted users and groups. Only used when deleted users and groups detection is enabled in the AAD connector (see the properties above). Default value is 6. | 10 |
Entra ID (AAD) Service Principal
Note: If Sync Service Principals as Users is enabled, be aware that AAD does not require the displayName of a Service Principal to be unique. In this case a different attribute (such as appId) should be used as the Service Principal Username.
Property | Description | Example |
---|---|---|
AZURE_AD_SERVICE_PRINCIPAL_ENABLED | Enables sync of service principal as a user. | false |
AZURE_AD_SERVICEPRINCIPAL_USERNAME | Username attribute of the service principal. | displayName |
Entra ID (AAD) User/Group Attributes
Property | Description | Example |
---|---|---|
AZURE_AD_ATTRIBUTE_USERNAME | Username attribute of the user. | userPrincipalName |
AZURE_AD_ATTRIBUTE_FIRSTNAME | First name attribute of the user. | givenName |
AZURE_AD_ATTRIBUTE_LASTNAME | Last name attribute of the user. | surname |
AZURE_AD_ATTRIBUTE_EMAIL | Email attribute of the user. | userPrincipalName |
AZURE_AD_ATTRIBUTE_GROUPNAME | Group name attribute of the group. | displayName |
AZURE_AD_SERVICEPRINCIPAL_USERNAME | Username attribute of the service principal. | displayName |
Username/Group name Attribute Modification
Property | Description | Example |
---|---|---|
AZURE_AD_ATTRIBUTE_USERNAME_VALUE_EXTRACTFROMEMAIL | Extract the username from an email address (e.g. username@domain.com -> username). Default is false. | false |
AZURE_AD_ATTRIBUTE_USERNAME_VALUE_PREFIX | Prefix to add to the username. | prefix_ |
AZURE_AD_ATTRIBUTE_USERNAME_VALUE_POSTFIX | Postfix to add to the username. | _postfix |
AZURE_AD_ATTRIBUTE_USERNAME_VALUE_TOLOWER | Converts the username to lowercase. | false |
AZURE_AD_ATTRIBUTE_USERNAME_VALUE_TOUPPER | Converts the username to uppercase. | false |
AZURE_AD_ATTRIBUTE_USERNAME_VALUE_REGEX | Regular expression to apply to the username. | s/ch/AAA/g |
AZURE_AD_ATTRIBUTE_GROUPNAME_VALUE_PREFIX | Prefix to add to the group name. | prefix_ |
AZURE_AD_ATTRIBUTE_GROUPNAME_VALUE_POSTFIX | Postfix to add to the group name. | _postfix |
AZURE_AD_ATTRIBUTE_GROUPNAME_VALUE_TOLOWER | Converts the group name to lowercase. | false |
AZURE_AD_ATTRIBUTE_GROUPNAME_VALUE_TOUPPER | Converts the group name to uppercase. | false |
AZURE_AD_ATTRIBUTE_GROUPNAME_VALUE_REGEX | Regular expression to apply to the group name. | s/ch/AAA/g |
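As an added illustration (not Privacera's own code), the following Python models how the manage/ignore wildcard lists and the username/group-name value rules from the two tables above combine. The order in which the value rules are applied, the sed-style `s/pattern/replacement/flags` reading of the REGEX value and the glob reading of a trailing `*` are assumptions, not documented behaviour.

```python
import re
from fnmatch import fnmatchcase

# Assumption (not stated on the page): value rules apply in the order the table
# lists them: extract-from-email, prefix, postfix, to-lower, to-upper, regex.


def parse_sed_substitution(expr):
    """Parse 's/<pattern>/<replacement>/<flags>' (the table's example is s/ch/AAA/g).
    The delimiter is whatever character follows 's'; a backslash escapes it."""
    if len(expr) < 4 or expr[0] != "s":
        raise ValueError(f"not a substitution expression: {expr!r}")
    delim = expr[1]
    parts = re.split(r"(?<!\\)" + re.escape(delim), expr[2:])
    if len(parts) != 3:
        raise ValueError(f"expected s{delim}pattern{delim}replacement{delim}flags: {expr!r}")
    pattern, replacement, flags = parts
    count = 0 if "g" in flags else 1          # sed 'g': replace all, otherwise first only
    re_flags = re.IGNORECASE if "i" in flags else 0
    return re.compile(pattern, re_flags), replacement, count


def apply_value_rules(value, extract_from_email=False, prefix="", postfix="",
                      to_lower=False, to_upper=False, regex=None):
    """Mirror the *_VALUE_* properties for one username or group name."""
    if extract_from_email and "@" in value:
        value = value.split("@", 1)[0]        # username@domain.com -> username
    value = prefix + value + postfix
    if to_lower:
        value = value.lower()
    if to_upper:
        value = value.upper()
    if regex:
        compiled, replacement, count = parse_sed_substitution(regex)
        value = compiled.sub(replacement, value, count=count)
    return value


def parse_list(prop):
    """Split a comma-separated property value such as 'user1,user2,user5*'."""
    return [p.strip() for p in prop.split(",") if p.strip()]


def is_managed(name, manage_list=(), ignore_list=()):
    """Combine a MANAGE list and an IGNORE list; a trailing '*' is read as a glob."""
    if manage_list and not any(fnmatchcase(name, p) for p in manage_list):
        return False                          # manage list defined, name not on it
    return not any(fnmatchcase(name, p) for p in ignore_list)
```

Because the regex runs last in this model, `s/ch/AAA/g` only matches after a to-lower rule has normalised mixed-case names; run the same input with the rules in a different order to see the result change.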
Custom Attribute Configuration
Property | Description | Example |
---|---|---|
AZURE_AD_ATTRIBUTE_LIST | List of user attributes to sync. | description,mail |
AZURE_AD_ATTRIBUTE_VALUE_PREFIX | Prefix to add to the user attribute value. | prefix_ |
AZURE_AD_ATTRIBUTE_KEY_PREFIX | Prefix to add to the user attribute key. | prefix_ |
AZURE_AD_GROUP_ATTRIBUTE_LIST | List of group attributes to sync. | description,mail |
AZURE_AD_GROUP_ATTRIBUTE_VALUE_PREFIX | Prefix to add to the group attribute value. | prefix_ |
AZURE_AD_GROUP_ATTRIBUTE_KEY_PREFIX | Prefix to add to the group attribute key. | prefix_ |
UserSync system properties on Privacera Self-Managed and Data Plane
UserSync property | Description | Property | Default |
---|---|---|---|
PRIVACERA_USERSYNC_RANGER_URL | Address of Ranger instance. | ranger.url | http://ranger:6080 |
PRIVACERA_USERSYNC_RANGER_USERNAME | Username of Ranger user. | ranger.username | admin |
PRIVACERA_USERSYNC_RANGER_PASSWORD | Password of Ranger user. | ranger.password | admin |
PRIVACERA_USERSYNC_CONTEXT_CLASS | Implementation class used for USContext (storage of synced Users and Groups). Options: com.privacera.usersync.context.USContextRocksDB, com.privacera.usersync.context.USContextMemory | usersync.context.class | com.privacera.usersync.context.USContextRocksDB |
PRIVACERA_USERSYNC_CONTEXT_DATASOURCE_PRIORITY_LIST | Priority list of configured datasources. Sources nearest the beginning of the list will be used over sources later in the list. | usersync.context.datasource.priority.list | |
PRIVACERA_USERSYNC_DETECT_CACHE_DIFFERENCES_ENABLED | Enables cache synchronization. While UserSync reads data from an IdP, the incoming user data is kept in a cache for performance and periodically compared with the user data already synced to the Privacera portal. UserSync then pushes the IdP user data that has been reconciled with the Privacera portal from the cache to the connected applications. | usersync.detect.DifferencesBetweenCacheAndRangerForUserAndGroup.enabled | true |
PRIVACERA_USERSYNC_DETECT_CACHE_INTERVAL_SECONDS | Frequency of cache synchronization in seconds. | usersync.detect.DifferencesBetweenCacheAndRangerForUserAndGroup.intervalInSeconds | 43200 |
PRIVACERA_USERSYNC_LOADER_BULK_ENABLED | Load users to Portal in batches. | usersync.user.loader.bulk.enabled | true |
PRIVACERA_USERSYNC_LOADER_BULK_BATCHSIZE | Size of batches to load Users into Portal. | usersync.user.loader.bulk.batchsize | 100 |
PRIVACERA_USERSYNC_UPDATE_GROUP_MEMBERSHIPS_BATCH_ENABLE | Load group memberships to Portal in batches. | usersync.user.loader.update.group.memberships.batch.enable | false |
PRIVACERA_USERSYNC_UPDATE_GROUP_MEMBERSHIPS_BATCHSIZE | Size of batches to load Group memberships into Portal. | usersync.user.loader.update.group.memberships.batchsize | 1000 |
PRIVACERA_USERSYNC_STARTUP_PERFORM_OPERATIONS_ENABLED | Scan for and perform any pending operations in cache (User/Group objects) at service start-up. | usersync.startup.performoperations.enabled | true |
PRIVACERA_USERSYNC_LOADER_PROCESS_THREAD_MIN | Minimum threads for processing user/group updates (<=0 will use a cached thread pool). | usersync.user.loader.process.thread.min | 1 |
PRIVACERA_USERSYNC_LOADER_PROCESS_THREAD_MAX | Maximum threads for processing user/group updates (if min is <= 0, this has no effect). | usersync.user.loader.process.thread.max | 1 |
PRIVACERA_USERSYNC_LOADER_PROCESS_THREAD_KEEPALIVE_SECONDS | Keep alive time for threads processing user/group updates. | usersync.user.loader.process.thread.keepalive.seconds | 30 |
PRIVACERA_USERSYNC_SECRETS_FILE | JCEKS KeyStore File Paths | privacera.usersync.keystore.files | |
PRIVACERA_USERSYNC_SECRETS_KEYSTORE_PASSWORDS | JCEKS KeyStore Files Passwords | privacera.usersync.keystore.passwords | |
PRIVACERA_USERSYNC_SECRETS_KEYPREFIX | Secure keys alias prefix | privacera.usersync.secure.key.prefix | jceks |
PRIVACERA_USERSYNC_AUTH_SSL_TRUSTSTORE_FILE | SSL Truststore path | ssl.truststore | |
PRIVACERA_USERSYNC_AUTH_SSL_TRUSTSTORE_PASSWORD | SSL Truststore password | ssl.truststore.password | |
PRIVACERA_USERSYNC_RANGER_INIT_RETRY_INTERVAL_IN_MILLIS | Delay in milliseconds between retry attempts for initializing Ranger user loader. | usersync.user.loader.ranger.init.retryinterval.ms | 30000 |
PRIVACERA_USERSYNC_RANGER_INIT_RETRY_LIMIT | Maximum retry attempts for initializing Ranger user loader. (<0 indicates unlimited retries) | usersync.user.loader.ranger.init.retrylimit | -1 |
PRIVACERA_USERSYNC_RANGER_REQUEST_RETRY_INTERVAL_IN_MILLIS | Delay in milliseconds between retry attempts for requests to Ranger | ranger.request.retryinterval.ms | 10000 |
PRIVACERA_USERSYNC_RANGER_REQUEST_RETRY_LIMIT | Maximum retry attempts for requests to Ranger | ranger.request.retrylimit | 3 |
PRIVACERA_USERSYNC_UPDATE_GROUP_MEMBERSHIPS_BULK_ENABLED | Enable bulk update of group memberships to Ranger | usersync.user.loader.update.group.memberships.bulk.enabled | true |
PRIVACERA_USERSYNC_CONTEXT_OPEN_MAX_RETRY | Maximum retry attempts to open RocksDB cache | usersync.context.rocksdb.open.max.retry | 5 |
PRIVACERA_USERSYNC_CONTEXT_OPEN_DESTROY_ON_FAIL | Enable automatic destroy of RocksDB cache if unable to open (corrupted). Cache will be rebuilt. | usersync.context.rocksdb.open.destroyonfail | true |
PRIVACERA_USERSYNC_API_SECURITY_USER_NAME | If configured, Usersync REST APIs are available with basic auth. | usersync.api.security.user.name | |
PRIVACERA_USERSYNC_API_SECURITY_USER_PASSWORD | If configured, Usersync REST APIs are available with basic auth. | usersync.api.security.user.password | |
PRIVACERA_USERSYNC_LOADER_ASSIGN_ROLE_PRIORITY_LIST | Priority list of roles if a user has multiple roles mapped. Highest priority role will be applied to the user. | usersync.user.loader.assign.role.priority.list | ROLE_SYS_ADMIN,ROLE_ADMIN_AUDITOR |
PRIVACERA_USERSYNC_LOADER_ASSIGN_SYS_ADMIN_ROLE_GROUP_LIST | Provide a list of group names, whose members will be assigned the admin role. | usersync.user.loader.assign.role.ROLE_SYS_ADMIN.group.list | |
PRIVACERA_USERSYNC_LOADER_ASSIGN_SYS_ADMIN_ROLE_USER_LIST | Provide a list of user names, who will be assigned the admin role. | usersync.user.loader.assign.role.ROLE_SYS_ADMIN.user.list | |
PRIVACERA_USERSYNC_LOADER_ASSIGN_AUDITOR_ROLE_GROUP_LIST | Provide a list of group names, whose members will be assigned the auditor role. | usersync.user.loader.assign.role.ROLE_ADMIN_AUDITOR.group.list | |
PRIVACERA_USERSYNC_LOADER_ASSIGN_AUDITOR_ROLE_USER_LIST | Provide a list of user names, who will be assigned the auditor role. | usersync.user.loader.assign.role.ROLE_ADMIN_AUDITOR.user.list | |
Entra ID (AAD) fields for UserSync on PrivaceraCloud
These are descriptions of the fields for configuring PrivaceraCloud UserSync for Entra ID (AAD).
Add Connector
Field name | Description |
---|---|
Enable Connector | Enable or disable this connector. |
Service Type | AAD |
Name | Identifying name of this connector. |
Configure Connector
Field name | Description | Tab in application set-up |
---|---|---|
Tenant ID | Tenant ID | Basic |
Client ID | Application Client ID | Basic |
Client Secret | Application Client Secret | Basic |
Group Only | Sync only users that are members of groups. Allowable values: true or false | Advanced |
Attribute Only | Sync only users that have the specified attribute. | Advanced |
Incremental | Enable incremental search, which syncs only changes since the last search. Allowable values: true or false | Advanced |
Service Principals as Users | Enable sync of service principals as a User. Allowable values: true or false. Default: false | Advanced |
Search Deleted User | Enable detection of deleted users. Allowable values: true or false | Advanced |
Search Deleted Group | Enable detection of deleted groups. Allowable values: true or false | Advanced |
Sync Interval | Interval in minutes between syncs. Default value is 60. | Advanced |
Add Custom Properties | Custom properties to pass to the connector. | Advanced |
Configure Filters
Field name | Description | Tab in application set-up |
---|---|---|
Include Users | List of users to include from sync results. If this list is defined, all users not on this list are ignored. | Basic |
Include Groups | List of groups to include from sync results. If this list is defined, all groups not on this list are ignored. | Basic |
Include Users by Domain | Include users by domain. If this list is defined, all users who are not a member of domains in this list are ignored. | Basic |
Exclude Users | List of users to ignore from sync results. | Basic |
Exclude Groups | List of groups to ignore from sync results. | Basic |
Exclude Users by Domain | Exclude users by domain. If this list is defined, all users who are a member of domains in this list are ignored. | Basic |
Base Attributes
Field name | Description | Tab in application set-up |
---|---|---|
Username | Attribute of a user’s username. Default: userPrincipalName. | Basic |
First Name | Attribute of a user’s first name. Default: givenName. | Basic |
Last Name | Attribute of a user’s last name. Default: surname. | Basic |
Email | Attribute of a user’s email. Default: userPrincipalName. | Basic |
Group Name | Attribute of a group’s name. Default: displayName. | Basic |
Group Members | Attribute listing a group’s members. Default: . | Basic |
Service Principal Username | Attribute of service principal name. Default: displayName | Basic |
Extract From Email | Extract the attribute from an email address. Example: username@domain.com extracts username. Default: false | Advanced |
Prefix | Prefix to prepend to the attribute value. No default. | Advanced |
Postfix | Postfix to append to the attribute value. No default. | Advanced |
To Lowercase | Convert the attribute value to lowercase. Default: false | Advanced |
To Uppercase | Convert the attribute value to uppercase. Default: false | Advanced |
Regex | Apply regex to attribute value. No default. | Advanced |
Custom User Attributes
Field name | Description | Tab in application set-up |
---|---|---|
Attribute Name | Attribute key to sync with user. | Basic |
Custom Group Attributes
Field name | Description | Tab in application set-up |
---|---|---|
Attribute Name | Attribute key to sync with group. | Basic |