Entra ID (AAD) Property List
AAD Connector Information
Property | Description | Example |
---|---|---|
AZURE_AD_CONNECTOR | Name of the connector. | AAD1 |
AZURE_AD_ENABLED | Whether the connector is enabled (true/false). | true |
AZURE_AD_DATASOURCE_NAME | Name of the datasource. | |
AZURE_AD_ATTRIBUTE_ONLY | Attribute Only | |
AZURE_AD_SYNC_INTERVAL | Frequency of UserSync pulls and audit records in seconds. Default value is 3600, minimum value is 300. | 3600 |
Entra ID Info (get the following information from the Azure Portal)
Property | Description | Example |
---|---|---|
AZURE_AD_TENANT_ID | Azure Active Directory ID (tenant ID). | 1a2b3c4d-azyd-4755-9638-e12xa34p56le |
AZURE_AD_CLIENT_ID | Client ID of the Azure Active Directory application used to access the Microsoft Graph API. | 11111111-1111-1111-1111-111111111111 |
AZURE_AD_CLIENT_SECRET | Client secret of the Azure Active Directory application used to access the Microsoft Graph API. | 11111111-1111-1111-1111-111111111111 |
Manage/Ignore List of Users/Groups
Property | Description | Example |
---|---|---|
AZURE_AD_MANAGE_USER_LIST | List of users to manage from sync results. If this list is defined, all users not on this list will be ignored. | user1,user2,user5* |
AZURE_AD_IGNORE_USER_LIST | List of users to ignore from sync results. If this list is defined, all users on this list will be ignored. | user3,user4,user6* |
AZURE_AD_MANAGE_GROUP_LIST | List of groups to manage from sync results. If this list is defined, all groups not on this list will be ignored. | group1,group2,group5* |
AZURE_AD_IGNORE_GROUP_LIST | List of groups to ignore from sync results. If this list is defined, all groups on this list will be ignored. | group3,group4,group6* |
AZURE_AD_FILTER_USER_LIST | Server-side filter to apply to users. Not compatible with incremental search. | eq;user1 , sw;user |
AZURE_AD_FILTER_GROUP_LIST | Server-side filter to apply to groups. Not compatible with incremental search. | eq;group1,group2 , sw;group |
AZURE_AD_FILTER_SERVICEPRINCIPAL_LIST | Server-side filter to apply to service principals. Not compatible with incremental search. | eq;serviceprincipal1 , sw;serviceprincipal |
AZURE_AD_MANAGE_DOMAIN_LIST | Only users whose domain is in the manage domain list will be synced. | privacera.us |
AZURE_AD_IGNORE_DOMAIN_LIST | Users whose domain is in the ignore domain list will be ignored. | privacera.us |
AZURE_AD_DOMAIN_ATTRIBUTE | Attribute from which the user's domain is taken for comparison; email and username are supported. Default is email. | username |
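The manage, ignore and domain lists above decide which IdP identities ever reach the Privacera portal, so they are worth reasoning about before the first sync: with no list configured, everything the application's Graph permissions can read is synced. The following is an added example, not Privacera's UserSync code; it applies the list semantics described in the table to a constructed set of sync results. Assumptions: a trailing `*` (as in the table's `user5*`) is a glob wildcard, matching is case-sensitive, the lists are evaluated in the order manage list, ignore list, manage domain list, ignore domain list, and the domain is the part of the configured attribute after `@`.

```python
from fnmatch import fnmatchcase

# Constructed configuration using the property names from the table above.
CONFIG = {
    "AZURE_AD_MANAGE_USER_LIST": "user1,user2,user5*",
    "AZURE_AD_IGNORE_USER_LIST": "user3,user4,user59",
    "AZURE_AD_MANAGE_DOMAIN_LIST": "privacera.us",
    "AZURE_AD_IGNORE_DOMAIN_LIST": "",
    "AZURE_AD_DOMAIN_ATTRIBUTE": "email",
}

# Constructed sync results; real entries would come from Microsoft Graph.
USERS = [
    {"username": "user1",  "email": "user1@privacera.us"},
    {"username": "user2",  "email": "user2@contoso.com"},
    {"username": "user3",  "email": "user3@privacera.us"},
    {"username": "user55", "email": "user55@privacera.us"},
    {"username": "user59", "email": "user59@privacera.us"},
    {"username": "user6",  "email": "user6@privacera.us"},
]


def split_list(value):
    """Comma-separated property value -> list of trimmed, non-empty entries."""
    return [p.strip() for p in (value or "").split(",") if p.strip()]


def matches_any(name, patterns):
    """Glob match against each list entry; '*' handles the table's 'user5*' form.
    Case-sensitive matching is an assumption, not documented behaviour."""
    return any(fnmatchcase(name, p) for p in patterns)


def domain_of(user, domain_attribute):
    """Domain part (after '@') of the configured attribute, lower-cased."""
    value = user.get(domain_attribute, "")
    return value.rpartition("@")[2].lower() if "@" in value else ""


def filter_users(users, config):
    """Return (kept_usernames, [(username, reason), ...]).

    Evaluation order (manage list, ignore list, manage domains, ignore domains)
    is an assumption made for this illustration."""
    manage = split_list(config.get("AZURE_AD_MANAGE_USER_LIST"))
    ignore = split_list(config.get("AZURE_AD_IGNORE_USER_LIST"))
    manage_domains = [d.lower() for d in split_list(config.get("AZURE_AD_MANAGE_DOMAIN_LIST"))]
    ignore_domains = [d.lower() for d in split_list(config.get("AZURE_AD_IGNORE_DOMAIN_LIST"))]
    domain_attr = config.get("AZURE_AD_DOMAIN_ATTRIBUTE") or "email"  # table: default is email

    kept, dropped = [], []
    for user in users:
        name = user["username"]
        domain = domain_of(user, domain_attr)
        if manage and not matches_any(name, manage):
            dropped.append((name, "not in manage user list"))
        elif ignore and matches_any(name, ignore):
            dropped.append((name, "in ignore user list"))
        elif manage_domains and domain not in manage_domains:
            dropped.append((name, f"domain {domain} not in manage domain list"))
        elif ignore_domains and domain in ignore_domains:
            dropped.append((name, f"domain {domain} in ignore domain list"))
        else:
            kept.append(name)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = filter_users(USERS, CONFIG)
    print("synced :", kept)
    for name, reason in dropped:
        print(f"skipped: {name:<7} {reason}")
```

Running the script shows `user59` excluded even though it matches the manage list's `user5*`, and `user2` excluded by domain although it is named explicitly in the manage list: each list narrows the result further, none of them widens it. Running a dry run like this against an export of real sync results is a cheap way to confirm that a wildcard does not pull in more principals than intended.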
Entra ID (AAD) Search
Property | Description | Example |
---|---|---|
AZURE_AD_SEARCH_SCOPE | Graph API search scope | https://graph.microsoft.com/.default |
AZURE_AD_SEARCH_USER_GROUPONLY | Syncs users who are members of synced groups. | false |
AZURE_AD_SEARCH_INCREMENTAL_ENABLED | Enables incremental search. | false |
AZURE_AD_SEARCH_DETECT_DELETED_USERS_GROUPS | Detects deleted users and groups. | false |
AZURE_AD_SEARCH_DETECT_DELETED_USERS | Override setting for deleted-user search. Default value is {{AZURE_AD_SEARCH_DETECT_DELETED_USERS_GROUPS}}. | false |
AZURE_AD_SEARCH_DETECT_DELETED_GROUPS | Override setting for deleted-group search. Default value is {{AZURE_AD_SEARCH_DETECT_DELETED_USERS_GROUPS}}. | false |
AZURE_AD_SEARCH_CYCLES_BETWEEN_DELETED_DETECTION | Number of cycles between attempts to detect deleted groups. Only used when deleted users and groups detection is enabled in the AAD connector (see above properties). Default value is 6. | 10 |
Entra ID (AAD) Service Principal
Note: If Sync Service Principals as Users is enabled, be aware that AAD does not require the displayName of a Service Principal to be unique. In this case a different attribute (such as appId) should be used as the Service Principal Username.
Property | Description | Example |
---|---|---|
AZURE_AD_SERVICE_PRINCIPAL_ENABLED | Enables sync of service principal as a user. | false |
AZURE_AD_SERVICEPRINCIPAL_USERNAME | Username attribute of the service principal. | displayName |
Entra ID (AAD) User/Group Attributes
Property | Description | Example |
---|---|---|
AZURE_AD_ATTRIBUTE_USERNAME | Username attribute of the user. | userPrincipalName |
AZURE_AD_ATTRIBUTE_FIRSTNAME | First name attribute of the user. | givenName |
AZURE_AD_ATTRIBUTE_LASTNAME | Last name attribute of the user. | surname |
AZURE_AD_ATTRIBUTE_EMAIL | Email attribute of the user. | userPrincipalName |
AZURE_AD_ATTRIBUTE_GROUPNAME | Group name attribute of the group. | displayName |
AZURE_AD_SERVICEPRINCIPAL_USERNAME | Username attribute of the service principal. | displayName |
Username/Group name Attribute Modification
Property | Description | Example |
---|---|---|
AZURE_AD_ATTRIBUTE_USERNAME_VALUE_EXTRACTFROMEMAIL | Extract the username from an email address (e.g. username@domain.com -> username). Default is false. | false |
AZURE_AD_ATTRIBUTE_USERNAME_VALUE_PREFIX | Prefix to add to the username. | prefix_ |
AZURE_AD_ATTRIBUTE_USERNAME_VALUE_POSTFIX | Postfix to add to the username. | _postfix |
AZURE_AD_ATTRIBUTE_USERNAME_VALUE_TOLOWER | Converts the username to lowercase. | false |
AZURE_AD_ATTRIBUTE_USERNAME_VALUE_TOUPPER | Converts the username to uppercase. | false |
AZURE_AD_ATTRIBUTE_USERNAME_VALUE_REGEX | Regular expression to apply to the username. | s/ch/AAA/g |
AZURE_AD_ATTRIBUTE_GROUPNAME_VALUE_PREFIX | Prefix to add to the group name. | prefix_ |
AZURE_AD_ATTRIBUTE_GROUPNAME_VALUE_POSTFIX | Postfix to add to the group name. | _postfix |
AZURE_AD_ATTRIBUTE_GROUPNAME_VALUE_TOLOWER | Converts the group name to lowercase. | false |
AZURE_AD_ATTRIBUTE_GROUPNAME_VALUE_TOUPPER | Converts the group name to uppercase. | false |
AZURE_AD_ATTRIBUTE_GROUPNAME_VALUE_REGEX | Regular expression to apply to the group name. | s/ch/AAA/g |
Custom Attribute Configuration
Property | Description | Example |
---|---|---|
AZURE_AD_ATTRIBUTE_LIST | List of user attributes to sync. | description,mail |
AZURE_AD_ATTRIBUTE_VALUE_PREFIX | Prefix to add to the user attribute value. | prefix_ |
AZURE_AD_ATTRIBUTE_KEY_PREFIX | Prefix to add to the user attribute key. | prefix_ |
AZURE_AD_GROUP_ATTRIBUTE_LIST | List of group attributes to sync. | description,mail |
AZURE_AD_GROUP_ATTRIBUTE_VALUE_PREFIX | Prefix to add to the group attribute value. | prefix_ |
AZURE_AD_GROUP_ATTRIBUTE_KEY_PREFIX | Prefix to add to the group attribute key. | prefix_ |
UserSync system properties on Privacera Self-Managed and Data Plane
UserSync property | Description | Property | Default |
---|---|---|---|
PRIVACERA_USERSYNC_RANGER_URL | Address of Ranger instance. | ranger.url | http://ranger:6080 |
PRIVACERA_USERSYNC_RANGER_USERNAME | Username of Ranger user. | ranger.username | admin |
PRIVACERA_USERSYNC_RANGER_PASSWORD | Password of Ranger user. | ranger.password | admin |
PRIVACERA_USERSYNC_CONTEXT_CLASS | Implementation class used for USContext, the storage of synced Users and Groups. Options: com.privacera.usersync.context.USContextRocksDB, com.privacera.usersync.context.USContextMemory | usersync.context.class | com.privacera.usersync.context.USContextRocksDB |
PRIVACERA_USERSYNC_CONTEXT_DATASOURCE_PRIORITY_LIST | Priority list of configured datasources. Sources nearest the beginning of the list will be used over sources later in the list. | usersync.context.datasource.priority.list | |
PRIVACERA_USERSYNC_DETECT_CACHE_DIFFERENCES_ENABLED | Enables cache synchronization. For performance, UserSync keeps the user data it reads from an IdP in a cache and periodically compares it with the user data already synced to the Privacera portal. From that cache, UserSync pushes the IdP user data that has been reconciled with the Privacera portal to the connected applications. | usersync.detect.DifferencesBetweenCacheAndRangerForUserAndGroup.enabled | true |
PRIVACERA_USERSYNC_DETECT_CACHE_INTERVAL_SECONDS | Frequency of cache synchronization in seconds. | usersync.detect.DifferencesBetweenCacheAndRangerForUserAndGroup.intervalInSeconds | 43200 |
PRIVACERA_USERSYNC_LOADER_BULK_ENABLED | Load users to Portal in batches. | usersync.user.loader.bulk.enabled | true |
PRIVACERA_USERSYNC_LOADER_BULK_BATCHSIZE | Size of batches to load Users into Portal. | usersync.user.loader.bulk.batchsize | 100 |
PRIVACERA_USERSYNC_UPDATE_GROUP_MEMBERSHIPS_BATCH_ENABLE | Load group memberships to Portal in batches. | usersync.user.loader.update.group.memberships.batch.enable | false |
PRIVACERA_USERSYNC_UPDATE_GROUP_MEMBERSHIPS_BATCHSIZE | Size of batches to load Group memberships into Portal. | usersync.user.loader.update.group.memberships.batchsize | 1000 |
PRIVACERA_USERSYNC_STARTUP_PERFORM_OPERATIONS_ENABLED | Scan for and perform any pending operations in cache (User/Group objects) at service start-up. | usersync.startup.performoperations.enabled | true |
PRIVACERA_USERSYNC_LOADER_PROCESS_THREAD_MIN | Minimum threads for processing user/group updates (<=0 will use a cached thread pool). | usersync.user.loader.process.thread.min | 1 |
PRIVACERA_USERSYNC_LOADER_PROCESS_THREAD_MAX | Maximum threads for processing user/group updates (if min is <= 0, this has no effect). | usersync.user.loader.process.thread.max | 1 |
PRIVACERA_USERSYNC_LOADER_PROCESS_THREAD_KEEPALIVE_SECONDS | Keep alive time for threads processing user/group updates. | usersync.user.loader.process.thread.keepalive.seconds | 30 |
PRIVACERA_USERSYNC_SECRETS_FILE | JCEKS KeyStore File Paths | privacera.usersync.keystore.files | |
PRIVACERA_USERSYNC_SECRETS_KEYSTORE_PASSWORDS | JCEKS KeyStore Files Passwords | privacera.usersync.keystore.passwords | |
PRIVACERA_USERSYNC_SECRETS_KEYPREFIX | Secure keys alias prefix | privacera.usersync.secure.key.prefix | jceks |
PRIVACERA_USERSYNC_AUTH_SSL_TRUSTSTORE_FILE | SSL Truststore path | ssl.truststore | |
PRIVACERA_USERSYNC_AUTH_SSL_TRUSTSTORE_PASSWORD | SSL Truststore password | ssl.truststore.password | |
PRIVACERA_USERSYNC_RANGER_INIT_RETRY_INTERVAL_IN_MILLIS | Delay in milliseconds between retry attempts for initializing Ranger user loader. | usersync.user.loader.ranger.init.retryinterval.ms | 30000 |
PRIVACERA_USERSYNC_RANGER_INIT_RETRY_LIMIT | Maximum retry attempts for initializing Ranger user loader. (<0 indicates unlimited retries) | usersync.user.loader.ranger.init.retrylimit | -1 |
PRIVACERA_USERSYNC_RANGER_REQUEST_RETRY_INTERVAL_IN_MILLIS | Delay in milliseconds between retry attempts for requests to Ranger | ranger.request.retryinterval.ms | 10000 |
PRIVACERA_USERSYNC_RANGER_REQUEST_RETRY_LIMIT | Maximum retry attempts for requests to Ranger | ranger.request.retrylimit | 3 |
PRIVACERA_USERSYNC_UPDATE_GROUP_MEMBERSHIPS_BULK_ENABLED | Enable bulk update of group memberships to Ranger | usersync.user.loader.update.group.memberships.bulk.enabled | true |
PRIVACERA_USERSYNC_CONTEXT_OPEN_MAX_RETRY | Maximum retry attempts to open RocksDB cache | usersync.context.rocksdb.open.max.retry | 5 |
PRIVACERA_USERSYNC_CONTEXT_OPEN_DESTROY_ON_FAIL | Enable automatic destroy of RocksDB cache if unable to open (corrupted). Cache will be rebuilt. | usersync.context.rocksdb.open.destroyonfail | true |
PRIVACERA_USERSYNC_API_SECURITY_USER_NAME | If configured, Usersync REST APIs are available with basic auth. | usersync.api.security.user.name | |
PRIVACERA_USERSYNC_API_SECURITY_USER_PASSWORD | If configured, Usersync REST APIs are available with basic auth. | usersync.api.security.user.password | |
PRIVACERA_USERSYNC_LOADER_ASSIGN_ROLE_PRIORITY_LIST | Priority list of roles if a user has multiple roles mapped. Highest priority role will be applied to the user. | usersync.user.loader.assign.role.priority.list | ROLE_SYS_ADMIN,ROLE_ADMIN_AUDITOR |
PRIVACERA_USERSYNC_LOADER_ASSIGN_SYS_ADMIN_ROLE_GROUP_LIST | Provide a list of group names, whose members will be assigned the admin role. | usersync.user.loader.assign.role.ROLE_SYS_ADMIN.group.list | |
PRIVACERA_USERSYNC_LOADER_ASSIGN_SYS_ADMIN_ROLE_USER_LIST | Provide a list of user names, who will be assigned the admin role. | usersync.user.loader.assign.role.ROLE_SYS_ADMIN.user.list | |
PRIVACERA_USERSYNC_LOADER_ASSIGN_AUDITOR_ROLE_GROUP_LIST | Provide a list of group names, whose members will be assigned the auditor role. | usersync.user.loader.assign.role.ROLE_ADMIN_AUDITOR.group.list | |
PRIVACERA_USERSYNC_LOADER_ASSIGN_AUDITOR_ROLE_USER_LIST | Provide a list of user names, who will be assigned the auditor role. | usersync.user.loader.assign.role.ROLE_ADMIN_AUDITOR.user.list | |
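The last five properties decide who becomes a portal administrator or auditor as a side effect of group membership in the IdP, which makes the role-granting groups themselves privileged objects. The added example below is not Privacera's code; it resolves the role each synced user would receive from a constructed configuration and produces a per-role report for review. Assumptions: a user is a candidate for a role when listed in that role's user list or a member of any group in its group list, the priority list is read left to right with the first matching role winning (the table says the highest-priority role is applied), and a user with no mapped role gets `None` because the page does not name the default role.

```python
# Property names from the table above; the two roles are the ones the table names.
ROLE_SOURCES = {
    "ROLE_SYS_ADMIN": (
        "PRIVACERA_USERSYNC_LOADER_ASSIGN_SYS_ADMIN_ROLE_GROUP_LIST",
        "PRIVACERA_USERSYNC_LOADER_ASSIGN_SYS_ADMIN_ROLE_USER_LIST",
    ),
    "ROLE_ADMIN_AUDITOR": (
        "PRIVACERA_USERSYNC_LOADER_ASSIGN_AUDITOR_ROLE_GROUP_LIST",
        "PRIVACERA_USERSYNC_LOADER_ASSIGN_AUDITOR_ROLE_USER_LIST",
    ),
}
PRIORITY_KEY = "PRIVACERA_USERSYNC_LOADER_ASSIGN_ROLE_PRIORITY_LIST"

# Constructed configuration; group and user names are invented for the example.
CONFIG = {
    PRIORITY_KEY: "ROLE_SYS_ADMIN,ROLE_ADMIN_AUDITOR",
    "PRIVACERA_USERSYNC_LOADER_ASSIGN_SYS_ADMIN_ROLE_GROUP_LIST": "platform-admins",
    "PRIVACERA_USERSYNC_LOADER_ASSIGN_SYS_ADMIN_ROLE_USER_LIST": "breakglass",
    "PRIVACERA_USERSYNC_LOADER_ASSIGN_AUDITOR_ROLE_GROUP_LIST": "security-audit,compliance",
    "PRIVACERA_USERSYNC_LOADER_ASSIGN_AUDITOR_ROLE_USER_LIST": "",
}

# Constructed synced users and their group memberships.
USERS = {
    "alice": ["platform-admins", "security-audit"],
    "bob": ["security-audit"],
    "carol": ["data-engineering"],
    "breakglass": [],
}


def split_list(value):
    """Comma-separated property value -> list of trimmed, non-empty entries."""
    return [p.strip() for p in (value or "").split(",") if p.strip()]


def candidate_roles(username, groups, config):
    """All roles the user is mapped to via either the user list or a group list."""
    roles = set()
    for role, (group_key, user_key) in ROLE_SOURCES.items():
        in_user_list = username in split_list(config.get(user_key))
        in_group_list = bool(set(groups) & set(split_list(config.get(group_key))))
        if in_user_list or in_group_list:
            roles.add(role)
    return roles


def resolve_role(username, groups, config):
    """Pick the highest-priority mapped role, or None when no role is mapped."""
    roles = candidate_roles(username, groups, config)
    for role in split_list(config.get(PRIORITY_KEY)):
        if role in roles:
            return role
    if roles:
        # Mapped to a role the priority list does not mention: refuse to guess.
        raise ValueError(f"{username}: roles {sorted(roles)} missing from priority list")
    return None


def role_report(users, config):
    """Map each assigned role to the sorted usernames that would receive it,
    so the admin/auditor population can be reviewed before the sync applies it."""
    report = {}
    for username, groups in users.items():
        role = resolve_role(username, groups, config)
        if role is not None:
            report.setdefault(role, []).append(username)
    return {role: sorted(names) for role, names in report.items()}


if __name__ == "__main__":
    for role, names in role_report(USERS, CONFIG).items():
        print(f"{role}: {', '.join(names)}")
```

A report like this belongs in the change review for any edit to the role group lists, and the groups named in them deserve the same ownership and membership review in Entra ID as the portal admin accounts they effectively create.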