
Configure Server-Side Filtering in Entra ID (AAD)

Privacera supports server-side filtering when syncing users and groups from Azure Active Directory (AAD). When server-side filtering is enabled, UserSync cannot use incremental sync and will perform a full search every sync cycle.

Setup

Go to the Privacera Manager host and navigate to the Privacera Manager installation directory:

Bash
cd ~/privacera/privacera-manager
vi config/custom-vars/vars.privacera-usersync.azuread.yml

Ensure that incremental search is disabled:

YAML
AZURE_AD_SEARCH_INCREMENTAL_ENABLED: "false"

Add or update the following variables based on desired configuration:

YAML
# eq,sw; default is eq if not configured, e.g. eq;abc.def@privacera.com,ghi.jkl@privacera.com
AZURE_AD_FILTER_USER_LIST: ""
# eq,sw; default is eq if not configured, e.g. eq;abc-testapp,abc-usersync
AZURE_AD_FILTER_SERVICEPRINCIPAL_LIST: ""
# eq,sw; default is eq if not configured, e.g. eq;PRIVACERA-AB-GROUP-00,RG_PRIVACERA_ADMIN
AZURE_AD_FILTER_GROUP_LIST: ""

These variables filter users, service principals and groups using Microsoft Graph API filters. The filters are applied server-side to the user and group objects returned by the Microsoft Graph API, so only matching objects are returned to UserSync.

Values are formatted as operator;filter,filter,filter. The operator can be eq (equals) or sw (starts with). The filter is the value to filter on. Multiple filters can be specified by separating them with a comma.
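To make the value format concrete, here is an added example (not Privacera UserSync code) that parses the operator;filter,filter form into the Microsoft Graph OData $filter clause it corresponds to. The Graph attribute each list is matched on (userPrincipalName, displayName) and the sample config values are assumptions for illustration; the page does not state the product's real attribute mapping.

```python
# Added example (not Privacera code): parse AZURE_AD_FILTER_* values into Graph $filter strings.
# Constructed sample config, using the same keys as vars.privacera-usersync.azuread.yml.
SAMPLE_CONFIG = {
    "AZURE_AD_FILTER_USER_LIST": "eq;abc.def@privacera.com,ghi.jkl@privacera.com",
    "AZURE_AD_FILTER_SERVICEPRINCIPAL_LIST": "sw;abc-",
    "AZURE_AD_FILTER_GROUP_LIST": "PRIVACERA-AB-GROUP-00,RG_PRIVACERA_ADMIN",  # no operator: eq
}

# Assumed Graph attribute each list is matched on; the page does not state the real mapping.
ATTRIBUTE = {
    "AZURE_AD_FILTER_USER_LIST": "userPrincipalName",
    "AZURE_AD_FILTER_SERVICEPRINCIPAL_LIST": "displayName",
    "AZURE_AD_FILTER_GROUP_LIST": "displayName",
}

def parse_filter_value(value):
    """Split 'operator;a,b,c' into (operator, [a, b, c]); operator defaults to eq."""
    value = value.strip()
    if not value:
        return "eq", []
    operator, sep, rest = value.partition(";")
    if not sep:  # no ';' at all: the whole string is the filter list
        operator, rest = "eq", value
    operator = operator.strip().lower() or "eq"
    if operator not in ("eq", "sw"):
        raise ValueError(f"unsupported operator {operator!r}; use eq or sw")
    filters = [f.strip() for f in rest.split(",") if f.strip()]
    return operator, filters

def to_graph_filter(attribute, operator, filters):
    """Build an OData $filter clause; single quotes in values are doubled per OData rules."""
    clauses = []
    for f in filters:
        escaped = f.replace("'", "''")
        if operator == "eq":
            clauses.append(f"{attribute} eq '{escaped}'")
        else:
            clauses.append(f"startswith({attribute},'{escaped}')")
    return " or ".join(clauses)

def build_filters(config):
    """Return {key: $filter string, or None when the list is empty (no filtering)}."""
    return {
        key: to_graph_filter(attr, *parse_filter_value(config.get(key, ""))) or None
        for key, attr in ATTRIBUTE.items()
    }

if __name__ == "__main__":
    print(build_filters(SAMPLE_CONFIG))
```

Running it prints the three clauses, which you can paste into a Graph Explorer $filter parameter to confirm the filter matches the objects you expect before restarting UserSync.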

Restart Privacera Services

Bash
cd ~/privacera/privacera-manager
./privacera-manager.sh setup
./pm_with_helm.sh upgrade
