Skip to content

Setup for Entra ID (AAD) UserSync connector

You can use UserSync to provision users from Entra ID (AAD) for the purpose of serving as data access users.

Add Entra ID (AAD) UserSync connector

  • Enable Privacera UserSync:

    cd ~/privacera/privacera-manager  
cp config/sample-vars/vars.privacera-usersync.yml config/custom-vars/

  • Enable the AAD connector:

    cd ~/privacera/privacera-manager  
cp config/sample-vars/vars.privacera-usersync.azuread.yml config/custom-vars/  
vi config/custom-vars/vars.privacera-usersync.azuread.yml

  • Edit the following properties:

    • AZURE_AD_TENANT_ID: Entra ID tenant ID.
    • AZURE_AD_CLIENT_ID: Entra ID client id of the application with permission to access Graph API.
    • AZURE_AD_CLIENT_SECRET: Entra ID client secret of the application with permission to access Graph API.
    • AZURE_AD_MANAGE_GROUP_LIST: List of groups to sync. If empty, all groups are synced. Supports wildcard matches, such as Group*.
    • AZURE_AD_SEARCH_USER_GROUPONLY: Syncs only the users who are members of groups synced by the service (true/false).
    • AZURE_AD_ATTRIBUTE_USERNAME_VALUE_EXTRACTFROMEMAIL: Extracts the username from the email address (true/false). By default, username is mapped to "userPrincipalName" which contains an email address.
    • AZURE_AD_SERVICEPRINCIPAL_ENABLED: Enables the sync of service principals as a user (true/false).

  • Post configuration, deploy the changes Using Privacera Manager.

To add an Entra ID (AAD) UserSync connector on Cloud, follow these steps:

  1. From the navigation menu, select Settings > UserSync Configuration.

  2. Choose a data source, click the dots icon, and select Add Application.

  3. From the Application List section, select USERSYNC.

  4. From the Service Type dropdown, select AAD.

  5. In the Connector Name field, enter a name for the connector.

  6. In the BASIC tab, enter the values in the respective fields.

  7. Complete each step and advance through the pages of the configuration wizard.

  8. Complete all BASIC values, then review and update ADVANCED values as required.

    Username Attribute Modification

    Some services provide username in the format of an email address. If username format should be the first part of email address then visit the Advanced tab of the Base User Attributes section and update the Username Attribute field to Extract from email.

  9. Complete each step and advance through the pages of the configuration wizard.

For additional details, see Advanced Configuration

Comments