
Azure Active Directory - Data Access User Synchronization

This topic covers how to synchronize users, groups, and service principals from your existing Azure Active Directory (AAD) tenant.

Pre-requisites

Ensure the following pre-requisites are met:

  • Create an Azure AD application.

  • Get the values for the following Azure properties: Application (client) ID, Client secret

CLI Configuration

  1. SSH to the instance as ${USER}.

  2. Run the following commands.

    cd ~/privacera/privacera-manager
    cp config/sample-vars/vars.usersync.azuread.yml config/custom-vars/
    vi config/custom-vars/vars.usersync.azuread.yml
    
  3. Edit the following properties. For details and a description of each property, refer to the Configuration Properties section below.

    USERSYNC_AZUREAD_TENANT_ID: "<PLEASE_CHANGE>"
    USERSYNC_AZUREAD_CLIENT_ID: "<PLEASE_CHANGE>"
    USERSYNC_AZUREAD_CLIENT_SECRET: "<PLEASE_CHANGE>"
    USERSYNC_AZUREAD_DOMAINS: "<PLEASE_CHANGE>"
    USERSYNC_AZUREAD_GROUPS: "<PLEASE_CHANGE>"
    USERSYNC_ENABLE: "true"
    USERSYNC_SOURCE: "azuread"
    USERSYNC_AZUREAD_USE_GROUP_LOOKUP_FIRST: "true"
    USERSYNC_SYNC_AZUREAD_USERNAME_RETRIVAL_FROM: "userPrincipalName"
    USERSYNC_SYNC_AZUREAD_EMAIL_RETRIVAL_FROM: "userPrincipalName"
    USERSYNC_SYNC_AZUREAD_GROUP_RETRIVAL_FROM: "displayName"
    SYNC_AZUREAD_USER_SERVICE_PRINCIPAL_ENABLED: "false"
    SYNC_AZUREAD_USER_SERVICE_PRINCIPAL_USERNAME_RETRIVAL_FROM: "appId"
    
  4. Run the following commands.

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh update
    

Configuration Properties

Each entry lists the property name, its description, and an example value.

USERSYNC_AZUREAD_TENANT_ID
  Description: To get the value for this property, go to Azure portal > Azure Active Directory > Properties > Tenant ID.
  Example: 5a5cxxx-xxxx-xxxx-xxxx-c3172b33xxxx

USERSYNC_AZUREAD_CLIENT_ID
  Description: Get the value by following the Pre-requisites section above.
  Example: 8a08xxxx-xxxx-xxxx-xxxx-6c0c95a0xxxx

USERSYNC_AZUREAD_CLIENT_SECRET
  Description: Get the value by following the Pre-requisites section above.
  Example: ${CLIENT_SECRET}

USERSYNC_AZUREAD_DOMAINS
  Description: To get the value for this property, go to Azure portal > Azure Active Directory > Domains. Separate multiple domains with commas.
  Example: companydomain1.com,companydomain2.com

USERSYNC_AZUREAD_GROUPS
  Description: To get the value for this property, go to Azure portal > Azure Active Directory > Groups. Separate multiple groups with commas.
  Example: GROUP1,GROUP2,GROUP3

USERSYNC_ENABLE
  Description: Set to true to enable usersync.
  Example: true

USERSYNC_SOURCE
  Description: Source from which users/groups are synced. Values: unix, ldap, azuread
  Example: azuread

USERSYNC_AZUREAD_USE_GROUP_LOOKUP_FIRST
  Description: Set to true if you want to first sync all groups and then all the users within those groups.
  Example: true

USERSYNC_SYNC_AZUREAD_USERNAME_RETRIVAL_FROM
  Description: Azure provides the user info in JSON format. Assign a JSON attribute that is unique; its value becomes the name of the user in Ranger.
  Example: userPrincipalName

USERSYNC_SYNC_AZUREAD_EMAIL_RETRIVAL_FROM
  Description: Azure provides the user info in JSON format. Set the email from the given JSON attribute of the Azure user entity.
  Example: userPrincipalName

USERSYNC_SYNC_AZUREAD_GROUP_RETRIVAL_FROM
  Description: Azure provides the group info in JSON format. Use the given JSON attribute to retrieve group information for the user.
  Example: displayName

SYNC_AZUREAD_USER_SERVICE_PRINCIPAL_ENABLED
  Description: Set to true to sync Azure service principals to the Ranger user entity.
  Example: false

SYNC_AZUREAD_USER_SERVICE_PRINCIPAL_USERNAME_RETRIVAL_FROM
  Description: Azure provides the service principal info in JSON format. Assign a JSON attribute that is unique; its value becomes the name of the user in Ranger.
  Example: appId
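The properties above are easier to reason about when you see how they select and filter directory JSON. The following script is an added illustration, not Privacera's usersync code: it takes a constructed copy of the vars.usersync.azuread.yml properties plus constructed Microsoft Graph style user, group and service-principal objects (the ids, names and domains are all made up), refuses to run while any value is still "<PLEASE_CHANGE>" or a boolean flag is malformed, applies the domain and group filters, and fails closed when the chosen *_RETRIVAL_FROM attribute is missing or not unique, since a non-unique attribute would let two Azure identities collapse into one Ranger user.

```python
"""Added illustration (not Privacera code) of how the usersync properties map
Azure AD JSON objects to Ranger user entities. All data below is constructed."""

PLACEHOLDER = "<PLEASE_CHANGE>"
BOOL_KEYS = ("USERSYNC_ENABLE", "USERSYNC_AZUREAD_USE_GROUP_LOOKUP_FIRST",
             "SYNC_AZUREAD_USER_SERVICE_PRINCIPAL_ENABLED")
VALID_SOURCES = ("unix", "ldap", "azuread")

# Constructed values mirroring vars.usersync.azuread.yml (ids/secret are dummies).
CONFIG = {
    "USERSYNC_AZUREAD_TENANT_ID": "00000000-0000-0000-0000-000000000000",
    "USERSYNC_AZUREAD_CLIENT_ID": "11111111-1111-1111-1111-111111111111",
    "USERSYNC_AZUREAD_CLIENT_SECRET": "dummy-secret-loaded-from-env",
    "USERSYNC_AZUREAD_DOMAINS": "companydomain1.com, companydomain2.com",
    "USERSYNC_AZUREAD_GROUPS": "GROUP1,GROUP2",
    "USERSYNC_ENABLE": "true",
    "USERSYNC_SOURCE": "azuread",
    "USERSYNC_AZUREAD_USE_GROUP_LOOKUP_FIRST": "true",
    "USERSYNC_SYNC_AZUREAD_USERNAME_RETRIVAL_FROM": "userPrincipalName",
    "USERSYNC_SYNC_AZUREAD_EMAIL_RETRIVAL_FROM": "mail",
    "USERSYNC_SYNC_AZUREAD_GROUP_RETRIVAL_FROM": "displayName",
    "SYNC_AZUREAD_USER_SERVICE_PRINCIPAL_ENABLED": "true",
    "SYNC_AZUREAD_USER_SERVICE_PRINCIPAL_USERNAME_RETRIVAL_FROM": "appId",
}

# Constructed directory objects in the shape Graph returns (all ids are fake).
USERS = [
    {"id": "u1", "userPrincipalName": "alice@companydomain1.com",
     "mail": "alice@companydomain1.com", "displayName": "Alice"},
    {"id": "u2", "userPrincipalName": "bob@companydomain2.com", "mail": None, "displayName": "Bob"},
    # Guest account: its UPN sits in the tenant's onmicrosoft.com domain, so the domain filter drops it.
    {"id": "u3", "userPrincipalName": "carol_partner.example#EXT#@companydomain1.onmicrosoft.com",
     "mail": "carol@partner.example", "displayName": "Carol"},
]
GROUPS = [
    {"id": "g1", "displayName": "GROUP1", "members": ["u1", "u2"]},
    {"id": "g2", "displayName": "GROUP2", "members": ["u3"]},
    {"id": "g3", "displayName": "OTHER", "members": ["u1"]},  # not listed in USERSYNC_AZUREAD_GROUPS
]
SERVICE_PRINCIPALS = [
    {"id": "s1", "appId": "22222222-2222-2222-2222-222222222222", "displayName": "etl-job"},
]


def csv_list(value):
    """Split a comma-separated property value, dropping blanks and whitespace."""
    return [item.strip() for item in value.split(",") if item.strip()]


def check_config(config):
    """Return the property names that would make the sync unsafe to run."""
    problems = [k for k, v in config.items() if v == PLACEHOLDER]
    problems += [k for k in BOOL_KEYS if config.get(k, "").lower() not in ("true", "false")]
    if config.get("USERSYNC_SOURCE") not in VALID_SOURCES:
        problems.append("USERSYNC_SOURCE")
    return problems


def domain_allowed(upn, domains):
    """Accept only accounts whose UPN suffix is one of USERSYNC_AZUREAD_DOMAINS."""
    return "@" in upn and upn.rsplit("@", 1)[1].lower() in [d.lower() for d in domains]


def required_attr(obj, attr):
    """The *_RETRIVAL_FROM attribute must exist and be non-empty to name a user."""
    value = obj.get(attr)
    if not value:
        raise ValueError(f"object {obj.get('id')} has no usable '{attr}'")
    return value


def sync(config, users, groups, service_principals):
    """Map directory JSON to {ranger_username: {email, groups}} per the properties."""
    problems = check_config(config)
    if problems:
        raise ValueError("fix these properties first: " + ", ".join(problems))
    domains = csv_list(config["USERSYNC_AZUREAD_DOMAINS"])
    wanted = set(csv_list(config["USERSYNC_AZUREAD_GROUPS"]))
    user_attr = config["USERSYNC_SYNC_AZUREAD_USERNAME_RETRIVAL_FROM"]
    email_attr = config["USERSYNC_SYNC_AZUREAD_EMAIL_RETRIVAL_FROM"]
    group_attr = config["USERSYNC_SYNC_AZUREAD_GROUP_RETRIVAL_FROM"]
    group_first = config["USERSYNC_AZUREAD_USE_GROUP_LOOKUP_FIRST"].lower() == "true"

    # Only the listed groups are synced; record membership per user id.
    membership = {}
    for g in groups:
        if g.get(group_attr) in wanted:
            for uid in g["members"]:
                membership.setdefault(uid, set()).add(g[group_attr])

    by_id = {u["id"]: u for u in users}
    # Group-lookup-first syncs only members of the listed groups; otherwise every user.
    candidates = [by_id[uid] for uid in membership if uid in by_id] if group_first else users

    ranger = {}
    for u in candidates:
        if not domain_allowed(u.get("userPrincipalName", ""), domains):
            continue
        name = required_attr(u, user_attr)
        if name in ranger:  # a non-unique attribute would merge two identities
            raise ValueError(f"'{user_attr}' is not unique: {name}")
        ranger[name] = {"email": u.get(email_attr) or "",
                        "groups": sorted(membership.get(u["id"], ()))}

    if config["SYNC_AZUREAD_USER_SERVICE_PRINCIPAL_ENABLED"].lower() == "true":
        sp_attr = config["SYNC_AZUREAD_USER_SERVICE_PRINCIPAL_USERNAME_RETRIVAL_FROM"]
        for sp in service_principals:
            name = required_attr(sp, sp_attr)
            if name in ranger:
                raise ValueError(f"service principal name collides with a user: {name}")
            ranger[name] = {"email": "", "groups": []}
    return ranger
```

Running sync(CONFIG, USERS, GROUPS, SERVICE_PRINCIPALS) yields Alice and Bob (members of GROUP1) keyed by userPrincipalName, with Alice's membership in the unlisted OTHER group omitted, the guest account dropped by the domain filter, and the service principal added under its appId. Switching USERSYNC_SYNC_AZUREAD_USERNAME_RETRIVAL_FROM to a non-unique attribute such as displayName makes the sync raise instead of silently merging accounts, which is the property the table's "unique" requirement is protecting.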