Privacera Platform master publication

Azure Active Directory (AAD) - Data Access User Synchronization

This topic covers how you can synchronize users, groups, and service principals from your existing Azure Active Directory (AAD) domain.

Pre-requisites

Ensure the following pre-requisites are met:

  • Create an Azure AD application.

  • Get the values for the following Azure properties: Application (client) ID, Client secrets

CLI Configuration
  1. SSH to the instance as ${USER}.

  2. Run the following commands.

    cd ~/privacera/privacera-manager
    cp config/sample-vars/vars.usersync.azuread.yml config/custom-vars/
    vi config/custom-vars/vars.usersync.azuread.yml
    
  3. Edit the following properties. For property details and description, refer to the Configuration Properties below.

    USERSYNC_AZUREAD_TENANT_ID: "<PLEASE_CHANGE>"
    USERSYNC_AZUREAD_CLIENT_ID: "<PLEASE_CHANGE>"
    USERSYNC_AZUREAD_CLIENT_SECRET: "<PLEASE_CHANGE>"
    USERSYNC_AZUREAD_DOMAINS: "<PLEASE_CHANGE>"
    USERSYNC_AZUREAD_GROUPS: "<PLEASE_CHANGE>"
    USERSYNC_ENABLE: "true"
    USERSYNC_SOURCE: "azuread"
    USERSYNC_AZUREAD_USE_GROUP_LOOKUP_FIRST: "true"
    USERSYNC_SYNC_AZUREAD_USERNAME_RETRIVAL_FROM: "userPrincipalName"
    USERSYNC_SYNC_AZUREAD_EMAIL_RETRIVAL_FROM: "userPrincipalName"
    USERSYNC_SYNC_AZUREAD_GROUP_RETRIVAL_FROM: "displayName"
    SYNC_AZUREAD_USER_SERVICE_PRINCIPAL_ENABLED: "false"
    SYNC_AZUREAD_USER_SERVICE_PRINCIPAL_USERNAME_RETRIVAL_FROM: "appId"
    
  4. Run the following commands.

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh update
    
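Before running `./privacera-manager.sh update`, it is worth checking that every `<PLEASE_CHANGE>` placeholder in `config/custom-vars/vars.usersync.azuread.yml` was actually replaced and that the values have the right shape. The following checker is an added example and is not part of Privacera Manager; it parses the flat `KEY: "value"` lines of the vars file with a minimal parser (it assumes no nesting or lists), verifies that the tenant and client IDs are GUIDs, that the domain list looks like domain names, that group names carry no stray quotes, and that `USERSYNC_ENABLE` and `USERSYNC_SOURCE` are set for Azure AD. The embedded `SAMPLE_VARS` text is constructed for the example, and treating a `${VAR}`-style secret as acceptable is an assumption taken from the `${CLIENT_SECRET}` value in the Configuration Properties section.

```python
import re
from pathlib import Path

# Constructed sample of config/custom-vars/vars.usersync.azuread.yml: one
# placeholder was left unchanged and the secret is given as a ${VAR} reference.
SAMPLE_VARS = """\
USERSYNC_AZUREAD_TENANT_ID: "5a5c0000-0000-0000-0000-c3172b330000"
USERSYNC_AZUREAD_CLIENT_ID: "<PLEASE_CHANGE>"
USERSYNC_AZUREAD_CLIENT_SECRET: "${CLIENT_SECRET}"
USERSYNC_AZUREAD_DOMAINS: "companydomain1.com,companydomain2.com"
USERSYNC_AZUREAD_GROUPS: "GROUP1,GROUP2,GROUP3"
USERSYNC_ENABLE: "true"
USERSYNC_SOURCE: "azuread"
"""

PLACEHOLDER = "<PLEASE_CHANGE>"
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
ENV_REF_RE = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$")   # assumed ${VAR} form
DOMAIN_RE = re.compile(r"^[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

REQUIRED = (
    "USERSYNC_AZUREAD_TENANT_ID",
    "USERSYNC_AZUREAD_CLIENT_ID",
    "USERSYNC_AZUREAD_CLIENT_SECRET",
    "USERSYNC_AZUREAD_DOMAINS",
    "USERSYNC_AZUREAD_GROUPS",
)


def parse_vars(text):
    """Parse the flat KEY: "value" lines of the vars file (no nesting, no lists)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")   # split on the first colon only
        if sep:
            props[key.strip()] = value.strip().strip("\"'")
    return props


def validate(props):
    """Return a list of problems; an empty list means the file looks ready to apply."""
    problems = []
    for key in REQUIRED:
        value = props.get(key, "")
        if not value:
            problems.append(f"{key}: missing or empty")
        elif value == PLACEHOLDER:
            problems.append(f"{key}: still set to {PLACEHOLDER}")

    def real(key):
        # Value of a property once placeholders and empties are excluded.
        value = props.get(key, "")
        return value if value and value != PLACEHOLDER else None

    for key in ("USERSYNC_AZUREAD_TENANT_ID", "USERSYNC_AZUREAD_CLIENT_ID"):
        if real(key) and not GUID_RE.match(real(key)):
            problems.append(f"{key}: not a GUID")
    secret = real("USERSYNC_AZUREAD_CLIENT_SECRET")
    if secret and not ENV_REF_RE.match(secret):
        problems.append("USERSYNC_AZUREAD_CLIENT_SECRET: literal secret stored in the file; "
                        "restrict the file's permissions")
    for d in (real("USERSYNC_AZUREAD_DOMAINS") or "").split(","):
        if d.strip() and not DOMAIN_RE.match(d.strip()):
            problems.append(f"USERSYNC_AZUREAD_DOMAINS: {d.strip()!r} is not a domain name")
    for g in (real("USERSYNC_AZUREAD_GROUPS") or "").split(","):
        if not g.strip() or any(c in g for c in "\"'"):
            problems.append(f"USERSYNC_AZUREAD_GROUPS: {g!r} is empty or contains a stray quote")
    if props.get("USERSYNC_ENABLE") != "true":
        problems.append('USERSYNC_ENABLE: must be "true"')
    if props.get("USERSYNC_SOURCE") != "azuread":
        problems.append('USERSYNC_SOURCE: must be "azuread" for Azure AD sync')
    return problems


def validate_file(path):
    """Validate an on-disk vars file, e.g. config/custom-vars/vars.usersync.azuread.yml."""
    return validate(parse_vars(Path(path).read_text()))


if __name__ == "__main__":
    for problem in validate(parse_vars(SAMPLE_VARS)) or ["no problems found"]:
        print(problem)
```

Run it against the real file with `validate_file("config/custom-vars/vars.usersync.azuread.yml")` from `~/privacera/privacera-manager`; an empty result means no placeholder was left behind, which is the most common reason the update step fails to sync anything.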
Configuration Properties

  USERSYNC_AZUREAD_TENANT_ID
    Description: To get the value for this property, go to Azure portal > Azure Active Directory > Properties > Tenant ID.
    Example: 5a5cxxx-xxxx-xxxx-xxxx-c3172b33xxxx

  USERSYNC_AZUREAD_CLIENT_ID
    Description: Get the value by following the Pre-requisites section above.
    Example: 8a08xxxx-xxxx-xxxx-xxxx-6c0c95a0xxxx

  USERSYNC_AZUREAD_CLIENT_SECRET
    Description: Get the value by following the Pre-requisites section above.
    Example: ${CLIENT_SECRET}

  USERSYNC_AZUREAD_DOMAINS
    Description: To get the value for this property, go to Azure portal > Azure Active Directory > Domains.
    Example: companydomain1.com,companydomain2.com

  USERSYNC_AZUREAD_GROUPS
    Description: To get the value for this property, go to Azure portal > Azure Active Directory > Groups.
    Example: GROUP1,GROUP2,GROUP3

  USERSYNC_ENABLE
    Description: Set to true to enable usersync.
    Example: true

  USERSYNC_SOURCE
    Description: Source from which users/groups are synced. Values: unix, ldap, azuread
    Example: azuread

  USERSYNC_AZUREAD_USE_GROUP_LOOKUP_FIRST
    Description: Set to true to first sync all groups and then all the users within those groups.
    Example: true

  USERSYNC_SYNC_AZUREAD_USERNAME_RETRIVAL_FROM
    Description: Azure provides the user info in JSON format. Assign a JSON attribute that is unique; its value becomes the name of the user in Ranger.
    Example: userPrincipalName

  USERSYNC_SYNC_AZUREAD_EMAIL_RETRIVAL_FROM
    Description: Azure provides the user info in JSON format. The email is taken from this JSON attribute of the Azure user entity.
    Example: userPrincipalName

  USERSYNC_SYNC_AZUREAD_GROUP_RETRIVAL_FROM
    Description: Azure provides the user info in JSON format. This JSON attribute is used to retrieve group information for the user.
    Example: displayName

  SYNC_AZUREAD_USER_SERVICE_PRINCIPAL_ENABLED
    Description: Set to true to sync Azure service principals to the Ranger user entity.
    Example: false

  SYNC_AZUREAD_USER_SERVICE_PRINCIPAL_USERNAME_RETRIVAL_FROM
    Description: Azure provides the service principal info in JSON format. Assign a JSON attribute that is unique; its value becomes the name of the user in Ranger.
    Example: appId
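To make the `*_RETRIVAL_FROM`, domain, group and service-principal properties concrete, the following model is an added example (not Privacera's usersync code) of how those settings turn Azure AD objects into Ranger user entries. The user, group and service principal records are constructed in the shape Microsoft Graph returns them, with made-up ids and GUIDs. Two behaviours are assumptions rather than documented facts: that `USERSYNC_AZUREAD_DOMAINS` is applied by matching the suffix of `userPrincipalName`, and that with `USERSYNC_AZUREAD_USE_GROUP_LOOKUP_FIRST` set to `false` every directory user in the allowed domains is synced, with the configured groups attached afterwards. A user whose chosen username attribute is empty (Bob has no `mail`) is skipped, since there is nothing to name the Ranger user with.

```python
# Constructed Azure AD objects in the shape Microsoft Graph returns them;
# every id, name and GUID here is made up for this example.
USERS = [
    {"id": "u1", "userPrincipalName": "alice@companydomain1.com",
     "displayName": "Alice", "mail": "alice@companydomain1.com"},
    {"id": "u2", "userPrincipalName": "bob@companydomain2.com",
     "displayName": "Bob", "mail": None},
    {"id": "u3", "userPrincipalName": "guest_outlook.com#EXT#@companydomain1.onmicrosoft.com",
     "displayName": "Guest", "mail": "guest@outlook.com"},
    {"id": "u4", "userPrincipalName": "carol@companydomain1.com",
     "displayName": "Carol", "mail": "carol@companydomain1.com"},
]
GROUPS = [
    {"id": "g1", "displayName": "GROUP1", "members": ["u1", "u2"]},
    {"id": "g2", "displayName": "GROUP2", "members": ["u3"]},
    {"id": "g3", "displayName": "OTHER", "members": ["u2", "u4"]},
]
SERVICE_PRINCIPALS = [
    {"id": "s1", "appId": "8a080000-0000-0000-0000-6c0c95a00000", "displayName": "etl-job"},
]

# The subset of vars.usersync.azuread.yml that this example interprets.
CONFIG = {
    "USERSYNC_AZUREAD_DOMAINS": "companydomain1.com,companydomain2.com",
    "USERSYNC_AZUREAD_GROUPS": "GROUP1,GROUP2",
    "USERSYNC_AZUREAD_USE_GROUP_LOOKUP_FIRST": "true",
    "USERSYNC_SYNC_AZUREAD_USERNAME_RETRIVAL_FROM": "userPrincipalName",
    "USERSYNC_SYNC_AZUREAD_EMAIL_RETRIVAL_FROM": "userPrincipalName",
    "USERSYNC_SYNC_AZUREAD_GROUP_RETRIVAL_FROM": "displayName",
    "SYNC_AZUREAD_USER_SERVICE_PRINCIPAL_ENABLED": "false",
    "SYNC_AZUREAD_USER_SERVICE_PRINCIPAL_USERNAME_RETRIVAL_FROM": "appId",
}


def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def _in_domains(user, domains):
    # Assumption: domain membership is judged by the userPrincipalName suffix,
    # so guest (#EXT#) accounts on the tenant's onmicrosoft.com domain are excluded.
    upn = user.get("userPrincipalName") or ""
    return upn.rpartition("@")[2].lower() in domains


def sync(config, users, groups, service_principals):
    """Return {ranger_username: {"email": ..., "groups": [...]}} for the entries
    the configured *_RETRIVAL_FROM, domain and group settings would produce."""
    domains = {d.lower() for d in _csv(config["USERSYNC_AZUREAD_DOMAINS"])}
    wanted_groups = set(_csv(config["USERSYNC_AZUREAD_GROUPS"]))
    user_attr = config["USERSYNC_SYNC_AZUREAD_USERNAME_RETRIVAL_FROM"]
    mail_attr = config["USERSYNC_SYNC_AZUREAD_EMAIL_RETRIVAL_FROM"]
    group_attr = config["USERSYNC_SYNC_AZUREAD_GROUP_RETRIVAL_FROM"]
    by_id = {u["id"]: u for u in users}

    # Resolve the configured groups through the group attribute and record
    # which users belong to them; groups not listed in the config are ignored.
    membership = {}
    for g in groups:
        name = g.get(group_attr)
        if name not in wanted_groups:
            continue
        for member_id in g["members"]:
            membership.setdefault(member_id, set()).add(name)

    if config["USERSYNC_AZUREAD_USE_GROUP_LOOKUP_FIRST"] == "true":
        # Group-first: only members of the configured groups are candidates.
        candidates = [by_id[i] for i in membership if i in by_id]
    else:
        # Assumption for user-first: every directory user is a candidate and
        # the configured groups are attached afterwards.
        candidates = list(users)

    result = {}
    for u in candidates:
        if not _in_domains(u, domains):
            continue
        name = u.get(user_attr)
        if not name:
            continue   # chosen attribute is empty: no usable Ranger username
        result[name] = {
            "email": u.get(mail_attr),
            "groups": sorted(membership.get(u["id"], ())),
        }

    if config["SYNC_AZUREAD_USER_SERVICE_PRINCIPAL_ENABLED"] == "true":
        # Service principals become Ranger users named by their own attribute
        # (appId by default) and carry no group memberships here.
        sp_attr = config["SYNC_AZUREAD_USER_SERVICE_PRINCIPAL_USERNAME_RETRIVAL_FROM"]
        for sp in service_principals:
            name = sp.get(sp_attr)
            if name:
                result[name] = {"email": None, "groups": []}
    return result


if __name__ == "__main__":
    for username, entry in sync(CONFIG, USERS, GROUPS, SERVICE_PRINCIPALS).items():
        print(username, entry)
```

With the configuration above, Alice and Bob are synced with group GROUP1, the guest account is dropped by the domain filter even though it is a member of GROUP2, and Carol is not synced at all because she belongs only to a group that is not listed in `USERSYNC_AZUREAD_GROUPS`. Switching `USERSYNC_SYNC_AZUREAD_USERNAME_RETRIVAL_FROM` to `mail` shows why the page asks for a unique, always-populated attribute: Bob, whose `mail` is empty, would silently vanish from Ranger.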