Using Microsoft Entra ID with IBM App Connect Enterprise
Microsoft Entra ID is a multi-tenant cloud-based directory and identity management service from Microsoft. Microsoft Entra ID extends on-premises Active Directory into the Cloud. IBM® App Connect Enterprise provides Microsoft Entra ID Input and Microsoft Entra ID Request nodes, which you can use to interact with Microsoft Entra ID.
About this task
IBM App Connect Enterprise communicates synchronously with Microsoft Entra ID through the Microsoft Entra ID Input and Microsoft Entra ID Request nodes, which are available on Windows, AIX, and Linux® systems.
Use the Microsoft Entra ID Input node in a message flow to accept input from Microsoft Entra ID. For more information about using the Microsoft Entra ID Input node, see Microsoft Entra ID Input node.
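Use the Microsoft Entra ID Request node in a message flow to perform actions on the following Microsoft Entra ID objects:
- Devices: Create, retrieve, update, or delete devices
- Groups: Create, retrieve, update, or delete groups
- Users: Create, retrieve, update, or delete users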
For additional information about configuring the Microsoft Entra ID Request node, see Microsoft Entra ID Request node.
Procedure
The following steps show you how to connect to a Microsoft Entra ID account and configure a Microsoft Entra ID Request node by using connector discovery. You can follow a similar procedure to configure a Microsoft Entra ID Input node to monitor Microsoft Entra ID for new or updated objects, by creating a flow containing a Microsoft Entra ID Input node and configuring it through connector discovery.
- In the IBM App Connect Enterprise Toolkit, create a flow containing a Microsoft Entra ID Request node.
- Select the Microsoft Entra ID Request node in the flow to show the node properties in the editor.
- On the Basic tab, click Launch Connector Discovery. A panel is displayed in which you specify the name of the policy project and vault details to be used during connector discovery.
- Specify the details of the policy project and vault to be used during connector discovery:
- In the Policy Project field, specify the policy project that is used to store the policies that are created during connector discovery. Alternatively, you can create a new policy project by clicking New and then specifying the name of the new policy project. Then click Finish.
- Specify the vault to be used during connector discovery. By default, credentials that are used during connector discovery are stored in an external directory vault, which is an App Connect Enterprise vault that can be used by any integration server. Alternatively, you can store the credentials in an integration server vault, which is created in the integration server's work directory and can be used only by that specific integration server. To specify the vault to be used for storing the credentials, complete the steps in the Using the Connector Discovery wizard section of one of the following topics:
- In the Vault key field, enter the vault key that is used to access the credentials stored in the vault. The vault key must be at least 8 characters in length.
- Optional: By default, the specified vault location and vault key are saved as preferences in the Toolkit so that the values are preset when you launch Connector Discovery. If you do not want the preferences to be saved, deselect Save in vault preferences.
- Click Launch Discovery to start the Connector Discovery wizard for the Microsoft Entra ID connector. The Connector Discovery window is displayed. If existing Microsoft Entra ID connections (accounts) are available, a list of those connections is displayed. If there are no existing connections, the status of the Microsoft Entra ID connector is shown as Not connected.
- If one or more Microsoft Entra ID connections (accounts) are available, complete the following steps:
- Select the connection (account) that you want to use, by clicking on it.
- Click the required object type and then select the action that you want to perform on the object. For example, to retrieve users from Microsoft Entra ID, click Users and then Retrieve users.
- If there are no existing connections (accounts), complete the following steps:
- Click the required object type and then select the action that you want to perform on that object. For example, to retrieve users from Microsoft Entra ID, click Users and then Retrieve users.
- Click Connect to display a menu from which you must select one of the following authorization methods:
- Provide a username, password, and client credentials (OAUTH 2.0 PASSWORD)
- Provide credentials for App Connect to use (BASIC OAUTH)
- Select an authorization method and click Continue. A window is displayed in which you enter the details of your account.
- If you selected Provide a username, password and client credentials (OAUTH 2.0 PASSWORD) as the authorization method, enter the following details:
- In the Client ID field, enter the unique identifier that is generated after the Microsoft Azure app registration gets mapped to the specific project requests.
- In the Client Secret field, enter the application client secret for the project-specific client ID.
- In the Username field, enter the username to log in to your Microsoft Entra ID account.
- In the Password field, enter the password for the specified username.
- If you selected Provide credentials for App Connect to use (BASIC OAUTH) as the authorization method, enter the following details:
- In the Client ID field, enter the unique identifier that is generated after the Microsoft Azure app registration gets mapped to the specific project requests.
- In the Client Secret field, enter the application client secret for the project-specific client ID.
- In the Access token field, enter the access token that is generated from the application client ID and the application client secret.
- In the Refresh token field, enter the refresh token that is generated from the application client ID and application client secret.
For more information about identifying these connection details, see How to use IBM App Connect with Microsoft Entra ID in the IBM App Connect Enterprise as a Service documentation.
- Click Connect.
- Set the required connector properties in the wizard.
You can add conditions for the retrieval of the objects, such as specifying users from a particular Department by entering the name of the department in the equals field. You can also set properties that specify the maximum number of objects to retrieve and the action to be taken if that limit is exceeded.
- When you have finished specifying the properties in the Connector Discovery wizard, click Save. The values of the properties that you set in the wizard are returned to the Microsoft Entra ID Request node in the IBM App Connect Enterprise Toolkit.
- When you have finished discovery and saved the property values, exit the Connector Discovery wizard by clicking the X in the upper-right corner of the window.
- Return to editing the Microsoft Entra ID Request node in the IBM App Connect Enterprise Toolkit. The connector properties that were set in the Connector Discovery wizard (in step 6) are now visible on the Microsoft Entra ID Request node. The Basic tab shows the values of the Action and Object properties that you set in the wizard. For example, if you selected Users > Retrieve users in the wizard, the following properties will be visible on the Basic tab of the node:
- Action - RETRIEVEALL
- Object - Users
The values of the Action and Object properties are displayed in read-only format. If you want to change these values, you can do so by clicking Launch Connector Discovery again and setting new values in the Connector Discovery wizard. You can modify other properties (if any) by clicking Edit next to the property.
The Schema base name property specifies the base name of the schema files that describe the format of the request and response messages that are sent and received from the Microsoft Entra ID connector. The schema base name is set automatically the first time you run discovery for the node, and it is based on the current flow name and node name. If you set this property manually before running discovery for the first time, the value that you set will be used. If you rename the schemas after discovery, you must edit this property so that it matches the schema base name that is used by the renamed schemas in the project. If you change this property after discovery, you must either rename the schema names to match or run discovery again.
Depending on the action that was selected during discovery, the Connector Discovery wizard generates either a request schema and a response schema, or a response schema only. A request schema is generated only if the selected action and object require a request message. The generated request schema is used for validation of the request message. If the action was RETRIEVE or DELETE, only the response schema is returned by the connector.
The generated schema files are added to the project and can be used by a Mapping node for transforming input or output data. The full filename of the schema is derived from the schema base name (such as gen/MyMessageFlow/Microsoft_Entra_ID_Request) suffixed with either response.schema.json or request.schema.json. You can open the schema by clicking Open request schema or Open response schema.
- Check that the property settings on the Microsoft Entra ID Request node are correct and then save the message flow.
- On the Connection tab of the Microsoft Entra ID Request node, select the policy that contains the details of the security identity to be used for the connection. The policy has a type of Microsoft Entra ID. For more information, see Microsoft Entra ID policy.
- Optional: Set the Timeout property on the Connection tab to specify the time (in seconds) that the node waits for Microsoft Entra ID to process the operation.
- The Filter tab of the Microsoft Entra ID Request node contains properties that control the way in which the message flow selects data. The initial values of these properties are taken from the property values that were set for the Microsoft Entra ID connector in the Connector Discovery wizard (as described in step 6). If you subsequently return to the Connector Discovery wizard and change the values of any properties (by adding new conditions, for example) those updates are reflected in the properties set on the node.
The Filter Options properties control which objects are to be operated upon when the Microsoft Entra ID Request node executes. The Filter Limit properties control the maximum number of items to be retrieved and the action to be taken if the limit is exceeded.
You can modify the values of these properties on the Filter tab of the node by clicking Edit next to the value that you want to modify in the Filter Options section, and by changing the property values that have been set in the Filter Limit section.
The property values can be either text values or ESQL or XPATH expressions that are resolved from the contents of the message that is passed to the Microsoft Entra ID Request node as it executes.
- On the Request tab, set the Data location property to specify the location in the incoming message tree that contains the object data to be created in Microsoft Entra ID. This data forms the request that is sent from the Microsoft Entra ID Request node to the Microsoft Entra ID system.
- On the Result tab, set the Output data location property to specify the location in the output message tree that will contain the data of the record that is created in Microsoft Entra ID.
- By default, request messages are validated against the request schema that was generated during connector discovery. You can turn off request validation or change the validation settings by using the Validation properties of the Microsoft Entra ID Request node.
- Save the message flow.
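Before an access token is entered in the Access token field (BASIC OAUTH method) and stored in the vault, it is worth checking what that token actually grants. The following is an added example, not IBM or Microsoft code: it assumes the token is an Entra ID JWT for Microsoft Graph carrying the standard exp, scp and roles claims, and the permission names, function names and sample token are assumptions or constructed for illustration.

```python
import base64
import json
import time

# Assumption (not from the page): the token is an Entra ID JWT for Microsoft
# Graph, and these Graph permissions are what retrieve-only access needs.
READ_ONLY = {"Users": "User.Read.All", "Groups": "Group.Read.All",
             "Devices": "Device.Read.All"}
BROAD = {"Directory.ReadWrite.All", "Directory.AccessAsUser.All"}

def _b64(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    return ".".join([_b64({"alg": "none", "typ": "JWT"}), _b64(claims), "sig"])

def decode_claims(token):
    """Decode the JWT payload for inspection only; no signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def review_token(token, obj, now=None):
    """List findings for a token intended for retrieve-only access to obj."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    # Delegated permissions arrive in 'scp', application permissions in 'roles'.
    granted = set(claims.get("scp", "").split()) | set(claims.get("roles", []))
    findings = []
    if claims.get("exp", 0) <= now:
        findings.append("expired")
    needed = READ_ONLY[obj]
    if not {needed, needed.replace("Read", "ReadWrite")} & granted:
        findings.append(f"missing {needed}")
    for perm in sorted(granted):
        if perm in BROAD or ".ReadWrite." in perm:
            findings.append(f"broader than retrieve-only: {perm}")
    return findings

if __name__ == "__main__":
    sample = make_sample({"exp": 2000, "scp": "User.Read.All Directory.ReadWrite.All"})
    print(review_token(sample, "Users", now=1000))
```

An empty list means the token is unexpired and carries only what a Retrieve action on that object type needs; flows that create, update, or delete objects legitimately need the corresponding write permission.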