How to use IBM App Connect with Microsoft Azure Active Directory

Azure Active Directory (Azure AD) is a multi-tenant cloud-based directory and identity management service from Microsoft. Microsoft Azure Active Directory extends on-premises Active Directory into the Cloud.

Availability:
  • A connector in IBM App Connect Enterprise as a ServiceApp Connect Enterprise as a Service connector
  • A local connector in a Designer instance of IBM App Connect in containers (Continuous Delivery release)Local connector in containers (Continuous Delivery release) 12.0.3.0-r2 or later
  • A local connector in a Designer instance of IBM App Connect in containers (Long Term Support)Local connector in containers (Long Term Support release)

Connecting to Microsoft Azure Active Directory

To connect App Connect to a Microsoft Azure Active Directory account, select your preferred authorization method. For more details, see the table below.
Table 1. Connection fields for your chosen authorization methods. Descriptions of the fields are given after this table.
Provide credentials for App Connect to use (OAUTH 2.0 PASSWORD) (For App Connect in containers and App Connect Enterprise as a Service) Provide credentials for App Connect to use (BASIC OAUTH) (For App Connect in containers) Use the application's website to sign in (OAUTH 2.0 AUTH CODE) (For App Connect Enterprise as a Service)
Client ID Client ID
Tip: Authorize connection to Microsoft Azure Active Directory by signing in to your account.
Client secret Client secret  
Username Access token  
Password Refresh token  

Once you have selected your preferred authorization method, to connect App Connect to a Microsoft Azure Active Directory account, you need to provide the following connection details. The instructions about how to create these values are provided after the following table.

Table 2. Microsoft Azure Active Directory credentials
Field Description
Client ID

The application (client) ID value that is generated when you register an application (to use with App Connect) in the Microsoft Azure Active Directory application registration portal. Displayed on the Overview page for the registered application.
Client secret

The client secret for the Microsoft Azure Active Directory registered application. Generated under 'Certificates & secrets' for the registered application.
Username

The username to log in to your Microsoft Azure Active Directory account.

Password

The password for the specified username.

Access token

For BASIC OAUTH connections only. The access token generated from the application client ID and secret.

An access token that is generated by sending a POST request to the Microsoft identity platform endpoint. This token will be attached to requests that App Connect sends to Microsoft Azure Active Directory. Typically generated by using the client ID, client secret, scope, grant type, user name, and password values for the registered application.
Refresh token

For BASIC OAUTH connections only. The refresh token generated from the application client ID and secret.

A refresh token that was returned for the POST request to the Microsoft identity platform endpoint. This token can be used to obtain a new access token.

To generate these values and connect to Microsoft Azure Active Directory, you'll need to register an application with the required permissions in Microsoft Azure, which will enable App Connect to integrate with Microsoft Azure Active Directory by using APIs and protocols.

To connect by using either OAUTH2_PASSWORD or BASIC_OAUTH authorization, you'll need to obtain a client ID and a client secret for your registered app, and then configure permissions. If using BASIC_OAUTH authorization, you must also obtain an access token and a refresh token.
Note: These instructions assume that you are registering an application in Microsoft Azure for the first time.
  1. To register an application with Microsoft Azure, for use with App Connect:
    1. Log in to the Microsoft Azure portal, and then locate and click App registrations. (Direct link for the Azure app registration portal: https://go.microsoft.com/fwlink/?linkid=2083908)
    2. If you have access to more than one tenant, switch to the tenant where you want to register the app by using the Directories + subscriptions filter in the banner and then click the Close icon (X) to return to the previous page.
    3. In the App registrations page, click New registration.
    4. In the Register an application page, specify a unique name for your app, select Accounts in any organizational directory (Any Azure AD directory - Multitenant) as the account type, and accept the default values for the remaining fields.
      Figure 1. Microsoft Azure registering an application window
    5. Click Register. The Overview page for the application is displayed.
      Overview page for the registered application
    6. Make a note of the Application (client) ID value because you'll need to specify it as a connection value when creating the account (by using either OAUTH2_PASSWORD or BASIC_OAUTH authorization) in App Connect.

  2. To generate a client secret for your registered application:
    1. Next to Client credentials on the Overview page, click Add a certificate or secret. This displays the Certificates & secrets page.
    2. Click New client secret
    3. In the Add a client secret panel, specify a description for the secret (for example, App Connect secret) and then select an expiry period.
    4. Click Add. The generated client secret is displayed on the Certificates & secrets page.
      Generated client secret for the registered app
    5. In the Add a client secret panel, specify a description for the secret, then select an Expiry periodand click Add
    6. Copy and store the client secret value because you'll need to specify it as a connection value when creating the account (by using either OAUTH2_PASSWORD or BASIC_OAUTH authorization) in App Connect. If you are using BASIC_OAUTH authorization, you'll also need to specify the client secret value while generating access and refresh tokens.
      Note: The client secret value won't be shown again in full after you leave this page.
  3. Configure the permissions that App Connect needs.
    1. In the left pane, click API permissions and then click Add a permission > Microsoft Graph > Delegated permissions to add each of the following permissions in turn. You can search for and select a permission, and then click Add permissions.
      Permissions Description
      Directory.ReadWrite.All Read and write directory data.

      (Allows App Connect to read and write data in your organization's directory, such as users, and groups.)

      offline_access Maintain access to data you have given it access to.

      (Allows App Connect to see and update the data you gave it access to, even when users are not currently using App Connect.)
      Note: Directory.ReadWrite.All requires admin consent.
    2. If the status of any permission is shown as Not granted for myDomain, click Grant admin consent for myDomain, where myDomain is your domain name. Then click Yes to confirm. (This will update the status of all permissions to Granted for myDomain.)
    Required permissions for the registered app
  4. If you want to connect by using BASIC_OAUTH authorization, use an application such as IBM API Connect Test and Monitor or Postman to submit a POST request to generate an access token and a refresh token that will be used to interact with Microsoft Azure Active Directory on your behalf. Specify the following parameters:
    • Request URL: 
      https://login.microsoftonline.com/organizations/oauth2/v2.0/token
    • Content-Type: application/x-www-form-urlencoded
    • Request parameters:
      Key Value
      client_id Set this to the Application (client) ID value that was generated for your registered app.
      scope Directory.ReadWrite.All offline_access
      grant_type password
      client_secret Set this to the client secret value that was generated under Certificates & secrets for your registered app.
      userName Set this to the username that was used to log in to the Azure portal.
      password Set this to the associated password for the username

  • Postman Version 7.29.1 was used in these instructions, so there might be a slight variation in the fields that you see if your version is different.

    1. Start a new POST request and specify the request URL.
    2. Click the Body tab and select x-www-form-urlencoded. This option automatically adds the Content-Type: application/x-www-form-urlencoded setting in the request header.
    3. Specify the request parameters.
    Configuring the request parameters in Postman

    When you click Send, an access token and refresh token are returned in the response. Make a note of these values because you'll need to specify them as connection values when creating the account.

    Generated tokens in the response returned for the POST call in Postman

Note: The generated access token is valid for 1hour, and the refresh token will expire after 90 days of inactivity. So it is expected that you'll need to generate new tokens only if the refresh token has been revoked or has not been used in 90 days.

Accessing advanced query capabilities

App Connect provides you with a number of additional properties for the Device, Group and User retrieve objects. When you need to retrieve more information about these objects, for instance more information than what is provided by default, you can access additional properties, known as advanced query capabilities in Microsoft Azure Active Directory by using the following two filter conditions:
Expand references
The expand references field requires the selection of a boolean (true/false) value. To access additional properties, set this field to true.
Note: By default, the value of the Expand references field is set to false.
Navigation properties to expand
Use this field to specify the additional Microsoft Azure Active Directory properties that you want to access. You can choose a maximum of 5 values using a comma-separated list.
Screen capture to show the 2 filter conditions used to access additional properties
The following navigation properties are available for you to select for the Device, Group and User retrieve objects:
Device
  • memberOf
  • transitiveMemberOf
  • registeredUsers
  • registeredOwners
Group
  • transitiveMembers
  • memberOf
  • transitiveMemberOf
  • owners
  • appRoleAssignments
User
  • memberOf
  • transitiveMemberOf
  • ownedObjects
  • registeredDevices
  • ownedDevices
  • transitiveManagers
  • directReports
  • transitiveReports
  • appRoleAssignments
  • oAuth2PermissionGrant

For more information about Microsoft Azure Active Directory advanced query capabilities see, Advanced query capabilities on Azure AD directory objects.

General considerations

Before you use App Connect Designer with Microsoft Azure Active Directory, take note of the following considerations:

  • (General consideration) If you are using multiple accounts for an application, the set of fields that is displayed when you select an action for that application can vary for different accounts. In the flow editor, some applications always provide a curated set of static fields for an action. Other applications use dynamic discovery to retrieve the set of fields that are configured on the instance that you are connected to. For example, if you have two accounts for two instances of an application, the first account might use settings that are ready for immediate use. However, the second account might be configured with extra custom fields.

Events and actions

Microsoft Azure Active Directory events

These events are for changes in this application that trigger a flow to start performing the actions in the flow.

Show configurable events... Events shown by default are pre-configured using optimized connectivity. More items are available when you have configured more events that can trigger a flow by polling Microsoft Azure Active Directory for new or updated objects. For more information about configurable events, see Configuring polled events to trigger flows.

Microsoft Azure Active Directory actions

These are actions on this application that you want a flow to complete.

Devices
Create device
Retrieve devices
Update device
Delete device
Update or create device
Groups
Create group
Retrieve groups
Delete group
Update group
Update or create group
Users
Create user
Retrieve users
Delete user
Update user
Update or create user

More items are available when you have connected App Connect to Microsoft Azure Active Directory.

Examples

Screenshot of the dashboard tile for a template that uses Microsoft Azure AD

Use templates to quickly create flows for Microsoft Azure Active Directory

Learn how to use App Connect templates to quickly create flows that perform actions on Microsoft Azure Active Directory; for example, open the Templates gallery then search for Microsoft Azure Active Directory.

Learn more

Sreenshot of a Microsoft AD example

Use IBM App Connect to build flows that integrate with Microsoft Azure Active Directory.

Read the blog in the IBM Community to learn how to sync devices between Microsoft Active Directory and Microsoft Azure Active Directory using a batch process node. Click Learn more to read the blog.

Learn more