How to use IBM App Connect with Microsoft Entra ID

Microsoft Entra ID, previously known as Microsoft Azure Active Directory (Azure AD), is a multi-tenant cloud-based directory and identity management service from Microsoft. Microsoft Entra ID extends on-premises Active Directory into the cloud.

Supported product and API versions

To find out which product and API versions this connector supports, see Detailed System Requirements on the IBM Support page.

Connecting to Microsoft Entra ID

To connect App Connect to a Microsoft Entra ID account, select your preferred authorization method. For more details, see the following table.
Table 1. Connection fields for your chosen authorization method. Descriptions of the fields are given after this table.

Provide a username, password, and client credentials (OAUTH 2.0 PASSWORD)
(For App Connect in containers and App Connect Enterprise as a Service)
  • Client ID
  • Client secret
  • Username
  • Password

Provide credentials for App Connect to use (BASIC OAUTH)
(For App Connect in containers and App Connect Enterprise as a Service)
  • Client ID
  • Client secret
  • Access token
  • Refresh token

Use the application's website to sign in (OAUTH 2.0 AUTH CODE)
(For App Connect Enterprise as a Service)
  Tip: Authorize the connection to Microsoft Entra ID by signing in to your account.

Once you have selected your preferred authorization method, to connect App Connect to a Microsoft Entra ID account, you need to provide the following connection details. The instructions about how to create these values are provided after the following table.

Table 2. Microsoft Entra ID credentials
Field Description
Client ID

The application (client) ID value that is generated when you register an application (to use with App Connect) in the Microsoft Entra ID application registration portal. Displayed on the Overview page for the registered application.

Client secret

The client secret for the Microsoft Entra ID registered application. This secret is generated under Certificates & secrets for the registered application.

Username

The username to log in to your Microsoft Entra ID account.

Password

The password for the specified username.

Access token

For BASIC OAUTH connections only. An access token that is obtained by sending a POST request to the Microsoft identity platform token endpoint, typically by using the client ID, client secret, scope, and grant type of the registered application together with the username and password of the account. App Connect attaches this token to the requests that it sends to Microsoft Entra ID. Access tokens are short-lived, so supply the matching refresh token as well.

Refresh token

For BASIC OAUTH connections only. The refresh token that was returned together with the access token by the same POST request to the Microsoft identity platform token endpoint. App Connect uses it to obtain a new access token when the current one expires.

To obtain the connection values for Microsoft Entra ID, see Obtaining connection values for Microsoft Entra ID.
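The following script is an added example and is not part of App Connect or of the IBM documentation. It shows the two token-endpoint exchanges that the OAUTH 2.0 PASSWORD and BASIC OAUTH methods rely on: the resource owner password credentials (ROPC) grant that produces the first access and refresh tokens, and the refresh-token grant that renews them. It also decodes the access token's claims (without verifying the signature) so that you can confirm the audience and expiry before pasting the token into App Connect. The tenant, client, and account values are placeholders, and the token response and JWT are constructed for offline use. Two caveats a practitioner should keep in mind: the ROPC grant cannot complete for accounts that are subject to MFA or other interactive Conditional Access prompts, and the client secret has an expiry date set under Certificates & secrets, so the connection stops working when it rotates.

```python
"""Token acquisition for the OAUTH 2.0 PASSWORD and BASIC OAUTH methods.

Added example, not IBM App Connect code. Tenant, client and user values are
placeholders; SAMPLE_RESPONSE and the JWT inside it are constructed so the
module runs offline.
"""
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"
# Microsoft Graph's well-known application ID; 'aud' may be either form.
GRAPH_AUDIENCES = ("https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000")


def password_grant_request(tenant, client_id, client_secret, username, password):
    """ROPC grant (OAUTH 2.0 PASSWORD). offline_access is needed to get a refresh token."""
    body = {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{GRAPH_SCOPE} offline_access",
        "username": username,
        "password": password,
    }
    return TOKEN_URL.format(tenant=tenant), body


def refresh_grant_request(tenant, client_id, client_secret, refresh_token):
    """Exchange a refresh token for a new access token (and usually a new refresh token)."""
    body = {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{GRAPH_SCOPE} offline_access",
        "refresh_token": refresh_token,
    }
    return TOKEN_URL.format(tenant=tenant), body


def post_form(url, body):
    """Send the form-encoded POST and return the parsed JSON. Only call with real values."""
    data = urllib.parse.urlencode(body).encode()
    req = urllib.request.Request(
        url, data=data, headers={"Content-Type": "application/x-www-form-urlencoded"}
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def parse_token_response(payload):
    """Return the values App Connect needs for BASIC OAUTH; raise on an error response."""
    if "error" in payload:
        raise RuntimeError(f"{payload['error']}: {payload.get('error_description', '')}")
    return {
        "access_token": payload["access_token"],
        "refresh_token": payload.get("refresh_token"),  # absent without offline_access
        "expires_at": int(time.time()) + int(payload["expires_in"]),
    }


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature: inspect, never trust."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def check_token(token, now=None):
    """Return a list of problems (empty if the token is for Graph and still valid)."""
    claims = jwt_claims(token)
    now = int(time.time()) if now is None else now
    problems = []
    if claims.get("aud") not in GRAPH_AUDIENCES:
        problems.append("audience is not Microsoft Graph")
    if int(claims.get("exp", 0)) <= now:
        problems.append("token expired")
    return problems


def make_unsigned_sample_token(claims):
    """CONSTRUCTED sample for offline use: header and payload with an empty signature."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


SAMPLE_EXP = 1_900_000_000  # constructed expiry (seconds since the epoch)
SAMPLE_RESPONSE = {  # constructed; shape matches a v2.0 token endpoint reply
    "token_type": "Bearer",
    "scope": "https://graph.microsoft.com/Directory.Read.All",
    "expires_in": 3599,
    "access_token": make_unsigned_sample_token(
        {"aud": "https://graph.microsoft.com", "scp": "Directory.Read.All",
         "exp": SAMPLE_EXP, "upn": "svc-appconnect@contoso.example"}
    ),
    "refresh_token": "0.constructed-refresh-token-value",
}

if __name__ == "__main__":
    tokens = parse_token_response(SAMPLE_RESPONSE)
    print("problems:", check_token(tokens["access_token"], now=SAMPLE_EXP - 60))
    print("refresh request:", refresh_grant_request("contoso.onmicrosoft.com", "client-id",
                                                    "client-secret", tokens["refresh_token"]))
```

To use it against a real tenant, call post_form with the output of password_grant_request, pass the reply to parse_token_response, and copy access_token and refresh_token into the BASIC OAUTH fields. Because the secret and the user password travel in the POST body, run this from a host you control and never log the request body.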

To connect to a Microsoft Entra ID endpoint from the App Connect Designer Connect > Applications and APIs page (previously the Catalog page) for the first time, expand Microsoft Entra ID, then click Connect. For more information, see Managing accounts.

Tip:

Before you use the account that is created in App Connect in a flow, rename the account to something meaningful that helps you to identify it. To rename the account on the Applications and APIs page, select the account, open its options menu (⋮), then click Rename Account.

Accessing advanced query capabilities

App Connect provides a number of additional properties for the Device, Group, and User retrieve objects. When you need to retrieve more information about these objects than is returned by default, you can access these additional properties, known as advanced query capabilities in Microsoft Entra ID, by using the following two filter conditions:
Expand references
The expand references field requires the selection of a boolean (true/false) value. To access additional properties, set this field to true.
Note: By default, the value of the Expand references field is set to false.
Navigation properties to expand
Use this field to specify the additional Microsoft Entra ID properties that you want to access. You can choose a maximum of 5 values using a comma-separated list.
Screenshot that shows the Navigation properties to expand field is set to memberOf,transitiveMemberOf.
The following navigation properties are available for you to select for the Device, Group and User retrieve objects:
Device
  • memberOf
  • transitiveMemberOf
  • registeredUsers
  • registeredOwners
Group
  • transitiveMembers
  • memberOf
  • transitiveMemberOf
  • owners
  • appRoleAssignments
User
  • memberOf
  • transitiveMemberOf
  • ownedObjects
  • registeredDevices
  • ownedDevices
  • transitiveManagers
  • directReports
  • transitiveReports
  • appRoleAssignments
  • oAuth2PermissionGrant

For more information about Microsoft Entra ID advanced query capabilities, see Advanced query capabilities on Azure AD directory objects.
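The following script is an added example and is not part of App Connect. It applies the rules stated above (Expand references must be true, at most 5 comma-separated values, and only the navigation properties listed for each retrieve object) to the field values before a flow is saved, and, on the assumption that App Connect passes the selection through as a Microsoft Graph $expand query option, shows the query string that would result. The Graph URL mapping is that assumption, not documented App Connect behaviour; the validation rules are taken from the page.

```python
"""Validate the Expand references / Navigation properties to expand fields.

Added example, not App Connect code. The per-object property lists and the
limit of 5 come from the page; the Graph $expand mapping is an assumption.
"""
from urllib.parse import urlencode

MAX_EXPAND = 5

NAVIGATION_PROPERTIES = {
    "device": {"memberOf", "transitiveMemberOf", "registeredUsers", "registeredOwners"},
    "group": {"transitiveMembers", "memberOf", "transitiveMemberOf", "owners",
              "appRoleAssignments"},
    "user": {"memberOf", "transitiveMemberOf", "ownedObjects", "registeredDevices",
             "ownedDevices", "transitiveManagers", "directReports", "transitiveReports",
             "appRoleAssignments", "oAuth2PermissionGrant"},
}

# Assumed mapping of retrieve objects to Graph collections.
GRAPH_COLLECTION = {"device": "devices", "group": "groups", "user": "users"}


def parse_expand_field(value):
    """Split the comma-separated field, trimming whitespace and dropping duplicates."""
    seen = []
    for item in (value or "").split(","):
        item = item.strip()
        if item and item not in seen:
            seen.append(item)
    return seen


def validate_expand(object_type, expand_references, navigation_properties):
    """Return the navigation properties to expand, or raise ValueError with the reason.

    When Expand references is false (the default) the second field is ignored.
    """
    if not expand_references:
        return []
    key = object_type.lower()
    if key not in NAVIGATION_PROPERTIES:
        raise ValueError(f"unknown retrieve object: {object_type}")
    props = parse_expand_field(navigation_properties)
    if not props:
        raise ValueError("Expand references is true but no navigation properties were given")
    unknown = [p for p in props if p not in NAVIGATION_PROPERTIES[key]]
    if unknown:
        raise ValueError(f"not available for {object_type}: {', '.join(unknown)}")
    if len(props) > MAX_EXPAND:
        raise ValueError(f"at most {MAX_EXPAND} navigation properties allowed, got {len(props)}")
    return props


def build_graph_query(object_type, expand_references, navigation_properties, select=None):
    """Assumed Graph request for the retrieve action, e.g. /v1.0/users?$expand=memberOf."""
    props = validate_expand(object_type, expand_references, navigation_properties)
    params = {}
    if select:
        params["$select"] = ",".join(select)
    if props:
        params["$expand"] = ",".join(props)
    base = f"https://graph.microsoft.com/v1.0/{GRAPH_COLLECTION[object_type.lower()]}"
    return base + ("?" + urlencode(params, safe="$,") if params else "")


if __name__ == "__main__":
    # Matches the screenshot above: Navigation properties to expand = memberOf,transitiveMemberOf
    print(build_graph_query("User", True, "memberOf,transitiveMemberOf"))
    try:
        validate_expand("Device", True, "directReports")
    except ValueError as err:
        print("rejected:", err)
```

Validating the field values up front gives a clearer error than a failed retrieve at run time, and keeping the allowed lists per object stops a property such as directReports, which exists only for User, from being requested on a Device.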

General considerations

Before you use App Connect Designer with Microsoft Entra ID, take note of the following considerations:

  • (General consideration) If you are using multiple accounts for an application, the set of fields that is displayed when you select an action for that application can vary for different accounts. In the flow editor, some applications always provide a curated set of static fields for an action. Other applications use dynamic discovery to retrieve the set of fields that are configured on the instance that you are connected to. For example, if you have two accounts for two instances of an application, the first account might use settings that are ready for immediate use. However, the second account might be configured with extra custom fields.

Events and actions

Microsoft Entra ID events

These events are for changes in this application that trigger a flow to start completing the actions in the flow.

Show more configurable events: Events that are shown by default are pre-configured by using optimized connectivity. More items are available after you configure events that can trigger a flow by polling this application for new or updated objects.

Microsoft Entra ID actions

Your flow completes these actions on this application.

Devices
Create device
Retrieve devices
Update device
Delete device
Update or create device
Groups
Create group
Retrieve groups
Delete group
Update group
Update or create group
Users
Create user
Retrieve users
Delete user
Update user
Update or create user

More items are available when you have connected App Connect to Microsoft Entra ID.

Examples

Dashboard tile for a template that uses Microsoft Entra ID

Use templates to quickly create flows for Microsoft Entra ID

Learn how to use App Connect templates to quickly create flows that perform actions on Microsoft Entra ID. For example, open the Templates gallery, and then search for Microsoft Entra ID.

Microsoft Entra ID flow in detailed view

Use IBM® App Connect to build flows that integrate with Microsoft Entra ID.

Read the blog in the IBM Community to learn how to sync devices between Microsoft Active Directory and Microsoft Entra ID by using a batch process node.