Microsoft Entra ID Data Provider
Overview
The Microsoft Entra ID Data Provider is designed for establishing the integration between Digital Workspace Platform and Microsoft Entra ID server.
On this page, you may find data filtering conditions and advanced settings of the Microsoft Entra ID Data Provider.
Go to the Administration application → Integration → Data Providers → Microsoft Entra ID / Microsoft 365 → click Edit → open Settings view.
Settings and Filters
This section contains a number of settings grouped as follows:
Domain
Use the single selection button to select the domain for which the integration should be established.
Import Users
Indicates whether users will be imported.
User Filter
If User Filter is active you can specify a collection of conditions based on a list of supported properties for filtering to retrieve just a subset of a collection.
Supported properties |
Description |
---|---|
Account Enabled |
true if the account is enabled; otherwise, false. This property is required when a user is created. |
City |
The city in which the user is located. |
Country |
The country/region in which the user is located; for example, “US” or “UK”. |
Department |
The name of the department where the user works. |
State |
The state or province in the user's address. |
Country Code |
A two-letter country code (ISO standard 3166). Required for users that will be assigned licenses due to legal requirements to check for availability of services in countries. Examples include: "US", "JP", and "GB". |
Display Name |
The name displayed in the address book for the user. Usually, this is a combination of the user's first name, middle name, and last name. This property is required when a user is created and it cannot be cleared during updates. |
Employee ID |
The employee identifier assigned to the user by the organization. |
First Name |
The given name (first name) of the user. |
Last Name |
The user's surname (family name or last name).
When the Last Name is not defined, the user's Display Name is used for filling Last Name (all parts after the first name are split with whitespace and added as the last name). |
Job Title |
The user’s job title. |
|
The SMTP address for the user, for example, "jeff@contoso.onmicrosoft.com". |
Mail Nickname |
The mail alias for the user. This property must be specified when a user is created. |
On-Premises Immutable ID |
This property is used to associate an on-premises Active Directory user account to their Microsoft Entra ID user object. This property must be specified when creating a new user account in the Graph if you are using a federated domain for the user’s userPrincipalName (UPN) property. The $ and _ characters cannot be used when specifying this property. |
Other Mails |
A list of additional email addresses for the user; for example: ["bob@contoso.com", "Robert@fabrikam.com"] |
Proxy Addresses |
For example: |
User Principal Name (UPN) |
The User Principal Name (UPN) of the user. The UPN is an Internet-style login name for the user based on the Internet Standard RFC 822. By convention, this should map to the user's email name. |
User Type |
A string value that can be used to classify user types in your directory, such as “Member” and “Guest”. |
Import Groups
Indicates whether groups will be imported.
Group Filter
If Group Filter is active you can specify a collection of conditions based on a list of supported properties for filtering to retrieve just a subset of a collection.
Supported properties |
Description |
---|---|
Display Name |
The display name for the group. This property is required when a group is created and cannot be cleared during updates. |
Group Types |
Specifies the group type and its membership. Available since DWP v.12.0.2. Since the group types are defined by Microsoft, the only available operator is 'equals' with the following values:
The groupType values are stored in Microsoft Entra ID Custom Filter Data Definition. |
|
The SMTP address for the group. |
Mail Nickname |
The mail alias for the group, unique in the organization. This property must be specified when a group is created. |
On-Premises Last Sync DateTime |
Indicates the last time at which the group was synced with the on-premises directory. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 would look like this: '2014-01-01T00:00:00Z' |
On-Premises Sync Enabled |
|
Proxy Addresses |
Email addresses for the group that lead to the same group mailbox. For example: ["SMTP: bob@contoso.com", "smtp: bob@sales.contoso.com"] . |
Security Enabled |
Specifies whether the group is a security group. |
To customize the filtering properties of Users and Groups, a new Data Definition called Entra ID Filter Property was introduced. To extend the existing properties list with a new property, you can add a new property that is not currently in the list and will be used for filtering. The list of all available properties, that could be added, you can check here.
Go to the Administration application → Schema → Data Definitions → Pickups → Entra ID Filter Property → click Edit → open Data tab
In Data tab the list of existing properties for filtering data will be displayed. Click to add new properties to list.
Is Nullable column - indicates that the property is nullable and filterable using null. Two new operators, Is Set and Is Not Set, will become available in the operators list if the Is Nullable checkbox is checked.
Display String column - Internally used filter properties name.
Supported Conditions Operators column - Operators that will be available for the current attribute:
- 1 - Equals
- 2 - Not Equals
- 4 - Lower Than Or Equals
- 6 - Greater Than Or Equals
- 8 - Starts With
- 9 - Ends With
- 10 - In
- 11 - Not In
Object Type column - define two types of objects available for filtering:
- 2 - Users
- 3 - Groups
Filter conditions
To add a filter condition, follow these steps:
- Click Add Condition.
- Select the property you'd like to filter.
- Select an operator.
The following operators are supported by Microsoft Graph API:
- Equals
- Not Equals
- Starts With
- Ends With
- Lower Than or Equals
- Grater Than or Equals
- In
- Not In
- Is Set
- Not Set
The filter conditions can be combined by using the following logical operators:
- AND
- OR
Creating groups of conditions is supported as well.
Only one kind of logical operator can be defined on each level
Known limitations
If "OR" operator is used at least once within the filter then the conditions count should not exceed 15. The validation message will be displayed in the UI.
Do not process deleted objects
This checkbox has the following options:
- not selected (default): deleted objects are processed and synchronized;
- selected: in this case already imported objects from Microsoft Entra ID to the ESM will not be marked as deleted. Also, no "new" deleted objects will be imported to Microsoft Entra ID and will not be updated.
Starting from DWP v.11.0.2 the "Skip Import Deleted Objects" property has been renamed to "Do not process deleted objects".
Pay attention that processing of deleted object is applied to 30 days old entries max, and in case you may want to delete entries in DWP that were deleted in Microsoft Entra ID later than 30 days ago - you will need to do that manually.
Additional Import Attributes
Users and Groups Import
Additional attributes can be specified for Users and Groups Import starting from DWP 10.0 Update 3.
Additional Import Attributes
Additional Import Attributes section is available when at least one type of import is enabled: Import Users or Import Groups.
To configure the additional attributes you want to import, in the Settings section of the Data Provider configuration, fill out the following fields:
- Extension Application (client) ID:
- Same Application ID: by default, the configuration uses the same Application (client) ID that is specified in the General section.
- Other Application ID: if the additional attributes are available in the other tenant, clear the Extension Application ID is the same as the Application (client) ID checkbox and specify the Extension Application (client) ID in the corresponding field;
- User Attribute Names (Separated by Commas): enumerate necessary attributes. Please note that attribute names are case-sensitive;
- Group Attribute Names (Separated by Commas): enumerate necessary attributes. Please note that attribute names are case-sensitive;
Update the import definition for User import accordingly, in order to correctly save the values from extended attributes in the database
For cases when both Microsoft Entra ID and on-premises Active Directory are used as import sources, Additional Import Attributes must be configured the same way in both configurations of these connectors:
- Configure Additional Import Attributes in Microsoft Entra ID connector configuration;
- Configure Additional Import Attributes in on-premises Active Directory connector configuration;
- Update the import definition accordingly, in order to correctly save the custom values in the database;
- Run import from both sources: Microsoft Entra ID and on-premises Active Directory.
Otherwise, if the Additional Import Attributes are configured only for Microsoft Entra ID, the on-premises Active Directory import fails.
Added attributes are also available for filtering:
See also: Microsoft Entra Connect Sync Directory extensions.
On-Premise Extension Attributes
Starting from DWP v.11.0.1 it is possible to import an additional type of extension attributes. Before configuring DWP, Microsoft Entra ID must have configured synchronization to retrieve these attributes, and the attributes are retrieved by import only if they are available on Microsoft Entra ID.
On-premises extension attributes are available only for Import Users only:
This property returns an array of fifteen on-premises extension attribute properties that have reserved names, for instance: onPremisesExtensionAttribute1, onPremisesExtensionAttribute2, etc.
Individual extension attribute can not be retrieved, as all 15 attributes are stored as a single object and are retrieved all together.
When enabled, on-premises extension attributes are also available for filtering:
After import, the Account.xml will display the on-premises extension attributes as follows:
<onPremises_extensionAttribute1>value1</onPremises_extensionAttribute1> <onPremises_extensionAttribute2>value2</onPremises_extensionAttribute2> <onPremises_extensionAttribute3>value3</onPremises_extensionAttribute3> <onPremises_extensionAttribute4>value4</onPremises_extensionAttribute4> <onPremises_extensionAttribute5>value5</onPremises_extensionAttribute5> <onPremises_extensionAttribute6>value6</onPremises_extensionAttribute6> <onPremises_extensionAttribute7>value7</onPremises_extensionAttribute7> <onPremises_extensionAttribute8>value8</onPremises_extensionAttribute8> <onPremises_extensionAttribute9>value9</onPremises_extensionAttribute9> <onPremises_extensionAttribute10>value10</onPremises_extensionAttribute10> <onPremises_extensionAttribute11>value11</onPremises_extensionAttribute11> <onPremises_extensionAttribute12>value12</onPremises_extensionAttribute12> <onPremises_extensionAttribute13>value13</onPremises_extensionAttribute13> <onPremises_extensionAttribute14>value14</onPremises_extensionAttribute14> <onPremises_extensionAttribute15>value15</onPremises_extensionAttribute15>
See also: Microsoft Entra ID onPremisesExtensionAttributes resource type.
Limitations
It is not possible to import navigation properties and related objects (e.g. manager field) even as custom attributes as currently it is not supported by Microsoft. For more details see Microsoft documentation.
Microsoft Entra ID Data Provider flow
As a rule, Digital Workspace Platform cannot access corporate networks and collect their data. Therefore, the Data Gateway service is installed within the corporate network that is managed by an Microsoft Entra ID server. The gateway collects the data on the Microsoft Entra ID server and sends it to Digital Workspace Platform.
1 - Activating the Microsoft Entra ID Data Provider
The Microsoft Entra ID import can be triggered in several ways in Digital Workspace Platform:
- Manually run Microsoft Entra ID connector data import with the Activate action available in Administration application → Integration → Data Providers → Active Directory. It retrieves all data available at the configured remote Microsoft Entra ID server(s).
- Scheduled: configured AD Connector engine activation runs the import and triggers the Active Directory Data Provider according to the specified import schedule.
2 - Launching the Directory Domain Services Server Workflow
The Microsoft Entra ID Data Provider launches the Directory Domain Services workflow. It is a server workflow that is run in Matrix42 Digital Workspace Platform.
3 - Launching the Microsoft Entra ID Collect Data Command
The Directory Domain Services workflow creates jobs according to the specified configurations of the Data Provider. The Data Provider configurations contain the information on the target domain and stipulate the conditions of import. When the Data Gateway finds the jobs, it starts the Microsoft Entra ID Collect Data command.
4 - Retrieving Microsoft Entra ID Objects
The Microsoft Entra ID Collect Data command is run on the Data Gateway server and therefore it can access the network data. Based on settings in the Data Provider configuration, the command activity collects data on Microsoft Entra ID objects and saves it as a package of XML files. A separate XML file is created for each imported object and for each type of deleted objects. If the import is configured for accounts, or groups, the command activity generates the following list of files:
- Account.xml contains all Microsoft Entra ID users that are currently active.
- Group.xml contains all Microsoft Entra ID groups that are currently active.
- DeletedAccount.xml is relevant for partial import and contains users that have been deleted on an Microsoft Entra ID server since the last import.
- DeletedGroups.xml is relevant for partial import and contains groups that have been deleted on an Microsoft Entra ID server since the last import.
- Membership.xml contains the relations between Microsoft Entra ID groups and their members.
5 - Passing Microsoft Entra ID Objects to Digital Workspace Platform
The Data Gateway passes XML files to the Directory Domain Services workflow in Digital Workspace Platform.
6 - Creating and Updating Objects Based on Imported Data
The Directory Domain Services workflow executes import definitions for each imported object. It uses the XML files as the data source to either update Digital Workspace Platform objects with new values from Microsoft Entra ID objects or create new objects in Digital Workspace Platform.
The following import definitions are executed:
- AD: Import Accounts
The import definition updates the existing accounts and creates new ones based on active users on an Microsoft Entra ID server. It uses the Account.xml file as a data source. - AD: Import Groups
The import definition updates existing groups and creates new ones based on active groups on an Microsoft Entra ID server. It uses the Group.xml file as a data source. - AD: Import Persons
The import definition updates existing persons and creates new ones based on active users on an Microsoft Entra ID server. It uses the Person.xml file as a data source. - AD: Membership
The import definition updates group membership for accounts, groups based on data from an Microsoft Entra ID server. It uses the Members.xml file as a data source. - AD: Update Deleted Accounts
If some Microsoft Entra ID users have been deleted since the last import, this import definition changes the Status field value to Deleted for corresponding accounts in Matrix42 Digital Workspace Platform. It uses the DeletedAccount.xmlfile as a data source. - AD: Update Deleted Persons
If some Microsoft Entra ID users have been deleted since the last import, this import definition changes the Status field value to Deleted for corresponding persons in Matrix42 Digital Workspace Platform. It uses the DeletedAccount.xml file as a data source. - AD: Update Deleted Groups
If some Microsoft Entra ID groups have been deleted since the last import, this import definition changes the Status field value to Deleted for corresponding groups in Matrix42 Digital Workspace Platform. It uses the DeletedGroups.xml file as a data source.
Microsoft Entra ID Data Provider Attribute Mapping
In this section, you may find all the necessary information for the advanced settings of the Microsoft Entra ID Data Provider, in particular import mapping rules and available attributes.
Users
Rules
- Account attributes including state are imported from Microsoft Entra ID
- The corresponding Person is created for every Account that is imported from Microsoft Entra ID (except the case when AD and Microsoft Entra ID are connected with Microsoft Entra Connect)
- If the Account is already associated with an existing Person, the Person is not updated
- Person attributes are set only in case when new Person is created during import from Microsoft Entra ID
- Person attributes are never updated during Import if the Person already exists
- Person attributes are not synchronized back to the Microsoft Entra ID
Account
Mapping
SPSAccountClassAD.Sid = sid
or
(SPSAccountClassBase.NBAccountName = sAMAccountName AND Domain)
where Domain:
SPSAccountClassAD.Domain = @DomainId
Attributes
Name | Microsoft Entra ID | Data Definition | Attribute | Note |
---|---|---|---|---|
State | 512 NORMAL_ACCOUNT | SPSCommonClassBase | State | |
Locked | CASE WHEN accountEnabled = 'true' THEN 0 ELSE 1 END | SPSAccountClassAD | Locked | |
Domain | - | SPSAccountClassAD | Domain | taken from Relation, @DomainID |
Account Name |
CASE WHEN userPrincipal |
SPSAccountClassBase | AccountName | |
NETBIOS Name | onPremisesSamAccountName | SPSAccountClassBase | NBAccountName | |
Person | - | SPSAccountClassBase | Owner | taken from Relation |
Federal State | state | SPSAccountClassBase | FederalState | |
Address | streetAddress | SPSAddressClassBase | Street | |
Country | country | SPSAddressClassBase | Country | |
Fax | faxNumber | SPSAddressClassBase | Facsimile | |
P.O. | postalCode | SPSAddressClassBase | ZIP | |
City | city | SPSAddressClassBase | City | |
SPSAddressClassBase | ||||
Sid | id | SPSAccountClassAD | Sid | |
Distinguished Name | onPremisesDistinguishedName | SPSAccountClassAD | ADCN | |
First Name | givenName | SPSAccountClassADUser | FirstName | |
Last Name | surname | SPSAccountClassADUser | LastName | |
Position | jobTitle | SPSAccountClassADUser | Position | |
Cell Phone | mobilePhone | SPSAccountClassADUser | MobilePhone | |
Office | officeLocation | SPSAccountClassADUser | Office | |
Department | department | SPSAccountClassADUser | Department | |
Company | companyName | SPSAccountClassADUser | Company |
Person
Mapping
SPSUserClassLdap.Sid = sid
Attributes
Name | Microsoft Entra ID | Data Definition | Attribute | Note |
---|---|---|---|---|
Display Name | displayName | SPSUserClassBase | DisplayName | |
Federal State | state | SPSAddressClassBase | State | |
Address | streetAddress | SPSAddressClassBase | Street | |
Country | country | SPSAddressClassBase | Country | |
Fax | faxNumber | SPSUserClassBase | Fax | |
P.O. | postalCode | SPSAddressClassBase | POBoxZIP | |
City | city | SPSAddressClassBase | City | |
SPSAddressClassBase | ||||
Accounts | id | SPSUserClassBase | Accounts | Relation |
Distinguished Name | onPremisesDistinguishedName | SPSUserClassLdap | DistinguishedName | |
First Name | givenName | SPSUserClassBase | FirstName | |
Last Name | surname | SPSUserClassBase | LastName | |
Position | jobTitle | SPSUserClassBase | Position | |
Cell Phone | mobilePhone | SPSUserClassBase | MobilePhone | |
Business Phone | businessPhone | SPSUserClassBase | BusinessPhone | |
Office | officeLocation | SPSUserClassBase | Office | |
Department | department | SPSUserClassBase | Department | |
Company | companyName | SPSUserClassBase | Company |
Groups
Rules
- All specified attributes including state are imported from Microsoft Entra ID
Mapping
(SPSSecurityGroupClassAD.Sid = sid AND Domain)
or
(SPSSecurityGroupClassAD.NT4Name = sAMAccountName AND Domain)
or
(SPSSecurityGroupClassAD.Name = name AND Domain)
Where Domain:
SPSSecurityGroupClassAD.Domain =@DomainId
Attributes
Name | Microsoft Entra ID | Data Definition | Attribute | Note |
---|---|---|---|---|
State | 2080 | SPSCommonClassBase | State | |
Domain | - | SPSSecurityGroupClassAD | Domain | Relation, @DomainID |
Name | displayName | SPSSecurityGroupClassAD | Name | |
NETBIOS Name | displayName | SPSSecurityGroupClassAD | NT4Name | |
Group Type | groupTypes.Contains("Unified") ? 16 : 48 | SPSSecurityGroupClassAD | GroupType | |
Security Group | CASE WHEN groupType & 32 = 32 THEN 1 ELSE 0 END | SPSSecurityGroupClassAD | IsSecurityGroup | |
Sid | id | SPSSecurityGroupClassAD | Sid | |
Description | description | SPSSecurityGroupClassAD | Description |
Common Microsoft Entra ID Attributes
Name |
Microsoft Entra ID |
AD |
Data Definition |
Attribute |
Note |
---|---|---|---|---|---|
Last Sync Date | - | - | SPSCommonClassLdap | LastSyncDate | Current date |
Object GUID | id | objectGuid | SPSCommonClassLdap | ObjectGuid | |
Deleted | - | - | SPSCommonClassLdap | Deleted | 0 (False) |
Synchronizable | - | - | SPSCommonClassLdap | Synchronizable | @Synchronizable |