Skip to main content
Matrix42 Self-Service Help Center

AAD Data Provider Settings

  1. Last updated
  2. Save as PDF

Overview

The Azure Active Directory Data Provider is designed for establishing the integration between Digital Workspace Platform and Azure AD server.

On this page, you may find data filtering conditions and advanced settings of the Azure Active Directory Data Provider.

Go to the Administration application → Integration → Data Providers → Azure Active Directory → click Edit → open Settings view.

Settings and Filters

This section contains a number of settings grouped as follows:

010 Connector Configuration-Settings-New condition.png

Domain

Use the single selection button to select the domain for which the integration should be established.

Import Users

Indicates whether users will be imported.

User Filter

If User Filter is active you can specify a collection of conditions based on a list of supported properties for filtering to retrieve just a subset of a collection.

Supported properties

Description

Account Enabled

 true if the account is enabled; otherwise, false. This property is required when a user is created.

City

 The city in which the user is located.

Country

 The country/region in which the user is located; for example, “US” or “UK”.

Department

 The name of the department where the user works.

State

 The state or province in the user's address. 

Country Code

A two-letter country code (ISO standard 3166). Required for users that will be assigned licenses due to legal requirements

to check for availability of services in countries. Examples include: "US", "JP", and "GB".

Display Name

The name displayed in the address book for the user.

This is usually the combination of the user's first name, middle name, and last name.

This property is required when a user is created and it cannot be cleared during updates.

Employee ID

 The employee identifier assigned to the user by the organization.

First Name

 The given name (first name) of the user.

Last Name

 The user's surname (family name or last name).

When the Last Name is not defined, the user's Display Name is used for filling Last Name (all parts after the first name are split with whitespace and added as the last name).

Job Title

 The user’s job title.

Mail

 The SMTP address for the user, for example, "jeff@contoso.onmicrosoft.com".

Mail Nickname

 The mail alias for the user. This property must be specified when a user is created.

On-Premises Immutable ID

This property is used to associate an on-premises Active Directory user account to their Azure AD user object.

This property must be specified when creating a new user account in the Graph if you are using a federated domain for the user’s userPrincipalName (UPN) property.

The $ and _ characters cannot be used when specifying this property.

Other Mails

 A list of additional email addresses for the user; for example: ["bob@contoso.com", "Robert@fabrikam.com"] 

Proxy Addresses

For example: ["SMTP: bob@contoso.com", "smtp: bob@sales.contoso.com"]

User Principal Name (UPN)

The User Principal Name (UPN) of the user.

The UPN is an Internet-style login name for the user based on the Internet Standard RFC 822.

By convention, this should map to the user's email name. 

User Type

 A string value that can be used to classify user types in your directory, such as “Member” and “Guest”.

Import Groups

Indicates whether groups will be imported.

Group Filter

If Group Filter is active you can specify a collection of conditions based on a list of supported properties for filtering to retrieve just a subset of a collection.

Supported properties

Description

Display Name

 The display name for the group. This property is required when a group is created and cannot be cleared during updates.

Group Types

 Specifies the group type and its membership. 

If the collection contains Unified then the group is an Office 365 group; otherwise, it's a security group. 

Mail

 The SMTP address for the group.

Mail Nickname

 The mail alias for the group, unique in the organization. This property must be specified when a group is created.

On-Premises Last Sync DateTime

 Indicates the last time at which the group was synced with the on-premises directory. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 would look like this: '2014-01-01T00:00:00Z'

On-Premises Sync Enabled
  • true if this group is synced from an on-premises directory; 
  • false if this group was originally synced from an on-premises directory but is no longer synced; 
  • null if this object has never been synced from an on-premises directory (default).

Proxy Addresses

 Email addresses for the group that direct to the same group mailbox. For example: ["SMTP: bob@contoso.com", "smtp: bob@sales.contoso.com"]

Security Enabled

 Specifies whether the group is a security group.

Filter conditions

To add a filter condition, follow these steps:

  • Click Add Condition.
  • Select the property you'd like to filter.
  • Select an operator.

    The following operators are supported by Azure Active Directory Graph API:

    • Equals
    • Starts With.

    The filter conditions can be combined by using the following logical operators:

    • AND
    • OR

    Creating groups of conditions is supported as well.

    Only one kind of logical operator can be defined on each level

Known limitations

If "OR" operator is used at least once within filter then conditions count should not exceed 15. Validation message will be displayed in UI.

Additional Import Attributes

Users and Groups Import

Additional attributes can be specified for Users and Groups Import starting from DWP 10.0 Update 3.

Additional Import Attributes section is available when at least one type of import is enabled: Import Users or Import Groups.

additional_import_settings.png

To configure the additional attributes you want to import, in the Settings section of the Data Provider configuration, fill out the following fields:

  • Extension Application (client) ID:
    • Same Application ID: by default, the configuration uses the same Application (client) ID that is specified in the General section.
    • Other Application ID: if the additional attributes are available in the other tenant, clear the Extension Application ID is the same as Application (client) ID checkbox and specify the Extension Application (client) ID in the corresponding field;
  • User Attribute Names (Separated by Commas): enumerate necessary attributes. Please note that attribute names are case sensitive;
  • Group Attribute Names (Separated by Commas): enumerate necessary attributes. Please note that attribute names are case sensitive;

Update the import definition for User import accordingly, in order to correctly save the values from extended attributes in the database

For cases when both Azure Active Directory and on-premises Active Directory are used as import sources, Additional Import Attributes must be configured the same way in both configurations of these connectors:

  1. Configure Additional Import Attributes in Azure Active Directory connector configuration;
  2. Configure Additional Import Attributes in on-premises Active Directory connector configuration;
  3. Update the import definition accordingly, in order to correctly save the custom values in the database;
  4. Run import from both sources: Azure Active Directory and on-premises Active Directory.

Otherwise, if the Additional Import Attributes are configured only for Azure Active Directory, the on-premises Active Directory import fails.

Added attributes are also available for filtering:

aad_user_filter.png

See also: Microsoft Azure AD Directory extensions.

Limitations 

It is not possible to import navigation properties and related objects (e.g. manager field) even as custom attributes as currently it is not supported by Microsoft. For more details see Microsoft documentation.