Deploy or Migrate to Client Credential Flow for Azure AD
The Client Credential Flow option for Azure Active Directory (AD) in the Cloud Identity Engine
allows you to use a service account to log in to your Azure AD in the Cloud Identity
Engine. Using a service account is strongly recommended, as this is a more secure
method for directory access and does not require the account to be associated with a
specific user.
If this is the first
time you have created a Cloud Identity Engine tenant, the Cloud
Identity Engine app is not available in the Azure app gallery, so
you must create a custom app.
If you already have an existing
Azure AD configuration in the Cloud Identity Engine, you can easily migrate
the existing configuration to use the client credential flow option
by reconnecting your Azure AD to the Cloud Identity Engine, selecting
the Client Credential Flow option, and testing the connection to
verify the configuration.
- If you have not already done so, activate your Cloud Identity Engine tenant.
- Grant the required read-only permissions in the Azure Portal.
  - In the Azure Portal, select Home > Azure Active Directory > App Registrations.
  - Click New registration.
  - Enter a Name, then click Register.
  - Select API permissions, then click Add a permission.
  - Click Microsoft Graph, then select Application permissions.
  - Select the following permissions, then click Add permissions:
    - Directory.Read.All
    - Organization.Read.All
    - If you want to use user risk information in attribute-based Cloud Dynamic User Groups, you must grant additional permissions. For more information, refer to the documentation on how to Create a Cloud Dynamic User Group.
  - Click Grant admin consent for DirectoryName (where DirectoryName represents the name of your Azure AD).
  - Click Yes to confirm.
- Collect the necessary configuration information from the Azure Portal.
  - In the Azure dashboard, select your Azure AD, then select App Registrations and select the app you created.
  - Select Certificates & secrets, then click New client secret.
  - Enter a Description and Add the secret. When you add the secret, make sure to keep track of when the secret Expires. When the secret expires, you must configure the new secret in the Azure Portal and update the configuration in the Cloud Identity Engine app to replace the expired secret. Keep this in mind when selecting the expiry value for the secret. If you prioritize ease of configuration, select a longer expiration for the secret (the maximum value is 2 years). If security is of greater concern, select a shorter value for the secret's expiration (the default is 6 months).
  - Copy the Value of the secret and store it in a secure location.
  - Click Overview, then copy the Application (client) ID and store it in a secure location.
  - Copy the Directory (tenant) ID and store it in a secure location.
- Add your Azure AD directory in the Cloud Identity Engine. (Required for migration) If you are migrating an existing Azure AD configuration, select Actions > Reconnect on the Directories page for the Azure AD you want to migrate, then continue to step 4.3. The Cloud Identity Engine automatically populates the necessary information for step 4.4, so you can continue to step 8 (testing the connection).
  - In the Cloud Identity Engine app, select Directories, then click Add New Directory.
  - Set Up an Azure directory.
  - Select Client Credential Flow as the method you want to use to Connect to Azure AD.
  - Select whether you want to Collect user risk information from Azure AD Identity Protection to use in attribute-based Cloud Dynamic User Groups. If you select this option, you must grant additional permissions for the Cloud Identity Engine in the Azure AD Portal. For more information, refer to the documentation for Cloud Dynamic User Groups.
  - Select whether you want to Collect enterprise applications data so that it displays when you View Directory Data. If you don't want to collect the application data or you don't use application data in your security policy, deselect the checkbox to decrease the sync time. For beta users of this feature, the Cloud Identity Engine continues collecting enterprise application data for any directories configured in your tenant during the beta and no further configuration is required. If you configure a new directory, you must select whether you want to collect enterprise application data from the new directory.
  - Enter the following values, which you collected from the Azure Portal (during migration of an existing Azure AD configuration to the client credential flow, the Cloud Identity Engine automatically populates the Directory ID, the Client ID, and the Client Secret):

    | Copy from Azure Portal  | Enter in Cloud Identity Engine |
    |-------------------------|--------------------------------|
    | Directory (tenant) ID   | Directory ID                   |
    | Application (client) ID | Client ID                      |
    | Value                   | Client Secret                  |
- (Required) Confirm the Cloud Identity Engine app can successfully communicate with your directory.
  - In the Cloud Identity Engine, click Test Connection to confirm that the Cloud Identity Engine can successfully connect to your Azure AD.
- (Optional) Enter a new name to Customize Directory Name in the Cloud Identity Engine.
- In the Cloud Identity Engine app, Submit your changes and verify your directory information when the Directories page displays. You can now use your Azure AD to enforce group-based policy with the Cloud Identity Engine.
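As an added example (not code from the Cloud Identity Engine documentation or product), the following Python shows what the Test Connection step exercises under the hood: the client credential request to the Azure AD v2.0 token endpoint for Microsoft Graph, a check that the access token actually carries the Directory.Read.All and Organization.Read.All application permissions that were admin-consented, and a reminder check against the client secret's Expires date. The placeholder IDs and the unsigned sample token are constructed so the script runs offline.

```python
import base64
import json
from datetime import datetime, timedelta
from urllib.parse import urlencode

# Application permissions the procedure grants to the app registration.
REQUIRED_ROLES = {"Directory.Read.All", "Organization.Read.All"}


def token_request(tenant_id, client_id, client_secret):
    """Build the v2.0 client-credentials request as (endpoint URL, form body)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        # .default requests every application permission admin-consented on the app.
        "scope": "https://graph.microsoft.com/.default",
    })
    return url, body


def missing_roles(access_token):
    """Required Graph app roles absent from the token's `roles` claim.
    Reads the claims only; it does not validate the token signature."""
    part = access_token.split(".")[1]
    payload = json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))
    return REQUIRED_ROLES - set(payload.get("roles", []))


def secret_expiry_warning(expires_iso, now_iso, warn_days=30):
    """Flag a client secret that is expired or expires within warn_days.
    Both arguments are ISO 8601 timestamps (the Expires date you recorded)."""
    remaining = datetime.fromisoformat(expires_iso) - datetime.fromisoformat(now_iso)
    if remaining <= timedelta(0):
        return "client secret expired; create a new secret and update the Cloud Identity Engine"
    if remaining <= timedelta(days=warn_days):
        return f"client secret expires in {remaining.days} days; plan rotation"
    return None


def fake_jwt(claims):
    """Constructed, unsigned token for offline demonstration only (not a real Azure AD token)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}.signature"


if __name__ == "__main__":
    url, body = token_request("TENANT_ID_PLACEHOLDER", "CLIENT_ID_PLACEHOLDER", "SECRET_PLACEHOLDER")
    print(url, body, sep="\n")
    print("missing roles:", missing_roles(fake_jwt({"roles": ["Directory.Read.All"]})))
    print(secret_expiry_warning("2024-06-30T00:00:00", "2024-06-15T00:00:00"))
```

A token that lists only one of the two roles means admin consent was not granted for the other, which is the usual reason Test Connection succeeds at authentication but directory sync later fails.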