Set Up Azure Directory

Learn how to set up an Azure directory in the Cloud Identity Engine.
Configure an Azure Active Directory (Azure AD) in the Cloud Identity Engine to allow the Cloud Identity Engine to collect data from your Azure AD for policy rule enforcement and user visibility.
To configure an Azure AD in the Cloud Identity Engine, you must have at least the following role privileges in Azure AD:
  • Application Administrator
  • Cloud Application Administrator
For more information about roles in Azure AD, refer to the following link.
If you Configure Azure Using the CIE Enterprise App, the account you use for the setup must hold the Global Administrator role. That privilege is needed only for the setup step: the enterprise app itself is granted the Cloud Application Administrator role, not Global Administrator, so no standing Global Administrator privilege is delegated to the app.
As an alternative, you can also Configure SCIM Connector for the Cloud Identity Engine to select the attribute data you want to collect with the Cloud Identity Engine.
To further reduce sync time and minimize the amount of data the Cloud Identity Engine collects, you can configure it to sync only specific groups from your directory by filtering the groups. The two options differ in how quickly changes reach the Cloud Identity Engine. SCIM is designed for small, frequent updates, and Microsoft limits the SCIM provisioning cycle to once every 40 minutes. If you filter groups instead of using SCIM, the Cloud Identity Engine can retrieve directory updates as often as every 5 minutes. Choose the option that best fits your organizational and regulatory requirements.
For an Azure Active Directory (AD), the Cloud Identity Engine retrieves updates from the directory on the following schedule:
  • Users, Groups, and Devices—Each time the Cloud Identity Engine syncs changes from the directory.
  • Apps—Every 3 hours, or, if the previous apps sync took longer than 3 hours, as soon as that sync completes.
  • Role Assignments—Every 24 hours, or, if the previous role assignment sync took longer than 24 hours, as soon as that sync completes.
When you configure an Azure AD for the Cloud Identity Engine, log in, and grant the necessary permissions, Microsoft automatically onboards the Cloud Identity Engine Enterprise App into your Azure AD.
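Because the enterprise app is onboarded and consented automatically, it is worth confirming afterwards what the setup account holds and exactly what the app was granted. The following Microsoft Graph PowerShell script is an added example, not code from the Palo Alto Networks documentation: it lists the signed-in account's active directory roles and compares them against the roles named above, then locates the onboarded enterprise app and prints its directory roles, application permissions, and delegated permission grants for review. It assumes the Microsoft.Graph module is installed and that the enterprise app's display name is "Cloud Identity Engine" (adjust `$appName` to the name shown under Enterprise applications in your tenant).

```powershell
# Added example (not from the Cloud Identity Engine documentation).
# Requires the Microsoft.Graph PowerShell module: Install-Module Microsoft.Graph
# Read-only scopes: Directory.Read.All covers role membership and service principals,
# Application.Read.All covers app role assignments and OAuth2 permission grants.
Connect-MgGraph -Scopes 'Directory.Read.All', 'Application.Read.All' -NoWelcome

# --- 1. Which directory roles does the signed-in account hold? -------------------
# Only active assignments appear here; a PIM-eligible role that is not activated
# will not show up, so activate it before running the setup.
$required = @('Global Administrator', 'Application Administrator', 'Cloud Application Administrator')
$me       = Get-MgUser -UserId (Get-MgContext).Account
$myRoles  = Get-MgUserMemberOf -UserId $me.Id -All |
    Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.directoryRole' } |
    ForEach-Object { $_.AdditionalProperties.displayName }

"Signed in as $($me.UserPrincipalName); active directory roles: $($myRoles -join ', ')"
if (-not ($myRoles | Where-Object { $required -contains $_ })) {
    Write-Warning "This account holds none of: $($required -join ', ')"
}

# --- 2. Find the onboarded enterprise app (display name is an assumption) ------
$appName = 'Cloud Identity Engine'
$sp = Get-MgServicePrincipal -Filter "displayName eq '$appName'"
if (-not $sp) {
    throw "No enterprise app named '$appName' found; onboarding may not have completed."
}
"Enterprise app: $($sp.DisplayName) (service principal $($sp.Id), appId $($sp.AppId))"

# Directory roles assigned to the app itself; the page says this should be
# Cloud Application Administrator, not Global Administrator.
$spRoles = Get-MgServicePrincipalMemberOf -ServicePrincipalId $sp.Id -All |
    Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.directoryRole' } |
    ForEach-Object { $_.AdditionalProperties.displayName }
"App directory roles: $($spRoles -join ', ')"
if ($spRoles -contains 'Global Administrator') {
    Write-Warning "The app holds Global Administrator; expected Cloud Application Administrator only."
}

# --- 3. Application permissions (app roles) the app was granted -----------------
$appPerms = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All | ForEach-Object {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $_.ResourceId
    $roleId   = $_.AppRoleId
    $role     = $resource.AppRoles | Where-Object { $_.Id -eq $roleId }
    [pscustomobject]@{ Type = 'Application'; Resource = $resource.DisplayName; Permission = $role.Value }
}

# --- 4. Delegated permissions granted on behalf of users -------------------------
$delegated = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All | ForEach-Object {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $_.ResourceId
    [pscustomobject]@{ Type = "Delegated ($($_.ConsentType))"; Resource = $resource.DisplayName; Permission = $_.Scope }
}

# Review this table against what the Cloud Identity Engine actually needs
# (directory read access for users, groups, devices, apps and role assignments).
($appPerms + $delegated) | Sort-Object Type, Resource | Format-Table -AutoSize
```

Run this once after the onboarding completes and keep the output with your change record; rerun it after any later re-consent so that a widened permission set on the enterprise app does not go unnoticed.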