: Begin Using Azure Active Directory Groups
Focus
Focus

Begin Using Azure Active Directory Groups

Table of Contents

Begin Using Azure Active Directory Groups

Configure an app registration on Azure Active Directory to enable SaaS Security to retrieve users and groups.
SaaS Security integrates with an Azure Active Directory (AD) to manage a cloud-based identity and access management service. After Azure Active Directory connects to SaaS Security, the service retrieves your user group and membership information.
With an Active Directory integration, you can use the group-based visibility capabilities that
Data Security
offers, including:
To begin scanning your Azure Active Directory users and groups, you need to:
  • Configure an application registration on Azure Active Directory, using either Microsoft’s new and improved method or the legacy method.
  • Connect Azure Active Directory to SaaS Security.
  • Select the Active Directory groups you want to scan.

Configure an Application Registration on Azure Active Directory (New)

As you configure an application registration on Azure Active Directory to assign SaaS Security the necessary permissions to establish a connection with Azure Active Directory and retrieve users and groups, record the
Directory ID
,
Application ID
, and
Application Key
because you will need this information later to connect Azure Active Directory to SaaS Security.
  1. Log in to Microsoft Azure and select
    Azure Active Directory
    App registrations
    New registration
    .
  2. Enter a
    Name
    , select
    Accounts in this organizational directory only
    , and click
    Register
    .
  3. Copy the
    Application (client) ID
    .
  4. Copy the
    Directory (tenant) ID
    .
  5. Click
    API permissions
    Add a permission
    Microsoft Graph
    Application permissions
    .
  6. Select
    Directory
    Directory.Read.All
    .
    Enable permissions to read directory data to allow SaaS Security to connect to the Azure Active Directory application to read users, groups, and apps in the organization’s directory.
  7. Select
    Group
    Group.Read.All
    and
    Add permissions
    .
    Enable permissions to read all groups to allow Azure Active Directory to list groups, read their properties and membership, and enable SaaS Security to populate a list of groups to scan.
  8. Click
    Grant consent
    and click
    Yes
    to confirm permission change.
  9. Select
    Certificates & secrets
    New client secret
    , enter a
    Description
    , select an expiration, and click
    Add
    .
  10. Copy the unique
    Client secret
    (aka Application Key).

Configure an Application Registration on Azure AD (Legacy)

As you configure an application registration on Azure Active Directory to assign SaaS Security the necessary permissions to establish a connection with Azure Active Directory and retrieve users and groups, record the
Directory ID
,
Application ID
, and
Application Key
because you will need this information later to connect Azure Active Directory to SaaS Security.
  1. Log in to Microsoft Azure, select
    Azure Active Directory
    Properties
    and copy the
    Directory ID
    .
  2. Select
    App registrations
    New application registration
    and enter in
    Name
    and
    Sign-on URL
    .
  3. Click
    Create
    .
  4. Copy the
    Application ID
    .
  5. Select
    Settings
    Required Permissions
    Add
    Select an API
    Microsoft Graph
    .
  6. Add permissions to
    Read all groups
    and
    Read directory data
    .
    • Read all groups
      —allows Azure Active Directory to list groups, read their properties, and group memberships.
    • Read directory data
      —allows Azure Active Directory to read users, groups, and apps in the organization’s directory.
  7. Click
    Select
    to open the
    Enable Access
    list, and choose
    Read all groups
    and
    Read directory data
    .
  8. Click
    Select
    to enable access and
    Done
    to add permissions.
  9. Select
    Keys
    , enter a
    Description
    , select a
    Duration
    , and paste the
    Application ID
    .
  10. Click
    Save
    and copy the Application Key.

Connect Azure Active Directory to SaaS Security

You need to connect Azure Active Directory to SaaS Security so that SaaS Security can retrieve all your Active Directory users and groups.
After you connect Azure Active Directory to SaaS Security, you might need to wait up to 24 hours for all your Active Directory groups to display in the SaaS Security web interface.
  1. Verify that you have an Azure Active Directory account with administrator privileges.
  2. Log in to SaaS Security.
    If you are using this console
    Select
    Cloud Management Console
    Settings
    Directory & External Services
    Connect New
    .
    SaaS Security Console
    Settings
    Directory Services
    Connect New
    .
  3. Select
    Azure Active Directory
    , then enter Active Directory information.
    • Directory ID
    • Application ID
    • Authentication Key
  4. Save
    to authenticate Azure Active Directory.
    You can give your Azure Active Directory instance a descriptive name other than the default name, which is Azure Active Directory n, to differentiate it from other instances.

Select Active Directory Groups

Select the groups you need for group-based visibility: Policy enforcement, incident management, and selective scanning.
  1. Log in to SaaS Security.
    If you are using this console
    Select
    Cloud Management Console
    Settings
    Directory & External Services
    .
    SaaS Security Console
    Settings
    Directory Services
    .
  2. Select the Azure Active Directory instance.
  3. Enter the first few letters or name of the group.
    • >>
      —Adds all groups.
    • >
      —Adds a single group.
    You can add up to 100 groups in total, including nested groups.
  4. Select
    Save
    .

Recommended For You