Begin Using Azure Active Directory Groups

Configure an app registration on Azure Active Directory to enable SaaS Security to retrieve users and groups.
SaaS Security integrates with an Azure Active Directory (AD) to manage cloud-based identity and access management service. After Azure AD connects to SaaS Security, the service retrieves your user group and membership information.
With an AD integration, you can use the group-based visibility capabilities that SaaS Security API offers, including:
To begin scanning your Azure AD users and groups, you need to:
  • Configure an application registration on Azure AD, using either Microsoft’s new and improved method or the legacy method.
  • Connect Azure AD to SaaS Security.
  • Select the AD groups you want to scan.

Configure an Application Registration on Azure AD (New)

As you configure an application registration on Azure AD to assign SaaS Security the necessary permissions to establish a connection with Azure AD and retrieve users and groups, record the
Directory ID
,
Application ID
, and
Application Key
because you will need this information later to connect Azure AD to SaaS Security.
  1. Log in to Microsoft Azure and select
    Azure Active Directory
    App registrations
    New registration
    .
  2. Enter a
    Name
    , select
    Accounts in this organizational directory only
    , and click
    Register
    .
  3. Copy the
    Application (client) ID
    .
  4. Copy the
    Directory (tenant) ID
    .
  5. Click
    API permissions
    Add a permission
    Microsoft Graph
    Application permissions
  6. Select
    Directory
    Directory.Read.All
    .
    Enable permissions to read directory data to allow SaaS Security to connect to the Azure AD application to read users, groups, and apps in the organization’s directory.
  7. Select
    Group
    Group.Read.All
    and
    Add permissions
    .
    Enable permissions to read all groups to allow Azure Active Directory to list groups, read their properties and membership, and enable SaaS Security to populate a list of groups to scan.
  8. Click
    Grant consent
    and click
    Yes
    to confirm permission change.
  9. Select
    Certificates & secrets
    New client secret
    , enter a
    Description
    , select an expiration, and click
    Add
    .
  10. Copy the unique
    Client secret
    (aka Application Key).

Configure an Application Registration on Azure AD (Legacy)

As you configure an application registration on Azure AD to assign SaaS Security the necessary permissions to establish a connection with Azure AD and retrieve users and groups, record the
Directory ID
,
Application ID
, and
Application Key
because you will need this information later to connect Azure AD to SaaS Security.
  1. Log in to Microsoft Azure, select
    Azure Active Directory
    Properties
    and copy the
    Directory ID
    .
  2. Select
    App registrations
    New application registration
    and enter in
    Name
    and
    Sign-on URL
    .
  3. Click
    Create
    .
  4. Copy the
    Application ID
    .
  5. Select
    Settings
    Required Permissions
    Add
    Select an API
    Microsoft Graph
    .
  6. Add permissions to
    Read all groups
    and
    Read directory data
    .
    • Read all groups
      —allows Azure Active Directory to list groups, read their properties, and group memberships.
    • Read directory data
      —allows Azure Active Directory to read users, groups, and apps in the organization’s directory.
  7. Click
    Select
    to open the
    Enable Access
    list, and choose
    Read all groups
    and
    Read directory data
    .
  8. Click
    Select
    to enable access and
    Done
    to add permissions.
  9. Select
    Keys
    , enter a
    Description
    , select a
    Duration
    , and paste the
    Application ID
    .
  10. Click
    Save
    and copy the Application Key.

Connect Azure Active Directory to SaaS Security

You need to connect Azure AD to SaaS Security so that SaaS Security can retrieve all your AD users and groups.
After you connect Azure AD to SaaS Security, you might need to wait up to 24 hours for all your AD groups to display in the SaaS Security web interface.
  1. Verify that you have an Azure AD account with administrator privileges.
  2. Log in to SaaS Security.
  3. Select
    Settings
    Directory Services
    Connect New
    .
  4. Select
    Azure Active Directory
    , then enter AD information.
    • Directory ID
    • Application ID
    • Authentication Key
  5. Save
    to authenticate Azure Active Directory.
    You can give your Azure AD instance a descriptive name other than the default name, which is Azure Active Directory n, to differentiate it from other instances.

Select Active Directory Groups

Select the groups you need for group-based visibility: policy enforcement, incident management, and selective scanning.
  1. From
    Settings
    Directory Services
    , select the Azure AD instance.
  2. Enter the first few letters or name of the group.
    • >>
      —Adds all groups.
    • >
      —Adds a single group.
    You can add up to 100 groups in total, including nested groups.
  3. Select
    Save
    .

Recommended For You