Integrate with Azure Active Directory

Configure an app registration on Azure Active Directory to enable SaaS Security to retrieve users and groups
If you performed an Azure Active Directory integration for SaaS Security API, SaaS Security Inline uses that same integration framework, and you do not need to repeat this integration.
SaaS Security integrates with Azure Active Directory (AD) to manage cloud-based identity and access management service. After Azure AD connects to SaaS Security, the service retrieves your groups, which you can specify in your SaaS policy rule recommendations. Creating policy rule recommendations based on user group membership rather than individual users simplifies administration because you don’t need to update the recommendation whenever group membership changes.
To integrate Azure AD, you need to:
  • Configure an application registration on Azure AD.
  • Connect Azure AD to SaaS Security.
  • Select the AD groups you want to scan.

Configure an Application Registration on Azure AD

As you create an application on Azure AD to assign SaaS Security the necessary permissions to establish a connection with Azure AD and retrieve groups, record the
Directory ID
,
Application ID
, and
Application Key
because you will need this information later to connect Azure AD to SaaS Security.
  1. Log in to Microsoft Azure and select
    Azure Active Directory
    App registrations
    New registration
    .
  2. Enter a
    Name
    , select
    Accounts in this organizational directory only
    , and click
    Register
    .
  3. Copy the
    Application (client) ID
    .
  4. Copy the
    Directory (tenant) ID
    .
  5. Click
    API permissions
    Add a permission
    Microsoft Graph
    Application permissions
  6. Select
    Directory
    Directory.Read.All
    .
    Enable permissions to read directory data to allow SaaS Security to connect to the Azure AD application to read users, groups, and apps in the organization’s directory.
  7. Select
    Group
    Group.Read.All
    and
    Add permissions
    .
    Enable permissions to read all groups to allow Azure Active Directory to list groups, read their properties and membership, and enable SaaS Security to populate a list of groups to scan.
  8. Click
    Grant consent
    and click
    Yes
    to confirm permission change.
  9. Select
    Certificates & secrets
    New client secret
    , enter a
    Description
    , select an expiration, and click
    Add
    .
  10. Copy the unique
    Client secret
    (Application Key).

Connect Azure Active Directory to SaaS Security

You need to connect Azure AD to SaaS Security so that SaaS Security Inline and SaaS Security API can retrieve all your AD groups.
After you connect Azure AD to SaaS Security Inline, you might need to wait up to 24 hours for all your AD groups to display in the SaaS Security Inline web interface.
  1. Verify that you have an Azure AD account with administrator privileges.
  2. Log in to SaaS Security.
  3. Select
    Settings
    Directory Services
    Connect New
    .
  4. Select
    Azure Active Directory
    , then enter AD information.
    • Directory ID
    • Application ID
    • Authentication Key
  5. Save
    to authenticate Azure Active Directory.
    You can give your Azure AD instance a descriptive name other than the default name, which is Azure Active Directory n, to differentiate it from other instances.

Recommended For You