Microsoft O365 user sync
This plugin automatically syncs users from your Microsoft O365 directory into Enclave. It runs once an hour and syncs all users that have been added, modified, or removed since the last sync.
Configuration
To configure the plugin, you will need to create a new app registration in Azure for your O365 tenant.
- Go to the Azure Portal and log in with your O365 credentials.
- Click on Azure Active Directory (now named Microsoft Entra ID) in the left navigation.
- Click on App Registrations in the left navigation.
- Click on New Registration.
- Enter a name for your application (Enclave) and click Register.
- Click on API Permissions in the left navigation.
- Click on Add a permission.
- Click on Microsoft Graph.
- Click on Application permissions.
- Select the following permissions, and only these; the plugin reads directory data and needs no write access:
  - Group.Read.All
  - GroupMember.Read.All
  - User.ReadBasic.All
- Now click on Grant admin consent for <your tenant name>.
- Click on Certificates & secrets in the left navigation.
- Click on New client secret.
- Enter a description and select an expiration date. Click Add. The plugin stops syncing once the secret expires, so record the date and rotate the secret before then.
- Copy the client secret value and save it somewhere safe. You will need this value to configure the plugin, and the portal will not show it again after you leave the page.
Using the information from these steps, navigate to Enclave and enter it in the plugin's configuration.
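After granting admin consent, it is worth confirming that the app actually holds the three permissions listed above and nothing more. An app-only access token from Microsoft Entra carries the granted application permissions in its `roles` claim, so decoding the token payload gives a quick least-privilege check. The following is an added example written for this page, not code from Enclave or from Microsoft; it parses the payload without verifying the signature (a local sanity check, not an authentication step), and the sample token it builds is constructed and unsigned, for offline demonstration only. In real use you would obtain the token with the client credentials flow (POST to the tenant's `/oauth2/v2.0/token` endpoint with scope `https://graph.microsoft.com/.default`) and pass that string to `check_least_privilege`.

```python
import base64
import json

# Application permissions the configuration steps tell you to grant (Microsoft Graph, app-only).
EXPECTED_ROLES = {"Group.Read.All", "GroupMember.Read.All", "User.ReadBasic.All"}


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment, as used in compact JWTs."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def token_roles(access_token: str) -> set[str]:
    """Return the application permissions ('roles' claim) carried by an app-only token.

    Only the payload is parsed; the signature is NOT verified. Use this on a token
    you just obtained from your own tenant to see what consent actually granted.
    """
    try:
        _header, payload, _signature = access_token.split(".")
    except ValueError as exc:
        raise ValueError("not a compact JWT (expected header.payload.signature)") from exc
    claims = json.loads(_b64url_decode(payload))
    return set(claims.get("roles", []))


def check_least_privilege(access_token: str, expected: set[str] = EXPECTED_ROLES):
    """Compare granted roles with the expected set.

    Returns (missing, extra): permissions the sync needs but were not consented,
    and permissions the app holds that the sync does not need (remove those).
    """
    granted = token_roles(access_token)
    return expected - granted, granted - expected


def _make_sample_token(roles) -> str:
    """Build a CONSTRUCTED, unsigned sample token so the check can run offline."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    header = {"alg": "none", "typ": "JWT"}
    payload = {"aud": "https://graph.microsoft.com", "roles": sorted(roles)}
    return f"{enc(header)}.{enc(payload)}."  # empty signature segment


if __name__ == "__main__":
    exact = _make_sample_token(EXPECTED_ROLES)
    over_privileged = _make_sample_token(EXPECTED_ROLES | {"User.ReadWrite.All"})
    print("exact grant   ->", check_least_privilege(exact))
    print("over-privileged ->", check_least_privilege(over_privileged))
```

If `extra` is non-empty, revoke those permissions on the app registration; if `missing` is non-empty, admin consent was not completed for that permission and the hourly sync will fail on the corresponding Graph call.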
INFO
All sensitive information, like your client secret, is encrypted with our KMS in addition to being encrypted at rest.
Syncing users
Enclave syncs users based on the enclaveGroupId setting, which names a group that you define in Microsoft O365. Only members of this group are synced with Enclave. The group name is case sensitive, so it must match the O365 group name exactly.
Any other groups whose names match a label in Enclave will be assigned as labels to their respective users. This is useful for adding users to enclaves based on their group membership.
INFO
Enclave uses the primary email address as the unique key for a user. If the primary email address is changed, the user will be removed from Enclave and re-added. Email addresses are always lowercased before being synced.
Syncing labels
Optionally, you can choose to sync labels from Microsoft O365. This maps group names to Enclave labels, so that the labels applied to synced users stay consistent with your IAM platform.
WARNING
If labels are removed from Microsoft O365 but are still associated with enclaves or alerts in Enclave, they will not be removed from Enclave. This prevents accidental removal.
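The rules in the two sections above (membership of the enclaveGroupId group, case-sensitive group names, lowercased primary email as the user key, group-to-label mapping, and the protection of labels still in use) are easier to reason about as code. The block below is an added example written for this page, not Enclave's own sync implementation; the directory snapshot, previous sync state and label sets are constructed sample data, and the function names are this example's own.

```python
# Constructed sample of what a Graph query for users and their group memberships
# might return; NOT real directory data. Keys are primary email addresses as
# stored in O365 (note the mixed case on the first one).
DIRECTORY = {
    "Alice.Ng@Example.com": ["Enclave Users", "SOC", "Engineering"],
    "bob@example.com": ["Enclave Users", "soc"],   # 'soc' is not 'SOC': no label match
    "carol@example.com": ["Engineering"],          # not in the sync group: ignored
}


def users_to_sync(directory: dict[str, list[str]], enclave_group: str) -> dict[str, set[str]]:
    """Return {lowercased primary email: set of group names} for members of enclave_group.

    The group name is matched case-sensitively, as the documentation states, so
    "enclave users" would sync nobody from the sample directory above.
    """
    return {
        email.lower(): set(groups)
        for email, groups in directory.items()
        if enclave_group in groups
    }


def diff_users(previous: set[str], current: set[str]) -> tuple[set[str], set[str]]:
    """Compute (to_add, to_remove) between two syncs, keyed by lowercased email.

    Because the email is the unique key, a user whose primary address changed
    appears as one removal plus one addition rather than an update.
    """
    return current - previous, previous - current


def labels_for_user(groups: set[str], enclave_labels: set[str]) -> set[str]:
    """Groups whose names exactly match an existing Enclave label become that user's labels."""
    return groups & enclave_labels


def labels_to_remove(synced_before: set[str], synced_now: set[str], in_use: set[str]) -> set[str]:
    """Labels created by label sync that vanished from O365, excluding any still
    attached to an enclave or alert (those are deliberately kept)."""
    return (synced_before - synced_now) - in_use


if __name__ == "__main__":
    synced = users_to_sync(DIRECTORY, "Enclave Users")
    # State recorded by the previous hourly run (constructed): alice's address has since changed.
    previous = {"alice@example.com", "bob@example.com"}
    to_add, to_remove = diff_users(previous, set(synced))
    print("add:", sorted(to_add), "remove:", sorted(to_remove))

    enclave_labels = {"SOC", "Engineering"}
    for email, groups in sorted(synced.items()):
        print(email, "->", sorted(labels_for_user(groups, enclave_labels)))

    # Label sync: 'Legacy' disappeared from O365 but an enclave still uses it, so it stays.
    print("labels to remove:", labels_to_remove({"SOC", "Legacy"}, {"SOC"}, in_use={"Legacy"}))
```

Two things the sample makes visible: changing a user's primary email drops and re-creates the Enclave user rather than renaming it, and a group named `soc` will not map to an Enclave label `SOC`, so keep group names and label names aligned exactly.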