Overview Entra ID Connector
The IDHub Entra connector manages accounts, groups, and roles across all domains in a Microsoft Entra ID tenant (Business, Education, or other environments), provided the service account configured in the application has sufficient access to those domains.
The Entra connector also:
- Uses Entra ID's change stream to track changes.
- Syncs data with IDHub every 5 minutes to keep information current.
- Uses the current Microsoft Graph API for all communication with Entra ID.
- Provides out-of-the-box logic that distinguishes Microsoft 365 (formerly Office 365) groups from security groups.
Entra manages accounts, groups, and roles within the Azure organization infrastructure.
Entra is the new name for Azure Active Directory (Azure AD). This guide refers to the connector as 'Entra' except where 'Azure AD' is still utilized, such as in some user interface configurations.
For more information about Connector Health and its status, click here.
Architecture
The connector's architecture follows the diagram below. It consists of two parts: the connector application and a target-system component. The target-system component handles native communication with Entra ID through the Entra ID-specific SPI implementation. This split allows rapid, straightforward connector deployment and precise versioning of the connector bundle. The Microsoft Graph API is used for provisioning and reconciliation against Microsoft Entra ID.
Features
- Account Management for Users (B2B)
- Account - Group Management
- Microsoft Teams
- Microsoft Entra ID Role Management
- License Plan Management
- Authentication Features
  - OAuth 2.0 Authentication
  - Multi-factor Authentication (MFA) Management
  - Single Sign-On (SSO) Management
- Change Stream
The features are described in detail below.
Account Management for Users(B2B)
This section lists the user-management operations supported by the Entra ID connector:
Operation | Supported |
---|---|
Create user | Yes |
Update user | Yes |
Enable/Disable user | Yes |
Set Password | Yes |
Fetch Account | Yes |
Account Reconciliation | Yes |
Add/Remove Entitlements for User (individual license plans, roles, group memberships) | Yes |
Note: federated (hybrid) users are synchronized from on-premises Active Directory. Attributes mastered on-prem are rejected by Entra ID when written from the cloud side, so changes to those attributes must be made in on-prem AD rather than through the connector.
Account - Group Management
The connector pulls all Entra ID groups and keeps them in IDHub as entitlements of type 'Group'. It supports several group types and keeps them as separate group objects, since each has a distinct purpose in Entra ID:
- Microsoft 365 groups (formerly Office 365 groups) - collaboration groups that carry a shared mailbox and SharePoint site and can contain both internal and guest (external) users.
- Distribution lists (distribution groups) - email distribution to a set of recipients; they carry no access rights.
- Security groups - access control to resources such as SharePoint sites, applications and role assignments.
- Mail-enabled security groups - access control combined with email distribution.
Microsoft Teams
A Team is built on top of a Microsoft 365 group and adds workspace chat, video meetings, file storage and application integrations. Teams are represented in IDHub as entitlement type 'Group' because the connector works with directory objects, and the underlying Microsoft 365 group is what Entra ID exposes.
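The four group types above, and the Team on top of a Microsoft 365 group, are all distinguishable from the attributes Microsoft Graph returns on a group object. The following is an added example, not IDHub's connector code, showing that classification together with two flags a provisioning engine should carry on the resulting 'Group' entitlement: dynamic membership (which cannot be provisioned directly) and role-assignable groups (where adding a member grants a directory role). The sample groups and their ids are constructed for the example.

```python
"""Added example, not IDHub connector code: classify Entra ID group objects as
Microsoft Graph returns them (GET /groups) into the group types this page lists,
and flag the two cases a provisioning engine must treat specially.
The sample groups below are constructed; no tenant access is needed."""

M365 = "Microsoft 365 group"
SECURITY = "Security group"
MAIL_SECURITY = "Mail-enabled security group"
DISTRIBUTION = "Distribution list"


def classify_group(group: dict) -> str:
    """Map groupTypes / mailEnabled / securityEnabled to the page's group types."""
    group_types = set(group.get("groupTypes") or [])
    mail = bool(group.get("mailEnabled"))
    sec = bool(group.get("securityEnabled"))
    if "Unified" in group_types:      # "Unified" marks a Microsoft 365 group
        return M365
    if sec and mail:
        return MAIL_SECURITY
    if sec:
        return SECURITY
    if mail:
        return DISTRIBUTION
    raise ValueError(f"unclassifiable group {group.get('id')}")


def to_entitlement(group: dict) -> dict:
    """Build the 'Group' entitlement record plus flags that change how it is provisioned."""
    kind = classify_group(group)
    group_types = group.get("groupTypes") or []
    return {
        "id": group["id"],
        "name": group["displayName"],
        "entitlement_type": "Group",
        "group_type": kind,
        # A Team is an M365 group with the Team resource provisioned on top of it.
        "is_team": kind == M365 and "Team" in (group.get("resourceProvisioningOptions") or []),
        # Dynamic membership is rule-driven: reconcile members, never provision them directly.
        "dynamic_membership": "DynamicMembership" in group_types,
        # Role-assignable groups carry directory roles; adding a member is a privileged
        # change that should pass an approval step, not plain entitlement assignment.
        "role_assignable": bool(group.get("isAssignableToRole")),
    }


def build_group_entitlements(graph_response: dict) -> list[dict]:
    """Turn one page of a Graph /groups response into entitlement records."""
    return [to_entitlement(g) for g in graph_response.get("value", [])]


# Constructed sample: a Graph /groups page with one group of each kind.
SAMPLE_GROUPS_RESPONSE = {
    "value": [
        {"id": "g-m365", "displayName": "Finance Team", "mailEnabled": True,
         "securityEnabled": False, "groupTypes": ["Unified"],
         "resourceProvisioningOptions": ["Team"]},
        {"id": "g-sec", "displayName": "VPN Users", "mailEnabled": False,
         "securityEnabled": True, "groupTypes": []},
        {"id": "g-mes", "displayName": "SOC Analysts", "mailEnabled": True,
         "securityEnabled": True, "groupTypes": []},
        {"id": "g-dl", "displayName": "All Staff", "mailEnabled": True,
         "securityEnabled": False, "groupTypes": []},
        {"id": "g-dyn", "displayName": "Contractors", "mailEnabled": False,
         "securityEnabled": True, "groupTypes": ["DynamicMembership"]},
        {"id": "g-priv", "displayName": "Helpdesk Admins", "mailEnabled": False,
         "securityEnabled": True, "groupTypes": [], "isAssignableToRole": True},
    ]
}

if __name__ == "__main__":
    for ent in build_group_entitlements(SAMPLE_GROUPS_RESPONSE):
        print(ent)
```

A group that is neither mail-enabled nor security-enabled does not exist in Entra ID, so the classifier raises rather than silently mapping it; in a reconciliation run that should surface as a data error, not as an entitlement of unknown type.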
The following operations are supported for Microsoft 365 groups:
Operation | Supported |
---|---|
Add/Remove Owner | Yes |
Add/Remove Member | Yes |
Entra ID Admin Role Management
Microsoft Entra ID roles grant administrators granular permissions in line with the principle of least privilege. Roles in Entra ID control access to users, groups and applications. There are two types of role in Entra ID:
- Built-in roles - roles shipped by Entra ID with a fixed set of permissions; their definitions cannot be modified.
- Custom roles - roles composed by the tenant from selected permissions to meet custom requirements.
Note that the account the connector uses to provision role membership can hand out every role it is permitted to assign, so its credentials should be protected accordingly and its own role kept to the minimum the connector needs.
The following operations are supported for Microsoft Entra ID roles:
Operation | Supported |
---|---|
Provision Member Access to Roles | Yes |
Remove Member Access to Roles | Yes |
Reconcile Roles | Yes |
Reconcile Member Access to Roles | Yes |
License Plan Management
For Azure, IDHub also manages subscriptions and pulls the Azure management objects:
- Management Groups
- Subscriptions
- Resource Groups
License plans (service plans) are likewise managed by the Entra ID connector, as entitlements of type 'License'.
Operation | Supported |
---|---|
Provision Member to License Plan | Yes |
Remove Member from License Plan | Yes |
Reconcile License Plans | Yes |
Reconcile Members in License Plan | Yes |
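In Microsoft Graph a license is a subscribedSku, and the individual service plans inside it are switched off per user through a disabledPlans list, so the 'License' entitlement above maps to a skuId plus a set of disabled service plan ids. The following is an added example, not IDHub's code, of the reconciliation step behind "Provision Member to License Plan" and "Remove Member from License Plan": it diffs a user's current assignedLicenses against the desired set, runs the checks Graph enforces (usageLocation set, SKU subscribed, plan ids valid, units available) and produces the body for POST /users/{id}/assignLicense. The SKU snapshot, user object and all ids are constructed for the example.

```python
"""Added example (not IDHub code): build the Graph assignLicense request that
moves a user from their current assignedLicenses to a desired license set, and
run the pre-checks Graph enforces. All SKU ids, plan ids and users are fake."""

# Constructed /subscribedSkus snapshot: prepaidUnits.enabled minus consumedUnits is what is free.
SUBSCRIBED_SKUS = {
    "sku-e5": {"prepaidUnits": {"enabled": 5}, "consumedUnits": 2,
               "servicePlans": [{"servicePlanId": "plan-exchange"},
                                {"servicePlanId": "plan-teams"}]},
    "sku-phone": {"prepaidUnits": {"enabled": 1}, "consumedUnits": 1,
                  "servicePlans": [{"servicePlanId": "plan-phone"}]},
}

# Constructed user as returned by GET /users/{id}?$select=usageLocation,assignedLicenses
SAMPLE_USER = {
    "id": "u1",
    "usageLocation": "US",
    "assignedLicenses": [{"skuId": "sku-e5", "disabledPlans": []},
                         {"skuId": "sku-old", "disabledPlans": []}],
}


def plan_license_changes(user: dict, desired: dict[str, set[str]], skus: dict) -> dict:
    """desired maps skuId -> service plan ids that must stay disabled.
    Returns {"body": assignLicense payload or {} when nothing changes, "errors": [...]}."""
    errors = []
    # Graph rejects license assignment for a user whose usageLocation is not set.
    if not user.get("usageLocation"):
        errors.append("usageLocation is not set")
    current = {a["skuId"]: set(a.get("disabledPlans") or [])
               for a in user.get("assignedLicenses", [])}
    add = []
    for sku_id, disabled in desired.items():
        sku = skus.get(sku_id)
        if sku is None:
            errors.append(f"{sku_id}: not subscribed in this tenant")
            continue
        valid_plans = {p["servicePlanId"] for p in sku["servicePlans"]}
        if not disabled <= valid_plans:
            errors.append(f"{sku_id}: unknown service plans {sorted(disabled - valid_plans)}")
            continue
        if sku_id not in current:
            free = sku["prepaidUnits"]["enabled"] - sku["consumedUnits"]
            if free <= 0:
                errors.append(f"{sku_id}: no free units "
                              f"({sku['consumedUnits']} of {sku['prepaidUnits']['enabled']} consumed)")
                continue
        if sku_id not in current or current[sku_id] != disabled:
            # Re-sending an already-assigned SKU with a new disabledPlans list is how
            # individual service plans are turned on or off for the user.
            add.append({"skuId": sku_id, "disabledPlans": sorted(disabled)})
    remove = sorted(set(current) - set(desired))
    body = {"addLicenses": add, "removeLicenses": remove} if (add or remove) else {}
    return {"body": body, "errors": errors}


if __name__ == "__main__":
    # Keep E5 but switch off Teams, drop the legacy SKU.
    print(plan_license_changes(SAMPLE_USER, {"sku-e5": {"plan-teams"}}, SUBSCRIBED_SKUS))
```

The checks are separated from the payload so a reconciliation run can report every blocked assignment in one pass instead of failing on the first Graph error; a caller should only send the body when the errors list is empty.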
Authentication Features
IDHub uses Keycloak for authentication. SAML-based Single Sign-On and MFA can be set up against your Entra ID tenant independently of the connector features.
Change Stream
The connector has a robust reconciliation feature built on the change stream function of Entra ID. The reconciliation features include:
Account Reconciliation: brings all existing user data from the target system into IDHub. If the target system has an attribute that stores the timestamp at which an item was created or modified, IDHub performs incremental reconciliation after the first full reconciliation completes, so account information reaches IDHub more efficiently.
Entitlement Reconciliation: entitlements such as Microsoft groups, roles and license plans can also be reconciled on demand. A reconciliation (sync) updates the entitlement metadata and all user accounts associated with each entitlement.
IDHub uses the change stream to pull all account and entitlement related changes every 5 minutes and apply them to IDHub. Use IDHub's stale data function to remove user accounts from IDHub when they are no longer present in your Entra ID.
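The following is an added example, not IDHub's code, of the incremental cycle described above. It assumes the change stream is backed by a Microsoft Graph delta query: GET /users/delta returns pages joined by @odata.nextLink, the last page carries an @odata.deltaLink that is persisted and called on the next cycle to receive only what changed, and objects that are gone come back with an "@removed" annotation, which is where the stale-data handling hooks in. The pages and user ids are constructed, and fetch_page stands in for the authenticated HTTP call.

```python
"""Added example (not IDHub code): incremental user reconciliation driven by a
Microsoft Graph delta query. Responses below are constructed; fetch_page is a
stand-in for GET <url> with a bearer token."""

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed responses keyed by URL: a two-page initial sync, then one delta round.
FAKE_PAGES = {
    f"{GRAPH}/users/delta": {
        "value": [{"id": "u1", "userPrincipalName": "alice@contoso.example", "accountEnabled": True},
                  {"id": "u2", "userPrincipalName": "bob@contoso.example", "accountEnabled": True}],
        "@odata.nextLink": f"{GRAPH}/users/delta?$skiptoken=page2",
    },
    f"{GRAPH}/users/delta?$skiptoken=page2": {
        "value": [{"id": "u3", "userPrincipalName": "carol@contoso.example", "accountEnabled": True}],
        "@odata.deltaLink": f"{GRAPH}/users/delta?$deltatoken=t1",
    },
    f"{GRAPH}/users/delta?$deltatoken=t1": {
        "value": [{"id": "u2", "accountEnabled": False},           # only the changed property
                  {"id": "u3", "@removed": {"reason": "deleted"}}],
        "@odata.deltaLink": f"{GRAPH}/users/delta?$deltatoken=t2",
    },
}


def fetch_page(url: str) -> dict:
    """Stand-in for the HTTP GET. A real client must also handle 410 Gone, which
    Graph returns when a delta token is too old and a full resync is required."""
    return FAKE_PAGES[url]


def run_delta_cycle(start_url: str, accounts: dict, fetch=fetch_page):
    """Follow every page from start_url, merge changes into accounts (id -> attrs)
    and return (next_delta_link, stale). stale lists (id, reason) for accounts
    Entra reported as removed; IDHub's stale-data handling applies to those."""
    url = start_url
    stale = []
    while url:
        page = fetch(url)
        for obj in page.get("value", []):
            oid = obj["id"]
            if "@removed" in obj:
                # reason "deleted" = permanently deleted; "changed" = soft-deleted or out of scope
                accounts.pop(oid, None)
                stale.append((oid, obj["@removed"].get("reason")))
                continue
            # Delta pages carry only changed properties, so merge rather than replace.
            accounts.setdefault(oid, {}).update(
                {k: v for k, v in obj.items() if not k.startswith("@")})
        if "@odata.deltaLink" in page:
            return page["@odata.deltaLink"], stale   # persist this for the next cycle
        url = page.get("@odata.nextLink")
    raise RuntimeError("delta response ended without a deltaLink")


if __name__ == "__main__":
    store = {}
    link, stale = run_delta_cycle(f"{GRAPH}/users/delta", store)  # first run: full import
    print(len(store), "accounts imported; persist", link)
    link, stale = run_delta_cycle(link, store)                    # next 5-minute cycle
    print(store)
    print("stale:", stale)
```

The deltaLink is the only state the cycle needs between runs, so it should be persisted transactionally together with the merged accounts: if the link is saved but the merge is lost, the next cycle skips those changes and the directory and IDHub silently diverge until the next full reconciliation.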
Connector Server is one of the features provided by IDHub. Using one or more connector servers, the connector architecture lets your application communicate with externally deployed bundles. If you do not want to run the IDHub Java connector bundle in the same VM as the application, you can run the connector on a different host for better performance.