
Azure Active Directory

The Microsoft Azure Active Directory (AD) Target Connector integrates Microsoft Azure AD with your source systems through the HelloID Identity and Access Management (IAM) solution from Tools4ever. The integration simplifies the management of access rights and user accounts within your organization, ensures consistency, and reduces the risk of errors. This article provides more information about this integration and its capabilities.

What is Microsoft Azure AD?

Microsoft Azure AD, now available under the name Microsoft Entra ID, is an identity and access management solution from Microsoft. It helps organizations keep identities secure and manageable across hybrid and multicloud environments. Microsoft Azure AD is fully cloud-based and provides employees with access to various external resources, including Microsoft 365, the Azure Portal, and a broad range of SaaS applications.

Why is a Microsoft Azure AD Integration Useful?

Optimizing productivity within your organization requires that users have access to the right services, systems, and resources, which in turn requires user accounts and authorizations. Through Microsoft Azure AD, permissions are managed using Microsoft 365 groups, among other mechanisms. This controls access to most Microsoft cloud services, including Microsoft Teams, SharePoint, Yammer, and Power BI. By integrating your source systems with Microsoft Azure AD, you automate this process entirely. The Microsoft Azure AD connector supports integration with various popular source systems, including:

  • AFAS
  • TOPdesk

Further details about the integration with these source systems can be found later in this article.

HelloID for Microsoft Azure AD Helps You With

Error-free account management: The integration between your source systems and Microsoft Azure AD ensures consistent, error-free operations. The integration ensures that users never have more authorizations than strictly necessary and always have the accounts and authorizations they need. At the same time, you are confident that accounts are deactivated in a timely manner after an employee's departure to prevent unauthorized access.

Faster account provisioning: The Microsoft Azure AD connector automates user provisioning, delivering significant time savings. When a new user is created in a source system, HelloID detects this change and, if configured, creates an account in Azure AD without requiring manual intervention. This allows users to become productive more quickly.

Improved service levels: The integration between your source systems and Microsoft Azure AD prevents errors and ensures consistency, elevating your service level. Users always have the accounts and authorizations they need, while avoidable errors such as premature revocation of authorizations or assignment of incorrect authorizations are prevented.

Successful audit completion: All actions and changes performed by HelloID are recorded in a complete audit trail. This allows you to demonstrate at any time that you are in control and keeps you fully prepared for audits.

Hybrid environment support: The integration supports a hybrid setup, for example when you have migrated your mailboxes to the cloud but still operate an on-premises Active Directory. HelloID ensures seamless operation in this hybrid environment. You can provision users to your on-premises Active Directory environment while assigning cloud service permissions to users.

Strengthening security for Microsoft Azure AD accounts: Multi-factor authentication (MFA) elevates the security of Microsoft Azure AD accounts. When MFA is enabled, users log in not only with a username and password but also verify their identity via a code received on a mobile phone number or email address.

How HelloID Integrates with Microsoft Azure AD

HelloID enables you to connect Microsoft Azure AD as a target system to your source systems using a connector. HelloID acts as an intermediary, translating between source systems and Microsoft Azure AD, which is necessary because systems typically do not communicate with each other natively. The integration automates the account lifecycle and permission management in Microsoft Azure AD.

Change in source system: Procedure in Microsoft Azure AD

New employee: HelloID creates the required accounts in Microsoft Azure AD for new employees based on information from your source systems. The IAM solution can manage all attributes of an Azure AD account and uses the Microsoft Graph API for this purpose. New accounts are inactive by default. If configured, HelloID can automatically activate the account when employment begins.

Employee data change: When employee data in your source systems changes, HelloID updates their Microsoft Azure AD accounts accordingly, for example by changing a display name or login name. The IAM solution manages accounts at the attribute level.

Role change: When an employee's role changes, this may require different authorizations. HelloID automatically adjusts permissions in Microsoft Azure AD based on role changes in your source systems, for example by adding a user to a cloud group to grant permissions or by revoking permissions when the user no longer meets the applicable conditions.

Employee offboarding: When an employee leaves the organization, you want to deactivate their Azure AD account promptly. HelloID automates this process and prevents errors. If configured, HelloID will also automatically delete the account after a defined period.

Using dynamic permissions saves significant time. Dynamic permissions in HelloID work entirely on the basis of source data. For example, you can configure all department groups based on a single business rule. HelloID maps correlations between source data and the corresponding groups. A key advantage over standard non-dynamic permissions is that dynamic permissions automatically adapt to the changing structure of your organization. If you create a new department in your HR system, HelloID detects this and automatically assigns the correct memberships to relevant users through dynamic permissions. Another significant advantage is the availability of a complete audit trail for this process in HelloID.

HelloID uses the Microsoft Graph API to exchange data between your source systems and Microsoft Azure AD. The Microsoft Graph API is a RESTful web API that provides access to Microsoft Cloud service resources. To use this API, it must be configured within Azure AD and linked to the appropriate permissions.
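The lifecycle and dynamic-permission behaviour described above can be pictured as a reconciliation step that turns one source record into Microsoft Graph requests. The sketch below is an added example, not HelloID code: the field names, the status values (upcoming, active, left), the sample data and the department-to-group rule are assumptions, and it only plans requests without sending them.

```python
# Added illustration, not HelloID code. Field names, the status values and the
# department-to-group rule are assumptions; the paths are Microsoft Graph v1.0.
GRAPH = "https://graph.microsoft.com/v1.0"
SYNCED = ("displayName", "userPrincipalName")  # attributes the connector may write

def plan(person, account, dept_groups):
    """Return the Graph requests (method, path, body) that bring one account
    in line with the source record. account is None if none exists yet."""
    if account is None:
        if person["status"] == "left":
            return []
        body = {a: person[a] for a in SYNCED}
        body.update(
            accountEnabled=False,  # new accounts start inactive
            mailNickname=person["userPrincipalName"].split("@")[0],
            passwordProfile={"password": "<generated-at-runtime>",
                             "forceChangePasswordNextSignIn": True})
        return [("POST", "/users", body)]
    uid = account["id"]
    # Attribute-level update: send only the values that differ.
    patch = {a: person[a] for a in SYNCED if person[a] != account[a]}
    enabled = person["status"] == "active"
    if person["status"] != "upcoming" and account["accountEnabled"] != enabled:
        patch["accountEnabled"] = enabled  # activate at start, disable at exit
    ops = [("PATCH", f"/users/{uid}", patch)] if patch else []
    # Dynamic rule: membership follows the department; only groups the rule
    # owns are ever removed, so manually assigned groups stay untouched.
    managed = set(dept_groups.values())
    wanted = set()
    if person["status"] != "left" and person["department"] in dept_groups:
        wanted = {dept_groups[person["department"]]}
    current = account["groups"] & managed
    for gid in sorted(wanted - current):
        ref = {"@odata.id": f"{GRAPH}/directoryObjects/{uid}"}
        ops.append(("POST", f"/groups/{gid}/members/$ref", ref))
    for gid in sorted(current - wanted):
        ops.append(("DELETE", f"/groups/{gid}/members/{uid}/$ref", None))
    return ops

# Constructed sample: an employee who moved from Finance to IT.
DEPT_GROUPS = {"Finance": "g-fin", "IT": "g-it"}
PERSON = {"displayName": "Sam Jansen", "userPrincipalName": "s.jansen@example.com",
          "department": "IT", "status": "active"}
ACCOUNT = {"id": "u1", "displayName": "Sam Jansen", "accountEnabled": True,
           "userPrincipalName": "s.jansen@example.com", "groups": {"g-fin", "g-x"}}

if __name__ == "__main__":
    for op in plan(PERSON, ACCOUNT, DEPT_GROUPS):
        print(op)
```

Because the plan is a plain list of requests, it can be written to the audit trail or reviewed in a dry run before anything is sent to Azure AD.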

Custom Data Exchange

The configuration of your target connector determines in large part how HelloID exchanges data between your source systems and Microsoft Azure AD. You can tailor this behavior to your organization, with your specific needs at the center. Within Azure AD, permissions determine exactly what HelloID is and is not allowed to do.

For the connector configuration, Tools4ever always conducts an intake and design session. An intake document records how you want to create Azure AD accounts and specifies at the attribute level what HelloID is allowed to update. You remain in control and can always modify this configuration through the IAM solution's dashboard.

HelloID uses a set of structured business rules to give you control over an employee's authorizations. Business rules are chosen deliberately over a static authorization matrix: they are more flexible, more versatile, and can be managed directly through a user-friendly interface within HelloID.

Connecting Microsoft Azure AD to Source Systems via HelloID

HelloID can connect various source systems to your Microsoft Azure AD environment, enabling fully automated changes in Microsoft Azure AD based on information from your source systems. This saves significant time and elevates the management of users and authorizations. Examples of common integrations include:

AFAS to Microsoft Azure AD integration: This integration automates numerous manual tasks. It ensures that business email addresses are automatically written back to the source system after a Microsoft Azure AD account has been provisioned. HelloID can also manage users in AFAS on request, such as activating a user in AFAS or blocking an account in a timely manner so it does not count against AFAS licenses. Another example is registering the userPrincipalName (UPN) field for single sign-on (SSO).

TOPdesk to Microsoft Azure AD integration: This integration ensures that TOPdesk and Microsoft Azure AD are always fully in sync for SSO purposes. This is important because SSO streamlines the user experience and strengthens security by enabling secure login. The integration also simplifies the management of user accounts and authorizations.

HelloID offers 200 connectors, enabling you to connect the IAM solution to a broad range of source and target systems. These extensive integration capabilities allow you to connect Azure AD to all popular target systems.
