Microsoft Graph User Import Object
In the last step, a “Microsoft Graph User Import” object has to be created. This object enables the synchronization of the AD users and can be created in any room. In order to create this object, the user needs a “Fabasoft Approve (Full access)” license. The necessary settings can be defined on the “Settings” page of the object's properties. Alternatively, the settings can be entered when the object is created during the registration of the application in the AD.
The following list explains the fields from the illustration above.
- Attribute 1 - Name
The name of the “Microsoft Graph User Import” object is entered here. It has no influence on the functionality of the user synchronization.
- Attribute 2 - Tenant ID
The Tenant ID specifies which directory's users can log in to the application. The “Directory (tenant) ID” must be entered here; it is shown under the “Overview” menu item of the application registration in the AD.
- Attribute 3 - Client ID
The “Application (client) ID” shown under “Overview” has to be entered here. This is the unique identifier of the previously registered application and is needed to authenticate for the user synchronization.
- Attribute 4 - Client Secret
This is the secret application key, which can be created during the registration of the application in the AD. It is a secret string used by the application to request an OAuth token and is often also referred to as the “application password”. The value (not the ID) of the Client Secret has to be entered in this input field.
- Attribute 5 - Checkbox “Do Not Request Permission to Read All Groups”
By default (if the checkbox is not checked), the “group.read.all” and “offline_access” privileges are requested from Microsoft Azure Active Directory in order to list all groups and to read their properties and all group memberships on behalf of the signed-in user.
In certain scenarios it may be preferable to restrict the privileges requested by the application. If this checkbox is checked, only the “openid” and “offline_access” privileges are requested from the AD. In this case, the Microsoft Azure Active Directory administrators have to take appropriate measures so that the application is allowed to retrieve group membership information and user properties.
- Attribute 6 - Synchronization Interval
The time interval for the automated synchronization is set in this field. The following intervals are available:
- 5 Minutes
- 15 Minutes
- 30 Minutes
- 1 Hour
- 12 Hours
- 1 Day
- Attribute 7 - Last Synchronization on/at
This field displays the timestamp of the last manually or automatically started synchronization of users.
- Attribute 8 - Log of Last Synchronization
This log displays the number of users created and updated as well as the number of teams updated by the last synchronization.
This button allows the synchronization of users to be started manually, as shown in the following illustration:
The button “(Re-)Authenticate” is only visible when both the Client ID and the Client Secret of the “Microsoft Graph User Import” object are set. Clicking this button starts the authentication process, which results in a new user consent. Before the first synchronization, this button has to be clicked and the user has to grant the application permission to access the user information in the directory.
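The two settings that matter most for security here are the scope selection behind the “Do Not Request Permission to Read All Groups” checkbox (Attribute 5) and the consent flow started by “(Re-)Authenticate”. The following Python script is an added example, not code from Fabasoft Approve or the Microsoft Graph SDK: it builds the Microsoft identity platform authorization URL with exactly the scope set the text describes for each checkbox state, validates the callback against a random `state` value, and prepares the token request. The tenant ID, client ID, redirect URI, authorization code and secret in the `__main__` block are constructed placeholders, and the GUID check that rejects a Secret ID entered instead of the secret value is a heuristic assumption (Azure displays the Secret ID as a GUID). `Group.Read.All` is the canonical Graph permission name for what the text writes as “group.read.all”.

```python
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Microsoft identity platform v2.0 authority; the tenant ID is appended per request.
AUTHORITY = "https://login.microsoftonline.com"

# Azure shows a "Secret ID" (a GUID) and a "Value" for each client secret; only the
# value works as a credential. Heuristic assumption: a GUID-shaped string is the ID.
_GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")


def requested_scopes(do_not_request_all_groups: bool) -> list[str]:
    """Scopes requested from the AD, mirroring the checkbox described above."""
    if do_not_request_all_groups:
        # Minimal set: identity plus refresh token; an AD admin must grant
        # group and user read access to the application separately.
        return ["openid", "offline_access"]
    # Default: read all groups and memberships on behalf of the signed-in user.
    return ["Group.Read.All", "offline_access"]


def build_authorize_url(tenant_id, client_id, redirect_uri,
                        do_not_request_all_groups=False, state=None):
    """Return (url, state) for the consent step started by "(Re-)Authenticate"."""
    # A random state binds the callback to this request (CSRF protection).
    state = state or secrets.token_urlsafe(16)
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(requested_scopes(do_not_request_all_groups)),
        "state": state,
    }
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/authorize?{urlencode(params)}", state


def validate_callback(callback_url, expected_state):
    """Check the redirect back from the AD and extract the authorization code."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this request")
    if "error" in query:
        raise RuntimeError(f"consent failed: {query['error'][0]}")
    return query["code"][0]


def build_token_request(tenant_id, client_id, client_secret, code, redirect_uri):
    """Return (token_url, form_body) that exchanges the code for tokens."""
    if _GUID_RE.match(client_secret):
        raise ValueError("client_secret looks like a Secret ID (GUID); enter the VALUE")
    url = f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token"
    body = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    }
    return url, body


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    TENANT = "11111111-2222-3333-4444-555555555555"
    CLIENT = "66666666-7777-8888-9999-000000000000"
    REDIRECT = "https://approve.example.invalid/oauth/callback"
    url, state = build_authorize_url(TENANT, CLIENT, REDIRECT, do_not_request_all_groups=True)
    print("consent URL:", url)
    code = validate_callback(f"{REDIRECT}?code=constructed-code&state={state}", state)
    token_url, body = build_token_request(TENANT, CLIENT, "constructed-secret-value", code, REDIRECT)
    print("token request to", token_url, "with grant", body["grant_type"])
```

Run it as-is to print the consent URL for the restricted scope set; flip `do_not_request_all_groups` to `False` to see the default request including `Group.Read.All`. The refresh token obtained through `offline_access` is what allows the scheduled synchronization (Attribute 6) to run without a user present, which is why a new consent is needed whenever “(Re-)Authenticate” is clicked.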