How to Connect Azure AD to Zluri Using a Custom Admin Role

If you wish to delegate Zluri’s Azure AD integration to a non-admin user or group, you can assign them a custom admin role. This method requires more manual configuration but gives greater control over the Zluri features you wish to use.


Prerequisites

  • An account with Owner or User access administrator privileges (for creating a custom admin)
  • Microsoft Entra ID P1 or Entra ID P2 subscription

Integration steps

Create a custom admin role

  1. In the Azure Portal, open either Management Group, Subscription, or Resource Group (depending on your user case) to which you want to assign the custom role, then open Access Control (IAM).


  2. Click the Roles tab to see a list of all the built-in and custom roles.

  3. Search for a role you want to clone. Click the 3-dot menu towards the right of the row and click Clone. This will open the custom roles editor.


  4. In the Basics tab, write a name and description. Set Baseline permissions to Clone a role.


    Add the required permissions

    The new role needs the following permissions in Azure to function:

    • Application.Read.All
    • AuditLog.Read.All
    • Directory.Read.All
    • Group.Read.All
    • GroupMember.Read.All
    • IdentityRiskEvent.Read.All
    • IdentityRiskyUser.Read.All
    • Reports.Read.All
    • Sites.Read.All
    • TeamsAppInstallation.ReadForTeam
    • User.Read.All
    • UserAuthenticationMethod.Read.All

  5. To do this, click the Permissions tab, then click ➕ Add permissions.

  6. Search for the permission mentioned above using the search bar. Then, click a resource provider card that has the permissions you want to add to your custom role, such as Microsoft Billing.


  7. This will display a list of the management permissions for that resource provider. Click Add to append the permission to the role.



  8. Repeat this for every permission mentioned above.

  9. Go to the Review + Create tab, review the permissions, and then click Create.



    Unhide user details in Azure AD

    By default, user details are hidden for all Microsoft reports. You need to unhide them manually in the admin dashboard so that Zluri can access them. Here’s how:

  10. Visit Admin Center, and navigate to Settings → Org SettingsServices. Select Reports.



  11. Check the Display concealed user, group, and site names in all reports checkbox, then save your changes.

    Connect the Azure AD instance in Zluri

  12. Open the Integrations Catalog, search for “Azure”, and click ➕ Connect on the Azure AD entry.


  13. Choose the scopes for the integration, and click Connect. You can click the down-arrow button towards the right of the scope to learn what it does.

    If you don’t have the required permissions, click the Send to a Co-worker button to invite someone who does.


  14. You will now see a popup window asking you to authorize the request on Azure AD’s end. Accept the request.

  15. Give the connection a name and description, and you’re ready to go!



Got questions? Feel free to submit a ticket or contact us directly at support@zluri.com.




Can’t find what you are looking for? Let us help you!

How to Connect Azure AD to Zluri Using a Custom Admin Role

Modified on Fri, 07 Jun 2024 at 01:29 PM

If you wish to delegate Zluri’s Azure AD integration to a non-admin user or group, you can assign them a custom admin role. This method requires more manual configuration but gives greater control over the Zluri features you wish to use.


Prerequisites

  • An account with Owner or User access administrator privileges (for creating a custom admin)
  • Microsoft Entra ID P1 or Entra ID P2 subscription

Integration steps

Create a custom admin role

  1. In the Azure Portal, open either Management Group, Subscription, or Resource Group (depending on your user case) to which you want to assign the custom role, then open Access Control (IAM).


  2. Click the Roles tab to see a list of all the built-in and custom roles.

  3. Search for a role you want to clone. Click the 3-dot menu towards the right of the row and click Clone. This will open the custom roles editor.


  4. In the Basics tab, write a name and description. Set Baseline permissions to Clone a role.


    Add the required permissions

    The new role needs the following permissions in Azure to function:

    • Application.Read.All
    • AuditLog.Read.All
    • Directory.Read.All
    • Group.Read.All
    • GroupMember.Read.All
    • IdentityRiskEvent.Read.All
    • IdentityRiskyUser.Read.All
    • Reports.Read.All
    • Sites.Read.All
    • TeamsAppInstallation.ReadForTeam
    • User.Read.All
    • UserAuthenticationMethod.Read.All

  5. To do this, click the Permissions tab, then click ➕ Add permissions.

  6. Search for the permission mentioned above using the search bar. Then, click a resource provider card that has the permissions you want to add to your custom role, such as Microsoft Billing.


  7. This will display a list of the management permissions for that resource provider. Click Add to append the permission to the role.



  8. Repeat this for every permission mentioned above.

  9. Go to the Review + Create tab, review the permissions, and then click Create.



    Unhide user details in Azure AD

    By default, user details are hidden for all Microsoft reports. You need to unhide them manually in the admin dashboard so that Zluri can access them. Here’s how:

  10. Visit Admin Center, and navigate to Settings → Org SettingsServices. Select Reports.



  11. Check the Display concealed user, group, and site names in all reports checkbox, then save your changes.

    Connect the Azure AD instance in Zluri

  12. Open the Integrations Catalog, search for “Azure”, and click ➕ Connect on the Azure AD entry.


  13. Choose the scopes for the integration, and click Connect. You can click the down-arrow button towards the right of the scope to learn what it does.

    If you don’t have the required permissions, click the Send to a Co-worker button to invite someone who does.


  14. You will now see a popup window asking you to authorize the request on Azure AD’s end. Accept the request.

  15. Give the connection a name and description, and you’re ready to go!



Got questions? Feel free to submit a ticket or contact us directly at support@zluri.com.




Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select atleast one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article