Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service, which helps your employees sign in and access resources in:
- External resources, such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.
- Internal resources, such as apps on your corporate network and intranet, along with any cloud apps developed by your own organization.
Azure AD is a valuable discovery source: it not only lets you discover services and users but can also be used to discover employee and department data.
- Single Sign-on & CASB System
Azure AD resource
Service discovery is the process of automatically identifying services and applications. All discovered services are added to SMP automatically.
Users represent all discovered people who use a specific SaaS.
Employees are discovered to get a complete overview of all employees of an organization and enrich the data for each discovered user.
Departments represent the organizational structure of an organization as it relates to employees. This data is used to identify which SaaS is used where in the organization.
- Sign in to the Azure portal (https://portal.azure.com/) with an Azure administrator account that is also a member of the Global Administrator directory role in your Azure AD tenant.
- On the left navigation pane, click Azure Active Directory.
- On the Azure Active Directory page, click App registrations.
- On the App registrations page, in the toolbar on the top, click New registration.
- On the Register an application page, perform the following steps:
- In the Name textbox, type LeanIX SMP (it is just a label, so it can be anything that helps you identify that it relates to the LeanIX SMP integration).
- Under Supported account types, select Accounts in this organizational directory only (Default Directory only - Single tenant).
- Under the Redirect URI choose
- Click Register at the bottom of the screen.
- Next, we will configure the API permissions for the application.
- Click on API permissions to define a list of permissions for the application.
- On the API permissions page click Add a permission button.
- A new Request API permissions pane opens on the right; in it, select Microsoft Graph.
- In the next step, you will have to define which type of permissions the LeanIX SMP requires.
- Select the Application permissions option, search for directory, and in the Directory section check the permission Directory.Read.All.
- Repeat the same for AuditLog.Read.All.
- Click on the Add permissions button at the bottom to assign permission to the LeanIX SMP application.
- Click on the Grant admin consent for Default Directory button to enable configured permissions for the application.
- Next, click Yes to grant consent for the requested permissions.
- The permission status indicator on the API permissions page will change to approved.
Return to the application overview section (App Registrations -> click on the created app), from where you will need to grab the following identifiers:
- Directory (tenant) ID
- Application (client) ID
You need these values when granting LeanIX access to your Microsoft Azure:
Next, navigate to Certificates & secrets to generate a client secret, also referred to as the application password. Click the New client secret button to create a new password.
Select the expiration length of the password. Once the created client secret expires, you will have to create a new one and reconnect the service in LeanIX SMP.
The description field is optional.
Important note: Please make a note of the client secret value as soon as it is revealed. It will be masked when you navigate away from the Certificates & secrets panel.
This value needs to be added to SMP under Client Secret.
- Log in to LeanIX SMP. Navigate to Settings > Discover Integrations > Azure AD - click Add and enter settings.
- Enter Directory ID, Application ID, and Client Secret and click on Connect.
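As an added example (not part of the original page or of LeanIX's own code), the following Python shows what SMP does with the three values entered above and how an administrator can verify the result: it builds the client-credentials token request for the Directory (tenant) ID, Application (client) ID and Client Secret, then inspects the roles claim of the returned access token to confirm that admin consent covers exactly Directory.Read.All and AuditLog.Read.All and nothing more. The sample token is constructed inline and unsigned; the placeholder identifiers are assumptions.

```python
import base64
import json

# Application permissions the procedure above grants to the LeanIX SMP app.
REQUIRED_ROLES = {"Directory.Read.All", "AuditLog.Read.All"}


def build_token_request(tenant_id, client_id, client_secret):
    """URL and form body of the OAuth2 client-credentials request that an
    integration such as SMP sends with the Directory ID, Application ID
    and Client Secret collected in the portal."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }
    return url, body


def decode_jwt_payload(token):
    """Decode the payload segment of a JWT WITHOUT verifying the signature.
    Use this only to inspect a token you just received from the token endpoint
    yourself, never to make an authorization decision."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def check_app_roles(payload, required=REQUIRED_ROLES):
    """Compare the token's roles claim with the permissions that were consented.
    Missing roles mean admin consent is incomplete; unexpected roles mean the
    app holds more than the integration needs and should be trimmed."""
    granted = set(payload.get("roles", []))
    return {"missing": sorted(required - granted), "unexpected": sorted(granted - required)}


def _fake_jwt(payload):
    """Constructed, unsigned sample token; the signature segment is a dummy."""
    def seg(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg(payload)}.sig"


# Constructed sample: consent was granted for one permission too many.
SAMPLE_TOKEN = _fake_jwt({
    "aud": "https://graph.microsoft.com",
    "roles": ["Directory.Read.All", "AuditLog.Read.All", "User.ReadWrite.All"],
})

if __name__ == "__main__":
    url, body = build_token_request("<tenant-id>", "<client-id>", "<client-secret>")
    print(url, sorted(body))
    print(check_app_roles(decode_jwt_payload(SAMPLE_TOKEN)))
```

Running the check against a real token after Connect succeeds is a quick way to confirm that the consent step granted the two read-only permissions and that no broader permission was added by mistake.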