HelloID-Conn-Prov-Target-Azure-MFASettings-Email

ℹ️ Information
This repository contains the connector and configuration code only. The implementer is responsible for acquiring the connection details such as username, password, certificate, etc. You might even need to sign a contract or agreement with the supplier before implementing this connector. Please contact the client's application manager to coordinate the connector requirements.

Versioning

Version   Description                                             Date
1.1.0     Updated to support deleted users and improved logging   2022/08/05
1.0.0     Initial release                                         2021/05/14

Introduction

The interface to communicate with Microsoft Azure AD is through the Microsoft Graph API.

With this connector we can create or set the MFA Phone methods; optionally, we can enable SMS Sign-In as well.

Note that this makes use of beta endpoints of the Microsoft Graph API.

The HelloID connector consists of the template scripts shown in the following table.

Action       Action(s) Performed                                            Comment
create.ps1   Correlate to and add/update MFA email method of AzureAD user
update.ps1   Update MFA email method of AzureAD user
delete.ps1   Delete MFA email method of AzureAD user                        Be careful when implementing this! There is no way to restore the deleted data.

Getting the Azure AD graph API access

By using this connector you will be able to manage the Phone Authentication Method for an Azure AD User.

Application Registration

The first step to connect to the Graph API and make requests is to register a new Azure Active Directory Application. The application is used to connect to the API and to manage permissions.

  • Navigate to App Registrations in Azure, and select “New Registration” (Azure Portal > Azure Active Directory > App Registration > New Application Registration).
  • Next, give the application a name. In this example we are using “HelloID PowerShell” as application name.
  • Specify who can use this application (Accounts in this organizational directory only).
  • Specify the Redirect URI. You can enter any URL as a redirect URI value. In this example we used http://localhost because it doesn't have to resolve.
  • Click the “Register” button to finally create your new application.

Some key items regarding the application are the Application ID (which is the Client ID), the Directory ID (which is the Tenant ID) and Client Secret.

Configuring App Permissions

The Microsoft Graph documentation provides details on which permissions are required for each permission type.

To assign your application the right permissions, navigate to Azure Portal > Azure Active Directory > App Registrations. Select the application we created before, and select “API Permissions” or “View API Permissions”. To assign a new permission to your application, click the “Add a permission” button. From the “Request API Permissions” screen click “Microsoft Graph”. For this connector the following permissions are used as Application permissions:

  • Read and write all users’ authentication methods by using UserAuthenticationMethod.ReadWrite.All

These permissions are based on the Microsoft docs articles:

Some high-privilege permissions can be set to admin-restricted and require an administrator's consent to be granted.

To grant admin consent to our application press the “Grant admin consent for TENANT” button.

Authentication and Authorization

There are multiple ways to authenticate to the Graph API, each with its own pros and cons; in this example we are using the Authorization Code grant type.

  • First we need to get the Client ID, go to the Azure Portal > Azure Active Directory > App Registrations.
  • Select your application and copy the Application (client) ID value.
  • After we have the Client ID we also have to create a Client Secret.
  • From the Azure Portal, go to Azure Active Directory > App Registrations.
  • Select the application we have created before, and select "Certificates and Secrets".
  • Under “Client Secrets” click on the “New Client Secret” button to create a new secret.
  • Provide a logical name for your secret in the Description field, and select the expiration date for your secret.
  • It's IMPORTANT to copy the newly generated client secret, because you cannot see the value anymore after you close the page.
  • Lastly, we need to get the Tenant ID. This can be found in the Azure Portal by going to Azure Active Directory > Custom Domain Names, and then finding the .onmicrosoft.com domain.
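As an added example (not the connector's own scripts), the following PowerShell obtains a Graph token for the app registration with the Tenant ID, Application ID and secret collected above, then correlates to and adds or updates a user's MFA email method on the beta endpoint, which is what the create.ps1/update.ps1 rows describe. It uses the client credentials grant rather than the Authorization Code grant named above, since the Application permission needs no signed-in user; the placeholder values, the user principal name and the e-mail address are assumptions.

```powershell
# Added example, not the connector's own code. Replace the placeholders with the
# Tenant ID, Application ID and secret from your app registration.
$TenantId     = '<tenant-id>'
$ClientId     = '<application-id>'
$ClientSecret = '<application-secret>'

function Get-GraphAccessToken {
    # Client credentials grant against the v2.0 token endpoint. The Application
    # permission UserAuthenticationMethod.ReadWrite.All is carried by the
    # /.default scope, so no user signs in here.
    param([string]$TenantId, [string]$ClientId, [string]$ClientSecret)
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
    }
    $uri = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    return (Invoke-RestMethod -Method Post -Uri $uri -Body $body).access_token
}

function Set-UserEmailMethod {
    # Correlate to an existing MFA email method and add or update it.
    param([string]$AccessToken, [string]$UserPrincipalName, [string]$EmailAddress)
    $headers = @{ Authorization = "Bearer $AccessToken"; 'Content-Type' = 'application/json' }
    # Beta endpoint (see Remarks): its behaviour may change without notice.
    $base    = "https://graph.microsoft.com/beta/users/$UserPrincipalName/authentication/emailMethods"
    $payload = @{ emailAddress = $EmailAddress } | ConvertTo-Json

    $existing = @((Invoke-RestMethod -Method Get -Uri $base -Headers $headers).value)
    if ($existing.Count -eq 0) {
        # No email method yet: create one (create.ps1 behaviour)
        return Invoke-RestMethod -Method Post -Uri $base -Headers $headers -Body $payload
    }
    # An email method exists: update it in place (update.ps1 behaviour)
    $methodId = $existing[0].id
    return Invoke-RestMethod -Method Patch -Uri "$base/$methodId" -Headers $headers -Body $payload
}

$token = Get-GraphAccessToken -TenantId $TenantId -ClientId $ClientId -ClientSecret $ClientSecret
# Never write $token or $ClientSecret to the HelloID log output.
Set-UserEmailMethod -AccessToken $token -UserPrincipalName 'user@example.com' -EmailAddress 'user.mfa@example.com'
```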

Prerequisites

  • Azure AD environment
  • Registered App Registration in AzureAD with permission to the Microsoft Graph API UserAuthenticationMethod.ReadWrite.All. The following values are needed to connect:
    • Tenant ID
    • Application ID
    • Application Secret

Remarks

  • We make use of beta endpoints of the Microsoft Graph API. We cannot guarantee their functionality.

Getting help

For more information on how to configure a HelloID PowerShell connector, please refer to our documentation pages.

If you need help, feel free to ask questions on our forum.

HelloID docs

The official HelloID documentation can be found at: https://docs.helloid.com/


Issues

Delete event, error when Azure object is not present anymore

In the delete event, whenever the Azure object is not present anymore, this will result in an error in HelloID.
The catch construction is not correctly handled.
On line 75 the $success variable is set to $false; this will result in an error in HelloID.
Also, the auditlog part on lines 82-88 incorrectly sets the auditlog IsError to $true.
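The handling this issue asks for, as an added example that is not the project's delete.ps1: a 404 on the user is treated as "already deleted", so the event reports success and the audit entry carries IsError = $false, while any other failure still reports an error. It assumes an access token for the app registration is already in $accessToken and that $userId holds the user's Azure AD object id; the result shape (Success, Message, IsError) is an assumption too.

```powershell
# Added example, not the connector's delete.ps1. Assumes $accessToken holds a Graph
# token for the app registration and $userId the Azure AD object id of the user.
function Remove-UserEmailMethod {
    param([string]$AccessToken, [string]$UserId)
    $headers = @{ Authorization = "Bearer $AccessToken" }
    # Beta endpoint (see Remarks): its behaviour may change without notice.
    $base    = "https://graph.microsoft.com/beta/users/$UserId/authentication/emailMethods"
    try {
        $methods = @((Invoke-RestMethod -Method Get -Uri $base -Headers $headers).value)
        foreach ($m in $methods) {
            Invoke-RestMethod -Method Delete -Uri "$base/$($m.id)" -Headers $headers | Out-Null
        }
        return @{ Success = $true; IsError = $false
                  Message = "Removed $($methods.Count) email method(s) for $UserId" }
    }
    catch {
        # A user that no longer exists in Azure AD answers 404: nothing is left to
        # delete, so this must not fail the HelloID delete event or flag the audit log.
        $status = [int]$_.Exception.Response.StatusCode
        if ($status -eq 404) {
            return @{ Success = $true; IsError = $false
                      Message = "User $UserId not found in Azure AD, nothing to delete" }
        }
        return @{ Success = $false; IsError = $true
                  Message = "Delete failed (HTTP $status): $($_.Exception.Message)" }
    }
}

$result    = Remove-UserEmailMethod -AccessToken $accessToken -UserId $userId
$success   = $result.Success
$auditLogs = @([PSCustomObject]@{ Action = 'DeleteAccount'; Message = $result.Message; IsError = $result.IsError })
```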
