User Provisioning to Azure AD from WSO2 Identity Server

Dewni Weeraman
Jul 31, 2019

In the world of identity management, user provisioning is a term we often come across. Simply put, user provisioning is the process of creating, updating, disabling and deleting user accounts, together with their access permissions for resources, in one or more systems.

In this blog post I’ll be showing how to provision users to Azure Active Directory from WSO2 Identity Server.

Pre-requisites:

  • Configure SAML2 authentication for Office365 with WSO2 Identity Server. For detailed instructions on how to do this check here.

Step 01: Register app

Register a new application using the Microsoft App Registration Portal. For detailed information on this check here.

The screenshot below shows the newly registered application.

The following mandatory configurations need to be done when registering the application.

  1. Enable implicit flow and configure the redirect and logout URLs.

These configuration settings are available under the Authentication section of the registered app.

  2. Add permissions.

The steps to be followed to add the permissions are shown in the screenshot.

As shown in the screenshot below, the Microsoft Graph Permissions section lists two types of permissions:

i - Delegated permissions

ii - Application permissions

Configure the following permissions:

Delegated permissions:

  • User.Read
  • User.ReadBasic.All
  • User.ReadWrite
  • User.Invite.All (Admin Only)
  • User.Read.All (Admin Only)
  • User.ReadWrite.All (Admin Only)

Application permissions:

  • Directory.Read.All (Admin Only)
  • Domain.ReadWrite.All (Admin Only)
  • User.Read.All (Admin Only)
  • User.ReadWrite.All (Admin Only)

Once the permissions are set, the API permissions view will look similar to the screenshot.

  3. To have the administrator consent to the permissions set above, construct the following URL and open it in a browser window.

Request URL:

https://login.microsoftonline.com/{tenant}/adminconsent?client_id={application-id}&state=12345&redirect_uri={application-redirect-url}

A sample URL is given below:

https://login.microsoftonline.com/dewni.onmicrosoft.com/adminconsent?client_id=0e29e14e-fc7p-4e0d-923f-eb3a70649675&state=12345&redirect_uri=https://www.office.com

As shown in the screenshot below, you will see the list of permissions requiring admin consent. Click Accept.
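Building the admin consent URL from the template above and validating the redirect that comes back once the administrator clicks Accept, as an added Python example that is not part of the original post. The tenant, client id and redirect URI are constructed placeholders; the callback parameters checked (admin_consent, tenant, state, error) are the ones Azure AD returns for this endpoint, with tenant returned as the tenant's GUID rather than its domain name.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholder values, not a real tenant or application.
TENANT = "contoso.onmicrosoft.com"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://www.office.com"


def build_admin_consent_url(tenant, client_id, redirect_uri, state):
    """Build the adminconsent URL used in the step above. The query is
    URL-encoded so a redirect URI containing '/' or '?' survives intact."""
    query = urlencode({"client_id": client_id,
                       "state": state,
                       "redirect_uri": redirect_uri})
    return f"https://login.microsoftonline.com/{tenant}/adminconsent?{query}"


def new_state():
    """Unguessable per-request state. A fixed value such as 12345 gives no
    protection, because any callback, genuine or forged, would match it."""
    return secrets.token_urlsafe(16)


def check_consent_callback(callback_url, expected_state, expected_tenant_id):
    """Validate the redirect Azure AD sends to redirect_uri after consent.
    Returns True only if the state matches, the consenting tenant is the one
    we expected, no error was returned and consent was actually granted."""
    params = parse_qs(urlparse(callback_url).query)
    first = lambda key: params.get(key, [None])[0]
    if first("state") != expected_state:
        return False  # not a callback for a request we issued
    if first("tenant") != expected_tenant_id:
        return False  # consent granted by a different tenant (GUID compared)
    if first("error") is not None:
        return False  # administrator declined, or the request was rejected
    return first("admin_consent") == "True"


if __name__ == "__main__":
    state = new_state()
    print(build_admin_consent_url(TENANT, CLIENT_ID, REDIRECT_URI, state))
```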

Step 02: Install the connector

  • Download Office365 Provisioning Connector from WSO2 connector store.
  • Copy org.wso2.carbon.identity.outbound.provisioning.connector.office365-x.x.x.jar to the <IS_HOME>/repository/components/dropins folder.
  • Restart the server.

Step 03: Configure the identity provider

An identity provider needs to be configured to accept the provisioning request from WSO2 Identity Server.

  • On the main menu, click Add under Identity Providers.
  • Name the identity provider ‘Office365Idp’.
  • In the Outbound Provisioning Connectors section, expand Office365 Provisioning Configuration and fill in the configuration as shown in the screenshot below.
  • Expand the Role Configuration section and add “office365Role” as the Identity Provider Outbound Provisioning Role.
  • To save changes, click on Register.

Step 04: Configure resident service provider

In this scenario WSO2 Identity Server acts as the provisioning entity. To provision users to Azure AD, the outbound provisioning identity provider configured above must be added to the resident service provider.

  • On the Main menu, click Resident under Service Providers.
  • Expand the Outbound Provisioning Configuration section.
  • Select the created identity provider and click [+] to add it to the service provider.
  • To save changes, click Update.

Step 05: Enable claims

  • On Main menu, click List under Claims.
  • Choose http://wso2.org/claims claim dialect.
  • Select Display Name claim and click on Edit.
  • Enable the claim by ticking Supported by Default.

Similarly enable claims for User ID and Username claims.

Step 06: Do this step if you’re using the default H2 database provided in WSO2 Identity Server.

  • On Main tab, click List under Claims.
  • Choose http://wso2.org/claims dialect.
  • Select ObjectGuid and click on Edit. Provide the Mapped Attribute as “scimid”.
  • Click on Update.
  • Similarly for UserPrincipalName claim, provide “mail” as the mapped attribute.

Step 07: Create User

The next task is to provision a user. Let’s create a new user.

  • On Main tab, click Add under Users and Roles.
  • Click Add New User and create a new user named ‘bob’.
  • Click Finish.
  • To edit Bob’s user profile information, click on User Profile. Provide values for the above configured mandatory attributes Username, User ID and Display Name.
  • To save the changes click on Update.

Step 08: Create a user group in Azure AD

  • Create a group in Azure AD. For information regarding this, check here.
  • Select Dynamic User as the Membership type when creating the group. Note that an Azure AD Premium P1/P2 license is required to add dynamic membership rules.
  • Add a dynamic membership rule as shown in the screenshot. Let’s create a user group called ‘Lecturer’; all users assigned the role ‘Lecturer’ will be provisioned to this group.

Step 09: Assign the role

  • On Main tab, click Add under Users and Roles. Then click on Create New Role.
  • Create two roles, “office365Role” and “Lecturer”, and assign login permissions to both.
  • Assign the user ‘bob’ to these 2 roles.
  • By assigning the roles, “bob” will be provisioned to Azure AD. Note that this process may take a few seconds to complete.

You can also see “bob” as a member of the “Lecturer” group.

Now you have successfully provisioned a user to Azure AD from WSO2 IS :)

I hope you enjoyed this article.

Thanks!

Dewni Weeraman

Software Engineer at WSO2 | Graduate of University of Westminster