Azure AD (Microsoft Entra ID)

Configuring the Azure integration for Veza Lifecycle Management

Overview

The Veza integration for Azure AD (Microsoft Entra ID) enables automated user provisioning, access management, and de-provisioning capabilities as a target system. This integration allows you to provision users from authoritative sources, manage group memberships, assign licenses, and automate the user lifecycle based on changes in external identity sources.

Action Type

Description

Supported

SYNC_IDENTITIES

Synchronizes identity attributes between systems, with options to create new identities and update existing ones

✅

MANAGE_RELATIONSHIPS

Controls entitlements such as group memberships, role assignments, and license assignments

✅

CREATE_GUEST_USER

Creates guest user accounts by sending invitations

✅

CREATE_ENTITLEMENT

Creates new entitlements in Azure AD, including groups and distribution lists

✅

CREATE_EMAIL

Creates or enables email functionality for users

✅

DEPROVISION_IDENTITY

Safely removes or disables access for identities, includes user logout support

✅

DISABLE_GUEST_ACCOUNT

Specifically handles deprovisioning of guest user accounts

✅

RESET_PASSWORD

Allows password reset operations for Azure AD users

✅

This document includes steps to enable the Azure integration for use in Lifecycle Management, along with supported actions and notes. See Supported Actions for more details.

Enabling Lifecycle Management for Azure

Prerequisites

You will need administrative access in Veza to configure the integration.
Ensure you have an existing Azure integration in Veza or add a new one for use with Lifecycle Management.
Verify your Azure integration has completed at least one successful extraction.
The Azure integration will need the following additional Microsoft Graph API permissions:
- Directory.ReadWrite.All - Required for creating, updating, and managing directory objects
- Group.ReadWrite.All - Required for creating and managing groups
- GroupMember.ReadWrite.All - Required for managing group memberships
- User.EnableDisableAccount.All - Required for enabling/disabling user accounts

Configuration Steps

To enable the integration:

In Veza, go to the Integrations overview
Search for or create an Azure integration
Check the box to Enable usage for Lifecycle Management
For complete Azure integration setup instructions, including how to create an App Registration and grant permissions, please refer to the Azure Integration Guide

To verify the health of the Lifecycle Management data source:

Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview
Search for the integration and click the name to view details
In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled

Supported Actions

Azure AD serves as a target for identity management actions in Lifecycle Management Policies, based on changes in another external source of truth (such as Workday, Okta, or Oracle HCM) or as part of a workflow.

Note: Azure AD is not currently supported as a source of identity for Lifecycle Management. It can only be used as a target system for provisioning, deprovisioning, and access management actions.

The integration supports the following lifecycle management Actions:

Sync Identities

Primary action for user management (creating or updating users):

Entity Types: Azure AD User, Exchange Online Mailbox
Create Allowed (Azure AD User): Yes (new user identities can be created if not found)
Create Allowed (Exchange Online Mailbox): No (update only)

The following attributes can be synchronized:

Azure AD User Attributes

Property

Required

Type

Description

Notes

principal_name

Yes

String

User Principal Name

Unique identifier

mail_nickname

Yes

String

Mail nickname

display_name

Yes

String

Display name

account_enabled

Boolean

Enable/disable account

city

String

User's city

company_name

String

Company name

country_or_region

String

User's country or region

department

String

User's department

employee_hire_date

DateTime

Employee hire date

employee_id

String

Employee identifier

Can be unique identifier

employee_type

String

Employee type

first_name (given_name)

String

User's first name

job_title

String

Job title or position

manager_principal_name

String

Manager's principal name

nickname

String

User's nickname

office

String

Office location

other_mails

String List

Additional email addresses

password_policies

String

Password policy settings

password_profile_force_change_password_next_sign_in

Boolean

Force password change on next sign-in

password_profile_force_change_password_next_sign_in_with_mfa

Boolean

Force MFA on next password change

password_profile_password

String

Initial password setting

postal_code

String

Postal code

state

String

State or province

street_address

String

Street address

last_name (surname)

String

User's last name

usage_location

String

Usage location for licensing

user_type

String

Type of user

Exchange Online Mailbox Attributes

Use Sync Identities with the Exchange Online Mailbox entity type to update mailbox settings for existing mailboxes. To create new mailboxes, use the Create Email action instead.

Property

Required

Type

Description

Notes

identity

Yes

String

Mailbox identity

For example: [email protected]

mailbox_settings

String

Mailbox settings to sync

Space-separated key=value pairs (see examples below)

cas_mailbox_settings

String

Client Access Settings (CAS) to sync

Space-separated key=value pairs (see examples below)

Commonly Used Mailbox Settings:

The mailbox_settings attribute accepts parameters for the Exchange Online Set-Mailbox cmdlet. Common settings include:

Setting

Type

Description

Example Value

AuditEnabled

Boolean

Enable mailbox auditing

true

AuditLogAgeLimit

TimeSpan

Audit log retention period

180.00:00:00

RecipientLimits

Integer

Maximum recipients per message

250

MaxSendSize

Size

Maximum outgoing message size

25 MB (26,214,400 bytes)

MaxReceiveSize

Size

Maximum incoming message size

25 MB (26,214,400 bytes)

ProhibitSendQuota

Size

Mailbox size limit for sending

49 GB (52,613,349,376 bytes)

IssueWarningQuota

Size

Mailbox size warning threshold

45 GB (48,318,382,080 bytes)

Example:

AuditEnabled=true AuditLogAgeLimit="180.00:00:00" RecipientLimits=250 MaxSendSize="25 MB (26,214,400 bytes)"

Commonly Used CAS Mailbox Settings:

The cas_mailbox_settings attribute accepts parameters for the Exchange Online Set-CASMailbox cmdlet. Common settings include:

Setting

Type

Description

Example Value

OWAEnabled

Boolean

Enable Outlook on the Web access

true or false

ActiveSyncEnabled

Boolean

Enable Exchange ActiveSync

true or false

EwsEnabled

Boolean

Enable Exchange Web Services

true or false

MAPIEnabled

Boolean

Enable MAPI (Outlook desktop)

true or false

PopEnabled

Boolean

Enable POP3 access

true or false

ImapEnabled

Boolean

Enable IMAP4 access

true or false

Example:

OWAEnabled=false ActiveSyncEnabled=false EwsEnabled=false MAPIEnabled=true PopEnabled=false ImapEnabled=true

Exact Value Matching Required: During the verification phase, Veza compares the requested values to the values returned by Exchange Online for exact matching. Use the same format that Exchange Online returns.

For example, when setting AuditLogAgeLimit, use the format 180.00:00:00 (days.hours:minutes:seconds), not just 180.

Create Guest User Accounts

Creates guest user accounts in Azure AD by sending invitations:

Required Attributes:
- invited_user_email_address - Email address of the person to invite
- invite_redirect_url - URL where the user is redirected after accepting the invitation
Optional Attributes:
- principal_name - User principal name (if not provided, generated from email)
- display_name - Display name (if not provided, generated from email)
- mail_nickname - Mail nickname (if not provided, generated from email)
- Other standard user attributes as needed

Manage Relationships

Controls relationships between users and Azure AD entities:

Supported Relationship Types:
- Groups: Add or remove users from Azure AD groups
- Roles: Assign or remove Azure AD roles
- Licenses: Assign or remove license assignments
- Distribution Lists: Manage Exchange Online distribution list memberships
Assignee Types: Azure AD Users
Supports Removing Relationships: Yes

Distribution Lists: When managing distribution list memberships, use the Exchange Online Distribution Group entity type. The Microsoft Graph API cannot modify distribution lists or mail-enabled security groups.

Create Email

Creates or enables email functionality for users in Azure AD:

Implementation: Assigns Exchange Online license to the user
Requirements: Available Exchange Online license in your tenant
Results: Email-enabled user account with Exchange Online capabilities

Create Entitlement

Creates new entitlements in Azure AD, including groups and distribution lists:

Azure AD Group Creation:
- Required Attributes: name
- Optional Attributes:
  - mail_enabled - Whether the group is mail-enabled
  - is_security_group - Whether it's a security group
  - visibility - Privacy setting (Public, Private, HiddenMembership)
  - description - Group description
Distribution Group Creation:
- Required Attributes: name
- Optional Attributes:
  - identity - Unique identifier
  - alias - Email alias
  - primary_smtp_address - Primary email address
  - group_type - Type of distribution group

Deprovision Identity

When a user is deprovisioned:

Entity Type: Azure AD Users
Remove All Relationships: Yes (Removes group memberships, role assignments, and license assignments)
De-provisioning Method: Disabled (Users are marked as disabled rather than deleted)
Additional Options:
- User Logout - Force user to log out from all active sessions
- Remove All Licenses - Remove all license assignments
- Remove All Personal Devices - Remove device registrations

Disable Guest Accounts

Specifically handles deprovisioning of guest user accounts:

Required Attributes:
- invited_user_email_address - Email address of the guest user
Optional Attributes:
- display_name - Display name of the guest user

Custom Properties

Azure AD integration supports custom properties defined in your tenant. These can be configured in the integration settings and used in attribute transformers for Lifecycle Management actions.

Reset Password

Allows password reset operations for Azure AD users:

Entity Type: Azure AD Users
Unique Identifiers: Can use principal_name, mail_nickname, or invited_user_email_address. At least one unique identifier is required to identify the user
Non-idempotent Action: Each execution creates a new password reset event
Complex Password Support: Supports complex password requirements per Azure AD policy

Password Profile Attributes:

Attributes for Reset Password

Property

Required

Type

Description

Notes

principal_name

No*

String

User Principal Name

Can be used as unique identifier

mail_nickname

No*

String

Mail nickname

Can be used as unique identifier

invited_user_email_address

No*

String

Email address for guest users

Can be used as unique identifier for guest accounts

password_profile_force_change_password_next_sign_in

Boolean

Require user to change password at next login

password_profile_force_change_password_next_sign_in_with_mfa

Boolean

Require MFA when changing password at next login

password_profile_password

String

New password value

Must meet Azure AD complexity requirements; autogenerated if not provided

Notes:

If no password is provided, a secure password will be generated automatically
Password must meet your Azure AD password policy requirements
Available options include forcing password change on next sign-in and requiring MFA
Uses Microsoft Graph API user update endpoint for password changes

PreviousAtlassian Cloud NextCoupa Contingent Workforce

Last updated 4 days ago

Was this helpful?