Azure AD (Microsoft Entra ID)
Configuring the Azure integration for Veza Lifecycle Management
Overview
The Veza integration for Azure AD (Microsoft Entra ID) enables automated user provisioning, access management, and de-provisioning capabilities as a target system. This integration allows you to provision users from authoritative sources, manage group memberships, assign licenses, and automate the user lifecycle based on changes in external identity sources.
| Action | Description | Supported |
|---|---|---|
| SYNC_IDENTITIES | Synchronizes identity attributes between systems, with options to create new identities and update existing ones | ✓ |
| MANAGE_RELATIONSHIPS | Controls entitlements such as group memberships, role assignments, and license assignments | ✓ |
| CREATE_GUEST_USER | Creates guest user accounts by sending invitations | ✓ |
| CREATE_ENTITLEMENT | Creates new entitlements in Azure AD, including groups and distribution lists | ✓ |
| CREATE_EMAIL | Creates or enables email functionality for users | ✓ |
| DEPROVISION_IDENTITY | Safely removes or disables access for identities, includes user logout support | ✓ |
| DISABLE_GUEST_ACCOUNT | Specifically handles deprovisioning of guest user accounts | ✓ |
| RESET_PASSWORD | Allows password reset operations for Azure AD users | ✓ |
This document includes steps to enable the Azure integration for use in Lifecycle Management, along with supported actions and notes. See Supported Actions for more details.
Enabling Lifecycle Management for Azure
Prerequisites
You will need administrative access in Veza to configure the integration.
Ensure you have an existing Azure integration in Veza or add a new one for use with Lifecycle Management.
Verify your Azure integration has completed at least one successful extraction.
The Azure integration will need the following additional Microsoft Graph API permissions:
Directory.ReadWrite.All - Required for creating, updating, and managing directory objects
Group.ReadWrite.All - Required for creating and managing groups
GroupMember.ReadWrite.All - Required for managing group memberships
User.EnableDisableAccount.All - Required for enabling/disabling user accounts
Configuration Steps
To enable the integration:
In Veza, go to the Integrations overview
Search for or create an Azure integration
Check the box to Enable usage for Lifecycle Management
For complete Azure integration setup instructions, including how to create an App Registration and grant permissions, please refer to the Azure Integration Guide
To verify the health of the Lifecycle Management data source:
Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview
Search for the integration and click the name to view details
In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled
Supported Actions
Azure AD serves as a target for identity management actions in Lifecycle Management Policies, based on changes in another external source of truth (such as Workday, Okta, or Oracle HCM) or as part of a workflow.
Note: Azure AD is not currently supported as a source of identity for Lifecycle Management. It can only be used as a target system for provisioning, deprovisioning, and access management actions.
The integration supports the following lifecycle management Actions:
Sync Identities
Primary action for user management (creating or updating users):
Entity Types: Azure AD User, Exchange Online Mailbox
Create Allowed (Azure AD User): Yes (new user identities can be created if not found)
Create Allowed (Exchange Online Mailbox): No (update only)
The following attributes can be synchronized:
Azure AD User Attributes

| Attribute | Required | Type | Description | Notes |
|---|---|---|---|---|
| principal_name | Yes | String | User Principal Name | Unique identifier |
| mail_nickname | Yes | String | Mail nickname | |
| display_name | Yes | String | Display name | |
| account_enabled | No | Boolean | Enable/disable account | |
| city | No | String | User's city | |
| company_name | No | String | Company name | |
| country_or_region | No | String | User's country or region | |
| department | No | String | User's department | |
| employee_hire_date | No | DateTime | Employee hire date | |
| employee_id | No | String | Employee identifier | Can be unique identifier |
| employee_type | No | String | Employee type | |
| first_name (given_name) | No | String | User's first name | |
| job_title | No | String | Job title or position | |
| manager_principal_name | No | String | Manager's principal name | |
| nickname | No | String | User's nickname | |
| office | No | String | Office location | |
| other_mails | No | String List | Additional email addresses | |
| password_policies | No | String | Password policy settings | |
| password_profile_force_change_password_next_sign_in | No | Boolean | Force password change on next sign-in | |
| password_profile_force_change_password_next_sign_in_with_mfa | No | Boolean | Force MFA on next password change | |
| password_profile_password | No | String | Initial password setting | |
| postal_code | No | String | Postal code | |
| state | No | String | State or province | |
| street_address | No | String | Street address | |
| last_name (surname) | No | String | User's last name | |
| usage_location | No | String | Usage location for licensing | |
| user_type | No | String | Type of user | |
Exchange Online Mailbox Attributes
Use Sync Identities with the Exchange Online Mailbox entity type to update mailbox settings for existing mailboxes. To create new mailboxes, use the Create Email action instead.
| Attribute | Required | Type | Description | Format |
|---|---|---|---|---|
| mailbox_settings | No | String | Mailbox settings to sync | Space-separated key=value pairs (see examples below) |
| cas_mailbox_settings | No | String | Client Access Settings (CAS) to sync | Space-separated key=value pairs (see examples below) |
Commonly Used Mailbox Settings:
The mailbox_settings attribute accepts parameters for the Exchange Online Set-Mailbox cmdlet. Common settings include:
| Setting | Type | Description | Example value |
|---|---|---|---|
| AuditEnabled | Boolean | Enable mailbox auditing | true |
| AuditLogAgeLimit | TimeSpan | Audit log retention period | 180.00:00:00 |
| RecipientLimits | Integer | Maximum recipients per message | 250 |
| MaxSendSize | Size | Maximum outgoing message size | 25 MB (26,214,400 bytes) |
| MaxReceiveSize | Size | Maximum incoming message size | 25 MB (26,214,400 bytes) |
| ProhibitSendQuota | Size | Mailbox size limit for sending | 49 GB (52,613,349,376 bytes) |
| IssueWarningQuota | Size | Mailbox size warning threshold | 45 GB (48,318,382,080 bytes) |
Example:
Commonly Used CAS Mailbox Settings:
The cas_mailbox_settings attribute accepts parameters for the Exchange Online Set-CASMailbox cmdlet. Common settings include:
| Setting | Type | Description | Example value |
|---|---|---|---|
| OWAEnabled | Boolean | Enable Outlook on the Web access | true or false |
| ActiveSyncEnabled | Boolean | Enable Exchange ActiveSync | true or false |
| EwsEnabled | Boolean | Enable Exchange Web Services | true or false |
| MAPIEnabled | Boolean | Enable MAPI (Outlook desktop) | true or false |
| PopEnabled | Boolean | Enable POP3 access | true or false |
| ImapEnabled | Boolean | Enable IMAP4 access | true or false |
Example:
Exact Value Matching Required: During the verification phase, Veza compares the requested values to the values returned by Exchange Online for exact matching. Use the same format that Exchange Online returns.
For example, when setting AuditLogAgeLimit, use the format 180.00:00:00 (days.hours:minutes:seconds), not just 180.
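To make the mailbox_settings and cas_mailbox_settings format and the exact-matching rule concrete, here is an added example (not Veza's or Microsoft's code) of a small validator for those attribute strings. It assumes the pairs are space-separated Name=Value tokens and that a value containing spaces, such as a Size, is double-quoted; the setting names and value shapes come from the two tables above.

```python
import re
import shlex

# Expected value kind per cmdlet parameter (taken from the setting tables above).
SETTING_TYPES = {
    # Set-Mailbox parameters (mailbox_settings)
    "AuditEnabled": "Boolean", "AuditLogAgeLimit": "TimeSpan", "RecipientLimits": "Integer",
    "MaxSendSize": "Size", "MaxReceiveSize": "Size", "ProhibitSendQuota": "Size", "IssueWarningQuota": "Size",
    # Set-CASMailbox parameters (cas_mailbox_settings)
    "OWAEnabled": "Boolean", "ActiveSyncEnabled": "Boolean", "EwsEnabled": "Boolean",
    "MAPIEnabled": "Boolean", "PopEnabled": "Boolean", "ImapEnabled": "Boolean",
}

# Shapes of the exact strings Exchange Online returns, as shown in the tables.
FORMATS = {
    "Boolean": re.compile(r"^(true|false)$"),
    "Integer": re.compile(r"^\d+$"),
    # days.hours:minutes:seconds, e.g. 180.00:00:00 (a bare "180" is rejected)
    "TimeSpan": re.compile(r"^\d+\.\d{2}:\d{2}:\d{2}$"),
    # e.g. "25 MB (26,214,400 bytes)"
    "Size": re.compile(r"^\d+(\.\d+)? [KMGT]B \(\d{1,3}(,\d{3})* bytes\)$"),
}

def parse_settings(value):
    """Split 'Name=Value Name=Value ...' into a dict; assumes values with spaces are double-quoted."""
    pairs = {}
    for token in shlex.split(value):
        if "=" not in token:
            raise ValueError(f"not a Name=Value pair: {token!r}")
        name, val = token.split("=", 1)
        pairs[name] = val
    return pairs

def validate_settings(value):
    """Return a list of problems; an empty list means every value has the expected shape."""
    problems = []
    for name, val in parse_settings(value).items():
        kind = SETTING_TYPES.get(name)
        if kind is None:
            problems.append(f"{name}: not in the known-settings table")
        elif not FORMATS[kind].match(val):
            problems.append(f"{name}={val}: expected {kind} format")
    return problems

def verify_against_returned(requested, returned):
    """Mimic the verification phase: return settings whose returned string differs from the requested one."""
    return [n for n, v in parse_settings(requested).items() if returned.get(n) != v]
```

Running validate_settings before the policy executes catches the AuditLogAgeLimit=180 mistake described above, and verify_against_returned shows why a value that is semantically right but formatted differently still fails the exact comparison.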
Create Guest User Accounts
Creates guest user accounts in Azure AD by sending invitations:
Required Attributes:
invited_user_email_address - Email address of the person to invite
invite_redirect_url - URL where the user is redirected after accepting the invitation
Optional Attributes:
principal_name - User principal name (if not provided, generated from email)
display_name - Display name (if not provided, generated from email)
mail_nickname - Mail nickname (if not provided, generated from email)
Other standard user attributes as needed
Manage Relationships
Controls relationships between users and Azure AD entities:
Supported Relationship Types:
Groups: Add or remove users from Azure AD groups
Roles: Assign or remove Azure AD roles
Licenses: Assign or remove license assignments
Distribution Lists: Manage Exchange Online distribution list memberships
Assignee Types: Azure AD Users
Supports Removing Relationships: Yes
Distribution Lists: When managing distribution list memberships, use the Exchange Online Distribution Group entity type. The Microsoft Graph API cannot modify distribution lists or mail-enabled security groups.
Create Email
Creates or enables email functionality for users in Azure AD:
Implementation: Assigns Exchange Online license to the user
Requirements: Available Exchange Online license in your tenant
Results: Email-enabled user account with Exchange Online capabilities
Create Entitlement
Creates new entitlements in Azure AD, including groups and distribution lists:
Azure AD Group Creation:
Required Attributes: name
Optional Attributes:
mail_enabled - Whether the group is mail-enabled
is_security_group - Whether it's a security group
visibility - Privacy setting (Public, Private, HiddenMembership)
description - Group description
Distribution Group Creation:
Required Attributes: name
Optional Attributes:
identity - Unique identifier
alias - Email alias
primary_smtp_address - Primary email address
group_type - Type of distribution group
Deprovision Identity
When a user is deprovisioned:
Entity Type: Azure AD Users
Remove All Relationships: Yes (Removes group memberships, role assignments, and license assignments)
De-provisioning Method: Disabled (Users are marked as disabled rather than deleted)
Additional Options:
User Logout - Force user to log out from all active sessions
Remove All Licenses - Remove all license assignments
Remove All Personal Devices - Remove device registrations
Disable Guest Accounts
Specifically handles deprovisioning of guest user accounts:
Required Attributes:
invited_user_email_address - Email address of the guest user
Optional Attributes:
display_name - Display name of the guest user
Custom Properties
Azure AD integration supports custom properties defined in your tenant. These can be configured in the integration settings and used in attribute transformers for Lifecycle Management actions.
Reset Password
Allows password reset operations for Azure AD users:
Entity Type: Azure AD Users
Unique Identifiers: Can use principal_name, mail_nickname, or invited_user_email_address. At least one unique identifier is required to identify the user.
Non-idempotent Action: Each execution creates a new password reset event
Complex Password Support: Supports complex password requirements per Azure AD policy
Password Profile Attributes:
Attributes for Reset Password

| Attribute | Required | Type | Description | Notes |
|---|---|---|---|---|
| principal_name | No* | String | User Principal Name | Can be used as unique identifier |
| mail_nickname | No* | String | Mail nickname | Can be used as unique identifier |
| invited_user_email_address | No* | String | Email address for guest users | Can be used as unique identifier for guest accounts |
| password_profile_force_change_password_next_sign_in | No | Boolean | Require user to change password at next login | |
| password_profile_force_change_password_next_sign_in_with_mfa | No | Boolean | Require MFA when changing password at next login | |
| password_profile_password | No | String | New password value | Must meet Azure AD complexity requirements; autogenerated if not provided |

* At least one of principal_name, mail_nickname, or invited_user_email_address must be provided to identify the user.
Notes:
If no password is provided, a secure password will be generated automatically
Password must meet your Azure AD password policy requirements
Available options include forcing password change on next sign-in and requiring MFA
Uses Microsoft Graph API user update endpoint for password changes