Release Notes

Azure AD (Microsoft Entra ID)

Configuring the Azure integration for Veza Lifecycle Management

Overview

The Veza integration for Azure AD (Microsoft Entra ID) enables automated user provisioning, access management, and de-provisioning capabilities as a target system. This integration allows you to provision users from authoritative sources, manage group memberships, assign licenses, and automate the user lifecycle based on changes in external identity sources.

Action Type
Description
Supported

SYNC_IDENTITIES

Synchronizes identity attributes between systems, with options to create new identities and update existing ones

MANAGE_RELATIONSHIPS

Controls entitlements such as group memberships, role assignments, and license assignments

CREATE_GUEST_USER

Creates guest user accounts by sending invitations

CREATE_ENTITLEMENT

Creates new entitlements in Azure AD, including groups and distribution lists

CREATE_EMAIL

Creates or enables email functionality for users

DEPROVISION_IDENTITY

Safely removes or disables access for identities, includes user logout support

DISABLE_GUEST_ACCOUNT

Specifically handles deprovisioning of guest user accounts

RESET_PASSWORD

Allows password reset operations for Azure AD users

This document includes steps to enable the Azure integration for use in Lifecycle Management, along with supported actions and notes. See Supported Actions for more details.

Enabling Lifecycle Management for Azure

Prerequisites

  1. You will need administrative access in Veza to configure the integration.

  2. Ensure you have an existing Azure integration in Veza or add a new one for use with Lifecycle Management.

  3. Verify your Azure integration has completed at least one successful extraction.

  4. The Azure integration will need the following additional Microsoft Graph API permissions:

    • Directory.ReadWrite.All - Required for creating, updating, and managing directory objects

    • Group.ReadWrite.All - Required for creating and managing groups

    • GroupMember.ReadWrite.All - Required for managing group memberships

    • User.EnableDisableAccount.All - Required for enabling/disabling user accounts

Configuration Steps

To enable the integration:

  1. In Veza, go to the Integrations overview

  2. Search for or create an Azure integration

  3. Check the box to Enable usage for Lifecycle Management

  4. For complete Azure integration setup instructions, including how to create an App Registration and grant permissions, please refer to the Azure Integration Guide

To verify the health of the Lifecycle Management data source:

  1. Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview

  2. Search for the integration and click the name to view details

  3. In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled

Supported Actions

Azure AD serves as a target for identity management actions in Lifecycle Management Policies, based on changes in another external source of truth (such as Workday, Okta, or Oracle HCM) or as part of a workflow.

Note: Azure AD is not currently supported as a source of identity for Lifecycle Management. It can only be used as a target system for provisioning, deprovisioning, and access management actions.

The integration supports the following lifecycle management Actions:

Sync Identities

Primary action for user management (creating or updating users):

  • Entity Types: Azure AD User

  • Create Allowed: Yes (New user identities can be created if not found)

The following attributes can be synchronized:

Azure AD User Attributes
Property
Required
Type
Description
Notes

principal_name

Yes

String

User Principal Name

Unique identifier

mail_nickname

Yes

String

Mail nickname

display_name

Yes

String

Display name

account_enabled

No

Boolean

Enable/disable account

country_or_region

No

String

User's country or region

department

No

String

User's department

employee_id

No

String

Employee identifier

employee_type

No

String

Employee type

first_name (given_name)

No

String

User's first name

job_title

No

String

Job title or position

email

No

String

Email address

manager_principal_name

No

String

Manager's principal name

office

No

String

Office location

other_mails

No

Array

Additional email addresses

password_policies

No

String

Password policy settings

password_profile_force_change_password_next_sign_in

No

Boolean

Force password change on next sign-in

password_profile_password

No

String

Initial password setting

nickname

No

String

User's nickname

street_address

No

String

Street address

last_name (surname)

No

String

User's last name

usage_location

No

String

Usage location for licensing

user_type

No

String

Type of user

Create Guest User Accounts

Creates guest user accounts in Azure AD by sending invitations:

  • Required Attributes:

    • invited_user_email_address - Email address of the person to invite

    • invite_redirect_url - URL where the user is redirected after accepting the invitation

  • Optional Attributes:

    • principal_name - User principal name (if not provided, generated from email)

    • display_name - Display name (if not provided, generated from email)

    • mail_nickname - Mail nickname (if not provided, generated from email)

    • Other standard user attributes as needed

Manage Relationships

Controls relationships between users and Azure AD entities:

  • Supported Relationship Types:

    • Groups: Add or remove users from Azure AD groups

    • Roles: Assign or remove Azure AD roles

    • Licenses: Assign or remove license assignments

    • Distribution Lists: Manage Exchange Online distribution list memberships

  • Assignee Types: Azure AD Users

  • Supports Removing Relationships: Yes

Create Email

Creates or enables email functionality for users in Azure AD:

  • Implementation: Assigns Exchange Online license to the user

  • Requirements: Available Exchange Online license in your tenant

  • Results: Email-enabled user account with Exchange Online capabilities

Create Entitlement

Creates new entitlements in Azure AD, including groups and distribution lists:

  • Azure AD Group Creation:

    • Required Attributes: name

    • Optional Attributes:

      • mail_enabled - Whether the group is mail-enabled

      • is_security_group - Whether it's a security group

      • visibility - Privacy setting (Public, Private, HiddenMembership)

      • description - Group description

  • Distribution Group Creation:

    • Required Attributes: name

    • Optional Attributes:

      • identity - Unique identifier

      • alias - Email alias

      • primary_smtp_address - Primary email address

      • group_type - Type of distribution group

Deprovision Identity

When a user is deprovisioned:

  • Entity Type: Azure AD Users

  • Remove All Relationships: Yes (Removes group memberships, role assignments, and license assignments)

  • De-provisioning Method: Disabled (Users are marked as disabled rather than deleted)

  • Additional Options:

    • User Logout - Force user to log out from all active sessions

    • Remove All Licenses - Remove all license assignments

    • Remove All Personal Devices - Remove device registrations

Disable Guest Accounts

Specifically handles deprovisioning of guest user accounts:

  • Required Attributes:

    • invited_user_email_address - Email address of the guest user

  • Optional Attributes:

    • display_name - Display name of the guest user

Custom Properties

Azure AD integration supports custom properties defined in your tenant. These can be configured in the integration settings and used in attribute transformers for Lifecycle Management actions.

Reset Password

Allows password reset operations for Azure AD users:

  • Entity Type: Azure AD Users

  • Unique Identifiers: Can use principal_name, mail_nickname, or invited_user_email_address. At least one unique identifier is required to identify the user

  • Non-idempotent Action: Each execution creates a new password reset event

  • Complex Password Support: Supports complex password requirements per Azure AD policy

Password Profile Attributes:

Attributes for Reset Password
Property
Required
Type
Description
Notes

principal_name

No*

String

User Principal Name

Can be used as unique identifier

mail_nickname

No*

String

Mail nickname

Can be used as unique identifier

invited_user_email_address

No*

String

Email address for guest users

Can be used as unique identifier for guest accounts

password_profile_force_change_password_next_sign_in

No

Boolean

Require user to change password at next login

password_profile_force_change_password_next_sign_in_with_mfa

No

Boolean

Require MFA when changing password at next login

password_profile_password

No

String

New password value

Must meet Azure AD complexity requirements; autogenerated if not provided

Notes:

  • If no password is provided, a secure password will be generated automatically

  • Password must meet your Azure AD password policy requirements

  • Available options include forcing password change on next sign-in and requiring MFA

  • Uses Microsoft Graph API user update endpoint for password changes

PreviousAtlassian CloudNextCoupa Contingent Workforce

Last updated

Was this helpful?