Microsoft AD
Adding on-prem AD to the Veza authorization graph
This topic is for legacy Active Directory Domain Services. Azure AD is automatically parsed for configured Azure tenants.
Veza discovers Active Directory entities and authorization by connecting as a read-only user with an LDAP certificate. To enable a secure connection to the AD Domain Controller, the integration is typically configured to use an Insight Point deployed within your cloud environment.
See Notes and Supported Entities for more detail on how Veza converts AD User properties for use in search filters or to refine Access Review queries.
Prerequisites
To configure a new Active Directory integration, you will need the following:
Host and port for an AD Domain Controller (preferably the domain controller with the PDC emulator FSMO role role)
Username and password for Active Directory user with Read Only access to the Domain
The FQDN of the AD DS Domain.
LDAPS Enabled on the Domain Controller connecting to and the Root or Leaf Certification securing LDAPS on the AD DC.
An Insight Point with network connectivity to the AD DC (TCP 636) (see instructions for Docker-based deployment).
Get or Generate an LDAP certificate
If LDAPS is already enabled, Veza only requires the public certificate to validate the LDAPS Connection.
To get this certificate using python:
To retrieve an LDAPS certificate using openssl
:
If LDAPS was not already enabled, follow the steps below to generate a new certificate that includes a Subject Alternative Name (SAN). To get a new certificate with certreq.exe:
Please only follow these instructions if you do not already have LDAPS enabled on your AD DC.
Prepare the
request.inf
configuration file (see example below)Generate cert request from the .inf file:
certreq -new request.inf request.req
Submit the request to a CA (output is RequestID).
certreq -submit request.req certnew.cer
You might need to specify a Certificate Template as part of the submit command, for example:certreq -submit -attrib "certificatetemplate:webserver" request.req
Use the Request ID number to retrieve the certificate:
certreq -retrieve RequestID certnew.cer
Accept the issued certificate:
certreq -accept certnew.cer
The certificate must use the SAN, as shown in the [Extensions]
block in the example configuration:
For more information see the Microsoft documentation to add a subject alternative name to a secure LDAP certificate.
Registering a new AD provider
Browse to Configuration > Identity Providers, click Add new, and select Active Directory from the dropdown.
Field | Description |
---|---|
Data Plane | Use the default selection unless using an Insight Point for the connection |
Name | Name to use for the AD connection in Veza |
Host | Network address for the Domain Controller to connect to |
Port | Port serving LDAPS (Default 636) |
Username | Active Directory user to bind to the LDAP Connection (Recommended to use the UserPrincipalName) |
Password | Password for the Active Directory user |
Domains | The FQDN of the AD Domain (Only 1 can be listed) |
AD domain fully qualified domain name for cert | Subject Name on the LDAPS Leaf Certificate, should be the AD DC FQDN |
LDAP Certificate | SSL/TLS certificate used to establish the LDAP connection. |
To connect to multiple AD domains, you will need add a new integration for each domain to discover.
LDAP Certificate
andPassword
are secret, and will need to be re-entered if changing the Insight Point used for the AD integration.You can see all extracted AD entities under Data Catalog > Entities. Veza-built queries for Active Directory can be found in Reports and on the Saved Queries page.
Notes and Supported Entities
Active Directory Domain
Active Directory Computer
Active Directory Group
Active Directory User
Active Directory Organizational Unit
Active Directory Managed Service Account
Veza discovers built-in attributes for Active Directory Users, which can be used to specify the scope of Access Reviews and filter search results. In some cases, Veza derives values from other properties, or changes AD property names for consistency with other integrations.
To discover custom properties created in Active Directory, specify them by name and type in the Custom Properties section when configuring the integration.
To discover additional built-in properties, please contact our support team with more detail about your case.
Attribute | Standard AD User Property |
---|---|
Account Name | sAMAccountName |
Account Type | objectClass (User Object) |
Active Directory Domain | userPrincipalName (domain part) |
City | l (City) |
Common Name | cn (Common Name) |
Company | company |
Country Code | c (Country Code) |
Country Or Region | co (Country) |
Created At | whenCreated |
Department | department |
Description | description |
Display Name | displayName |
Distinguished Name | distinguishedName |
Domain Admin | memberOf (Domain Admins group) |
First Name | givenName |
Given Name | givenName |
Idp Unique Id | userPrincipalName |
Is Active | userAccountControl (Active flag) |
Is Locked | userAccountControl (Locked flag) |
Job Title | title |
Last Name | sn (Surname) |
Lower Email | (Derived from mail attribute) |
Manager | manager |
Manager Principal Name | (Derived from manager attribute) |
Office | physicalDeliveryOfficeName |
Password Last Set | pwdLastSet |
Physical Delivery Office Name | physicalDeliveryOfficeName |
Postal Code | postalCode |
Primary Group Id | primaryGroupID |
Sid | objectSid |
State Or Province Name | st (State) |
Street Address | streetAddress |
Sur Name | sn (Surname) |
Title | title |
User Principal Name | userPrincipalName |
User Password Expiration | (Derived from pwdLastSet and domain policy) |
Full Admin | True when a given User is a member of either the Administrators or Domain Admins group |
Last updated