Configuring the Azure integration for Veza Lifecycle Management
The Veza integration for Azure AD (Microsoft Entra ID) enables automated user provisioning, access management, and de-provisioning capabilities. This integration allows you to synchronize identity information, manage group memberships, assign licenses, and automate the user lifecycle from onboarding to offboarding.
| Capability | Description | Supported |
|---|---|---|
| SYNC_IDENTITIES | Synchronizes identity attributes between systems, with options to create new identities and update existing ones | ✅ |
| MANAGE_RELATIONSHIPS | Controls entitlements such as group memberships, role assignments, and license assignments | ✅ |
| CREATE_GUEST_USER | Creates guest user accounts by sending invitations | ✅ |
| CREATE_ENTITLEMENT | Creates new entitlements in Azure AD, including groups and distribution lists | ✅ |
| CREATE_EMAIL | Creates or enables email functionality for users | ✅ |
| DEPROVISION_IDENTITY | Safely removes or disables access for identities, including user logout support | ✅ |
| DISABLE_GUEST_ACCOUNT | Specifically handles deprovisioning of guest user accounts | ✅ |
| SOURCE_OF_IDENTITY | Azure AD can act as a source system for identity lifecycle policies | ✅ |
Prerequisites:
- You will need administrative access in Veza to configure the integration.
- Verify that your Azure integration has completed at least one successful extraction.
- The Azure integration will need the following additional Microsoft Graph API permissions:
  - Directory.ReadWrite.All - Required for creating, updating, and managing directory objects
  - Group.ReadWrite.All - Required for creating and managing groups
  - GroupMember.ReadWrite.All - Required for managing group memberships
  - User.EnableDisableAccount.All - Required for enabling/disabling user accounts
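The four Graph application permissions above are granted to the app registration's service principal as app role assignments, so they can be audited before enabling Lifecycle Management. The following is an added example (not Veza's own code) that compares the granted assignments against the required set and also reports anything granted beyond it, as a least-privilege check; the service principal ids, role GUIDs and assignment records are constructed sample data in the shape Microsoft Graph returns from `GET /servicePrincipals/{id}/appRoleAssignments` and from the Graph service principal's `appRoles` list.

```python
REQUIRED_GRAPH_PERMISSIONS = {
    "Directory.ReadWrite.All",
    "Group.ReadWrite.All",
    "GroupMember.ReadWrite.All",
    "User.EnableDisableAccount.All",
}

# Constructed: object id of the Microsoft Graph service principal in the tenant.
GRAPH_SP_ID = "00000000-aaaa-bbbb-cccc-000000000001"
# Constructed: object id of some other resource (e.g. an Exchange API) to show filtering.
OTHER_SP_ID = "00000000-aaaa-bbbb-cccc-000000000002"

# Constructed: appRoles published by the Graph service principal (placeholder GUIDs).
GRAPH_APP_ROLES = [
    {"id": "11111111-0000-0000-0000-000000000001", "value": "Directory.ReadWrite.All"},
    {"id": "11111111-0000-0000-0000-000000000002", "value": "Group.ReadWrite.All"},
    {"id": "11111111-0000-0000-0000-000000000003", "value": "GroupMember.ReadWrite.All"},
    {"id": "11111111-0000-0000-0000-000000000004", "value": "User.EnableDisableAccount.All"},
    {"id": "11111111-0000-0000-0000-000000000005", "value": "Mail.ReadWrite"},
]

# Constructed: app role assignments granted to the Veza app's service principal.
VEZA_APP_ROLE_ASSIGNMENTS = [
    {"appRoleId": "11111111-0000-0000-0000-000000000001", "resourceId": GRAPH_SP_ID},
    {"appRoleId": "11111111-0000-0000-0000-000000000002", "resourceId": GRAPH_SP_ID},
    {"appRoleId": "11111111-0000-0000-0000-000000000005", "resourceId": GRAPH_SP_ID},
    {"appRoleId": "22222222-0000-0000-0000-000000000009", "resourceId": OTHER_SP_ID},
]


def audit_graph_permissions(assignments, graph_app_roles, graph_sp_id,
                            required=REQUIRED_GRAPH_PERMISSIONS):
    """Return (missing, unexpected): required Graph permissions that are not
    granted, and granted Graph permissions outside the required set."""
    id_to_value = {role["id"]: role["value"] for role in graph_app_roles}
    granted = set()
    for assignment in assignments:
        # Only assignments against the Graph service principal are Graph permissions.
        if assignment["resourceId"] != graph_sp_id:
            continue
        value = id_to_value.get(assignment["appRoleId"])
        # An unknown role id is surfaced rather than silently dropped.
        granted.add(value if value is not None else f"unknown:{assignment['appRoleId']}")
    return sorted(required - granted), sorted(granted - required)


if __name__ == "__main__":
    missing, unexpected = audit_graph_permissions(
        VEZA_APP_ROLE_ASSIGNMENTS, GRAPH_APP_ROLES, GRAPH_SP_ID)
    print("missing:", missing)
    print("unexpected:", unexpected)
```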
To enable the integration:
1. In Veza, go to the Integrations overview.
2. Search for or create an Azure integration.
3. Check the box to Enable usage for Lifecycle Management.

To verify the health of the Lifecycle Management data source:
1. Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview.
2. Search for the integration and click the name to view details.
3. In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled.
Azure AD can also be a target for identity management actions, based on changes in another external source of truth or as part of a workflow.

SYNC_IDENTITIES
Primary action for user management (creating or updating users):
- Entity Types: Azure AD User
- Create Allowed: Yes (new user identities can be created if not found)
The following attributes can be synchronized:
CREATE_GUEST_USER
Creates guest user accounts in Azure AD by sending invitations:
- Required Attributes:
  - invited_user_email_address - Email address of the person to invite
  - invite_redirect_url - URL where the user is redirected after accepting the invitation
- Optional Attributes:
  - principal_name - User principal name (if not provided, generated from the email address)
  - display_name - Display name (if not provided, generated from the email address)
  - mail_nickname - Mail nickname (if not provided, generated from the email address)
  - Other standard user attributes as needed
MANAGE_RELATIONSHIPS
Controls relationships between users and Azure AD entities:
- Supported Relationship Types:
  - Groups: Add or remove users from Azure AD groups
  - Roles: Assign or remove Azure AD roles
  - Licenses: Assign or remove license assignments
  - Distribution Lists: Manage Exchange Online distribution list memberships
- Assignee Types: Azure AD Users
- Supports Removing Relationships: Yes
CREATE_EMAIL
Creates or enables email functionality for users in Azure AD:
- Implementation: Assigns an Exchange Online license to the user
- Requirements: An available Exchange Online license in your tenant
- Results: Email-enabled user account with Exchange Online capabilities
CREATE_ENTITLEMENT
Creates new entitlements in Azure AD, including groups and distribution lists:
- Azure AD Group Creation:
  - Required Attributes: name
  - Optional Attributes:
    - mail_enabled - Whether the group is mail-enabled
    - is_security_group - Whether it is a security group
    - visibility - Privacy setting (Public, Private, HiddenMembership)
    - description - Group description
- Distribution Group Creation:
  - Required Attributes: name
  - Optional Attributes:
    - identity - Unique identifier
    - alias - Email alias
    - primary_smtp_address - Primary email address
    - group_type - Type of distribution group
DEPROVISION_IDENTITY
When a user is deprovisioned:
- Entity Type: Azure AD Users
- Remove All Relationships: Yes (removes group memberships, role assignments, and license assignments)
- De-provisioning Method: Disabled (users are marked as disabled rather than deleted)
- Additional Options:
  - User Logout - Force the user to log out from all active sessions
  - Remove All Licenses - Remove all license assignments
  - Remove All Personal Devices - Remove device registrations
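Because the action disables rather than deletes the account, a deprovisioned user should still exist in the directory with no remaining group or role memberships and no licenses (and, when the device option is enabled, no registered devices). The following is an added example (not Veza's own code) that verifies that end state from a user record; the record is constructed sample data in the shape of a Microsoft Graph user with its `memberOf`, `assignedLicenses` and `registeredDevices` relationships expanded, and the UPN, SKU and display names are placeholders.

```python
# Constructed: a user after a deprovisioning run that left one role and one license behind.
SAMPLE_USER = {
    "userPrincipalName": "jdoe@example.com",
    "accountEnabled": False,
    "memberOf": [
        {"@odata.type": "#microsoft.graph.directoryRole", "displayName": "Groups Administrator"},
    ],
    "assignedLicenses": [{"skuId": "33333333-0000-0000-0000-000000000001"}],
    "registeredDevices": [{"displayName": "JDOE-LAPTOP"}],
}

# Constructed: the same user in the expected post-deprovisioning state.
CLEAN_USER = {
    "userPrincipalName": "jdoe@example.com",
    "accountEnabled": False,
    "memberOf": [],
    "assignedLicenses": [],
    "registeredDevices": [],
}


def verify_deprovisioned(user, remove_devices=False):
    """Return a list of findings describing how the user deviates from the
    expected deprovisioned state; an empty list means the checks all passed.
    Pass None for a user that no longer exists in the directory."""
    if user is None:
        # The action's method is "Disabled", so a missing object is itself a finding.
        return ["user not found: expected a disabled account, not a deleted one"]
    findings = []
    if user.get("accountEnabled", True):
        findings.append("account is still enabled")
    for member in user.get("memberOf", []):
        # memberOf mixes groups and directory roles; the @odata.type tells them apart.
        kind = member.get("@odata.type", "unknown").rsplit(".", 1)[-1]
        findings.append(f"remaining {kind} membership: {member.get('displayName')}")
    if user.get("assignedLicenses"):
        findings.append(f"{len(user['assignedLicenses'])} license(s) still assigned")
    if remove_devices and user.get("registeredDevices"):
        findings.append(f"{len(user['registeredDevices'])} registered device(s) remain")
    return findings


if __name__ == "__main__":
    for finding in verify_deprovisioned(SAMPLE_USER, remove_devices=True):
        print(SAMPLE_USER["userPrincipalName"], "-", finding)
```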
DISABLE_GUEST_ACCOUNT
Specifically handles deprovisioning of guest user accounts:
- Required Attributes:
  - invited_user_email_address - Email address of the guest user
- Optional Attributes:
  - display_name - Display name of the guest user
The Azure AD integration supports custom properties defined in your tenant. These can be configured in the integration settings and used in attribute transformers for Lifecycle Management actions.
This document includes steps to enable the Azure integration for use in Lifecycle Management, along with supported actions and notes. See for more details.
Ensure you have an existing in Veza or add a new one for use with Lifecycle Management.
For complete Azure integration setup instructions, including how to create an App Registration and grant permissions, please refer to the
Azure AD can serve as a source for identity information in Lifecycle Management . User identity details are synchronized from Azure AD with changes propagated to connected systems.
The integration supports the following lifecycle management :