To synchronize your users from Azure AD to Beekeeper, follow the steps below.
Add an app in the Microsoft portal
- Go to https://apps.dev.microsoft.com/
- Click on Add an app
- Give the app a name, e.g. “Beekeeper User Sync”, and uncheck “Let us help you get started”
- Copy and store the generated password
- Copy and store the Application ID shown on the page
- Change the permissions to have no delegated permissions and grant the “User.Read.All” application permission
- Click Save
- Click Edit Application Manifest
- Replace the value of the “oauth2Permissions” attribute with the code below (you can edit the consent descriptions to your preferences):
  "oauth2Permissions": [
    {
      "id": "974c519c-e5c1-424b-ac8d-4bb632f455ec",
      "isEnabled": true,
      "lang": null,
      "type": "User",
      "value": "access_as_user",
      "adminConsentDescription": "Allow the Beekeeper user sync application to access all user directory information.",
      "adminConsentDisplayName": "Beekeeper User Sync (Admin)",
      "userConsentDescription": "Allow the Beekeeper user sync application to access your information.",
      "userConsentDisplayName": "Beekeeper User Sync (You)"
    }
  ],
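As an added example (not Beekeeper's or Microsoft's code), the following Python script shows how to apply the oauth2Permissions entry above to an exported manifest and then check the two things the permission step asks for: that the scope id is a well-formed GUID, and that no delegated ("Scope") permissions remain in requiredResourceAccess, only application ("Role") permissions. The sample manifest and every GUID in it other than the scope id from the page are constructed placeholders, not values from a real tenant.

```python
import json
import uuid

# Constructed sample: a trimmed-down application manifest as exported from the
# portal, before the oauth2Permissions entry from the steps above is applied.
# All ids below are placeholders, not identifiers from any real tenant or API.
SAMPLE_MANIFEST = json.dumps({
    "appId": "00000000-0000-0000-0000-000000000000",
    "oauth2Permissions": [],
    "requiredResourceAccess": [
        {
            "resourceAppId": "00000000-0000-0000-0000-00000000aaaa",
            "resourceAccess": [
                # "Role" = application permission (what the sync app needs)
                {"id": "00000000-0000-0000-0000-00000000bbbb", "type": "Role"},
                # "Scope" = delegated permission (should be removed per the steps)
                {"id": "00000000-0000-0000-0000-00000000cccc", "type": "Scope"},
            ],
        }
    ],
})

# The oauth2Permissions entry from the page, as a Python dict.
SCOPE_ENTRY = {
    "id": "974c519c-e5c1-424b-ac8d-4bb632f455ec",
    "isEnabled": True,
    "lang": None,
    "type": "User",
    "value": "access_as_user",
    "adminConsentDescription": "Allow the Beekeeper user sync application to access all user directory information.",
    "adminConsentDisplayName": "Beekeeper User Sync (Admin)",
    "userConsentDescription": "Allow the Beekeeper user sync application to access your information.",
    "userConsentDisplayName": "Beekeeper User Sync (You)",
}


def apply_scope(manifest_text, entry):
    """Replace the manifest's oauth2Permissions with a single entry.

    The entry id must be a valid GUID; uuid.UUID raises ValueError otherwise,
    which is cheaper than finding out when the portal rejects the manifest.
    """
    manifest = json.loads(manifest_text)
    uuid.UUID(entry["id"])
    manifest["oauth2Permissions"] = [entry]
    return manifest


def delegated_permissions(manifest):
    """Return ids of any delegated ("Scope") permissions still requested.

    The steps above require none: the sync app should hold only the
    application ("Role") permission it needs, which keeps it least-privilege.
    """
    found = []
    for resource in manifest.get("requiredResourceAccess", []):
        for access in resource.get("resourceAccess", []):
            if access.get("type") == "Scope":
                found.append(access["id"])
    return found


def check_manifest(manifest_text, entry=SCOPE_ENTRY):
    """Apply the scope entry and report leftover delegated permissions."""
    manifest = apply_scope(manifest_text, entry)
    return manifest, delegated_permissions(manifest)


if __name__ == "__main__":
    updated, leftovers = check_manifest(SAMPLE_MANIFEST)
    print(json.dumps(updated["oauth2Permissions"], indent=2))
    if leftovers:
        print("delegated permissions still present:", leftovers)
```

Run it against a manifest downloaded from the portal instead of SAMPLE_MANIFEST to confirm the permission change took effect before you request consent; any id it lists under "delegated permissions still present" should be removed first.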
Consent for access
- Go to https://login.microsoftonline.com/<YOUR_AD_DOMAIN>/adminconsent?client_id=<APPLICATION_ID> replacing <YOUR_AD_DOMAIN> with your Azure AD domain (e.g. beekeeper.io) and <APPLICATION_ID> with the application ID from step 5 in the previous section.
- Consent to the access: the response appears in a dialogue box, but you can set up a redirect in the manifest to go directly to the app.
Setting up a redirect
- To set up a redirect there are two values to set, both at the root level of the manifest: “replyUrls” and “signInUrl”. If we wanted, we could set up a dedicated redirect page that says something like: “Yay it worked, you’re all set!”. Or we could just redirect to our home page, as in this example:
  "replyUrls": [
    "https://beekeeper.io"
  ],
  "signInUrl": "https://beekeeper.io"
- Request a secure box.beekeeper.io link from your CSM/CSE to share the Application ID, Password and the AD Domain with them to configure the user sync application. Do NOT share this information via email.
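As an added example (not Beekeeper's or Microsoft's code), this Python script builds the admin consent URL from the steps above and parses the redirect that comes back to the reply URL. It goes slightly beyond the page by adding a `state` value, which lets the handler behind the redirect confirm that the response belongs to a consent request it actually started. The redirect query parameters it reads (`tenant`, `admin_consent`, `error`, `error_description`, `state`) are assumed from the consent endpoint's documented response; the domain, application ID and tenant ID in the sample are constructed placeholders.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORITY = "https://login.microsoftonline.com"


def build_admin_consent_url(ad_domain, application_id, redirect_uri, state):
    """Build the adminconsent URL from the steps above.

    redirect_uri must be one of the manifest's replyUrls; state is an opaque
    value generated per request so the redirect can be matched to it.
    """
    query = urlencode({
        "client_id": application_id,
        "redirect_uri": redirect_uri,
        "state": state,
    })
    return f"{AUTHORITY}/{ad_domain}/adminconsent?{query}"


def new_state():
    """Unpredictable per-request state value (32 hex characters)."""
    return secrets.token_hex(16)


def parse_consent_redirect(redirect_url, expected_state):
    """Interpret the redirect the consent endpoint sends to the reply URL.

    Returns a dict describing the outcome. Raises ValueError when the state
    does not match, because such a redirect was not produced by our request.
    """
    parts = urlsplit(redirect_url)
    params = {key: values[0] for key, values in parse_qs(parts.query).items()}
    if params.get("state") != expected_state:
        raise ValueError("state mismatch: redirect does not belong to our consent request")
    if "error" in params:
        # Assumed error shape: error code plus a human-readable description.
        return {
            "granted": False,
            "error": params["error"],
            "description": params.get("error_description", ""),
        }
    granted = params.get("admin_consent", "").lower() == "true"
    return {"granted": granted, "tenant": params.get("tenant")}


if __name__ == "__main__":
    state = new_state()
    # Placeholder domain and application id, not real values.
    print(build_admin_consent_url("example.com",
                                  "00000000-0000-0000-0000-000000000000",
                                  "https://beekeeper.io", state))
    # Constructed sample of a successful redirect back to the reply URL.
    sample = ("https://beekeeper.io/?tenant=11111111-1111-1111-1111-111111111111"
              f"&state={state}&admin_consent=True")
    print(parse_consent_redirect(sample, state))
```

When consent succeeds the redirect carries the tenant ID the admin consented for; record it alongside the Application ID, since the sync application needs the tenant as well as the credentials handed over through the secure link.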