Setyl's Microsoft 365 Azure Active Directory Integration: A Comprehensive Guide

This guide covers all aspects of integrating Microsoft 365/Azure/Entra with Setyl's platform.

Microsoft 365 Azure Active Directory (Azure AD) is a cloud-based identity and access management service that provides authentication and authorization for users and devices across various cloud applications and services, including Microsoft 365. It enables administrators to manage user accounts, permissions, and security policies for their organization. With Azure AD, users can access applications and resources using a single set of credentials, and administrators can enforce policies for access, security, and identity management.

Setyl provides a core integration to Microsoft 365 Azure Active Directory, which enables Setyl to synchronize:

  • Employees: referencing Microsoft 365 Azure Active Directory’s user list, this is used to populate a complete list of employees on Setyl
  • Organizational structure: formed from user profile and org unit information on Microsoft 365 Azure Active Directory, this can optionally be used to import locations, departments, legal entities and more on Setyl
  • Applications: based on applications and services that employees have signed into using the Organization’s Azure Active Directory service (the “Sign in with Microsoft” button)
  • Assets/Devices: based on the list of devices stored within Microsoft Intune


Information Synchronized

The information imported for each of the above areas includes:

  • Employee name
  • Employee email
  • Employee job title
  • Employee profile photo
  • Other employee information, accessible from within Active Directory and related Microsoft 365 information. This is primarily used as the basis for populating the Organizational structure
  • Connected applications, used for populating Applications
  • Assets and devices listed within Intune, provided via Setyl's built-in MDM integration

Synchronization of Locations, Legal Entities and Departments

Setyl uses the Microsoft Graph API as a basis for importing Locations, Legal Entities and Departments.


The following Microsoft Graph user fields are used:

  • officeLocation -> Location
  • employeeOrgData \ division -> Legal Entity
  • department -> Department
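The mapping above, written out as an added example (not Setyl's own code): it selects the three Graph user properties the page names, maps them onto Location, Legal Entity and Department, and tolerates users whose employeeOrgData or officeLocation is null. The user payload is a constructed sample in the shape of Graph v1.0 /users objects.

```python
"""Map Microsoft Graph user objects onto Setyl's organizational fields.

Added example, not Setyl's own code. Assumes Graph v1.0 /users objects;
the sample payload below is constructed.
"""
from typing import Optional

# Graph properties the page says are read, requested via $select so the
# integration fetches only what it maps.
GRAPH_SELECT = "id,displayName,mail,jobTitle,officeLocation,department,employeeOrgData"
USERS_URL = "https://graph.microsoft.com/v1.0/users?$select=" + GRAPH_SELECT

# Constructed sample: one fully populated user, one with no employeeOrgData.
SAMPLE_USERS = [
    {"id": "u1", "displayName": "Ada Example", "mail": "ada@example.com",
     "jobTitle": "Engineer", "officeLocation": "London", "department": "R&D",
     "employeeOrgData": {"division": "Example Ltd", "costCenter": "CC-1"}},
    {"id": "u2", "displayName": "Bo Example", "mail": "bo@example.com",
     "jobTitle": None, "officeLocation": None, "department": "Finance",
     "employeeOrgData": None},
]

def _clean(value: Optional[str]) -> Optional[str]:
    """Treat null, empty and whitespace-only strings as 'not set'."""
    if value is None:
        return None
    value = value.strip()
    return value or None

def map_org_fields(user: dict) -> dict:
    """officeLocation -> Location, employeeOrgData.division -> Legal Entity, department -> Department."""
    org = user.get("employeeOrgData") or {}   # employeeOrgData may be null
    return {
        "location": _clean(user.get("officeLocation")),
        "legal_entity": _clean(org.get("division")),
        "department": _clean(user.get("department")),
    }

def distinct_values(users: list[dict]) -> dict[str, set[str]]:
    """Collect the distinct Locations, Legal Entities and Departments to import."""
    out: dict[str, set[str]] = {"location": set(), "legal_entity": set(), "department": set()}
    for user in users:
        for key, value in map_org_fields(user).items():
            if value is not None:
                out[key].add(value)
    return out

if __name__ == "__main__":
    print(USERS_URL)
    print(distinct_values(SAMPLE_USERS))
```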


Connecting the Microsoft 365 Azure Active Directory Integration

Connecting Microsoft 365 Azure Active Directory normally takes less than one minute, provided you have the correct level of administrative access to Microsoft.

Checking permissions: a quick rule of thumb is to check that you're able to access admin.microsoft.com. Some Organizations restrict access further than the Microsoft default, so passing this check does not guarantee that you hold the required role (see the list of directory roles below).

To connect Setyl with Microsoft 365 Azure Active Directory:

  1. Go to app.setyl.com and log in. If someone else in the Organization is needed for the correct permission levels to make the connection, add them as a user within Setyl (‘+’ button > Create Person > enter their information and change the role type to “Owner”). Once saved, they will be able to sign in via app.setyl.com using Microsoft SSO.
  2. Within Setyl, go to Settings > Integrations, and find the Microsoft 365 Azure Active Directory option from the list. Click connect.
  3. You will be redirected to Microsoft's login page, then to a page requesting confirmation that you want to provide Setyl with access to Microsoft. Note: Ensure that you approve this on behalf of the Organization.
  4. You will then be redirected to Setyl, to a mapping screen where you can decide which pieces of information you wish to synchronize from Microsoft 365 Azure Active Directory into Setyl.
  5. Once complete, the synchronization will begin. Depending on the amount of information being transferred, this can take some time and will continue in the background.

Note: You must keep Setyl and Microsoft 365 Azure Active Directory connected permanently for the integration to work. Please do not disconnect Microsoft. We recommend that the person responsible for connecting Setyl to Microsoft maintains access to Setyl, in case the connection ever needs to be re-established.


Ongoing synchronization of data

Through real-time webhooks and periodic synchronization, Setyl will ensure that the information in the Organization’s Microsoft 365 Azure Active Directory remains up to date on Setyl. Some examples include:

  • When a new user is created in Microsoft, this will be immediately synchronized into Setyl and a new user created with an onboarding status
  • When specific user information is updated in Microsoft, this will be either immediately, or over time, synchronized into Setyl
  • When a user is removed from Microsoft, the corresponding Setyl user will be moved to an offboarding status, unless already archived
  • When a user updates their Microsoft profile photo, this is updated within Setyl
  • When a user signs into a new service/application using their Microsoft SSO, this application is detected within Setyl


Microsoft 365 Azure Active Directory Scopes Required for the Integration to Function

The integration will request access to the following API scopes, in order for the Microsoft <> Setyl integration to function as intended:

See info about employees in your Organization: 'email', 'offline_access', 'openid', 'profile', 'User.Read', 'User.Read.All', 'Directory.Read.All', 'AuditLog.Read.All'

Detect applications in use within your Organization: 'Application.Read.All'

Detect assets/devices from Microsoft Intune: 'DeviceManagementManagedDevices.Read.All', 'DeviceManagementApps.Read.All'.
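A tenant administrator can confirm that the consent actually granted matches this documented list. The following is an added example (not Setyl's code) that audits a consent record against the scopes above: it reads the space-separated scope string and consentType from an object in the shape of a Microsoft Graph oauth2PermissionGrant (here a constructed sample with one deliberate extra scope) and reports anything missing or beyond what the guide documents.

```python
"""Audit the consent granted to an integration against its documented scopes.

Added example, not Setyl's own code. SAMPLE_GRANT is a constructed record in the
shape of a Graph oauth2PermissionGrant; 'Mail.Read' is included on purpose to
show how drift from the documented list is reported.
"""

# Delegated scopes this guide says the integration requests, grouped as on the page.
DOCUMENTED_SCOPES = {
    "employees": {"email", "offline_access", "openid", "profile", "User.Read",
                  "User.Read.All", "Directory.Read.All", "AuditLog.Read.All"},
    "applications": {"Application.Read.All"},
    "devices": {"DeviceManagementManagedDevices.Read.All", "DeviceManagementApps.Read.All"},
}

# Constructed sample grant. consentType 'AllPrincipals' means consent was given
# on behalf of the whole organization, as step 3 of the connection flow requires.
SAMPLE_GRANT = {
    "clientId": "<service-principal-object-id placeholder>",
    "consentType": "AllPrincipals",
    "scope": ("email offline_access openid profile User.Read User.Read.All "
              "Directory.Read.All AuditLog.Read.All Application.Read.All "
              "DeviceManagementManagedDevices.Read.All Mail.Read"),
}

ALL_FEATURES = ("employees", "applications", "devices")

def expected_scopes(features=ALL_FEATURES) -> set[str]:
    """Union of the documented scopes for the features the organization chose to sync."""
    return set().union(*(DOCUMENTED_SCOPES[f] for f in features))

def audit_grant(grant: dict, features=ALL_FEATURES) -> dict:
    """Compare a grant's space-separated scope string with the documented set."""
    granted = set(grant.get("scope", "").split())
    expected = expected_scopes(features)
    return {
        "tenant_wide": grant.get("consentType") == "AllPrincipals",
        "missing": sorted(expected - granted),      # a feature may not work
        "unexpected": sorted(granted - expected),   # more access than documented
    }

if __name__ == "__main__":
    print(audit_grant(SAMPLE_GRANT))
```

Pass a subset of features (for example only "employees") when the Organization did not enable application or device sync, so the audit flags those scopes as unexpected rather than expected.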

The user that makes the connection needs to belong to one of the following directory roles within Microsoft Azure/Entra:

  • Global Administrator
  • Global Reader
  • Reports Reader
  • Security Administrator
  • Security Operator
  • Security Reader