Configuring the Azure AD Enricher

Overview

The Azure AD Enricher is a connector that imports user information from Azure Active Directory into Nexthink. It is a component managed by Nexthink that communicates with an Azure app you register in your own Azure portal.

Please follow all the steps presented below before requesting the activation of the Azure AD Enricher.

Step 1 - Register an Azure app

As a first step, you need to connect to your Azure portal to register a new application.

  • During the registration process, select the Single tenant option, so that only accounts from your own directory can use the app.
  • For the Redirect URI, select Web from the drop-down list.
  • When asked for API permissions, add the Microsoft Graph application permission User.Read.All and nothing broader. This permission requires admin consent in your tenant before the app can use it.

For more information regarding the process, check the Microsoft documentation.

Step 2 - Gather access information

To activate the connection between your Nexthink Experience instance and your Azure AD, Nexthink needs three values. You can find them in your Azure portal by selecting Azure Active Directory, then App registrations, then the application you created in Step 1.

  • Client secret key
  • Application (client) ID
  • Directory (tenant) ID

For more information on how to generate a client secret, check the Microsoft documentation. The secret value is displayed only once, at creation time: copy it immediately, and make sure you copy the secret value and not the secret ID shown next to it.

Step 3 - Mapping user properties

Nexthink Experience can import any property of the Microsoft Graph user resource type. Azure AD users are matched to Nexthink users by their SID.

In order to store the data imported by the connector, you have to provide Nexthink with instructions on how to map the fields.

Here is an example of mapping between the Nexthink fields and Azure AD fields:

Nexthink field             Azure AD field   Description
Distinguished name         displayName      The name displayed in the address book for the user
Name                       givenName        The first name of the user
Full name                  displayName      The name displayed in the address book for the user
Department                 department       The name of the department the user works for
Job title                  jobTitle         The user's job title
Location                   officeLocation   The location where the user works
Locality name              -                No mapping requested
Country code               postalCode       The postal code of the user's country or region
Organizational unit name   -                No mapping requested

The first column lists all of the Nexthink user fields available for storing Active Directory information. The second column shows only a small subset of the many fields available in Azure AD.

You are in control of the mapping, so you could, for example, ask to have the Distinguished name field populated from the employeeId Azure AD field, or even from the preferredLanguage field.

Step 4 - Request connector activation

To initiate the process, create a support request at support.nexthink.com. Nexthink Support will provide you with the instructions to securely transfer the access information values and finalize the configuration. One way to package all the information is a CSV file.

Never transfer the CSV file, your IDs or your secret key by email or inside a support request. Always wait for Nexthink Support to provide you with a dedicated secure transfer channel.


Here is an example of a CSV file you can adapt to match your organization.

  • Replace 123-123-123 with your Application (client) ID.
  • Replace 321-321-321 with your Directory (tenant) ID.
  • Replace 111-222-333 with your Client secret key.
  • Below the line containing the secret, edit the Azure AD field names to the right of each comma to match your mapping.

Please note that the Distinguished name field is compulsory and cannot be left empty. If you provide no mapping for it, Nexthink populates it by default with the displayName field from Azure AD.
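Before opening the support request, it is worth checking the three values from Step 2 and the mapping from Step 3 yourself. The script below is an added example written for this page; it is not Nexthink's or Microsoft's code. Offline, it checks that the IDs are GUIDs, that the secret is a secret value rather than a secret ID, that the mapping uses known field names, and it applies the documented displayName default. Optionally it obtains a client-credentials token and refuses to continue if the token carries any application permission other than User.Read.All, then reads one user with only the mapped properties selected. The token and Graph URLs are the standard public Azure AD and Microsoft Graph endpoints; the list of Graph user properties is an illustrative subset (an assumption, not the full list), and the sample JWT is constructed in the script for offline use.

```python
"""Pre-flight checks for the Azure AD Enricher hand-over (added example, not Nexthink code)."""
import base64
import json
import re
import urllib.parse
import urllib.request

GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)

# Nexthink user fields from the mapping table; "Distinguished name" is compulsory.
NEXTHINK_FIELDS = (
    "Distinguished name", "Name", "Full name", "Department", "Job title",
    "Location", "Locality name", "Country code", "Organizational unit name",
)
# Assumption: an illustrative subset of Microsoft Graph user properties, not the full list.
GRAPH_USER_PROPERTIES = {
    "displayName", "givenName", "surname", "department", "jobTitle", "officeLocation",
    "postalCode", "employeeId", "preferredLanguage", "userPrincipalName", "mail",
    "country", "city", "companyName", "onPremisesSecurityIdentifier",
}
EXPECTED_ROLES = {"User.Read.All"}  # the only application permission Step 1 asks for


def validate_access_info(client_id, tenant_id, client_secret):
    """Return the problems found in the three hand-over values (empty list means OK)."""
    problems = []
    if not GUID_RE.match(client_id):
        problems.append("Application (client) ID is not a GUID")
    if not GUID_RE.match(tenant_id):
        problems.append("Directory (tenant) ID is not a GUID")
    if GUID_RE.match(client_secret):
        problems.append("client secret looks like a GUID: the secret ID may have been copied instead of its value")
    elif len(client_secret) < 16:
        problems.append("client secret is too short to be a secret value")
    return problems


def complete_mapping(mapping):
    """Apply the documented default: an unmapped Distinguished name gets displayName."""
    completed = {k: v for k, v in mapping.items() if v}  # drop "no mapping" entries
    completed.setdefault("Distinguished name", "displayName")
    return completed


def validate_mapping(mapping):
    """Return the problems found in a {Nexthink field: Graph property} mapping."""
    problems = []
    for nxt_field, graph_prop in mapping.items():
        if nxt_field not in NEXTHINK_FIELDS:
            problems.append(f"unknown Nexthink field: {nxt_field}")
        if graph_prop and graph_prop not in GRAPH_USER_PROPERTIES:
            problems.append(f"unknown Graph user property: {graph_prop}")
    return problems


def token_request(tenant_id, client_id, client_secret):
    """Build (url, form body) for the OAuth2 client-credentials grant; nothing is sent here."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    return url, body


def token_roles(access_token):
    """Return the application permissions in the JWT 'roles' claim (signature not verified)."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding JWTs strip
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("roles", []))


def users_request_url(mapping):
    """Graph query that reads one user and selects only the mapped properties."""
    props = ",".join(sorted(set(complete_mapping(mapping).values())))
    return "https://graph.microsoft.com/v1.0/users?$top=1&$select=" + props


def live_check(tenant_id, client_id, client_secret, mapping):
    """Get a token, refuse it if it carries more than User.Read.All, then read one user."""
    url, body = token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        token = json.load(resp)["access_token"]
    roles = token_roles(token)
    if roles != EXPECTED_ROLES:
        raise RuntimeError(f"token roles {sorted(roles)} differ from {sorted(EXPECTED_ROLES)}")
    req = urllib.request.Request(users_request_url(mapping),
                                 headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]


def sample_token(roles):
    """Constructed, unsigned JWT used only to exercise token_roles() offline."""
    def part(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return part({"alg": "none"}) + "." + part({"roles": roles}) + "."


if __name__ == "__main__":
    # The Step 4 placeholders are deliberately not real values, so these checks report problems.
    print(validate_access_info("123-123-123", "321-321-321", "111-222-333"))
    mapping = {"Name": "givenName", "Job title": "jobTitle", "Locality name": None}
    print(validate_mapping(mapping), complete_mapping(mapping))
    print(users_request_url(mapping))
    print(token_roles(sample_token(["User.Read.All", "Directory.Read.All"])) == EXPECTED_ROLES)
```

Run the offline part as-is; call live_check() with your real tenant ID, client ID and secret only from a workstation you trust, and never paste those values into the support request itself. The roles comparison is the least-privilege check: if the app has picked up any extra application permission, the script stops before touching user data.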