Configuring the Azure AD Enricher
Overview
The Azure AD Enricher is a connector that allows you to import information from the Azure Active Directory. It is a component managed by Nexthink that will communicate with an Azure app configured using your Azure portal.
Please follow all the steps presented below before requesting the activation of the Azure AD Enricher.
Step 1 - Register an Azure app
As a first step, you need to connect to your Azure portal to register a new application.
- During the registration process, make sure to select the Single tenant option.
- For the Redirect URI, select Web from the drop-down list.
- When asked for the application permissions, select User.Read.All.
For more information regarding the process, check the Microsoft documentation.
Step 2 - Gather access information
To activate the connection between your Nexthink Experience instance and your Azure AD, Nexthink needs three values. You can find them in your Azure portal by selecting Azure Active Directory, then selecting the application you created before.
- Client secret key
- Application (client) ID
- Directory (tenant) ID
For more information on how to generate an application key, check the Microsoft documentation.
Step 3 - Mapping user properties
Nexthink Experience can import any property of the user resource type that the Microsoft Graph API exposes. Azure AD users are matched to Nexthink users by their SID.
In order to store the data imported by the connector, you have to provide Nexthink with instructions on how to map the fields.
Here is an example of mapping between the Nexthink fields and Azure AD fields:
Nexthink fields | Azure fields | Description
---|---|---
Distinguished name | displayName | The name displayed in the address book for the user
Name | givenName | The first name of the user
Full name | displayName | The name displayed in the address book for the user
Department | department | The name of the department the user works for
Job title | jobTitle | The user's job title
Location | officeLocation | The location where the user works
Locality name | - | No mapping requested
Country code | postalCode | The postal code of the user's country or region
Organizational unit name | - | No mapping requested
The first column lists all the Nexthink user fields available for storing Active Directory information. The second column shows only a small subset of the many fields available in Azure AD.
- You are in control of the mapping: you could, for example, ask to have the Distinguished name field populated from the employeeId Azure AD field, or even from the preferredLanguage Azure AD field.
Step 4 - Request connector activation
To initiate the process, create a support request using support.nexthink.com. Nexthink Support will provide you with all the instructions to securely transfer the access information values and finalize the configuration. One way to package all the information is to use a CSV file.
- Never transfer the CSV file, your IDs or your secret key by email or in a support request. Always wait for Nexthink Support to provide you with a dedicated secure transfer channel.
Here is an example of a CSV file you can adapt to match your organization.
- Replace 123-123-123 with your Application (client) ID.
- Replace 321-321-321 with your Directory (tenant) ID.
- Replace 111-222-333 with your Client secret key.
- Underneath the line containing the secret, adapt the Azure AD fields on the right side of the comma.
Please note that the Distinguished name field is a compulsory one, thus it cannot be left empty. If no mapping is provided, Nexthink will populate it by default with the content of the displayName field coming from Azure AD.
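The following is an added example, not Nexthink's own tooling, for checking a mapping file before you hand it over: it assumes a layout of three "key,value" credential lines followed by one "Nexthink field,Azure AD field" line per mapping (a "-" or empty right side meaning no mapping), enforces the compulsory Distinguished name rule with its displayName default, flags field names that are not in the table above, and masks the secret whenever the credentials are printed.

```python
"""Sanity-check an Azure AD Enricher mapping CSV (assumed layout, not Nexthink's)."""
import csv
import io

# The Nexthink user fields listed in the mapping table above.
NEXTHINK_FIELDS = {
    "Distinguished name", "Name", "Full name", "Department", "Job title",
    "Location", "Locality name", "Country code", "Organizational unit name",
}
CREDENTIAL_KEYS = ("Application (client) ID", "Directory (tenant) ID", "Client secret key")

# Constructed sample in the assumed layout; the IDs and secret are placeholders.
SAMPLE_CSV = """Application (client) ID,123-123-123
Directory (tenant) ID,321-321-321
Client secret key,111-222-333
Distinguished name,
Name,givenName
Full name,displayName
Department,department
Locality name,-
Bogus field,mail
"""


def parse_mapping_file(text):
    """Return (credentials, effective_mapping, warnings) for the assumed layout."""
    credentials, mapping, warnings = {}, {}, []
    for row in csv.reader(io.StringIO(text)):
        if not row or not row[0].strip():
            continue  # skip blank lines
        key = row[0].strip()
        value = row[1].strip() if len(row) > 1 else ""
        if key in CREDENTIAL_KEYS:
            credentials[key] = value
        elif key in NEXTHINK_FIELDS:
            if value and value != "-":  # "-" or empty means no mapping
                mapping[key] = value
        else:
            warnings.append(f"unknown Nexthink field skipped: {key!r}")
    # Distinguished name is compulsory: it defaults to displayName when unmapped.
    if "Distinguished name" not in mapping:
        mapping["Distinguished name"] = "displayName"
        warnings.append("Distinguished name unmapped; defaulted to displayName")
    missing = [k for k in CREDENTIAL_KEYS if not credentials.get(k)]
    if missing:
        warnings.append("missing credentials: " + ", ".join(missing))
    return credentials, mapping, warnings


def redacted(credentials):
    """Copy of the credentials that is safe to print or log: the secret is masked."""
    return {k: ("***" if k == "Client secret key" else v) for k, v in credentials.items()}
```

Run `parse_mapping_file` on your own file and review the warnings before requesting activation; print only `redacted(...)` so the secret never lands in a terminal history or log.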