Microsoft Entra ID (formerly Azure Active Directory) User Group Synchronization
Group synchronization is done as part of the OAuth 2.0 connector (see OpenID Connect).
Only Security groups are supported for group synchronization.
Group synchronization works only with Application type Microsoft Graph API permissions and will NOT work with Delegated type API permissions. Delegated permissions require user interactivity, whereas Seeq's communication with the Graph API for indexing and checking user security group membership in Azure AD is machine-to-machine.
Prerequisites
Before you can add group synchronization, you will have to have an application registered in Microsoft Entra ID / Azure Active Directory. Follow the steps in App Registration if you need to create a new application registration.
To Enable Entra ID / Azure AD group synchronization
Your App Registration in Azure must be granted Application-level User.Read.All and Group.Read.All Microsoft Graph API permissions.
Fill out the following fields in the OAuth 2.0 Connector.json file, as part of your Azure Active Directory connection:

    "IdentitySynchronization" : {
        "Enabled" : true,
        "GroupsToSyncFilter" : "('Group name', 'Another group name')"
    },
    "IdentitySynchronizationType" : "AZURE",
The "GroupsToSyncFilter" parameter is a key element in determining which Entra ID / Azure Active Directory groups are synchronized with Seeq.
Valid values for "GroupsToSyncFilter" include:

- A comma-separated list of specific group names enclosed in single quotes and parentheses, acting as an exhaustive list of the groups to synchronize, e.g.
  "GroupsToSyncFilter" : "('Group name', 'Another group name')"
  The comma-separated list cannot be combined with wildcards (e.g. "GroupsToSyncFilter" : "('Eng*', 'Fin*')" is not a valid filter).

- The value null, indicating that no groups are to be synchronized.

- A wildcard-based filter, such as "GroupsToSyncFilter" : "Seeq_*", allowing synchronization of groups whose names match the specified pattern. In this example, groups starting with "Seeq_" will be included. You can also use "GroupsToSyncFilter" : "*" if you want to synchronize all the groups from Azure Active Directory. Note that the asterisk (*) can appear only once in the filter, and the wildcard expression can only be of the prefix form, for example Seeq_*.

- A Microsoft Graph filter in the form gf(filter). For example, gf(startswith(displayName,'Grp3') or startswith(displayName,'Grp1') or startswith(displayName,'Grp2')) will return groups whose names start with Grp1, Grp2, or Grp3. Other filter syntax can be found in the Microsoft Graph documentation for the $filter query parameter.
These options provide flexibility in configuring the synchronization process based on your specific requirements.
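The four filter forms above have different matching rules (exact list, nothing, single-asterisk prefix, Graph filter), and a misconfigured filter either silently syncs too many groups or fails validation. The following added example (not Seeq's code, and not a reproduction of how the connector evaluates filters internally) models those rules so you can check which groups a given "GroupsToSyncFilter" value would select before pointing it at your tenant. The group names are constructed sample data; case-sensitive prefix matching and support for only the startswith(...) or startswith(...) subset of Graph filter syntax shown on this page are assumptions of the example.

```python
"""Model of the GroupsToSyncFilter value forms described on this page (added example).

Assumptions: matching is case-sensitive, and the gf(...) form supports only the
startswith(displayName,'...') clauses joined by "or" that the page shows.
"""
import re
from typing import Callable, Iterable, List, Optional, Tuple

# "('Group name', 'Another group name')": quoted names, comma separated, in parentheses
LIST_RE = re.compile(r"^\(\s*'[^']*'(?:\s*,\s*'[^']*')*\s*\)$")
# "gf(<Microsoft Graph filter>)"
GF_RE = re.compile(r"^gf\((.*)\)$", re.DOTALL)
# the single Graph clause type this example evaluates
STARTSWITH_RE = re.compile(r"^startswith\(displayName,'([^']*)'\)$")

# Constructed sample group names standing in for what Graph would return.
SAMPLE_GROUPS = ["Seeq_Admins", "Seeq_Viewers", "Grp1-Ops", "Grp2-Ops",
                 "Grp3-Ops", "Finance", "Engineering"]


def parse_groups_to_sync_filter(value: Optional[str]) -> Tuple[str, Callable[[str], bool]]:
    """Classify a filter value and return (kind, predicate over a group display name).

    Raises ValueError for the invalid combinations the page calls out.
    """
    if value is None:  # JSON null: nothing is synchronized
        return "none", lambda name: False
    value = value.strip()

    if LIST_RE.match(value):  # exhaustive list of exact names
        names = re.findall(r"'([^']*)'", value)
        if any("*" in n for n in names):
            raise ValueError("the list form cannot be combined with wildcards")
        allowed = set(names)
        return "list", lambda name: name in allowed

    gf = GF_RE.match(value)
    if gf:  # Microsoft Graph filter; only startswith(...) or startswith(...) handled here
        prefixes: List[str] = []
        for clause in re.split(r"\s+or\s+", gf.group(1).strip()):
            sw = STARTSWITH_RE.match(clause.strip())
            if not sw:
                raise ValueError(f"Graph clause not supported by this example: {clause!r}")
            prefixes.append(sw.group(1))
        return "graph", lambda name: any(name.startswith(p) for p in prefixes)

    if "*" in value:  # wildcard: exactly one asterisk, prefix form only
        if value.count("*") != 1 or not value.endswith("*"):
            raise ValueError("wildcard filters must be of the prefix form, e.g. Seeq_*")
        prefix = value[:-1]  # "*" alone gives an empty prefix, i.e. every group
        return "wildcard", lambda name: name.startswith(prefix)

    raise ValueError(f"unrecognised GroupsToSyncFilter value: {value!r}")


def select_groups(filter_value: Optional[str], group_names: Iterable[str]) -> List[str]:
    """Return the sorted subset of group_names the filter would synchronize."""
    _, predicate = parse_groups_to_sync_filter(filter_value)
    return sorted(n for n in group_names if predicate(n))


def is_valid_filter(filter_value: Optional[str]) -> bool:
    """True if the value is one of the accepted forms, False if it would be rejected."""
    try:
        parse_groups_to_sync_filter(filter_value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for f in ["('Finance', 'Engineering')", None, "Seeq_*", "*",
              "gf(startswith(displayName,'Grp3') or startswith(displayName,'Grp1') "
              "or startswith(displayName,'Grp2'))", "('Eng*', 'Fin*')", "*_Admins"]:
        print(repr(f), "->", select_groups(f, SAMPLE_GROUPS) if is_valid_filter(f) else "INVALID")
```

Run it against an export of your tenant's group display names to see the effective scope of a filter; "*" in particular selects every group, which is rarely what a least-privilege deployment wants.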
Groups are synchronized to Seeq according to the indexing schedule.
To allow Entra ID / Azure Active Directory membership synchronization
Your App Registration in Azure must be granted Application-level GroupMember.Read.All Microsoft Graph API permissions.
GroupMembershipSynchronizationEnabled has to be set to true in the OAuth 2.0 Connector configuration.
Group membership for users is updated on login for groups that have been indexed to Seeq (if a user logs in before indexing is complete, some groups may be missing until next login).
Group membership synchronization supports up to 2046 groups for a given user.
It is possible to make Azure Group membership editable in Seeq and to disable Group membership synchronization from Azure.
    "IdentitySynchronization" : {
        "Enabled" : true,
        "GroupsToSyncFilter" : "('Group name', 'Another group name')"
    },
    "IdentitySynchronizationType" : "AZURE",
    "GroupMembershipSynchronizationEnabled" : false
Once this flag is set to false, Seeq becomes the source of truth for group membership.
If GroupMembershipSynchronizationEnabled is switched from false to true, and non-AZURE users were added to AZURE groups while it was false, those non-AZURE users have to be removed from the AZURE groups before the setting is made true again. Otherwise these users will remain in the groups, and the groups are no longer editable.
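Before flipping the flag back to true, a practitioner wants a quick inventory of which AZURE groups picked up members from other datasources while Seeq was the source of truth. The added example below (not Seeq's code, and not using the Seeq API) runs that check over a constructed membership snapshot; the datasource labels "AZURE" and "Seeq" on users and groups are assumptions standing in for whatever your identity export carries.

```python
"""Pre-flight check before re-enabling GroupMembershipSynchronizationEnabled (added example).

Given a snapshot of groups and their members, report every member of an AZURE group
whose own datasource is not AZURE, since those members must be removed before the
flag is set to true again. Datasource labels are assumptions of this example.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Identity:
    username: str
    datasource: str  # e.g. "AZURE" for users from the OAuth 2.0 connector, "Seeq" for local


@dataclass
class Group:
    name: str
    datasource: str
    members: List[Identity]


# Constructed sample snapshot: two synced AZURE groups and one local Seeq group.
SAMPLE_SNAPSHOT = [
    Group("Seeq_Admins", "AZURE", [
        Identity("alice@example.com", "AZURE"),
        Identity("contractor.local", "Seeq"),      # added while the flag was false
    ]),
    Group("Seeq_Viewers", "AZURE", [
        Identity("bob@example.com", "AZURE"),
    ]),
    Group("Local Analysts", "Seeq", [
        Identity("contractor.local", "Seeq"),      # local group: not affected by the rule
        Identity("alice@example.com", "AZURE"),
    ]),
]


def foreign_members(groups: List[Group], synced_datasource: str = "AZURE") -> Dict[str, List[str]]:
    """Map each synced group to the sorted usernames of members from another datasource.

    Groups owned by a different datasource are ignored: the page's rule concerns
    non-AZURE users inside AZURE groups only.
    """
    report: Dict[str, List[str]] = {}
    for group in groups:
        if group.datasource != synced_datasource:
            continue
        offenders = sorted({m.username for m in group.members if m.datasource != synced_datasource})
        if offenders:
            report[group.name] = offenders
    return report


def safe_to_reenable_membership_sync(groups: List[Group]) -> bool:
    """True only when no AZURE group still contains a non-AZURE member."""
    return not foreign_members(groups)


def without_foreign_members(groups: List[Group], synced_datasource: str = "AZURE") -> List[Group]:
    """Return a copy of the snapshot with the offending memberships removed (the fix the page requires)."""
    cleaned = []
    for group in groups:
        if group.datasource == synced_datasource:
            members = [m for m in group.members if m.datasource == synced_datasource]
        else:
            members = list(group.members)
        cleaned.append(Group(group.name, group.datasource, members))
    return cleaned


if __name__ == "__main__":
    for name, users in foreign_members(SAMPLE_SNAPSHOT).items():
        print(f"{name}: remove {', '.join(users)} before setting the flag to true")
    print("safe to re-enable:", safe_to_reenable_membership_sync(SAMPLE_SNAPSHOT))
```

Feed it the group and member listing from your own environment; only when the report is empty should the flag be switched back to true, otherwise the stray members stay in groups that can no longer be edited.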