Entra ID Inbound
For users to interact with the Fortytwo Universe, IAM Core must identify them. It does this by matching the oid claim in the Entra ID access token to the entraObjectId attribute of a CoreIdentity. The oid claim is the immutable object ID of the user in the tenant, which is why it is matched rather than a renameable attribute such as the user principal name or mail address. This connector populates entraObjectId.
Pre-reqs:
- An attribute on the Entra ID user that carries the CoreIdentity's id attribute, populated either by syncing from AD or directly in Entra ID (when doing cloud-only provisioning). When provisioning in AD, we recommend using msDS-cloudExtensionAttribute19 for this.
- Admin consent granted to our read-access app.
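As an added example (not part of the connector documentation or the IAM Core cmdlets), the following PowerShell stamps the CoreIdentity id onto AD users in msDS-cloudExtensionAttribute19 for the AD-synced path. It refuses to overwrite an existing, different value, so an AD account is never silently re-bound to another CoreIdentity. The sAMAccountName-to-id mapping is constructed sample data; where CoreIdentity ids are obtained from is an assumption outside this example, and the ActiveDirectory module (RSAT) must be installed.

```powershell
# Added example, not from the IAM Core documentation. Populates the AD attribute the
# connector joins on (msDS-cloudExtensionAttribute19) with the CoreIdentity id and
# refuses to overwrite a different existing value. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$AttributeName = 'msDS-cloudExtensionAttribute19'

# Constructed sample mapping (assumption): sAMAccountName -> CoreIdentity id.
# Where these ids come from is outside this example.
$Mapping = @(
    @{ SamAccountName = 'jdoe';   CoreIdentityId = '3f1c0a2e-7b44-4f3b-9d1e-0c5a8e2b6f10' }
    @{ SamAccountName = 'asmith'; CoreIdentityId = '9a7d2c51-0e8f-4b6a-8c3d-5e1f7a9b2c44' }
)

function Set-CoreIdentityIdOnAdUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$CoreIdentityId
    )
    try {
        $user = Get-ADUser -Identity $SamAccountName -Properties $AttributeName -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ SamAccountName = $SamAccountName; Status = 'NotFound'; Current = $null }
    }
    $current = $user.$AttributeName

    if ($current -and $current -ne $CoreIdentityId) {
        # Never re-bind an account that is already tied to a different identity;
        # such conflicts must be resolved by a human before any sync runs.
        return [pscustomobject]@{ SamAccountName = $SamAccountName; Status = 'Conflict'; Current = $current }
    }
    if ($current -eq $CoreIdentityId) {
        return [pscustomobject]@{ SamAccountName = $SamAccountName; Status = 'Unchanged'; Current = $current }
    }
    if ($PSCmdlet.ShouldProcess($SamAccountName, "Set $AttributeName")) {
        $replace = @{}
        $replace[$AttributeName] = $CoreIdentityId
        Set-ADUser -Identity $user -Replace $replace -ErrorAction Stop
    }
    return [pscustomobject]@{ SamAccountName = $SamAccountName; Status = 'Set'; Current = $CoreIdentityId }
}

$results = foreach ($entry in $Mapping) {
    Set-CoreIdentityIdOnAdUser -SamAccountName $entry.SamAccountName -CoreIdentityId $entry.CoreIdentityId
}
$results | Format-Table -AutoSize

# Fail loudly on conflicts so the connector is not set up over a bad join key.
if ($results | Where-Object Status -eq 'Conflict') {
    throw "One or more AD accounts already carry a different CoreIdentity id; resolve before syncing."
}
```

Run it with -WhatIf on the function first to see which accounts would be written; only the Set status performs a directory write. After Entra Connect has synced the attribute, it appears on the Entra user as the directory extension attribute referenced in the sync rule.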
Steps
Create connector in IAM Core
No user interface is available yet; the connector is created through PowerShell.
Follow the Authenticating PowerShell documentation to establish a working PowerShell connection.
Create a new connector using the below cmdlet:
Provisioning of the connector happens asynchronously; once it has been provisioned, users are populated according to the sync rule.
Sync rule
    # Inbound attribute flows from the Entra ID user object into the CoreIdentity.
    $InboundAttributeFlows = @(
        # Join key: the CoreIdentity id, read from the directory extension attribute
        # that carries msDS-cloudExtensionAttribute19 in Entra ID. The GUID in the
        # attribute name is specific to the tenant's directory extension app; use
        # the one from your own tenant.
        @{
            '$type'             = "string"
            targetAttributeName = "id"
            joinPriority        = 1
            value               = @{
                '$type'   = "attribute"
                attribute = "extension_6bc257b4005f49359d9fdca3e38cbfdf_msDS_cloudExtensionAttribute19"
            }
        }
        @{
            '$type'             = "string"
            targetAttributeName = "entraUserPrincipalName"
            value               = @{
                '$type'   = "attribute"
                attribute = "userPrincipalName"
            }
        }
        @{
            '$type'             = "string"
            targetAttributeName = "entraOnPremisesSamAccountName"
            value               = @{
                '$type'   = "attribute"
                attribute = "onPremisesSamAccountName"
            }
        }
        @{
            '$type'             = "string"
            targetAttributeName = "entraOnPremisesDistinguishedName"
            value               = @{
                '$type'   = "attribute"
                attribute = "onPremisesDistinguishedName"
            }
        }
        # entraObjectId is taken from the connector object's external id (the Entra
        # object ID); this is the value the oid claim in access tokens is matched against.
        @{
            '$type'             = "string"
            targetAttributeName = "entraObjectId"
            value               = @{
                '$type' = "externalid"
            }
        }
        @{
            '$type'             = "string"
            targetAttributeName = "email"
            value               = @{
                '$type'   = "attribute"
                attribute = "mail"
            }
        }
    )

    # Replace the all-zero ConnectorId placeholder with the id of the connector created above.
    New-IAMCoreSyncRule `
        -Name "Entra ID - Inbound - User" `
        -ConnectorId "00000000-0000-0000-0000-000000000000" `
        -ConnectorObjectType "user" `
        -CoreObjectType "Identity" `
        -ProvisioningEnabled:$false `
        -Priority 11000 `
        -InboundAttributeFlows $InboundAttributeFlows
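Because users are identified by matching the token's oid claim to entraObjectId, a flow definition that sources entraObjectId from a renameable attribute (userPrincipalName, mail) or that joins on more than one key would break or weaken identification. The following pre-flight check is an added example, not an IAM Core cmdlet; it inspects a flow definition in the shape shown above before it is handed to New-IAMCoreSyncRule. The rules it enforces (single join key, unique targets, entraObjectId from externalid, every attribute flow naming a source) are assumptions about what a sound rule looks like, and the two sample definitions are constructed.

```powershell
# Added pre-flight check (not an IAM Core cmdlet) for an inbound flow definition.
# Returns a list of problems; an empty result means the definition passed.
function Test-InboundAttributeFlows {
    param([Parameter(Mandatory)][object[]]$Flows)
    $problems = @()

    # Exactly one flow may carry the join key (assumption: one join per rule).
    $joins = @($Flows | Where-Object { $_.ContainsKey('joinPriority') })
    if ($joins.Count -ne 1) { $problems += "expected exactly one join flow, found $($joins.Count)" }

    # targetAttributeName must be unique across flows.
    $dupes = $Flows | Group-Object -Property { $_.targetAttributeName } | Where-Object Count -gt 1
    foreach ($d in $dupes) { $problems += "duplicate targetAttributeName '$($d.Name)'" }

    # entraObjectId is what the token's oid claim is matched against; it must come
    # from the connector object's external id, never from a renameable attribute.
    $oid = @($Flows | Where-Object { $_.targetAttributeName -eq 'entraObjectId' })
    if ($oid.Count -ne 1) {
        $problems += "expected exactly one entraObjectId flow, found $($oid.Count)"
    } elseif ($oid[0].value['$type'] -ne 'externalid') {
        $problems += "entraObjectId must be sourced from externalid, not '$($oid[0].value['$type'])'"
    }

    # Attribute-sourced flows must name a source attribute.
    foreach ($f in $Flows) {
        if ($f.value['$type'] -eq 'attribute' -and [string]::IsNullOrWhiteSpace($f.value.attribute)) {
            $problems += "flow '$($f.targetAttributeName)' has no source attribute"
        }
    }
    return $problems
}

# Constructed sample: a sound definition, abbreviated from the rule above.
$good = @(
    @{ '$type' = 'string'; targetAttributeName = 'id'; joinPriority = 1
       value = @{ '$type' = 'attribute'; attribute = 'extension_6bc257b4005f49359d9fdca3e38cbfdf_msDS_cloudExtensionAttribute19' } }
    @{ '$type' = 'string'; targetAttributeName = 'entraObjectId'; value = @{ '$type' = 'externalid' } }
    @{ '$type' = 'string'; targetAttributeName = 'email'; value = @{ '$type' = 'attribute'; attribute = 'mail' } }
)

# Constructed sample: entraObjectId sourced from the mutable UPN, a duplicated target
# and an attribute flow with no source.
$bad = @(
    @{ '$type' = 'string'; targetAttributeName = 'id'; joinPriority = 1
       value = @{ '$type' = 'attribute'; attribute = 'extension_6bc257b4005f49359d9fdca3e38cbfdf_msDS_cloudExtensionAttribute19' } }
    @{ '$type' = 'string'; targetAttributeName = 'entraObjectId'; value = @{ '$type' = 'attribute'; attribute = 'userPrincipalName' } }
    @{ '$type' = 'string'; targetAttributeName = 'email'; value = @{ '$type' = 'attribute'; attribute = 'mail' } }
    @{ '$type' = 'string'; targetAttributeName = 'email'; value = @{ '$type' = 'attribute'; attribute = '' } }
)

Test-InboundAttributeFlows -Flows $good    # no output: definition is sound
Test-InboundAttributeFlows -Flows $bad     # one line per problem found

# Gate the real cmdlet call on the check.
$issues = Test-InboundAttributeFlows -Flows $InboundAttributeFlows
if ($issues) { throw ($issues -join [Environment]::NewLine) }
```

The check runs entirely locally on the hashtable array, so it can sit in the same script ahead of New-IAMCoreSyncRule and stop the call before a broken rule reaches IAM Core.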