Microsoft Entra ID (client credentials) / Azure in China (operated by 21 Vianet)

This article shows you how to connect to Azure using client credentials. Use this if you have chosen to use client credentials when connecting Azure, or if you are using Azure in China (a service operated by 21 Vianet).

To configure the integration you must have Azure AD administrative access in order to create and configure a new App Registration

1. Create credentials in Azure (an 'app')
2. Connect Trelica to your Azure tenant using these credentials.

Register the app

1. Login to https://portal.azure.com/ (for Microsoft Entra ID) or https://portal.azure.cn/ (for Azure in China)
2. Find App registrations:
3. Click New registration.
4. Enter a name (e.g. Trelica)
5. Choose Accounts in this organizational directory only (Single tenant)
6. You do not need to enter a Redirect URI - just click Register to continue.

Configuring API permissions

1. On the API permissions tab, click Add a permission
2. Under the Microsoft APIs tab choose Microsoft Graph:
3. Choose Application permissions search for each of the scopes in the table below and tick them, depending on the features you require:
   

   Core scopes
   Application.Read.All	Read applications and service principals.
   RoleManagement.Read.Directory	Read directory role templates, directory roles, and memberships.
   Synchronization.Read.All	Read all Azure AD SCIM synchronization data. Used to understand if Azure is configured to provision and deprovision users for apps.
   GroupMember.Read.All	Read the memberships of groups.
   Directory.Read.All	Required to read OAuth token permissions. The integration will work without this but won't return data about OAuth logins.
   User.Read.All	Read the full set of profile properties including managers of users in your organization.
   AuditLog.Read.All	Read all audit log data.
   DeviceManagementManagedDevices.Read.All	Read the properties of devices managed by Microsoft Intune.
   Reports.Read.All	Read Microsoft365 usage reports.
   LicenseAssignment.Read.All	Read license assignments for all users.
   AppRoleAssignment.ReadWrite.All	Allows the app to manage user and app role assignments. ReadWrite is the minimum scope required, although Trelica does not write app role assignments.
   IdentityProvider.Read.All	Read all identity providers. Used to return verified domains.
   Organization.Read.All	Read the organization and related resources. Used to return the tenant ID and name.
   Deprovisioning
   User.ReadWrite.All	Update the profile of every user in the organization
   GroupMember.ReadWrite.All	Read and write group memberships
   UserAuthenticationMethod.ReadWrite.All	Read and write users' authentication methods
   Provisioning (additional to Deprovisioning scopes)
   RoleManagement.ReadWrite.Directory	Read and write directory RBAC settings

4. Click Add permissions
5. Finally, click Grant admin consent:

Create a new secret

1. Go to Certificates & secrets
2. Click New client secret
3. Give the secret a name (e.g. Trelica) and chose the Expiry duration that you are comfortable with (we recommend 12 or 24 months).
4. Click Add

Collecting the IDs you need

You need three IDs which you can copy from Azure.cn:

1. From the Certificates & secrets tab copy the Client Secret Value (not the Secret ID)

   The Client secret value will only be available for you to copy for a short period of time. If you are unable to view or copy it, then just create new one.

2. From the Overview tab copy the Application (client ID) and the Directory (tenant) ID

Connect from Trelica

1. In Trelica, go to Admin > Integrations and choose either Azure in China or Microsoft Entra ID.
2. Click Connect and enter the IDs that you gathered earlier:
3. Click Connect again.
4. The integration will run in the background.