Microsoft Entra ID (client credentials) / Azure in China (operated by 21 Vianet)

This article shows you how to connect to Azure using client credentials. Use it if you have chosen to use client credentials when connecting to Azure, or if you're using Azure in China (a service operated by 21 Vianet).

To configure the integration, you must have Azure AD administrative access in order to create and configure a new App Registration.

  1. Create credentials in Azure.
  2. Connect 1Password SaaS Manager to your Azure tenant using these credentials.

Register the app

  1. Log in to https://portal.azure.com/ for Microsoft Entra ID, or https://portal.azure.cn/ for Azure in China.
  2. Find App registrations.
  3. Select New registration.
  4. Enter a name, such as "SaaS Manager".
  5. Select Accounts in this organizational directory only (Single tenant).
  6. Select Register to continue. You do not need to enter a Redirect URI.

Configuring API permissions

  1. On the API permissions tab, select Add a permission.
  2. Under the Microsoft APIs tab, select Microsoft Graph.
  3. Select Application permissions, then search for each of the scopes in the table below and select the permissions for the features you require.

    Core scopes
    Application.Read.All                       Read applications and service principals.
    RoleManagement.Read.Directory              Read directory role templates, directory roles, and memberships.
    Synchronization.Read.All                   Read all Azure AD SCIM synchronization data. Used to determine whether Azure is configured to provision and deprovision users for apps.
    Group.Read.All                             Read groups.
    GroupMember.Read.All                       Read the memberships of groups.
    Directory.Read.All                         Required to read OAuth token permissions. The integration works without it, but won't return data about OAuth logins.
    User.Read.All                              Read the full set of profile properties, including the managers of users in your organization.
    AuditLog.Read.All                          Read all audit log data.
    DeviceManagementManagedDevices.Read.All    Read the properties of devices managed by Microsoft Intune.
    Reports.Read.All                           Read Microsoft 365 usage reports.
    LicenseAssignment.Read.All                 Read license assignments for all users.
    AppRoleAssignment.ReadWrite.All            Allows the app to manage user and app role assignments. ReadWrite is the minimum scope required, although SaaS Manager does not write app role assignments.
    IdentityProvider.Read.All                  Read all identity providers. Used to return verified domains.
    Organization.Read.All                      Read the organization and related resources. Used to return the tenant ID and name.

    Deprovisioning scopes
    User.ReadWrite.All                         Update the profile of every user in the organization.
    GroupMember.ReadWrite.All                  Read and write group memberships.
    UserAuthenticationMethod.ReadWrite.All     Read and write users' authentication methods.

    Provisioning scopes (in addition to the Deprovisioning scopes)
    RoleManagement.ReadWrite.Directory         Read and write directory RBAC settings.
  4. Optionally, configure Office 365 Exchange Online API mailbox features with the integration. To do this, you'll need permissions that allow the Exchange API to make requests as an application. From the Office 365 Exchange Online API, add Exchange.ManageAsApp.
  5. An additional role for the Exchange API is also required if it has not already been added for the connected account. Make sure the Exchange.ManageAsApp role is added.
  6. Select Add permissions.
  7. Select Grant admin consent.

Create a new secret

  1. Go to Certificates & secrets.
  2. Select New client secret.
  3. Give the secret a name, such as "SaaS Manager", then select the expiration duration. We recommend 12 or 24 months.
  4. Select Add.

Collecting the IDs you need

You need three values, which you can copy from the Azure portal (portal.azure.com, or portal.azure.cn for Azure in China):

  1. From the Certificates & secrets tab, copy the Client Secret Value.

    The Client Secret Value is only available for you to copy for a short period of time. If you're unable to view or copy it, create a new one.

  2. From the Overview tab, copy the Application (client) ID and the Directory (tenant) ID.

Connect from SaaS Manager

  1. In SaaS Manager, go to Integrations and choose either Azure in China or Microsoft Entra ID.
  2. Select Connect and enter the IDs that you gathered earlier.
  3. Select Connect again.
  4. The integration will run in the background.
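As an added example (not part of this article or of SaaS Manager), the Python script below acquires a client-credentials token for either cloud with the three values collected above and reports which of the Graph application permissions in the table have not yet been consented, which catches a missed Grant admin consent before the integration is connected. The Azure China authority and Graph hosts are assumptions taken from public Microsoft documentation, and the function names and the constructed sample token are assumptions as well.

```python
import base64, json, urllib.parse, urllib.request

# Token authority and Graph host per cloud. The Azure China hosts are an
# assumption from public Microsoft documentation, not from this article.
CLOUDS = {
    "global": ("https://login.microsoftonline.com", "https://graph.microsoft.com"),
    "china": ("https://login.chinacloudapi.cn", "https://microsoftgraph.chinacloudapi.cn"),
}
# Graph application permissions from the table above, grouped by feature.
CORE = {
    "Application.Read.All", "RoleManagement.Read.Directory", "Synchronization.Read.All",
    "Group.Read.All", "GroupMember.Read.All", "Directory.Read.All", "User.Read.All",
    "AuditLog.Read.All", "DeviceManagementManagedDevices.Read.All", "Reports.Read.All",
    "LicenseAssignment.Read.All", "AppRoleAssignment.ReadWrite.All", "IdentityProvider.Read.All",
    "Organization.Read.All",
}
DEPROVISIONING = {"User.ReadWrite.All", "GroupMember.ReadWrite.All", "UserAuthenticationMethod.ReadWrite.All"}

def token_request(cloud, tenant_id, client_id, client_secret):
    # Client-credentials request for the v2.0 token endpoint of the chosen cloud.
    authority, graph = CLOUDS[cloud]
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "scope": f"{graph}/.default",
    }).encode()
    return f"{authority}/{tenant_id}/oauth2/v2.0/token", body
def get_token(cloud, tenant_id, client_id, client_secret):
    url, body = token_request(cloud, tenant_id, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]
def granted_roles(access_token):
    # Application permissions consented for the app, read from the token's roles claim.
    # Decoded without signature verification: a sanity check, not an authorization decision.
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("roles", []))
def missing_permissions(roles, deprovisioning=False, provisioning=False):
    # Scopes still unconsented for the enabled features. Graph only: the
    # Exchange.ManageAsApp permission lives on the Exchange resource, not on Graph.
    required = set(CORE)
    if deprovisioning or provisioning:
        required |= DEPROVISIONING
    if provisioning:  # provisioning needs the deprovisioning scopes plus this one
        required |= {"RoleManagement.ReadWrite.Directory"}
    return sorted(required - roles)
def sample_token(roles):
    # Constructed, unsigned JWT for offline demonstration only.
    seg = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg({'roles': sorted(roles)})}.sig"
```

Against a live tenant, pass the token returned by get_token to granted_roles and then to missing_permissions; an empty list means every scope you selected was consented.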
