Azure Active DirectoryMicrosoft's identity and access management cloud solution
Azure Active Directory is a comprehensive, highly available identity and access management cloud solution that combines core directory services, advanced identity governance, and application access management.
In configuring a Tray app to integrate with Azure there are two very important points to be taken into consideration:
- The user who will be authenticating with Azure must have the right level of authority to register the Tray app with Azure.
- According to what operations you want to make use of, you should be aware of the individual permissions / scopes that the Tray app will access and set these accordingly when you are authenticating your Azure account in the Tray workflow.
Ensure the user has the authority to register the Tray.io app in Azure
If you are using an Azure account which has admin privileges, then you should already be able to access your Dynamics data through the Tray.io platform.
If not, then an Azure admin will need to set up access for the Tray app in one of three ways:
- Give all users the ability to consent to 3rd party apps accessing company data
- The Azure admin can login to Tray themselves in order to create the Authentication with their account
- An Azure admin can create a specific 'Tray app' user in Azure AD and give this user a specific role
The first option grants all users in your organisation the ability to log into Microsoft services through any 3rd party application. To enable this setting, an admin must sign into the Azure portal > Navigate to Azure Active Directory in the left hand navigation > Click on User Settings in the menu then Click on Enterprise applications > Manage how end users launch and view their applications > Click on yes to "Users can consent to apps accessing company data on their behalf"
The second option requires an Azure admin to log into the Tray app to create an Authentication and consent on behalf of the organisation. This means no other user for your organisation should have to consent to the Tray.io app accessing data in your organisation's Azure AD instance.
The third option requires creating a 'Tray app' user in Azure and then going to Users > Select User > Directory Role > Add Role:
For this user you will want to assign it the 'least priveleged role' in order for it to be able to carry out the operations you want.
There is a useful Microsoft guide on what roles are required for what tasks here
When using the Azure AD connector, the first thing you will have to do is click on 'New Authentication' in the step editor:
You will then have to specify the Directory ID, which will be 'common' unless more than one directory has been set up. The Directory ID can be found in the Properties pane of the Directory in Azure Active Directory:
If you only need to List Users and access Basic Profile information, you can uncheck the User.ReadWrite.All scope, but leave the other two scopes (User.Read and Offline_access) checked. You should also add "User.ReadBasic.All" under Extra Scopes. The Offline_access box should always be ticked to prevent the access token from expiring and breaking your integration:
Microsoft has a useful list here of the extra scopes that you can add to fine-tune the access which the Tray app has to your Azure AD instance.
After clicking 'Next' you can sign into your Microsoft account with the appropriate credentials.
The Azure admin should be able to confirm the permissions delegated to the app in Azure Active Directory under Users > Click on the specific user > Applications > Click on the app > View Granted Permissions:
To access Full Profile information
If you need to access profile information that is not available as part of Basic Profile information, you will need access to users' Full Profile.
To do this you can follow exactly the same steps as for Basic Profile but when creating your authentication in Tray you should also add the User.Read.All scope which will allow the application to access Full Profile information of all users, but will also require the user logging in to be an Administrator.
In Azure Active Directory > Users > Directory Role:
Example - List Users
Create a new workflow with a Manual Trigger and add an Azure AD connector
Select the List Users operation and choose an appropriate limit for the number of users to return:
Click Run Workflow Now. Then select the Debug tab and you should be able to see a successful run of the workflow to click on and view the successful output of the workflow run: