
API permissions for Azure AD - Saviynt integration

KP18
New Contributor

Hi,

We have a requirement where we need to integrate Saviynt with Azure AD just to reconcile Accounts and Groups to Saviynt. What are the API permissions we need to assign at Azure AD level while registering the application at Azure AD level just to provide Read-Only access?

4 REPLIES

NM
Honored Contributor II

@KP18 Read-only permission to pull in users and groups will be fine.

KP18
New Contributor

@NM Assigning the User.Read.All and Group.Read.All API permissions at the Azure AD level should allow us to fetch account and group data, or if we assign the Directory.Read.All permission instead, it should also fulfill these requirements. Can we proceed with this approach?

Amit_Malik
Valued Contributor II

@KP18, User.Read.All and Group.Read.All will work as well. Below is what we are using.

[screenshot: Amit_Malik_0-1728399798322.png]


Kind Regards,
Amit Malik
If this helped you move forward, please click on the "Kudos" button.
If this answers your query, please select "Accept As Solution".

Yes, your approach is correct in terms of API permissions needed to reconcile Accounts and Groups from Azure AD to Saviynt with read-only access.

Here are the necessary API permissions you should assign to the application in Azure AD when registering it for this purpose:

For Account Data:

  1. User.Read.All: This permission allows the app to read user profiles without requiring the signed-in user's consent. It is necessary to fetch user details (accounts) from Azure AD.

For Group Data:

  1. Group.Read.All: This permission enables the app to read all group properties and memberships without a signed-in user. It will be used to fetch groups and their memberships.

Alternatively (for both Accounts and Groups):

  1. Directory.Read.All: This is a broader permission that includes access to all user profiles and group details. It can serve both purposes (reading users and groups) in a single permission.

Permission Types:

  • Delegated permissions: Used when the app is accessing resources as the signed-in user.
  • Application permissions: Used when the app needs to access resources independently, without a signed-in user.

In this case, you will need Application permissions for User.Read.All and Group.Read.All (or Directory.Read.All), since the reconciliation task doesn't require user interaction.

Steps to Assign Permissions:

  1. Register your application in Azure AD.
  2. Go to API permissions under your application settings.
  3. Add the required Application permissions:
    • User.Read.All (or Directory.Read.All).
    • Group.Read.All (if not using Directory.Read.All).
  4. Click Grant admin consent for your organization to give the required permissions.

Once this is done, Saviynt should be able to reconcile Accounts and Groups from Azure AD.


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
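A practical check to add after the steps in the reply above, as an added example that is not part of the thread and not Saviynt's or Microsoft's code: once admin consent has been granted, request an app-only token for Microsoft Graph and confirm, before wiring it into the connector, that it is an application token (a `roles` claim, not a delegated `scp` claim) and that the roles are only the read-only ones discussed here. The script decodes the token payload without verifying its signature, which is fine for inspecting what was granted but not for authenticating anyone. The tenant and application IDs are placeholders, the sample tokens are constructed and unsigned, and the rule "a read-only Graph application permission ends in `.Read.All`" is a heuristic assumed for this example.

```python
# Added example (not from the forum thread): offline check that a Graph
# app-only token carries only the read-only application permissions needed
# to reconcile accounts and groups. Sample tokens are constructed/unsigned;
# tenant, client and secret values are placeholders.
import base64
import json

# Either role set is enough to read users and groups (from the thread).
ACCEPTABLE_ROLE_SETS = (
    {"User.Read.All", "Group.Read.All"},
    {"Directory.Read.All"},
)


def build_client_credentials_request(tenant_id, client_id, client_secret):
    """Token request for the app-only (client credentials) flow.

    The '.default' scope asks for every application permission an admin
    has consented to for this app registration.
    """
    return {
        "url": f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
        "data": {
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,
            "scope": "https://graph.microsoft.com/.default",
        },
    }


def _b64url_decode(segment):
    segment += "=" * (-len(segment) % 4)  # restore stripped padding
    return base64.urlsafe_b64decode(segment)


def decode_claims(token):
    """Return a JWT's payload claims WITHOUT verifying the signature.

    Good enough to inspect what was granted; Graph validates the signature.
    """
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def is_read_only_role(role):
    # Heuristic (assumption): read-only Graph application permissions end in
    # '.Read.All' (User.Read.All, Group.Read.All, Directory.Read.All, ...).
    return role.endswith(".Read.All")


def check_reconciliation_token(token):
    """Classify a token for unattended, read-only account/group reconciliation."""
    claims = decode_claims(token)
    # Delegated tokens carry 'scp' (rights of a signed-in user); app-only
    # tokens carry 'roles' (application permissions). Reconciliation runs
    # without a user, so an 'scp' token is the wrong kind.
    if "scp" in claims:
        return {"ok": False, "roles": [], "excess": [],
                "reason": "delegated token (scp claim); use application permissions"}
    roles = set(claims.get("roles", []))
    sufficient = any(needed <= roles for needed in ACCEPTABLE_ROLE_SETS)
    excess = sorted(r for r in roles if not is_read_only_role(r))
    if not sufficient:
        reason = "missing User.Read.All+Group.Read.All or Directory.Read.All"
    elif excess:
        reason = "over-privileged: " + ", ".join(excess)
    else:
        reason = "ok"
    return {"ok": sufficient and not excess, "roles": sorted(roles),
            "excess": excess, "reason": reason}


def make_unsigned_sample_token(roles=None, scp=None):
    """Constructed, unsigned JWT with the claim layout of an Entra ID token
    (placeholder tenant/app IDs). For offline testing only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    claims = {
        "aud": "https://graph.microsoft.com",
        "tid": "00000000-0000-0000-0000-000000000000",   # placeholder tenant
        "appid": "11111111-1111-1111-1111-111111111111",  # placeholder app
    }
    if roles is not None:
        claims["roles"] = roles
    if scp is not None:
        claims["scp"] = scp
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    samples = {
        "least-privilege": make_unsigned_sample_token(roles=["User.Read.All", "Group.Read.All"]),
        "over-privileged": make_unsigned_sample_token(roles=["Directory.Read.All", "Group.ReadWrite.All"]),
        "delegated": make_unsigned_sample_token(scp="User.Read Group.Read.All"),
    }
    for name, tok in samples.items():
        print(name, check_reconciliation_token(tok))
```

To run this against a real token, POST the `data` from `build_client_credentials_request` to its `url` and pass the returned `access_token` to `check_reconciliation_token`; any role listed under `excess` (for example a `*.ReadWrite.All` permission) should be removed from the app registration before the Saviynt connection goes live.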