10/07/2024 11:52 PM
Hi,
We have a requirement where we need to integrate Saviynt with Azure AD just to reconcile Accounts and Groups to Saviynt. What are the API permissions we need to assign at Azure AD level while registering the application at Azure AD level just to provide Read-Only access?
10/07/2024 11:53 PM
@KP18 read only permission to pull in users and groups will be fine.
10/08/2024 01:23 AM
@NM Assigning the user.read.all and groups.read.all API permissions at the Azure AD level should allow us to fetch account and group data, or if we assign the Directory.Read.All permission instead, it should also fulfill these requirements. Can we proceed with this approach?
10/08/2024 08:03 AM
@KP18, user.read.all and groups.read.all will work as well. Below is what we are using.
10/08/2024 08:22 AM
Yes, your approach is correct in terms of API permissions needed to reconcile Accounts and Groups from Azure AD to Saviynt with read-only access.
Here are the necessary API permissions you should assign to the application in Azure AD when registering it for this purpose:
In this case, you will need Application permissions for User.Read.All and Group.Read.All (or Directory.Read.All), since the reconciliation task doesn't require user interaction.
Once this is done, Saviynt should be able to reconcile Accounts and Groups from Azure AD.
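A way to confirm the registered application ended up read-only, as an added example that is not part of any post in this thread: it reads the `roles` claim of an app-only Microsoft Graph access token and checks it against the permissions named above. The function names and the sample token are constructed for illustration, and the check assumes the granted Application permissions appear in the token's `roles` claim.

```python
import base64
import json

# Read-only Graph Application permissions named in the thread (compared case-insensitively).
READ_ONLY_SETS = [
    {"user.read.all", "group.read.all"},
    {"directory.read.all"},
]
ALLOWED = set().union(*READ_ONLY_SETS)


def b64url(data):
    """Base64url-encode bytes without padding, as used in compact JWTs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def token_roles(jwt):
    """Return the 'roles' claim of a JWT. No signature check: audit use only."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return claims.get("roles", [])


def audit_roles(roles):
    """Report whether the roles cover reconciliation and whether any exceed read-only."""
    granted = {r.lower() for r in roles}
    excess = sorted(granted - ALLOWED)
    sufficient = any(needed <= granted for needed in READ_ONLY_SETS)
    return {"sufficient": sufficient, "excess": excess,
            "read_only": sufficient and not excess}


def make_sample_token(roles):
    """Build a constructed, unsigned token so the example runs offline."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"aud": "https://graph.microsoft.com",
                                 "roles": roles}).encode())
    return f"{header}.{payload}.constructed-signature"


if __name__ == "__main__":
    for roles in (["User.Read.All", "Group.Read.All"],
                  ["User.Read.All", "Group.ReadWrite.All"]):
        print(roles, "->", audit_roles(token_roles(make_sample_token(roles))))
```

Any entry under `excess` is a permission beyond the read-only set and a candidate for removal from the app registration.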