Azure AD syncer
Sync users from Azure Active Directory (Microsoft Entra ID) to Hanzo IAM via Microsoft Graph.
The Azure AD syncer pulls users from Azure Active Directory (Microsoft Entra ID) into Hanzo IAM using the Microsoft Graph API and keeps the directory in sync.
Prerequisites
Register an application in the Azure Portal and grant it the permissions below.
Step 1: Register an Application
Navigate to Azure Portal and register a new application:
- Go to Azure Active Directory → App registrations → New registration
- Enter a name for your application
- Select the appropriate account type (typically "Accounts in this organizational directory only")
- Click Register
Step 2: Create a Client Secret
After registration, create a client secret:
- In your application, go to Certificates & secrets
- Click New client secret
- Add a description and select an expiration period
- Click Add and copy the secret value immediately (it won't be shown again)
Step 3: Grant API Permissions
Configure the required Microsoft Graph API permissions:
- Go to API permissions → Add a permission
- Select Microsoft Graph → Application permissions
- Add the User.Read.All permission
- Click Grant admin consent for your organization
:::tip
User.Read.All is an application permission: it lets the syncer read every user profile in your Azure AD tenant without a signed-in user, which is why it requires admin consent.
:::
Configuration
To create an Azure AD syncer in Hanzo IAM:
- Navigate to the Syncers tab
- Click Add to create a new syncer
- Fill in the following required fields:
| Field | Description |
|---|---|
| Organization | The Hanzo IAM organization where users will be imported |
| Name | A unique identifier for this syncer |
| Type | Select "Azure AD" |
| Tenant ID | Your Azure AD tenant ID (found in Azure Portal → Azure Active Directory → Overview) |
| Client ID | The Application (client) ID from your app registration |
| Client Secret | The client secret value you created earlier |
The database-related fields (Database type, Port, Database, Table) are not used by the Azure AD syncer and can be left empty.
Field Mappings
The syncer automatically maps Azure AD user attributes to Hanzo IAM user fields:
| Azure AD Field | Hanzo IAM Field | Description |
|---|---|---|
| id | Id | User's unique identifier |
| userPrincipalName | Name | User principal name |
| displayName | DisplayName | User's display name |
| givenName | FirstName | First name |
| surname | LastName | Last name |
| | | Email address |
| mobilePhone | Phone | Mobile phone number |
| jobTitle | Title | Job title |
| officeLocation | Location | Office location |
| preferredLanguage | Language | Preferred language |
| accountEnabled | IsForbidden | Account status (inverted) |
:::info
The accountEnabled field is inverted when mapped to IsForbidden. When a user is disabled in Azure AD (accountEnabled: false), they will be marked as forbidden in Hanzo IAM (IsForbidden: true).
:::
Running the Syncer
After configuration:
- Click Test Connection to verify your credentials and permissions
- Enable the syncer by toggling Is enabled
- Click Sync to trigger an immediate synchronization
- The syncer will automatically fetch all users from your Azure AD tenant
The syncer handles pagination automatically, retrieving all users regardless of the total count.
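The following is an added example, not Hanzo IAM's own syncer code, that shows the three pieces described in this guide end to end: the client-credentials token request made with the Tenant ID, Client ID and Client Secret from the configuration table, the `@odata.nextLink` pagination loop that the "Running the Syncer" section refers to, and the field mapping from the table above, including the inverted `accountEnabled` → `IsForbidden` rule. The Graph endpoint, token endpoint and `$select`/`$top` query parameters are real Microsoft Graph conventions; the environment variable names, the `sample_*` pages and every user record in them are constructed for this example so the mapping and pagination can be exercised offline.

```python
"""Added example (not Hanzo IAM's code): fetch users from Microsoft Graph with the
app registration described above, page through the results, and apply the
field mapping from the table. Only the standard library is used."""
import json
import os
import urllib.parse
import urllib.request
from typing import Callable, Iterator, List

GRAPH_USERS_URL = "https://graph.microsoft.com/v1.0/users"

# Request only the attributes the mapping needs (data minimisation); the
# User.Read.All application permission still decides what Graph will return.
SELECT_FIELDS = ("id", "userPrincipalName", "displayName", "givenName", "surname",
                 "mobilePhone", "jobTitle", "officeLocation", "preferredLanguage",
                 "accountEnabled")

# Azure AD attribute -> Hanzo IAM field, as in the mapping table above.
FIELD_MAP = {
    "id": "Id",
    "userPrincipalName": "Name",
    "displayName": "DisplayName",
    "givenName": "FirstName",
    "surname": "LastName",
    "mobilePhone": "Phone",
    "jobTitle": "Title",
    "officeLocation": "Location",
    "preferredLanguage": "Language",
}


def get_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials grant against the tenant's v2.0 token endpoint."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def graph_fetch_page(url: str, token: str) -> dict:
    """Fetch one page of /users with the bearer token obtained above."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def first_page_url(page_size: int = 100) -> str:
    query = {"$select": ",".join(SELECT_FIELDS), "$top": page_size}
    return GRAPH_USERS_URL + "?" + urllib.parse.urlencode(query)


def iter_all_users(fetch_page: Callable[[str], dict], url: str) -> Iterator[dict]:
    """Follow @odata.nextLink until Graph stops returning one, so every user is
    retrieved regardless of the tenant's size."""
    while url:
        page = fetch_page(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def map_user(graph_user: dict) -> dict:
    """Apply the field mapping; attributes Graph did not return become None."""
    iam_user = {iam: graph_user.get(az) for az, iam in FIELD_MAP.items()}
    # accountEnabled is inverted: a disabled Azure AD account is forbidden in IAM.
    # A missing attribute is treated as disabled so the sync fails closed.
    iam_user["IsForbidden"] = not graph_user.get("accountEnabled", False)
    return iam_user


def sync_users(fetch_page: Callable[[str], dict], url: str) -> List[dict]:
    return [map_user(u) for u in iter_all_users(fetch_page, url)]


# Constructed sample responses (not real tenant data) shaped like Graph's paged output.
SAMPLE_FIRST_URL = first_page_url(page_size=2)
SAMPLE_NEXT_URL = GRAPH_USERS_URL + "?$skiptoken=CONSTRUCTED-TOKEN"
SAMPLE_PAGES = {
    SAMPLE_FIRST_URL: {
        "value": [
            {"id": "00000000-0000-0000-0000-000000000001", "userPrincipalName": "alice@example.com",
             "displayName": "Alice Example", "givenName": "Alice", "surname": "Example",
             "mobilePhone": "+1 555 0100", "jobTitle": "Engineer", "officeLocation": "HQ",
             "preferredLanguage": "en-US", "accountEnabled": True},
            {"id": "00000000-0000-0000-0000-000000000002", "userPrincipalName": "bob@example.com",
             "displayName": "Bob Example", "givenName": "Bob", "surname": "Example",
             "accountEnabled": False},
        ],
        "@odata.nextLink": SAMPLE_NEXT_URL,
    },
    SAMPLE_NEXT_URL: {
        "value": [{"id": "00000000-0000-0000-0000-000000000003",
                   "userPrincipalName": "carol@example.com", "displayName": "Carol Example",
                   "accountEnabled": True}],
    },
}


def sample_fetch_page(url: str) -> dict:
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    # Hypothetical environment variable names; the secret is never hard-coded.
    token = get_token(os.environ["AZURE_TENANT_ID"], os.environ["AZURE_CLIENT_ID"],
                      os.environ["AZURE_CLIENT_SECRET"])
    for iam_user in sync_users(lambda u: graph_fetch_page(u, token), first_page_url()):
        print(json.dumps(iam_user))
```

Running `sync_users(sample_fetch_page, SAMPLE_FIRST_URL)` walks both constructed pages and yields three Hanzo IAM records, with Bob marked `IsForbidden: True` because his Azure AD account is disabled. Two design choices are worth keeping in a real implementation: `$select` limits the request to the attributes actually mapped, and a user record with no `accountEnabled` value is treated as forbidden rather than silently enabled.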