Azure Active Directory
Azure Active Directory (AAD) is Microsoft’s multi-tenant, cloud-based directory and identity management service. The Azure Active Directory Service Type provides the ability to read from and manage users and groups in Azure Active Directory. The product uses this service type for user identification, authorization and integration with Azure Active Directory through the Azure Active Directory workflow wizards.
The Azure Active Directory Service Type exposes Azure Active Directory User methods (such as reading and updating user information), Group methods (such as retrieving groups and a user's group memberships), and User-Group operations (such as adding users to groups).
Service Authentication
OAuth is the only supported Authentication Mode for the Azure Active Directory Service Type.
Service Keys (Service Instance Configuration Settings)
Key | Can be modified | Data Type | Sample Value | Notes |
---|---|---|---|---|
ClientId | Yes | Text | 5701318dfgkj654h74332 | The Client ID from your Azure Active Directory configuration for the App. Normally, this setting is not required unless you have manually configured an application for access in Azure Active Directory using the Azure Management tools. For more general information see the MSDN article on Azure Active Directory and OAuth. This property contains sensitive information. You can enter and see the value when you first configure it; the value is masked when the service instance is updated. |
ClientSecret | Yes | Text | fjds543kjdfs87fih234khs | The Client Secret from your Azure Active Directory configuration. Normally, this setting is not required unless you have manually configured an application for access in your Azure Active Directory using the Azure Management tools. (For more information, see the article Azure Active Directory and OAuth.) This property contains sensitive information. You can enter and see the value when you first configure it; the value is masked when the service instance is updated. |
Realm | Yes | Text | https://yourtenantname.onmicrosoft.com/yourapp | The APP ID URI from your Azure Active Directory configuration. Normally, this setting is not required unless you have manually configured an application for access in your Azure Active Directory using the Azure Management tools. |
Filter in Azure Active Directory | Yes | True/False | True | Filter in Azure Active Directory sends the filter through to Azure Active Directory so that results are filtered before they are returned. There are limitations regarding filtering in Azure Active Directory; see the Limitations section below. With the setting set to false, the unfiltered results are fetched from Azure Active Directory and then filtered in the broker. |
Number of pages to return | Yes | Text | 100 | Azure Active Directory works on a paged request system, so Number of pages to return and Page Size are used together to manage the number of results returned. This is an important setting when working with the cloud. We recommend 100, as this is also the default Azure Active Directory uses. Increasing the results per page requires fewer calls to Azure Active Directory, but transmits more data over the network at a time, increasing the likelihood of a timeout or disconnect. Decreasing the value can have a performance impact, as more calls are made to Azure Active Directory, and can cause throttling if too many calls are made to the system. Setting this to 0 brings back all pages, and thus all results, which can have a negative performance impact. Setting it to 0 is needed, however, if the FilterInAAD setting is false, since the SmartObject Broker needs all the results to apply the filter accurately and return the expected results. |
Page Size | Yes | Text | 1 | Azure Active Directory works on a paged request system, so Number of pages to return and Page Size are used together to manage the number of results returned. |
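The interaction between Number of pages to return, Page Size and Filter in Azure Active Directory is easy to misjudge, so here is an added example (not product code from K2 or Microsoft) that models it. The directory contents are constructed sample data, and all function and field names are assumptions rather than the product's own API. It shows that limiting the pages is safe when the directory filters before paging, but silently drops matches when the filter runs in the broker over a truncated result set.

```python
"""Added example, not K2 product code: a model of the 'Number of pages to return'
and 'Page Size' settings, showing why 0 pages is required when FilterInAAD is
false. Function and field names are assumptions, not the product's API."""

# Constructed sample directory (not real tenant data), returned in this order.
SAMPLE_USERS = [
    {"DisplayName": "Bob Smith", "Department": "IT"},
    {"DisplayName": "Alice Jones", "Department": "HR"},
    {"DisplayName": "Bobby Brown", "Department": "IT"},
    {"DisplayName": "Carol White", "Department": "Finance"},
    {"DisplayName": "Dan Green", "Department": "IT"},
    {"DisplayName": "Bob Taylor", "Department": "HR"},
    {"DisplayName": "Eve Black", "Department": "IT"},
]

def fetch_page(source, page_index, page_size):
    """Stand-in for one paged directory request: returns that page's slice."""
    start = page_index * page_size
    return source[start:start + page_size]

def get_list(users, *, page_size, number_of_pages, filter_in_aad, predicate):
    """Return (results, requests_made).
    page_size: rows per request. number_of_pages: requests to make, 0 = all.
    filter_in_aad=True: the directory applies the filter before paging (the
    predicate stands in for the server-side filter). filter_in_aad=False: the
    pages come back unfiltered and the predicate is applied locally afterwards,
    i.e. only to the rows that were actually fetched."""
    if page_size <= 0 or number_of_pages < 0:
        raise ValueError("page_size must be positive and number_of_pages >= 0")
    source = [u for u in users if predicate(u)] if filter_in_aad else list(users)
    results, requests, page = [], 0, 0
    while number_of_pages == 0 or page < number_of_pages:
        chunk = fetch_page(source, page, page_size)
        requests += 1
        results.extend(chunk)
        page += 1
        if len(chunk) < page_size:   # short page: the directory has nothing further
            break
    if not filter_in_aad:
        results = [u for u in results if predicate(u)]
    return results, requests

def compare_modes(users, predicate, page_size=2):
    """Summarise the three configurations the table describes for one filter."""
    cases = {
        "filter in AAD, 1 page": dict(number_of_pages=1, filter_in_aad=True),
        "filter in broker, 1 page": dict(number_of_pages=1, filter_in_aad=False),
        "filter in broker, all pages": dict(number_of_pages=0, filter_in_aad=False),
    }
    return {name: get_list(users, page_size=page_size, predicate=predicate, **cfg)
            for name, cfg in cases.items()}

if __name__ == "__main__":
    starts_with_bob = lambda u: u["DisplayName"].startswith("Bob")
    for name, (rows, n) in compare_modes(SAMPLE_USERS, starts_with_bob).items():
        print(f"{name}: {len(rows)} result(s) in {n} request(s)")
```

With a page size of 2 and one page, the broker-side filter sees only the first two users and returns a single "Bob" although three exist; fetching all pages (0) finds all three at the cost of four requests. A small page size is used here only to make the effect visible on seven rows.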
Permissions
The SharePoint application requires Write permissions, configured in Azure Active Directory, in order for the Create and Update methods to function correctly when using the Azure Active Directory wizards in a workflow.
Service Objects
The Active Directory Service 2 typically exposes the following Service Objects:
- Group (exposes Azure Active Directory Group data and methods)
- User (exposes User level data and methods)
- User and Groups (interacts with the global Azure Active Directory API)
SmartObjects
If an Azure Active Directory environment is configured during installation, the product automatically generates SmartObjects for these Service Objects. SmartObjects can be automatically created by selecting the Generate SmartObjects for this Service Instance check box when creating a new Service Instance. Designers can use the SmartObject design tools to build advanced SmartObjects that leverage the Service Objects in this service. It is recommended to use the SmartObject design tools to create SmartObjects rather than generating SmartObjects, since this allows better control over the naming, behavior and design of the SmartObject and its methods and properties.
Considerations
The default Service Instance of this service is used internally by the environment. Do not modify or delete the existing service instance. You can create a new instance or use the methods from the existing instance.
When applying filters to the Azure Active Directory SmartObject, limitations of the Azure Active Directory Service cause behavior that differs from what you might expect. For example, the Azure Active Directory Service applies the “Startswith” logical filter in place of the “Contains” filter.
Logical filtering that is available in the Azure Active Directory Service:
- Equals
- Startswith
- GreaterThan
- LessThan
Logical filter limitations:
- The “Contains” filter is not available in the Azure Active Directory Service, and when the Azure Active Directory SmartObject applies the “Contains” filter such as used by the Picker control, the “Startswith” filter is applied by the Azure Active Directory Service.
- The “Endswith” filter is not available in the Azure Active Directory Service.
Other limitations
- Only string values can be filtered on (filters on AccountDisable, which is a bool, or OtherMail, which is a collection, are ignored).
- Some text properties are not filterable at all:
  - FacsimileTelephoneNumber
  - Mobile
  - PhysicalDeliveryOfficeName
  - PostalCode
  - PreferredLanguage
  - StreetAddress
  - TelephoneNumber
  Azure Active Directory will throw a Microsoft.Azure.ActiveDirectory.GraphClient.UnsupportedQueryException exception and the following message will be displayed:
  "Unsupported Azure Active Directory filter used. Revise Filter or disable 'Filter in Azure Active Directory': Unsupported or invalid query filter clause specified for property 'mobile' of resource 'User'."
  This means the filter contains a field that is not filterable. In this instance the field is called 'mobile'.
  SmartForms QuickFilter filters on all fields, and will therefore cause Azure Active Directory to throw errors if FilterInAAD is enabled.
- These properties are filterable:
  - City
  - Country
  - Department
  - DisplayName
  - GivenName
  - JobTitle
  - MailNickname
  - ObjectId*
  - State
  - Surname
  - UsageLocation
  - UserPrincipalName
  *ObjectId cannot be used with other properties in a filter. It must be filtered on its own, otherwise Azure Active Directory will return the error shown above.
- Complex grouping in filters also has a limitation in Azure Active Directory. Azure Active Directory will throw an exception if the filter grouping is too complex and will show the following error:
  "Unsupported Azure Active Directory filter used. Revise Filter or disable 'Filter in Azure Active Directory': Search filter expression has excessive height."
- Filters are not applied when specifying a SmartObject input property. If an input property is specified, the input property is used as an “Equals” logical operation for that field with ‘and’ joins between the properties if multiple expressions are specified, and ignores any filter specified.
- Azure Active Directory only supports filtering a property against a value. So we allow Property=value or Value=Property expressions, but not Value=Value or Property=Property. For example “DisplayName Contains Bob”
- Paging and ordering are not implemented in the Azure Active Directory SmartObject; they are handled by the SmartObject Broker on the returned results.
- By default, we set the page size to 100 and to only return 1 page's results.
- FilterInAAD is only implemented for the GetList method on the User and Group Azure Active Directory SmartObjects.
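The filter limitations above are only reported by Azure Active Directory after the request has been sent, so a designer enabling Filter in Azure Active Directory benefits from checking a filter locally first. The following is an added example, not K2 or Microsoft code, of such a pre-check: it takes a SmartObject-style filter tree, applies the rules listed above (Contains rewritten to Startswith, Endswith rejected, non-string properties ignored, non-filterable properties and ObjectId combinations rejected, excessive nesting rejected, input properties taking precedence as Equals joined by 'and') and renders the equivalent OData $filter clause. The property names and the two error messages come from the page; the OData operator spellings, the camelCase property rendering, the depth limit MAX_DEPTH and the class and function names are assumptions.

```python
"""Added example, not K2 product code: pre-checks a SmartObject-style filter
against the Azure AD limitations listed above and renders the $filter clause."""
from dataclasses import dataclass, field

# Property lists copied from the page. Graph property names are rendered camelCase.
FILTERABLE = {"City", "Country", "Department", "DisplayName", "GivenName", "JobTitle",
              "MailNickname", "ObjectId", "State", "Surname", "UsageLocation",
              "UserPrincipalName"}
NOT_FILTERABLE = {"FacsimileTelephoneNumber", "Mobile", "PhysicalDeliveryOfficeName",
                  "PostalCode", "PreferredLanguage", "StreetAddress", "TelephoneNumber"}
NON_STRING = {"AccountDisable", "OtherMail"}   # bool / collection: the filter is ignored
# OData spellings for the four operators the page lists (assumed, not from the page).
OPERATORS = {"Equals": "{p} eq '{v}'", "Startswith": "startswith({p},'{v}')",
             "GreaterThan": "{p} gt '{v}'", "LessThan": "{p} lt '{v}'"}
MAX_DEPTH = 3   # assumed stand-in for the 'excessive height' limit

class UnsupportedFilter(ValueError):
    """Raised where Azure AD would return UnsupportedQueryException."""

@dataclass
class Cond:
    prop: str      # SmartObject property name, e.g. "DisplayName"
    op: str        # Equals, Startswith, GreaterThan, LessThan, Contains, Endswith
    value: str

@dataclass
class Group:
    join: str                                   # "and" or "or"
    items: list = field(default_factory=list)   # Cond or nested Group

def _camel(prop):
    return prop[0].lower() + prop[1:]

def _depth(node):
    """Nesting height: a bare Cond is 0, each enclosing Group adds 1."""
    if isinstance(node, Group):
        return 1 + max((_depth(i) for i in node.items), default=0)
    return 0

def _render(node, seen):
    if isinstance(node, Group):
        parts = [r for r in (_render(i, seen) for i in node.items) if r]
        if len(parts) > 1:
            return "(" + f" {node.join} ".join(parts) + ")"
        return parts[0] if parts else ""
    if node.prop in NON_STRING:
        return ""   # ignored silently, as the page describes
    if node.prop in NOT_FILTERABLE:
        raise UnsupportedFilter("Unsupported or invalid query filter clause specified "
                                f"for property '{_camel(node.prop)}' of resource 'User'")
    if node.prop not in FILTERABLE:
        raise UnsupportedFilter(f"unknown property '{node.prop}'")
    op = "Startswith" if node.op == "Contains" else node.op   # Contains -> Startswith
    if op not in OPERATORS:
        raise UnsupportedFilter(f"'{node.op}' is not available in the Azure AD service")
    seen.add(node.prop)
    return OPERATORS[op].format(p=_camel(node.prop), v=node.value.replace("'", "''"))

def build_filter(node, input_properties=None):
    """Render the $filter clause, or raise UnsupportedFilter.
    input_properties (dict) replace the filter entirely: each becomes an Equals
    condition and they are joined with 'and'."""
    if input_properties:
        node = Group("and", [Cond(p, "Equals", v) for p, v in input_properties.items()])
    if _depth(node) > MAX_DEPTH:
        raise UnsupportedFilter("Search filter expression has excessive height")
    seen = set()
    clause = _render(node, seen)
    if "ObjectId" in seen and len(seen) > 1:
        raise UnsupportedFilter("ObjectId cannot be combined with other properties")
    return clause

def is_supported(node, input_properties=None):
    """True if build_filter succeeds; a check to run before enabling FilterInAAD."""
    try:
        build_filter(node, input_properties)
        return True
    except UnsupportedFilter:
        return False

if __name__ == "__main__":
    print(build_filter(Cond("DisplayName", "Contains", "Bob")))   # Picker-style filter
    print(is_supported(Cond("Mobile", "Equals", "555")))           # not filterable
```

A Picker control's "DisplayName Contains Bob" comes out as startswith(displayName,'Bob'), which is exactly the substitution the page warns about, so a designer can see up front that a user named "Rob Bobson" will not match. Single quotes in values are doubled so that a value cannot break out of the literal.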
When changes are made in Azure Active Directory that impact existing Azure Active Directory SmartObjects in your environment, the Azure Active Directory SmartObjects contact Azure Active Directory and synchronize and apply any changes.