Azure Active Directory - User Guide

Microsoft 365 and Azure Active Directory users can connect using Azure AD

Integrating with Azure Active Directory and Microsoft 365 will allow Scytale to collect relevant user access information and their access privilege rights on Microsoft. This will help to inspect and ensure that only authorized users have access to Microsoft - which is one of the key criteria when testing logical access. Manually collecting this type of evidence can take some time, especially when you need to prove to the auditors that the user listings are complete and accurate, and when you have a long list of users that require multiple pieces of evidence to be provided.

Automating the collection of user listings and access privileges streamlines the sampling process for the audit, and also provides assurance over the accuracy and completeness of the evidence collected.

How to connect Azure Active Directory integration?

💡Global admin role should create the application.

Step 1: Register an application

• Log in to the Azure portal and then navigate to Azure Active Directory.

• On the left menu, click on App registrations

• On the screen that loads, click on New registration and fill in the following details:

  • Name - you can choose a name, for example: scytale-integration

  • Supported account types - the first option must be selected - "Accounts in this organizational directory only (Default Directory only - Single tenant)".

  • Redirect URI - select Web from the drop-down menu, and in the text box paste the following: https://api.scytale.ai/integrations/microsoft-graph/callback/microsoft-graph 

  • Click on Register

• Next, navigate to the app registrations page.

• On the app registrations page, click on scytale-integration (the application you just created in the previous step).

• On the left menu, select "overview".

• Under "Essentials", copy the (A) - Application (Client) ID and the (B) - Directory (tenant) ID (You'll need this to connect the integration in step 3).

Step 2: Create a new client secret for the app

• Go to App registrations.

• Go to "Certificates & secrets"

• Click on New client secret

  • Description - scytale-key

  • Expires - we recommend selecting 24 months. We cannot collect data after the key expires.

  • Click on Add

• Click on the copy sign on the (C) - "Value" column. (You'll need this to connect the integration in step 3)

Step 3: Add permissions

• Go to App registrations.

• Go to the app that you created in step 1: scytale-integration.

• Go to "API permissions"

• Click on Add a permission

• Under "Request API permissions",

• In Microsoft API's tab, select "Microsoft Graph" and then select select "application permissions".

• Select to add the following permissions (you can do it by search the permissions from the list):

  • User.Read.All

  • RoleManagement.Read.Directory

  • GroupMember.Read.All

  • Group.Read.All

  • Directory.Read.All

  • Application.Read.All

  • UserAuthenticationMethod.Read

  • Reports.Read.All

• Click on Add permissions

• Under API permissions - to grant permission, select "Grant admin consent for Default Directory".

Step 4: Log in to the Scytale web app

• Click on the "Integrations" menu screen to the left.

• Click on the Connect button under the Azure Active Directory icon.

• After reading the permissions window, click on Next

• Now, paste the following details into the connection screen:

  • Application ID - A (from step 1 above)

  • Secret Value - C (from step 2 above)

  • Directory ID - B (from step 1 above)

All the permissions that are required for the integration with Azure Active Directory are read-only permissions and do not allow Scytale to perform any actions within your Azure AD account.