Connectors

Azure AD User Management Connector

The Azure AD User Management connector lets you manage users, groups, and software licenses in your PingOne DaVinci flow.

You can use the Azure AD User Management connector to:

  • Query user information

  • Create, update, and delete users

  • List the users in a group

  • Add and remove group members

  • Add and remove software licenses and disable plans

Setup

Resources

For information and setup help, see the following:

Requirements

To use the connector, you’ll need:

  • Administrator access to Microsoft Azure

Setting up Azure AD

  1. Sign on to the Azure portal.

  2. Create the application:

    1. Search for and select Azure Active Directory.

    2. Under Manage, select App registrations → New registration.

    3. On the Register an Application page, for Supported account types, select Accounts in any organizational directory and personal Microsoft accounts.

    4. Leave the Redirect URI field blank.

    5. Click Register.

      A screen capture of the Azure AD application configuration.
  3. On your app’s Overview page, note the Application (client) ID and Directory (tenant) ID. You’ll use these in the connector configuration.

    A screen capture of the application details page in Microsoft Azure.
  4. Create a client secret:

    1. Under Manage, click Certificates & secrets. On the Client secrets tab, click New client secret.

    2. Enter a name and select an expiry time. Click Add.

    3. Note the Value of the secret. You’ll use this in the connector configuration.

      A screen capture of the client secret in Microsoft Azure.
  5. Give the connector permission to manage users and send messages:

    1. Under Manage, click API permissions.

    2. Click Add a permission and add the following Microsoft Graph API permissions:

      Application permissions
      Permission Type

      Directory.Read.All

      Application

      Directory.ReadWrite.All

      Application

      Group.Read.All

      Application

      Group.ReadWrite.All

      Application

      GroupMember.Read.All

      Application

      GroupMember.ReadWrite.All

      Application

      User.EnableDisableAccount.All

      Application

      User.ManageIdentities.All

      Application

      User.Read.All

      Application

      User.ReadWrite.All

      Application

    3. Click Grant admin consent for <your organization>.

  6. Grant your application the User Administrator role:

    1. In the Azure portal, search for and select Azure AD roles and administrators.

    2. On the All Roles list, search for and select User Administrator.

    3. On the User Administrator > Assignments page, click Add assignments.

      A screen capture of the Add assignments page in Microsoft Azure.
    4. Search for and select your application. Click Add.

Configuring the Azure AD User Management connector

Add the connector in DaVinci as shown in Adding a connector, then configure it as follows.

Connector configuration

Client ID

The Application (client) ID that you noted in Setting up Azure AD.

Client Secret

The client secret Value that you noted in Setting up Azure AD.

Tenant ID

The Directory (tenant) ID that you noted in Setting up Azure AD.

Using the connector in a flow

Get user attributes based on a query

The Query Users capability allows you to get information about one or more users based on a query function.

This capability queries the Azure AD users endpoint. You can select certain user attributes, and filter, order, or format the results. For help creating a query, see Use query parameters and Advanced query capabilities in the Microsoft documentation.

Enter queries in the Query Parameters field. See the following table for examples.

Example queries
Description Query Parameters

List users whose given name starts with J.

$filter=startswith(givenName, 'J')

Get users' given name and surname only.

$select=givenName,surname

Combined query: List users whose given name starts with J and get their given name and surname only.

$filter=startswith(givenName%2C+'J')&$select=givenName,surname

List changes to users since a previous query

The Query User Changes capability allows you to get information about one or more users based on a query function, then repeat the same query one or more times and only receive the information that has changed since the previous query. This includes data that has been created, modified, or deleted. Because only changes are included, the query runs more quickly and can provide valuable or actionable results. For more information about this function, see Get delta in the Graph API documentation.

In your initial request, you can specify a set of query parameters. You’ll receive the requested information, as well as a deltaLink URL, which includes a delta token. In subsequent requests, you only need to provide the delta token as a parameter. The results include any changed data that matches the original query parameters.

Microsoft provides a limited query options for this function. For details, see the Query parameters section of the Get delta topic in the Graph API documentation.

  1. Define and test your query parameters:

    1. Create a flow and add an Azure AD User Management with the Query User Changes capability.

    2. In the Query Parameters field, enter your initial query parameters to define the user information you want to track. For example:

      $select=givenName,surname
    3. Add an HTTP connector with the Custom HTML Message and use it to display the output variable from the Query User Changes node. Click Apply.

      A screen capture of the user inserting the
    4. Click Save, Deploy, and Try Flow.

    5. In the output, check that your queries returns the information that you want.

  2. Get the delta token:

    1. Open the Query User Changes node for editing.

    2. In the Query Parameters field, add the parameter to get the delta token. For example:

      $deltaToken=latest&$select=givenName,surname
    3. In the Custom HTML Message node, remove the output variable and add the deltaToken variable.

    4. Click Save, Deploy, and Try Flow.

    5. In the output, copy the delta token parameter. For example:

      $deltatoken=slyJnDHUp6df3Y...nTlLFOVXPjexmCk2a
  3. Use the delta token to make subsequent requests:

    1. Create a new flow and add an Azure AD User Management with the Query User Changes capability.

    2. In the Query Parameters field, enter your delta token parameter only. For example:

      $deltatoken=slyJnDHUp6df3Y...nTlLFOVXPjexmCk2a
    3. Add an HTTP connector with the Custom HTML Message and use it to display the output variable from the Query User Changes node. Click Apply.

    4. Click Save, Deploy, and Try Flow.

    5. In the output, see the list of user attributes that have been created, modified, or deleted since you generated the delta token.

User management

The connector has several capabilities that allow you to manage users:

  • Read User

  • Create User

  • Update User

  • Delete User

No special configuration is needed. Add the capability and populate its properties according to the help text.

Group membership management

The connector has several capabilities that allow you to manage the groups that a user is part of:

  • List User’s Groups

  • Add User to Group

  • Remove User From Group

No special configuration is needed. Add the capability and populate its properties according to the help text.

Manage user licenses

The Manage User License capability lets you select a user and define one or more licenses to add, remove, or disable for that user.

For more information, see user: assignLicense in the Graph API documentation.

No special configuration is needed. Add the capability and populate its properties according to the help text.

Creating a custom API call

If you want to do something that isn’t supported by one of the provided capabilities, you can use the Make a Custom API Call capability to define your own action.

This capability uses the credentials from your connector to make an API call with the HTTP method, headers, query parameters, and body you specify.

Capabilities

Query Users

Get user attributes based on a custom query.

Show details
Properties
Query Parameters textField

Customize your request with a user filter or query, such as "$select=displayName,givenName,postalCode". See 'User Query' in the Graph API documentation for help. This field is optional.

Input Schema
default object
clientId string
clientSecret string
tenantId string
userQuery string
Output Schema
output object
rawResponse object
properties object
@odata.context string
@odata.nextLink string
value array
items array
type object
properties
statusCode integer

Query User Changes

Get user attributes based on an initial query, then run subsequent queries to get a list of attributes that have been created, modified, or deleted since the initial query. See 'user: Delta' in the Graph API documentation for help.

Show details
Properties
Query Parameters textField

Customize your request with a user filter or query, such as "$select=displayName,givenName,postalCode". See 'User Query' in the Graph API documentation for help. This field is optional.

Input Schema
default object
clientId string
clientSecret string
tenantId string
userQuery string
Output Schema
output object
rawResponse object
properties object
@odata.context string
@odata.nextLink string
@odata.deltaLink string
skiptoken string
deltatoken string
value array
items array
type object
properties
statusCode integer

Read User

Select a single user to get all of their attributes.

Show details
Properties
User dropDown required

The user to target. For a dynamic value, select Use User ID and enter a value in the User ID field.

  • Use User ID

User ID textField

The user’s principal name, such as "jsmith@example.com" or "144c6d7e-ef33-46b8-847a-7021943e9900".

Input Schema
default object
clientId string
clientSecret string
tenantId string
userId string
Output Schema
output object
rawResponse object
properties object
businessPhones array
displayName string
givenName string
jobTitle string
mail string
mobilePhone string
officeLocation string
preferredLanguage string
surname string
userPrincipalName string
id string
statusCode integer

Create User

Create a new user account

Show details
Properties
Account Enabled toggleSwitch required

When enabled, the new account is enabled and ready to use.

Display Name textField required

The name to display in the address book for the user.

Mail Nickname textField required

The mail alias for the user, such as "jsmith".

Principal Name textField required

The user’s principal name, such as "jsmith@example.com".

Password textField required

The user’s password

Force Change Password toggleSwitch

When enabled, the user must set a new password the next time they sign on.

Force Change Password with MFA toggleSwitch

When enabled, the user must authenticate with MFA then set a new password the next time they sign on.

Other Attributes variableInputList

Define additional attributes to add to the user account.

Input Schema
default object
clientId string
clientSecret string
tenantId string
createUserAccountEnabled boolean
createUserDisplayName string
createUserMailNickname string
createUserPrincipalName string
forceChangePasswordNextSignIn boolean
forceChangePasswordNextSignInWithMfa boolean
createUserPassword string
Output Schema
output object
rawResponse object
properties object
@odata.context string
id string
businessPhones array
displayName string
givenName string
jobTitle string
mail string
mobilePhone string
officeLocation string
preferredLanguage string
surname string
userPrincipalName string
statusCode integer

Update User

Update information about a user.

Show details
Properties
User dropDown required

The user to target. For a dynamic value, select Use User ID and enter a value in the User ID field.

  • Use User ID

User ID textField

The user’s principal name, such as "jsmith@example.com" or "144c6d7e-ef33-46b8-847a-7021943e9900".

Given Name textField

The given name (first name) of the user

Surname textField

The user’s surname (family name or last name).

Display Name textField

The name to display in the address book for the user.

Password textField

The user’s password.

Force Change Password toggleSwitch

When enabled, the user must set a new password the next time they sign on.

Force Change Password with MFA toggleSwitch

When enabled, the user must authenticate with MFA then set a new password the next time they sign on.

Country textField

The user’s country, in ISO 3166-1 alpha-2 format, such as "US".

State or Province textField

The user’s state or province, such as "WA".

City textField

The user’s city, such as "Seattle".

Department textField

The user’s department, such as "Accounting".

Employee ID textField

The user’s employee identifier, such as "A2304884". Maximum length is 16 digits.

Mail textField

The user’s SMTP address, such as "jsmith@example.com". Changes to this property will also update the user’s proxyAddresses collection to include the value as an SMTP address.

Other Attributes variableInputList

Define additional attributes to add to the user account.

Input Schema
default object
clientId string
clientSecret string
tenantId string
userId string
displayName string
accountEnabled boolean
password string
forceChangePasswordNextSignIn boolean
forceChangePasswordNextSignInWithMfa boolean
givenName string
surname string
country string
state string
city string
department string
employeeId string
mail string
Output Schema
output object
rawResponse object
properties object
ok
statusCode integer

Delete User

Delete a user account

Show details
Properties
User dropDown required

The user to target. For a dynamic value, select Use User ID and enter a value in the User ID field.

  • Use User ID

User ID textField

The user’s principal name, such as "jsmith@example.com" or "144c6d7e-ef33-46b8-847a-7021943e9900".

Input Schema
default object
userId string
clientId string
clientSecret string
tenantId string
Output Schema
output object
rawResponse object
properties object
ok
statusCode integer

Manage User License

Manage a user’s access to products by adding, removing, or disabling licenses.

Show details
Properties
User dropDown required

The user to target. For a dynamic value, select Use User ID and enter a value in the User ID field.

  • Use User ID

User ID textField

The user’s principal name, such as "jsmith@example.com" or "144c6d7e-ef33-46b8-847a-7021943e9900".

Remove License textField

The ID for the license that you want to revoke, such as ["bea13e0c-3828-4daa-a392-28af7ff61a0f"]. Separate multiple IDs with a comma.

Default:

[""]
Add License textField

The SKU ID for the license that you want to grant, such as "45715bb8-13f9-4bf6-927f-ef96c102d394".

Disable Plan textField

The ID of a plan associated with the new license, such as ["11b0131d-43c8-4bbb-b2c8-e80f9a50834a"]. Separate multiple IDs with a comma.

Default:

[""]
Input Schema
default object
clientId string
clientSecret string
tenantId string
userId string
removeLicenses array
skuId string
disabledPlans array
Output Schema
output object
rawResponse object
properties object
accountEnabled boolean
assignedLicenses array
items array
type object
properties
assignedPlans array
items array
type object
properties
businessPhones array
items array
type string
city string
companyName string
statusCode integer
headers object

List User’s Groups

Get a list of groups that a user belongs to.

Show details
Properties
User dropDown required

The user to target. For a dynamic value, select Use User ID and enter a value in the User ID field.

  • Use User ID

User ID textField

The user’s principal name, such as "jsmith@example.com" or "144c6d7e-ef33-46b8-847a-7021943e9900".

Limit to Security Groups toggleSwitch required

When enabled, the request only lists the user’s security groups.

Input Schema
default object
clientId string
clientSecret string
tenantId string
userId string
Output Schema
output object
rawResponse object
properties object
@odata.context string
value array
items array
type string
statusCode integer

Add User to Group

Add a member to a security or Microsoft 365 group.

Show details
Properties
User dropDown required

The user to target. For a dynamic value, select Use User ID and enter a value in the User ID field.

  • Use User ID

User ID textField

The user’s ID such as "144c6d7e-ef33-46b8-847a-7021943e9900".

Group dropDown required

The group to target. For a dynamic value, select Use Group ID and enter a value in the Use Group ID field.

  • Use Group ID

Group textField

The id of the group, such as "0b2b7c5b-4eb2-5c7b-a94b-bea34ac31c30".

Input Schema
default object
clientId string
clientSecret string
tenantId string
userId string
groupId string
Output Schema
output object
rawResponse object
properties object
ok
statusCode integer

Remove User From Group

Remove a user from a group.

Show details
Properties
Group dropDown required

The group to target. For a dynamic value, select Use Group ID and enter a value in the Use Group ID field.

  • Use Group ID

Group textField

The id of the group, such as "0b2b7c5b-4eb2-5c7b-a94b-bea34ac31c30".

User dropDown required

The user to target. For a dynamic value, select Use User ID and enter a value in the User ID field.

  • Use User ID

User ID textField

The user’s ID such as "144c6d7e-ef33-46b8-847a-7021943e9900".

Input Schema
default object
clientId string
clientSecret string
tenantId string
userId string
groupId string
Output Schema
output object
rawResponse object
properties object
ok
statusCode integer

Make a Custom API Call

Define and use your own call to the Microsoft Graph API

Show details
Properties
Endpoint textField required

The Microsoft Graph API endpoint, such as "/user". This endpoint is added to the base API URL selected in the connector configuration.

HTTP Method dropDown required

The HTTP method of the API call.

  • GET

  • POST

  • PUT

  • DELETE

  • PATCH

Body codeEditor

The body of the API call.

Input Schema
default object
clientId string
clientSecret string
tenantId string
endpoint string
method string
customQueryParams array
headers array
bodyData object
Output Schema
output object
rawResponse object
statusCode integer
headers object