The Azure AD User Management connector lets you manage users, groups, and software licenses in your PingOne DaVinci flow.
You can use the Azure AD User Management connector to:
- Query user information
- Create, update, and delete users
- List the users in a group
- Add and remove group members
- Add and remove software licenses and disable plans
Setup
Resources
For information and setup help, see the following documentation:
- Microsoft documentation:
- DaVinci documentation:
Requirements
To use the connector, you'll need:
- Administrator access to Microsoft Azure
Setting up Azure AD
- Sign on to the Azure portal.
- Create the application:
- Search for and select Azure Active Directory.
- Under Manage, select .
- On the Register an Application page, for Supported account types, select Accounts in any organizational directory and personal Microsoft accounts.
- Leave the Redirect URI field blank.
- Click Register.
- On your app's Overview page, note the Application (client) ID and Directory (tenant) ID. You'll use these in the connector configuration.
- Create a client secret:
- Under Manage, click Certificates & secrets. On the Client secrets tab, click New client secret.
- Enter a name and select an expiry time. Click Add.
- Note the Value of the secret. You'll use this in the connector configuration.
- Give the connector permission to manage users and send messages:
- Under Manage, click API permissions.
- Click Add a permission and add the following Microsoft Graph API permissions:
Application permissions
Permission | Type |
---|---|
Directory.Read.All | Application |
Directory.ReadWrite.All | Application |
Group.Read.All | Application |
Group.ReadWrite.All | Application |
GroupMember.Read.All | Application |
GroupMember.ReadWrite.All | Application |
User.EnableDisableAccount.All | Application |
User.ManageIdentities.All | Application |
User.Read.All | Application |
User.ReadWrite.All | Application |
- Click Grant admin consent for <your organization>.
- Grant your application the User Administrator role:
- In the Azure portal, search for and select Azure AD roles and administrators.
- On the All Roles list, search for and select User Administrator.
- On the User Administrator | Assignments page, click Add assignments.
- Search for and select your application. Click Add.
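A check you can run after granting admin consent, added here as an example (it is not Ping Identity or Microsoft code): it decodes an app-only access token obtained with the connector's client credentials and compares its `roles` claim with the application permissions listed in the setup steps above. The function names and the sample token are constructed for illustration, and the token is only inspected, not validated.

```python
import base64
import json

# Application permissions from the setup steps above.
EXPECTED_ROLES = {
    "Directory.Read.All", "Directory.ReadWrite.All",
    "Group.Read.All", "Group.ReadWrite.All",
    "GroupMember.Read.All", "GroupMember.ReadWrite.All",
    "User.EnableDisableAccount.All", "User.ManageIdentities.All",
    "User.Read.All", "User.ReadWrite.All",
}

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_token(token: str, tenant_id: str, client_id: str) -> dict:
    """Compare an app-only token's claims with what the setup should produce."""
    claims = jwt_claims(token)
    granted = set(claims.get("roles", []))
    return {
        "tenant_ok": claims.get("tid") == tenant_id,
        # v1.0 tokens carry the client ID in "appid", v2.0 tokens in "azp".
        "client_ok": client_id in (claims.get("appid"), claims.get("azp")),
        "missing": sorted(EXPECTED_ROLES - granted),     # consent not in effect
        "unexpected": sorted(granted - EXPECTED_ROLES),  # broader than listed
    }

def constructed_token(claims: dict) -> str:
    """Build an unsigned sample token (constructed data, not a real credential)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."

TENANT = "00000000-0000-0000-0000-000000000001"  # placeholder tenant ID
CLIENT = "00000000-0000-0000-0000-000000000002"  # placeholder client ID
SAMPLE = constructed_token({
    "tid": TENANT,
    "appid": CLIENT,
    "roles": sorted(EXPECTED_ROLES - {"User.ManageIdentities.All"}) + ["Mail.Send"],
})
REPORT = audit_token(SAMPLE, TENANT, CLIENT)
```

An empty `missing` list means admin consent took effect for every listed permission; anything under `unexpected` is a permission the app registration holds beyond what this connector setup asks for.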
Configuring the Azure AD User Management connector
Add the connector in DaVinci as shown in Adding a connector, then configure it as follows.
Connector configuration
Client ID
Client Secret
Tenant ID
Using the connector in a flow
Get user attributes based on a query
The Query Users capability allows you to get information about one or more users based on a query function.
This capability queries the Azure AD users endpoint. You can select certain user attributes, and filter, order, or format the results. For help creating a query, see Use query parameters and Advanced query capabilities in the Microsoft documentation.
Enter queries in the Query Parameters field. See the following table for examples.
Description | Query Parameters |
---|---|
List users whose given name starts with J. | $filter=startswith(givenName, 'J') |
Get users' given name and surname only. | $select=givenName,surname |
Combined query: List users whose given name starts with J and get their given name and surname only. | $filter=startswith(givenName%2C+'J')&$select=givenName,surname |
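When the value in a filter comes from a flow variable rather than being typed by hand, it has to be quoted as an OData string literal and percent-encoded before it goes into the Query Parameters field. The following is an added example, not part of the connector or its documentation; the function names are hypothetical and the inputs are constructed.

```python
from urllib.parse import quote

def odata_string(value: str) -> str:
    """Quote a value as an OData string literal; an embedded ' is doubled."""
    return "'" + value.replace("'", "''") + "'"

def build_query_parameters(prefix: str, select: list) -> str:
    """Query Parameters for: given name starts with <prefix>, return <select> only."""
    for name in select:
        # Property names are identifiers; refuse anything else outright.
        if not (name.isascii() and name.isalnum()):
            raise ValueError("unexpected property name: %r" % name)
    flt = "startswith(givenName," + odata_string(prefix) + ")"
    # Percent-encode everything except the characters the table's examples
    # leave literal, so '&', '#' or '$' inside the value cannot begin
    # another query parameter.
    encoded = quote(flt, safe="(),'")
    return "$filter=" + encoded + "&$select=" + ",".join(select)

# Constructed inputs, as a flow variable might supply them.
PLAIN = build_query_parameters("J", ["givenName", "surname"])
TRICKY = build_query_parameters("O'Neil & co", ["givenName"])
```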
List changes to users since a previous query
The Query User Changes capability allows you to get information about one or more users based on a query function, then repeat the same query one or more times and only receive the information that has changed since the previous query. This includes data that has been created, modified, or deleted. Because only changes are included, the query runs more quickly and can provide valuable or actionable results. For more information about this function, see Get delta in the Graph API documentation.
In your initial request, you can specify a set of query parameters. You'll receive the requested information, as well as a deltaLink URL, which includes a delta token. In subsequent requests, you only need to provide the delta token as a parameter. The results include any changed data that matches the original query parameters.
Microsoft provides limited query options for this function. For details, see the Query parameters section of the Get delta topic in the Graph API documentation.
- Define and test your query parameters:
- Create a flow and add an Azure AD User Management connector with the Query User Changes capability.
- In the Query Parameters field, enter your initial query parameters to define the user information you want to track. For example:
$select=givenName,surname
- Add an HTTP connector with the Custom HTML Message and use it to display the output variable from the Query User Changes node. Click Apply.
- Click Save, Deploy, and Try Flow.
- In the output, check that your query returns the information that you want.
- Get the delta token:
- Open the Query User Changes node for editing.
- In the Query Parameters field, add the parameter to get the delta token. For example:
$deltaToken=latest&$select=givenName,surname
- In the Custom HTML Message node, remove the output variable and add the deltaToken variable.
- Click Save, Deploy, and Try Flow.
- In the output, copy the delta token parameter. For example:
$deltatoken=slyJnDHUp6df3Y...nTlLFOVXPjexmCk2a
- Use the delta token to make subsequent requests:
- Create a new flow and add an Azure AD User Management connector with the Query User Changes capability.
- In the Query Parameters field, enter your delta token parameter only. For example:
$deltatoken=slyJnDHUp6df3Y...nTlLFOVXPjexmCk2a
- Add an HTTP connector with the Custom HTML Message and use it to display the output variable from the Query User Changes node. Click Apply.
- Click Save, Deploy, and Try Flow.
- In the output, see the list of user attributes that have been created, modified, or deleted since you generated the delta token.
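The delta procedure above, as an added example that is not part of the connector or its documentation: it takes one page of a users delta response, sorts the entries into changed, soft-deleted, and permanently deleted users, and extracts the delta token parameter for the next request. The response shown is constructed sample data and the function names are hypothetical.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample of a users delta response (not real tenant data).
SAMPLE_PAGE = {
    "value": [
        {"id": "11111111-aaaa", "givenName": "Jo", "surname": "Lee"},
        {"id": "22222222-bbbb", "@removed": {"reason": "changed"}},
        {"id": "33333333-cccc", "@removed": {"reason": "deleted"}},
    ],
    "@odata.deltaLink": "https://graph.microsoft.com/v1.0/users/delta"
                        "?$deltatoken=CONSTRUCTED-TOKEN_123",
}

def classify_changes(page: dict) -> dict:
    """Split one delta page into created/updated, soft-deleted and purged IDs."""
    out = {"changed": [], "soft_deleted": [], "hard_deleted": []}
    for user in page.get("value", []):
        removed = user.get("@removed")
        if removed is None:
            out["changed"].append(user["id"])        # created or modified
        elif removed.get("reason") == "deleted":
            out["hard_deleted"].append(user["id"])   # permanently deleted
        else:
            out["soft_deleted"].append(user["id"])   # deleted, still restorable
    return out

def delta_query_parameter(page: dict):
    """Return '$deltatoken=<token>' for the Query Parameters field, or None
    when the page has no deltaLink yet (an @odata.nextLink means more pages)."""
    link = page.get("@odata.deltaLink")
    if link is None:
        return None
    for pair in urlsplit(link).query.split("&"):
        key, _, value = pair.partition("=")
        if unquote(key).lower() == "$deltatoken" and value:
            # The token is opaque: pass it on byte-for-byte, never re-encode it.
            return "$deltatoken=" + value
    raise ValueError("deltaLink carries no $deltatoken")

CHANGES = classify_changes(SAMPLE_PAGE)
NEXT_PARAMETER = delta_query_parameter(SAMPLE_PAGE)
```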
User management
The connector has several capabilities that allow you to manage users:
- Read User
- Create User
- Update User
- Delete User
No special flow configuration is needed. Add the capability and populate its properties according to the help text.
Group membership management
The connector has several capabilities that allow you to manage the groups that a user is part of:
- List User's Groups
- Add User to Group
- Remove User From Group
No special flow configuration is needed. Add the capability and populate its properties according to the help text.
Manage user licenses
The Manage User License capability lets you select a user and define one or more licenses to add, remove, or disable for that user.
For more information, see user: assignLicense in the Graph API documentation.
No special flow configuration is needed. Add the capability and populate its properties according to the help text.
Creating a custom API call
If you want to do something that isn't supported by one of the provided capabilities, you can use the Make a Custom API Call capability to define your own action.
This capability uses the credentials from your connector to make an API call with the HTTP method, headers, query parameters, and body you specify.
Capabilities
- Query Users: Get user attributes based on a custom query.
- Query User Changes: Get user attributes based on an initial query, then run subsequent queries to get a list of attributes that have been created, modified, or deleted since the initial query. See 'user: Delta' in the Graph API documentation for help.
- Read User: Select a single user to get all of their attributes.
- Create User: Create a new user account.
- Update User: Update information about a user.
- Delete User: Delete a user account.
- Manage User License: Manage a user's access to products by adding, removing, or disabling licenses.
- List User's Groups: Get a list of groups that a user belongs to.
- Add User to Group: Add a member to a security or Microsoft 365 group.
- Remove User From Group: Remove a user from a group.
- Make a Custom API Call: Define and use your own call to the Microsoft Graph API.