
Entra as an Identity Provider for IAM

Microsoft Entra ID, formerly known as Azure Active Directory, can be integrated into CyberHive Connect and used in an Organisation's IAM Policy to allow or restrict access to resources within the TAN.

An Entra ID tenant must be registered and configured to work with Connect first.

Referencing a Group

An IAM Policy document is made up of one or more ACLs. A Group from an Entra tenant is referenced in the Source or Destination of an ACL using the syntax group:<group>@<tenant>.

For example, when an Entra tenant called wayland-yutani has been added to Connect, and a Group androids exists in the tenant, the Group can be referenced by name or Object ID, as defined in Entra:

  • group:androids@wayland-yutani
  • group:87b3ecb5-569c-45d3-95f5-85b7436484bd@wayland-yutani

A Group name is more readable, but it can be changed in Entra, so a rename changes which Group the reference matches. An Object ID is less readable, but it is fixed for the life of the Group and cannot be changed in Entra. Prefer the Object ID where an ACL must stay bound to one specific Group.

Referencing tenants

Tenants can only be referenced by the name given to them in Connect.

Connect will fetch membership information for all Groups referenced in the IAM Policy.

If an Entra Group is not referenced in the IAM Policy, Connect will not be aware of it or its User membership. Similarly, removing a Group reference from the IAM Policy will result in Connect no longer using it for access controls.

A summary of the Entra Groups known by Connect for a tenant can be found in the Identity Providers tab in the Control Service.

To verify that a User's Group membership is up to date, see How to view a User's Group membership.
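The following is an added example, not CyberHive Connect's own code: a small validator and linter for the group:<group>@<tenant> syntax described above, which also collects the set of Groups per tenant that Connect would fetch membership for (the "referenced Groups" rule). It assumes the IAM Policy is modelled as a list of ACL dicts with "source" and "destination" lists of strings; the non-group entries (hostnames) are hypothetical placeholders and are ignored. It also assumes a tenant name as given in Connect never contains '@', so the text between "group:" and the last '@' is the Group name or Object ID.

```python
import re
from collections import defaultdict

# Added example: validator/linter for group:<group>@<tenant> references.
# Not CyberHive Connect's implementation. ACL structure below is assumed.

# Everything between "group:" and the last '@' is the Group name or Object ID;
# the tenant (name given in Connect) is assumed to contain no '@'.
GROUP_REF_RE = re.compile(r"^group:(?P<group>.+)@(?P<tenant>[^@]+)$")
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


def parse_group_ref(ref):
    """Parse a group reference into {"kind", "group", "tenant"}; ValueError if malformed.

    kind is "object_id" when <group> is a GUID (stable identifier) and "name"
    otherwise (the display name, which can be changed in Entra).
    """
    m = GROUP_REF_RE.match(ref.strip())
    if not m:
        raise ValueError(f"not a valid group reference: {ref!r}")
    group, tenant = m.group("group"), m.group("tenant")
    if GUID_RE.match(group):
        # Object IDs are compared case-insensitively, so normalise them.
        return {"kind": "object_id", "group": group.lower(), "tenant": tenant}
    return {"kind": "name", "group": group, "tenant": tenant}


def is_group_ref(value):
    """True if value is a well-formed group:<group>@<tenant> reference."""
    try:
        parse_group_ref(value)
        return True
    except ValueError:
        return False


def referenced_groups(acls):
    """Return {tenant: {(kind, group), ...}} for every group reference in the policy.

    These are exactly the Groups whose membership Connect fetches; a Group that
    appears in no ACL is unknown to Connect. A malformed group: entry raises.
    """
    out = defaultdict(set)
    for acl in acls:
        for side in ("source", "destination"):
            for entry in acl.get(side, []):
                if entry.startswith("group:"):
                    ref = parse_group_ref(entry)
                    out[ref["tenant"]].add((ref["kind"], ref["group"]))
    return dict(out)


def name_based_refs(acls):
    """Lint: list references that use a renameable Group name instead of an Object ID."""
    found = []
    for acl in acls:
        for side in ("source", "destination"):
            for entry in acl.get(side, []):
                if entry.startswith("group:") and parse_group_ref(entry)["kind"] == "name":
                    found.append(entry)
    return found


# Constructed sample policy using the tenant and Group from the text above;
# "lab-server" and "bridge-console" are hypothetical non-group destinations.
SAMPLE_ACLS = [
    {"source": ["group:androids@wayland-yutani"], "destination": ["lab-server"]},
    {"source": ["group:87B3ECB5-569c-45d3-95f5-85b7436484bd@wayland-yutani"],
     "destination": ["bridge-console"]},
]

if __name__ == "__main__":
    print(referenced_groups(SAMPLE_ACLS))
    print("name-based references:", name_based_refs(SAMPLE_ACLS))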


Change notifications

Change Notifications are used to notify Connect of any changes to a Group.

A single subscription per tenant is used, rather than a subscription per Group. This reduces the load on the Entra tenant.

Subscriptions are created automatically when an Entra Group is referenced by an ACL.

When a change is made to an Entra group, a notification will be sent to Connect. There will be a short delay before Entra sends the notification. In practice, we have found the delay to be less than 2 minutes but, ultimately, it depends on Microsoft.

Group re-synchronisation

Groups may also be manually re-synchronised. Generally this won't be required, but it can be used if synchronisation issues occur.

Group re-synchronisation may be useful in the following scenarios:

  1. Changes to Entra Groups are not reflected in Connect after a period of time.
  2. An Entra Group referenced in the IAM Policy did not exist, or was otherwise unavailable in Entra, but can now be accessed.

To manually re-synchronise an Entra Group, browse to the Identity Providers tab for the Organisation and find the Entra tenant in the list. Select the re-synchronise icon, then choose the Group you want to re-synchronise.

Re-synchronise

Tip

Checking a User's Group membership may show that synchronisation is needed, when it differs from their Entra Group membership.