Add an Entra group to an IAM Policy
If all of the previous steps have been followed, you should have an Entra tenant in your Connect Organisation with a status of "The tenant exists in Entra. None of its Groups are referenced in this Organisation’s IAM Policy."
You are now ready to add Entra groups to your Organisation's IAM policy. This will enable Connect to determine which Endpoints may talk to each other based on Entra group membership (as well as anything else defined in the IAM policy).
You will need the name or Object ID of the Entra group you wish to use for defining access in Connect.
A group name is more readable, though it can be changed in Entra; an Object ID is less readable, though it cannot be changed in Entra.
Find groups in Entra
You can find details about a group, including its name and Object ID, in the Microsoft Entra admin center by going to Groups -> All groups and selecting a group.
In this example we will use a group with the name "Sales Group" in the tenant "Demo Tenant".
Referencing tenants
Tenants can only be referenced by the name given to them in Connect. This can be found in the Identity Providers tab of your Organisation.
For example, the tenant shown below has the name "Demo Tenant".
- In the Connect Control Service, browse to the Organisation that uses the Entra tenant.
- Open the IAM Policy tab.
- Click "Edit" to edit the existing policy.
- Add a reference to the Entra group in the policy; for example:

```jsonc
{
  "acls": [
    // Allow Users in the Entra group "Sales Group" to talk to each other
    {
      "action": "accept",
      "src": ["group:Sales Group@Demo Tenant"],
      "dst": ["group:Sales Group@Demo Tenant"]
    }
  ]
}
```
Group names
- When creating groups in the Microsoft Entra admin center you will be warned if a new name clashes with an existing one, regardless of case.
- In a Connect IAM Policy "Sales Group" will refer to the same Entra group as "sales group" or "SALES GROUP".
- Spaces are allowed in Entra group names and must be included, if present, when the group is referenced in a Connect IAM Policy.
- Click "Save". You should then see a message confirming that the IAM Policy has been successfully updated.
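A typo in a tenant or group name silently produces a rule that matches nobody, so it is worth checking references before saving. The following lint, added here as an illustration and not part of Connect itself, parses a policy in the form shown above (stripping the `//` comments), applies the naming rules from the note (group names match regardless of case, spaces are significant, tenants are matched by their Connect name) and reports references that do not resolve. The policy text and the `KNOWN_GROUPS` inventory are constructed sample data; `lint_policy` and `strip_comments` are hypothetical helper names.

```python
import json
import re

# Constructed sample: the rule from the guide plus a second rule with a misspelt tenant.
POLICY_TEXT = """
{
  "acls": [
    // Allow Users in the Entra group "Sales Group" to talk to each other
    {
      "action": "accept",
      "src": ["group:Sales Group@Demo Tenant"],
      "dst": ["group:SALES GROUP@Demo Tenant"]
    },
    {
      "action": "accept",
      "src": ["group:Engineering@Demo Tennant"],
      "dst": ["group:Engineering@Demo Tennant"]
    }
  ]
}
"""

# Constructed inventory: Connect tenant name -> Entra group display names in that tenant.
KNOWN_GROUPS = {"Demo Tenant": ["Sales Group", "Engineering"]}

# group:<name>@<tenant>; the name may contain spaces, so only split on the last "@".
GROUP_REF = re.compile(r"^group:(?P<name>[^@]+)@(?P<tenant>.+)$")


def strip_comments(text):
    """Drop // line comments so the json module can parse the policy (no URLs expected in values)."""
    return re.sub(r"//[^\n]*", "", text)


def lint_policy(text, known_groups):
    """Return a list of problems found in group references within the policy's acls."""
    policy = json.loads(strip_comments(text))
    # Group names compare case-insensitively, tenant names exactly as given in Connect.
    lowered = {t: {g.lower() for g in gs} for t, gs in known_groups.items()}
    problems = []
    for i, rule in enumerate(policy.get("acls", [])):
        for field in ("src", "dst"):
            for ref in rule.get(field, []):
                if not ref.startswith("group:"):
                    continue  # other selector kinds (tags etc.) are out of scope here
                m = GROUP_REF.match(ref)
                if not m:
                    problems.append(f"acl[{i}].{field}: malformed reference {ref!r}")
                elif m["tenant"] not in lowered:
                    problems.append(f"acl[{i}].{field}: unknown tenant {m['tenant']!r}")
                elif m["name"].lower() not in lowered[m["tenant"]]:
                    problems.append(f"acl[{i}].{field}: no group {m['name']!r} in {m['tenant']!r}")
    return problems
```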
In this example, the following would happen:
- User membership of "Sales Group" in "Demo Tenant" will be synchronised between Entra and Connect
- Members of "Sales Group" will be able to communicate with each other
- The tenant status will change in the Identity Providers tab to "The tenant has Groups referenced in this Organisation’s IAM Policy, all of which are up to date."
Further changes to the Entra user group will be synced to Connect. The time delay for this is dependent on Entra, but is usually within a few minutes.
Further groups may be added to the acls section as necessary.
To check the groups that apply to a specific User, please see the guide for viewing group membership.
For more details about what is possible with IAM Policy in Connect, such as controlling access to specific Endpoints or grouping Endpoints with tags, see the IAM policy explainer.