Retrieve Groups from Azure Active Directory

This section describes how to retrieve user and group information from an Azure Active Directory. OmniGroupServer retrieves information from Azure Active Directory through the Microsoft Graph API.

Set up an OAuth Service Application

To use the Microsoft Graph API, you must go to the Azure portal and register an application to represent OmniGroupServer. Full instructions about how to create an application are available in the Microsoft documentation.

To set up an OAuth Service Application

  1. Go to the Microsoft Azure Portal.
  2. Click New registration.

    1. Type a name for the new application.
    2. Specify a redirect URL, with the type set to "Web". The redirect URL must match the value of the RedirectUrl parameter in the OAuth tool configuration file, oauth_tool.cfg, that is supplied with OmniGroupServer. The default value is http://localhost:7878/oauth; this is the local address at which the OAuth tool receives the response from the consent step, so it only needs to be reachable from the browser on the machine where you run the tool.

  3. Click Certificates and Secrets and upload the certificate that OmniGroupServer uses to authenticate. A self-signed certificate is acceptable. Keep the matching private key: you supply it to the OAuth tool later as a .pfx file.

  4. Click API Permissions > Add a permission.

    The Request API permissions dialog box opens.

  5. Click Microsoft Graph, followed by Application permissions and select the following permissions.

    Permissions
    Directory.Read.All
    Group.Read.All
    GroupMember.Read.All
    OrgContact.Read.All
    User.Read
    User.Read.All
  6. Run the OAuth configuration tool that is supplied with OmniGroupServer.

    1. Open the OAuth tool configuration file, oauth_tool.cfg, in a text editor.
    2. In the [Default] section, set any SSL or proxy settings that are required to access the Graph API:

      SSLMethod The version of SSL/TLS to use.
      ProxyHost The host name or IP address of the proxy server to use.
      ProxyPort The port of the proxy server to use.

      For example:

      SSLMethod=NEGOTIATE
      ProxyHost=10.0.0.1
      ProxyPort=8080
    3. In the [Azure] section, set the following parameters:

      AdminConsentUrl Replace the placeholder {TenantId} with your Microsoft 365 Tenant, for example mydomain.onmicrosoft.com.
      TokenUrl Replace the placeholder {TenantId} with your Microsoft 365 Tenant, for example mydomain.onmicrosoft.com.
      CustomValue0 The path to the .pfx file that contains the certificate and private key to use to authenticate the OmniGroupServer.
      CustomValue1 The password for the private key. Because this value is stored in clear text in oauth_tool.cfg, restrict read access to the file.
      AppKey The application (client) ID that was provided when you created the OAuth application.
    4. Open a command-line window and run the following command:

      oauth_tool.exe oauth_tool.cfg Azure

      A web browser opens, asking you to log in and grant admin consent.

    5. Log in and grant admin consent.

      The web page displays a message stating that the OAuth details have been successfully stored, and the OAuth tool creates the files oauth.cfg and oauth2_sites.bin. When you configure OmniGroupServer, import the parameters from oauth.cfg into your repository configuration.
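The certificate step above, shown at the protocol level. This is an added illustration and is not the OAuth tool's or OmniGroupServer's code: authenticating to Azure AD with the certificate uploaded under Certificates and Secrets is a client-credentials grant whose proof is a short-lived JWT (the client_assertion) signed with the .pfx private key and tagged with the certificate's SHA-1 thumbprint (x5t), which is how the token endpoint matches it to the registered certificate. The tenant name, the client ID (AppKey), the v2.0 token endpoint and the self-signed certificate are constructed assumptions (the authoritative endpoint is the TokenUrl value in your oauth_tool.cfg), nothing is sent over the network, and verifyAssertion reproduces the checks the token endpoint makes so the example runs offline with the Go standard library only.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// Constructed identifiers: use the tenant and AppKey from your own app registration.
const tenantID = "mydomain.onmicrosoft.com"
const clientID = "00000000-0000-0000-0000-000000000000" // AppKey in oauth_tool.cfg

// Assumed v2.0 token endpoint; the authoritative value is TokenUrl in oauth_tool.cfg.
var tokenURL = "https://login.microsoftonline.com/" + tenantID + "/oauth2/v2.0/token"

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// newSelfSignedCert stands in for the .pfx: a key pair plus a self-signed certificate.
// Azure AD only compares against the uploaded public certificate, so no CA is involved.
func newSelfSignedCert() (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "OmniGroupServer"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// buildClientAssertion produces the RS256 JWT sent as client_assertion in place of a client secret.
func buildClientAssertion(key *rsa.PrivateKey, cert *x509.Certificate, now time.Time) (string, error) {
	thumb := sha1.Sum(cert.Raw) // x5t: base64url SHA-1 thumbprint of the DER certificate
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "x5t": b64url(thumb[:])})
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	claims, _ := json.Marshal(map[string]interface{}{
		"aud": tokenURL, "iss": clientID, "sub": clientID, "jti": b64url(jti),
		"nbf": now.Unix(), "exp": now.Add(5 * time.Minute).Unix(), // short lifetime limits replay
	})
	input := b64url(header) + "." + b64url(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64url(sig), nil
}

// tokenRequestBody is the form body POSTed to TokenUrl; built for inspection, never sent here.
func tokenRequestBody(assertion string) string {
	v := url.Values{"grant_type": {"client_credentials"}, "client_id": {clientID},
		"scope": {"https://graph.microsoft.com/.default"},
		"client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"},
		"client_assertion": {assertion}}
	return v.Encode()
}

// verifyAssertion does what the token endpoint does: x5t names the registered certificate,
// the signature verifies under its public key, and audience, issuer and expiry check out.
func verifyAssertion(assertion string, cert *x509.Certificate, now time.Time) error {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return fmt.Errorf("malformed JWT")
	}
	hb, e1 := base64.RawURLEncoding.DecodeString(parts[0])
	cb, e2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, e3 := base64.RawURLEncoding.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return fmt.Errorf("bad base64url segment")
	}
	var hdr struct{ Alg, X5t string }
	var claims struct {
		Aud, Iss string
		Exp      int64
	}
	if json.Unmarshal(hb, &hdr) != nil || json.Unmarshal(cb, &claims) != nil {
		return fmt.Errorf("bad JSON segment")
	}
	thumb := sha1.Sum(cert.Raw)
	if hdr.Alg != "RS256" || hdr.X5t != b64url(thumb[:]) {
		return fmt.Errorf("alg or x5t does not match the registered certificate")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(cert.PublicKey.(*rsa.PublicKey), crypto.SHA256, digest[:], sig); err != nil {
		return fmt.Errorf("signature does not verify: %w", err)
	}
	if claims.Aud != tokenURL || claims.Iss != clientID {
		return fmt.Errorf("audience or issuer mismatch")
	}
	if now.Unix() >= claims.Exp {
		return fmt.Errorf("assertion expired")
	}
	return nil
}

func main() {
	key, cert, _ := newSelfSignedCert()
	assertion, _ := buildClientAssertion(key, cert, time.Now())
	fmt.Println("verify:", verifyAssertion(assertion, cert, time.Now()))
	fmt.Println("body:", tokenRequestBody(assertion)[:60]+"...")
}
```

The practical point for the setup above: the private key in the .pfx is the only thing that proves the caller is OmniGroupServer, and the token it buys carries every application permission you consented to (Directory.Read.All and the others), so anyone who obtains the .pfx and its password from oauth_tool.cfg can read your whole directory from any machine. Treat those two files with the same care as a domain credential, and prefer a certificate dedicated to this registration so it can be revoked in the portal without affecting anything else.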

Configure OmniGroupServer

This section describes how to configure an OmniGroupServer repository to store information from Azure Active Directory.

To retrieve security information from Azure Active Directory

  1. Open the OmniGroupServer configuration file.
  2. In the [Repositories] section, create a repository. For example:

    [Repositories]
    Number=1
    0=AzureAD
    
    [AzureAD]
  3. Include the OAuth configuration parameters necessary to authenticate with the Azure Active Directory. For example:

    [AzureAD] < "oauth.cfg" [OAUTH]

    For information about how to generate the oauth.cfg file, see Set up an OAuth Service Application.

  4. Set the following configuration parameters:

    GroupServerLibrary The path (including the file name) to the library file that allows the group server to access the repository. Use the library ogs_azure.
    UseSystemProxy Specifies whether to obtain details about your HTTP proxy from the system. You might need to configure a proxy server to access the Microsoft Graph API.
    SSLMethod The SSL/TLS version to use.

    For example:

    [AzureAD] < "oauth.cfg" [OAUTH]
    GroupServerLibrary=ogs_azure
    UseSystemProxy=true
    SSLMethod=negotiate
    

    For a complete list of configuration parameters that you can use, refer to the OmniGroupServer Reference.

  5. Save and close the OmniGroupServer configuration file.