Synchronize with Entra ID
Updated
Entra ID's automatic group synchronization improves user governance by automatically synchronizing Power Embedded's local groups with the groups in Entra ID.
This functionality allows the security, service desk or infrastructure team to manage user and group associations directly from Entra ID, without the need to have permission in Power Embedded, and these changes will be reflected in the system automatically.
In Power Embedded, it was already possible to create groups and also import them from CSV files or from Entra ID or programmatically via the API, greatly speeding up the process of importing users and groups.
However, these options require some manual action by the user or that you create an integration using programming (in the case of the API).
Synchronization is a feature that allows you to synchronize Entra ID data simply and automatically, making it easier to manage security, RLS and permissions.
If you don't want to synchronize groups, but just want to perform a one-off import of groups and their users, read the article Importing Groups from Entra ID.
If you want to import a few users at a time, instead of importing or synchronizing a group, read the article Importing Users from Entra ID.
In order for group synchronization with Entra ID to work correctly, you need to define how the system will behave when synchronizing.
To configure the synchronization behaviour, go to the “Settings” menu > “Integrations” tab > Group synchronization with Entra ID.
Below, we'll explain in detail what each permission means and how it affects the synchronization process:
Create user in system when added to synchronized groups: When this permission is enabled, users who are added to a synchronized group in Entra ID are automatically registered in Power Embedded and associated with the corresponding group in the system. If this permission is disabled, users newly added in Entra ID will not be created in the system automatically.
What to do when a user is removed from a synchronized group in Entra ID?
There are four options for defining what the system will do when a user is removed from a group that is synchronized with Entra ID, and understanding each of them is crucial to making effective use of the functionality:
Disabled: This is the system's default option, and if it is checked, removing the user from the synchronized group in Entra ID will have no effect in Power Embedded.
Exclude the user from the system: When a user is removed from an Entra ID group, they will automatically be removed from that same group in Power Embedded. If the user is still part of any other synchronized group, the system will only remove them from the Power Embedded groups that the user is no longer part of in Entra ID. If the user is no longer part of any synchronized group, they will be permanently removed from the system, including their settings and permissions.
Block the user from the system: When a user is removed from an Entra ID group, they will automatically be removed from that same group in Power Embedded. If the user is still part of any other synchronized group, the system will only remove them from the Power Embedded groups that the user is no longer part of in Entra ID. If the user is no longer part of any synchronized group, they will be blocked in the system, preventing them from accessing it, but still retaining their permissions and settings. This is a more conservative option than deletion, guaranteeing easy recovery (just unblock the user) in the event of an error when removing the user from the Entra ID group.
Remove the user from the group in the system: When a user is removed from an Entra ID group, they remain registered in the portal, but are only removed from the specific group from which they were removed in Entra ID. Unlike the other options, the user remains active in the portal, but without association with the group from which they were removed.
Synchronization on the portal is done automatically once a day. However, if you need to force this synchronization, you can do it in two ways:
Click the “Synchronize Now” button to synchronize all groups.
Choose a specific group, click the “Actions” button and then the “Synchronize” button to synchronize only the selected group.
For synchronization to actually take place, you need to select which groups you want to synchronize.
Step 1: Go to the “Groups” screen.
Step 2: Click on the “Synchronize” button.
Step 3: On the “Groups synchronized with Entra ID” screen, click on the “Add Groups” button.
Step 4: All Entra ID groups will be listed. Select one or more of the groups you want to synchronize and save.
Synchronization will only be carried out if you have enabled the automatic creation of users OR have configured an action to be carried out when the user is removed from Entra ID, other than the “Disabled” option.
If the group selected for synchronization does not exist in Power Embedded, it will be created automatically in the system.
If a group with the same name as the one selected for synchronization with Entra ID already exists in the system, that existing group will be included in the synchronization. Any user who is a member of this group in Power Embedded but not of the group in Entra ID will be removed from the group in Power Embedded, and may even be blocked or removed from the system, depending on the synchronization settings.
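The removal options above, the user-creation permission, and the rule for pre-existing groups combine into one reconciliation per sync run. The following model is an added example (not Power Embedded's own code) that computes the actions a run would take from constructed membership data; the action names and the function names are assumptions made for this illustration.

```python
from enum import Enum

class OnRemoved(Enum):
    """What to do when a user leaves a synchronized group in Entra ID."""
    DISABLED = "disabled"
    DELETE_USER = "delete"
    BLOCK_USER = "block"
    REMOVE_FROM_GROUP = "remove_from_group"

def plan_sync(entra, local, create_users, on_removed):
    """Return the actions one synchronization run would take, in order.

    entra: {group: set(user ids)} membership of the synchronized groups in Entra ID
    local: {group: set(user ids)} the same groups as they currently exist in Power Embedded
    Action names are constructed for this model, not Power Embedded's own.
    """
    # Nothing is synchronized unless at least one of the two settings is active
    if not create_users and on_removed is OnRemoved.DISABLED:
        return []
    actions = []
    known = {u for members in local.values() for u in members}  # users already registered
    for group, members in entra.items():
        if group not in local:
            actions.append(("create_group", group))  # missing groups are created automatically
        for user in sorted(members - local.get(group, set())):
            if user not in known:
                if not create_users:
                    continue  # new in Entra ID, but automatic creation is disabled
                actions.append(("create_user", user))
                known.add(user)
            actions.append(("add_to_group", user, group))
    if on_removed is OnRemoved.DISABLED:
        return actions  # removals in Entra ID have no effect
    for group, members in local.items():
        if group in entra:  # only synchronized groups are reconciled
            for user in sorted(members - entra[group]):
                actions.append(("remove_from_group", user, group))
    if on_removed is OnRemoved.REMOVE_FROM_GROUP:
        return actions  # user stays active, only the group link is dropped
    # Delete or block only users who are no longer in ANY synchronized group
    still_member = {u for members in entra.values() for u in members}
    orphaned = {u for members in local.values() for u in members} - still_member
    verb = "delete_user" if on_removed is OnRemoved.DELETE_USER else "block_user"
    for user in sorted(orphaned):
        actions.append((verb, user))
    return actions

def example():
    # Constructed sample: alice left Finance in Entra ID but is still in Sales,
    # bob left his only synchronized group, carol is new in Sales.
    entra = {"Finance": {"dave"}, "Sales": {"alice", "carol"}}
    local = {"Finance": {"alice", "bob", "dave"}, "Sales": {"alice"}}
    return plan_sync(entra, local, create_users=True, on_removed=OnRemoved.BLOCK_USER)
```

With the "Block" option, alice is only dropped from Finance because she still belongs to Sales, while bob is dropped from Finance and then blocked.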
Automatic synchronization runs daily at 10pm.
To be able to import user and group data from Entra ID, you need to assign some permissions to the Service Principal, created in the Azure Portal, used by Power Embedded to communicate with your environment.
On the App registrations screen, search for the name of the application you created (the default name is PowerEmbedded-App).
On the application screen, click API permissions in the side menu and then Add a Permission.
On the next screen, select the Microsoft Graph option.
Then select the Application permissions option.
In the next tab, search for Directory, select the first option, Directory.Read.All, and click Add permissions.
Finally, grant the administrator's consent by clicking on Grant admin consent for.
Now you can import users and groups from Azure AD (Entra ID) into Power Embedded.