Lucy Awareness
Azure Applications
Introduction

Lucy offers the capability to integrate with Azure for importing users, distributing awareness training via SMTP, and implementing the Microsoft Graph API XML reporting plugin. Administrators can synchronize several Azure applications, organized by client, to ensure each application is accessible solely to the administrative users associated with the respective client.

Navigate to Settings -> Common System Settings -> Azure Applications

Creating an application in Azure

See here for a guide on setting up an application in Entra ID: https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app

Add an application to Lucy

On this page you can view, add, and delete Azure applications in Lucy.

To add an application, select + Add Application. On the page that follows, fill out the application details:

This is the Lucy client associated with the Azure app registration. Lucy ensures data segregation on a client basis, meaning that all data is containerized within the respective client. This setup guarantees that the app integration remains accessible solely to administrative users for the specified client. Moreover, it enables Managed Security Service Providers (MSSPs) and Partners to integrate multiple Azure tenants for their respective clients, further enhancing security and customization.

Give your App registration a friendly name so you can recognize it elsewhere in Lucy.

Once your app is registered, copy the Client ID, Secret, and Tenant ID into the corresponding fields.

After configuring all the parameters mentioned above, proceed by clicking "Save". After saving the application, a new button will appear labeled "Authorize". Click this button to grant the required permissions to your Azure application.

This action will redirect you to the Microsoft authentication page, where you will be asked to provide consent on behalf of your organization. This consent is necessary to establish the connection between Lucy and Azure.

To integrate Lucy with your Azure App Registration, it's essential to have Global Azure Administrative consent for your organization. If the administrator account in Lucy lacks the necessary privileges to grant consent on behalf of the organization, refer to the guide provided below to establish a consent flow in Azure.

Setup Admin Consent flow in Azure

Purpose

The integration of third-party applications like Lucy with Azure requires careful configuration to ensure API permissions are correctly set. This is crucial for applications such as Lucy demanding access beyond the Azure permission set of the Lucy administrative users. A common challenge faced during integration is a permissions mismatch, leading to integration errors. This guide aims to navigate administrators through the consent framework in Azure, enabling Lucy to receive the necessary permissions while upholding the security and integrity of the Azure environment.

Who Should Use This Guide?

This guide is intended for Lucy Administrators who lack Azure Administrative privileges to grant organizational consent, as well as for situations where Lucy servers operate without an Azure Administrator to facilitate the saving of Azure application configurations within Lucy. Lack of Administrative consent is evident if the following message is displayed after saving your application in Lucy:
Configuration

Accessing Azure

Log into the Azure Portal: Start by visiting portal.azure.com and logging in with your credentials.

Setting Up Consent Flow

  1. Navigate to Microsoft Entra ID: Find and select the Microsoft Entra ID option to proceed.

  2. Enterprise Applications: In the Microsoft Entra ID section, locate and click on “Enterprise Applications.”

  3. Consent and Permissions: Inside Enterprise Applications settings, select “Consent and Permissions.”

  4. Admin Consent Settings: Search for “Admin consent settings” and click it to modify the consent flow settings.

  5. Enable Consent Requests: Activate the option “Users can request admin consent to apps they are unable to consent to” by toggling it to “Yes.” This allows non-admin users to request admin consent for applications.

  6. Designate Reviewers: Specify Azure Administrative users for the consent review process, selecting your Azure Admin under Review Type as Users.

  7. Save Your Settings: Click “Save” to apply the changes.

Finalizing Configuration in Lucy

  1. Adjustments in Lucy: Instruct the Lucy admin to try saving the application configuration again, preferably using an incognito window to avoid caching issues.

  2. Consent Request Initiation: The Lucy admin will see a consent request dialog, allowing them to submit a consent request to the Azure Admin.

Consent Approval Process

  1. Initiating Approval: The Lucy admin clicks “Request Approval” to start the consent process.

  2. Notification to Administrator: An approval request is sent to the Azure Administrator's email, and the request appears under Enterprise Applications -> Admin Consent Requests in the Azure portal.

  3. Admin Review and Consent Granting: The Azure Administrator reviews the request in the portal and grants consent on behalf of the organization.

  4. Confirmation to Lucy Admin: The Azure Administrator should inform the Lucy admin of the consent approval.

Completing Integration

  1. Finalizing in Lucy Settings: The Lucy admin goes to Common System Settings -> Azure Applications in Lucy, selects the application, and clicks “Save” to proceed with the integration.

  2. Microsoft Login and Token Allocation: This prompts the Lucy admin to log in with Microsoft credentials again to generate a refresh token for the integration.

  3. Binding to Lucy Server: Successfully obtaining the refresh token completes the integration, effectively binding the Azure app registration to the Lucy server.

What API permissions are required for this integration?

Lucy is configured to utilize the Microsoft Graph API to access and manage various resources from Microsoft services. The configured permissions include both delegated permissions, which act on behalf of a user, and those requiring administrative consent to access specific types of data, such as directory data and full user profiles. These permissions correspond to version 1.0 of the Microsoft Graph API.

API Permissions explained

For a complete explanation of MS Graph permissions, see their documentation.

| Permission | Type | Description | Admin consent? |
|---|---|---|---|
| OpenID | Delegated | Sign users in | No |
| offline_access | Delegated | Maintain access to data after granting access | No |
| email | Delegated | View user's email address | No |
| User.Read.All | Delegated | Read all users' full profiles | Yes |
| GroupMember.Read.All | Delegated | Read group memberships | Yes |

| Permission | Type | Description | Admin consent? |
|---|---|---|---|
| Mail.ReadWrite | Delegated | Create, read, update, and delete email in user mailboxes | No |
| User.Read | Delegated | Read the profile of signed-in users; read basic company information of signed-in users | No |
| Mail.Send | Delegated | Send mail as users in the organization | No |

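To check, from the defender's side, that the app registration ends up with exactly the scopes listed above and that the admin-consent ones were granted organization-wide once the consent flow completes, here is an added Python example (not Lucy's own code) that audits the oauth2PermissionGrants records Microsoft Graph returns for the app's service principal. The grant data, the service-principal id `sp-lucy` and the extra `Directory.ReadWrite.All` scope are constructed for illustration.

```python
import json

# Permission sets from the tables on this page (scope -> admin consent needed).
# Graph reports the OpenID scope in lowercase as "openid".
USER_IMPORT_SCOPES = {
    "openid": False, "offline_access": False, "email": False,
    "User.Read.All": True, "GroupMember.Read.All": True,
}
MAIL_SCOPES = {"Mail.ReadWrite": False, "User.Read": False, "Mail.Send": False}

# Constructed sample of a Graph /oauth2PermissionGrants response for the app's
# service principal: one org-wide (admin) grant and one per-user grant.
SAMPLE_GRANTS = json.dumps({"value": [
    {"clientId": "sp-lucy", "consentType": "AllPrincipals", "principalId": None,
     "scope": "openid offline_access email User.Read.All Directory.ReadWrite.All"},
    {"clientId": "sp-lucy", "consentType": "Principal", "principalId": "user-1",
     "scope": "Mail.Send Mail.ReadWrite User.Read"},
]})


def audit_grants(grants_json, required):
    """Compare granted delegated scopes with the `required` set.

    Returns sorted lists:
      missing     - required scopes that no grant covers
      unexpected  - granted scopes the integration does not need (least privilege)
      needs_admin - admin-consent scopes not granted org-wide ("AllPrincipals"),
                    i.e. the admin consent flow has not completed for them
    """
    granted, org_wide = set(), set()
    for grant in json.loads(grants_json)["value"]:
        scopes = set(grant.get("scope", "").split())
        granted |= scopes
        if grant.get("consentType") == "AllPrincipals":
            org_wide |= scopes
    return {
        "missing": sorted(s for s in required if s not in granted),
        "unexpected": sorted(granted - set(required)),
        "needs_admin": sorted(s for s, admin in required.items()
                              if admin and s not in org_wide),
    }


if __name__ == "__main__":
    # Audit against both documented permission sets at once.
    both = {**USER_IMPORT_SCOPES, **MAIL_SCOPES}
    print(json.dumps(audit_grants(SAMPLE_GRANTS, both), indent=2))
```

Run against the sample, the audit flags `GroupMember.Read.All` as missing and `Directory.ReadWrite.All` as an over-broad scope the integration does not need.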
