Azure Applications
Lucy can integrate with Azure to import users, deliver awareness training via SMTP, and run the Microsoft Graph API XML reporting plugin. Administrators can synchronize several Azure applications, organized by client, so that each application is accessible solely to the administrative users associated with that client.
This guide provides the foundational steps required for synchronizing with Azure using OAuth 2.0.
Navigate to Settings -> Common System Settings -> Azure Applications
In this view, you will find all the related Azure application integrations along with their respective statuses.
For the scope of this reference article, our focus will be on synchronizing users from Azure Entra ID to Lucy.
1. Log in to your Azure tenant at portal.azure.com.
2. Navigate to Microsoft Entra ID.
3. Select "App registrations".
4. Select "New registration".
5. Give your app a user-facing name.
6. Select "Accounts in this organizational directory only".
7. Select "Web" as the Redirect URI platform.
8. Enter the following URI: https://your-lucy-domain.com/oauth
9. Select "Register".
10. On the Overview page, select the hyperlink to add more Redirect URIs.
11. Select "Add URI".
12. Add two additional URIs:
    https://your-lucy-domain.com/oauth/admin
    https://your-lucy-domain.com/oauth/user
13. Scroll down to the bottom and click "Save".
14. Navigate to "Certificates & secrets".
15. Select "New client secret".
16. In the pop-up, enter a description and your preferred expiration for the secret.
17. Select "Add".
18. Copy the secret Value.
19. Go back to Overview and copy both the Application (client) ID and the Directory (tenant) ID.
With the Azure (Entra ID) configuration complete, you are now ready to finish your app registration on your Lucy server.
Navigate to Settings -> Common System Settings -> Azure Applications
Select "Add Application"
On the page that follows, fill out the application details:
Client: This is the client associated with the Azure app registration. Lucy segregates data on a client basis, meaning that all data is containerized within the respective client. This setup guarantees that the app integration remains accessible solely to administrative users of the specified client. It also lets Managed Security Service Providers (MSSPs) and Partners integrate multiple Azure tenants, one per client, which further improves security and customization.
After configuring all the parameters mentioned above, proceed by clicking "Save". This action will redirect you to the Microsoft authentication page, where you will be asked to provide consent on behalf of your organization. This consent is necessary to establish the connection between Lucy and Azure.
To integrate Lucy with your Azure App Registration, it's essential to have Global Azure Administrative consent for your organization. If the administrator account in Lucy lacks the necessary privileges to grant consent on behalf of the organization, refer to the guide provided below to establish a consent flow in Azure.
Lucy uses the Microsoft Graph API to access and manage resources from Microsoft services. The configured permissions are all delegated permissions, which act on behalf of a signed-in user; some of them additionally require administrative consent because they reach specific types of data, such as directory data and full user profiles. These permissions correspond to version 1.0 of the Microsoft Graph API.
For a complete explanation of MS Graph permissions, see Microsoft's documentation.
This guide is intended for Lucy Administrators who lack the Azure Administrative privileges needed to grant organizational consent, and for situations where no Azure Administrator is available to save the Azure application configuration in Lucy. Lack of administrative consent is evident if the following message is displayed after saving your application in Lucy:
Permission | Type | Description | Admin consent? |
---|---|---|---|
openid | Delegated | Sign users in | No |
offline_access | Delegated | Maintain access to data after granting access | No |
email | Delegated | View user's email address | No |
User.Read.All | Delegated | Read all users' full profiles | Yes |
GroupMember.Read.All | Delegated | Read group memberships | Yes |
Mail.ReadWrite | Delegated | Create, read, update, and delete email in user mailboxes | No |
User.Read | Delegated | Read the profile of signed-in users and basic company information of signed-in users | No |
Mail.Send | Delegated | Send mail as users in the organization | No |
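The following Python script is an added example, not Lucy's own code, showing how the consent flow described above fits together: it turns the permission table into the scope string sent to the Entra ID v2.0 authorize endpoint, builds the tenant-wide admin consent link a Global Administrator can open, and checks the OAuth state on the callback. The tenant ID, client ID and the your-lucy-domain.com host are placeholders; the redirect URIs are the three registered in the steps above.

```python
"""Build the Entra ID OAuth 2.0 requests behind Lucy's Azure app registration."""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Redirect URIs registered in the app registration steps above
# ("your-lucy-domain.com" is the placeholder host from this guide).
LUCY_HOST = "https://your-lucy-domain.com"
REDIRECT_URIS = {f"{LUCY_HOST}/oauth", f"{LUCY_HOST}/oauth/admin", f"{LUCY_HOST}/oauth/user"}

# Delegated Graph v1.0 permissions from the table, mapped to "needs admin consent".
PERMISSIONS = {
    "openid": False, "offline_access": False, "email": False, "User.Read": False,
    "User.Read.All": True, "GroupMember.Read.All": True,
    "Mail.ReadWrite": False, "Mail.Send": False,
}
AUTHORITY = "https://login.microsoftonline.com"

def graph_scopes(permissions=PERMISSIONS):
    """OIDC scopes are sent bare; Graph permissions carry the Graph resource prefix."""
    oidc = {"openid", "offline_access", "email", "profile"}
    return [p if p in oidc else f"https://graph.microsoft.com/{p}" for p in permissions]

def needs_admin_consent(permissions=PERMISSIONS):
    """Permissions that block the flow until a Global Administrator consents."""
    return sorted(p for p, admin in permissions.items() if admin)

def authorize_url(tenant_id, client_id, redirect_uri, state=None):
    """Authorization-code request; refuses a redirect URI that is not registered."""
    if redirect_uri not in REDIRECT_URIS:
        raise ValueError(f"redirect_uri not registered: {redirect_uri}")
    state = state or secrets.token_urlsafe(16)  # CSRF token, verified on callback
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "response_mode": "query",
              "scope": " ".join(graph_scopes()), "state": state}
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/authorize?{urlencode(params)}", state

def admin_consent_url(tenant_id, client_id, redirect_uri):
    """Tenant-wide consent link for an administrator (the consent step above)."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "scope": " ".join(graph_scopes())}
    return f"{AUTHORITY}/{tenant_id}/v2.0/adminconsent?{urlencode(params)}"

def callback_ok(callback_url, expected_state):
    """Accept the callback only if it carries a code and the state we issued."""
    q = parse_qs(urlparse(callback_url).query)
    return q.get("state") == [expected_state] and "code" in q

if __name__ == "__main__":
    print("admin consent needed for:", needs_admin_consent())
    print(admin_consent_url("TENANT-ID-PLACEHOLDER", "CLIENT-ID-PLACEHOLDER", f"{LUCY_HOST}/oauth/admin"))
```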