Azure Applications

Introduction

Lucy can integrate with Azure to import users, distribute awareness training via SMTP, and implement the Microsoft Graph API XML reporting plugin. Administrators can synchronize several Azure applications, organized by client, so that each application is accessible only to the administrative users associated with that client.

Navigate to Settings -> Common System Settings -> Azure Applications

Creating an application in Azure

See here for a guide on setting up an application in Entra ID: https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app

Add an application to Lucy

On this page you can view, add, and delete Azure applications in Lucy.

To add an application, select + Add Application. On the page that follows, fill out the application details:

This is the Lucy client associated with the Azure app registration. Lucy segregates data on a per-client basis: all data is containerized within the respective client, so the app integration is accessible only to administrative users of that client. This also lets Managed Security Service Providers (MSSPs) and partners integrate a separate Azure tenant for each of their clients.

After configuring all the parameters mentioned above, click "Save". Once the application is saved, a new "Authorize" button appears. Click it to grant the required permissions to your Azure application.

This action will redirect you to the Microsoft authentication page, where you will be asked to provide consent on behalf of your organization. This consent is necessary to establish the connection between Lucy and Azure.

What API permissions are required for this integration?

Lucy uses the Microsoft Graph API to access and manage resources from Microsoft services. The configured permissions are delegated permissions, which act on behalf of a signed-in user; some of them (those covering directory data and full user profiles) additionally require administrative consent. These permissions follow version 1.0 of the Microsoft Graph API.

API Permissions explained

Permission             Type        Description                                      Admin consent?
openid                 Delegated   Sign users in                                    No
offline_access         Delegated   Maintain access to data after granting access    No
email                  Delegated   View user's email address                        No
User.Read.All          Delegated   Read all users' full profiles                    Yes
GroupMember.Read.All   Delegated   Read group memberships                           Yes

For a complete explanation of Microsoft Graph permissions, see Microsoft's documentation.
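The following Python is an added example, not part of the Lucy documentation or product. It shows how an administrator can verify that the consent granted during the "Authorize" step matches the permission table above: it builds the admin-consent URL for the Entra ID v2.0 endpoint from the listed scopes, then inspects the `scp` claim of a delegated access token and reports which required permissions are missing (and which of those need admin consent) and which granted permissions go beyond the table. The tenant id, client id, redirect URI and the sample token are constructed placeholders; the token parser only decodes claims and does not verify the signature, so it is an audit aid, not a token validator.

```python
import base64
import json
from urllib.parse import urlencode

# Delegated Microsoft Graph permissions from the table above.
# Value: does the permission require admin consent?
REQUIRED_SCOPES = {
    "openid": False,
    "offline_access": False,
    "email": False,
    "User.Read.All": True,
    "GroupMember.Read.All": True,
}

# OpenID Connect scopes are requested by their bare name; Graph resource
# scopes are requested with the Graph resource prefix.
_OIDC_SCOPES = {"openid", "offline_access", "email", "profile"}


def graph_scope_string(scopes=REQUIRED_SCOPES) -> str:
    """Space-separated 'scope' parameter for the Entra ID v2.0 endpoints."""
    return " ".join(
        name if name in _OIDC_SCOPES else f"https://graph.microsoft.com/{name}"
        for name in scopes
    )


def admin_consent_url(tenant: str, client_id: str, redirect_uri: str, state: str = "lucy") -> str:
    """Admin-consent URL an administrator opens to consent on behalf of the tenant.
    tenant/client_id/redirect_uri are supplied by the caller (placeholders here)."""
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "scope": graph_scope_string(),
    })
    return f"https://login.microsoftonline.com/{tenant}/v2.0/adminconsent?{query}"


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def token_claims(token: str) -> dict:
    """Decode the claims of a compact JWT WITHOUT verifying its signature.
    Good enough to audit what was granted; never use it to authenticate a caller."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def audit_delegated_scopes(token: str, required=REQUIRED_SCOPES) -> dict:
    """Compare the token's delegated scopes ('scp' claim) with the required set."""
    claims = token_claims(token)
    granted = set(claims.get("scp", "").split())
    missing = sorted(set(required) - granted)
    return {
        "granted": sorted(granted),
        "missing": missing,
        "missing_needs_admin_consent": [s for s in missing if required[s]],
        # Anything beyond the documented table is worth a second look.
        "unexpected": sorted(granted - set(required)),
        # App-only tokens carry 'roles' instead of 'scp'.
        "is_app_only": "roles" in claims and "scp" not in claims,
    }


def constructed_sample_token() -> str:
    """Constructed sample token shaped like an Entra ID delegated Graph token.
    It is missing GroupMember.Read.All and carries an extra Mail.ReadWrite scope."""
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {
        "aud": "https://graph.microsoft.com",
        "tid": "00000000-0000-0000-0000-000000000000",  # placeholder tenant id
        "scp": "openid offline_access email User.Read.All Mail.ReadWrite",
    }
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        "placeholder-signature",  # not a real signature
    ])


if __name__ == "__main__":
    print(admin_consent_url("TENANT-ID-PLACEHOLDER", "CLIENT-ID-PLACEHOLDER",
                            "https://lucy.example.invalid/azure/callback"))
    print(json.dumps(audit_delegated_scopes(constructed_sample_token()), indent=2))
```

If the audit reports a missing permission whose admin-consent flag is true, the "Authorize" step has to be repeated by a user who can consent for the whole organization; an unexpected extra scope means the app registration requests more than this integration needs and should be trimmed.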
