Configure Microsoft Azure Active Directory

This topic provides basic information about how to set up a Microsoft Azure Active Directory (AD) as a realm you can use with the CDO. We expect you to already be familiar with Azure AD; if not, consult documentation or a support resource before you get started.

Give your application the Microsoft Graph permission

Grant your Azure AD application the following permissions to Microsoft Graph as discussed in Authorization and the Microsoft Graph Security API on the Microsoft site:

  • Reader role

  • User.Read.All permission

  • Group.Read.All permission

This permission enables the CDO to download users and groups from Azure AD the first time.

Required information from this step for setting up the Azure AD realm in the CDO:

  • Name of the app you registered

  • Application (client) ID

  • Client secret

  • Directory (tenant) ID

Set up an event hub

Set up the event hub as discussed in Quickstart: Create an event hub using Azure portal on the Microsoft site. The CDO uses the event hub audit log to download periodic updates to users and groups.

More information: Features and terminology in Azure Event Hubs.

Important

You must choose the Standard pricing tier or better. If you choose Basic, the realm cannot be used.

Required information from this step for setting up the Azure AD realm in the CDO:

  • Namespace Name

  • Connection string—primary key

  • Event Hub Name

  • Consumer group Name

Enable the audit log

Enable the audit log as discussed in Tutorial: Stream Azure Active Directory logs to an Azure event hub on the Microsoft site.

Configure Cisco ISE for Azure AD

To send user session information to the CDO, configure Cisco ISE for Azure AD as discussed in Configure ISE 3.0 REST ID with Azure Active Directory.

What to do next

See How to Configure ISE for Microsoft Azure AD.