You can configure a Microsoft Entra ID directory to manage your users and groups through Identity as a Service. You can also change or reset your Microsoft Entra ID password through Identity as a Service and use it to log in to Identity as a Service.
IDaaS uses Read/Write as the default permission to allow all operations. Once the directory is created with the Read/Write permission, the Enterprise application will have all the scopes associated with Read/Write.
To change it back to Read-Only, the associated Read/Write scopes must be revoked from the Enterprise application. This can be done in two ways:
1. Manually revoke all the Read/Write scopes associated with the Enterprise application.
2. Delete the Enterprise application and reauthorize.
Note: Only an administrator with the privilege to grant permissions, for example the Global Administrator, can consent to the requested scopes.
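As an added example (not Identity as a Service or Microsoft code), the following Python script shows how an administrator can check which delegated scopes the Enterprise application still holds before and after reducing it to Read-Only. The input is a constructed JSON sample shaped like a Microsoft Graph oauth2PermissionGrant record (the object created when an administrator consents on behalf of the organization); the scope names, the placeholder IDs and the "name contains ReadWrite, .Write or AccessAsUser" classification rule are assumptions for illustration, because the page does not list the scopes Identity as a Service requests.

```python
"""Audit the delegated scopes consented to an Enterprise application.

Added example, not Identity as a Service or Microsoft code. The sample below
mimics the shape of a Microsoft Graph oauth2PermissionGrant object. The scope
names, IDs and the write-classification rule are assumptions chosen for
illustration; the page does not state which scopes Identity as a Service asks for.
"""
import json
import re
from typing import Dict, List

# Constructed sample: what a query for the application's permission grants
# might return. IDs are placeholders, not real object IDs.
SAMPLE_GRANTS_JSON = """
{
  "value": [
    {
      "id": "GRANT-ID-PLACEHOLDER",
      "clientId": "ENTERPRISE-APP-SP-ID-PLACEHOLDER",
      "consentType": "AllPrincipals",
      "principalId": null,
      "resourceId": "GRAPH-RESOURCE-SP-ID-PLACEHOLDER",
      "scope": "User.Read.All Group.Read.All Directory.Read.All User.ReadWrite.All Group.ReadWrite.All"
    }
  ]
}
"""

# Assumed heuristic: a delegated scope that can modify the directory carries
# "ReadWrite", ".Write" or "AccessAsUser" in its name.
WRITE_PATTERN = re.compile(r"ReadWrite|\.Write|AccessAsUser")


def split_scopes(scope: str) -> List[str]:
    """Graph stores the consented delegated scopes as one space-separated string."""
    return scope.split()


def is_write_scope(scope: str) -> bool:
    """True when the scope name matches the assumed write-capable pattern."""
    return WRITE_PATTERN.search(scope) is not None


def read_only_scope_string(scope: str) -> str:
    """Scope string that remains once every write-capable scope is dropped.

    This is the value to keep on the grant when revoking the Read/Write scopes
    manually (option 1) instead of deleting and reauthorizing the application.
    """
    return " ".join(s for s in split_scopes(scope) if not is_write_scope(s))


def parse_grants(json_text: str) -> List[Dict]:
    """Unwrap the Graph collection envelope ({"value": [...]})."""
    return json.loads(json_text)["value"]


def audit_grants(grants: List[Dict]) -> List[Dict]:
    """Classify each grant's scopes and flag tenant-wide (admin) consent."""
    report = []
    for grant in grants:
        scope = grant.get("scope", "")
        scopes = split_scopes(scope)
        report.append({
            "grant_id": grant["id"],
            # consentType AllPrincipals = consent granted on behalf of the organization
            "is_admin_consent": grant.get("consentType") == "AllPrincipals",
            "read_only": [s for s in scopes if not is_write_scope(s)],
            "read_write": [s for s in scopes if is_write_scope(s)],
            "reduced_scope": read_only_scope_string(scope),
        })
    return report


def is_read_only(grants: List[Dict]) -> bool:
    """True when no grant still carries a write-capable scope."""
    return all(not entry["read_write"] for entry in audit_grants(grants))


if __name__ == "__main__":
    grants = parse_grants(SAMPLE_GRANTS_JSON)
    for entry in audit_grants(grants):
        print(f"grant {entry['grant_id']} admin consent: {entry['is_admin_consent']}")
        print("  read-only scopes :", ", ".join(entry["read_only"]))
        print("  read/write scopes:", ", ".join(entry["read_write"]) or "(none)")
        print("  scope string to keep for Read-Only:", entry["reduced_scope"])
    print("application is Read-Only:", is_read_only(grants))
```

To run it against a real tenant, replace SAMPLE_GRANTS_JSON with the response of a Graph query for the Enterprise application's permission grants; the `reduced_scope` value is the scope string to retain when trimming the grant by hand, and `is_read_only` is the check to repeat after either revocation method to confirm nothing write-capable remains.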
The following table outlines the tested roles and supported actions.

SI No. | Role                                | Permission | User Sync | Group Sync | Password Reset
-------|-------------------------------------|------------|-----------|------------|---------------
1      | Global Administrator                | Read-Only  | Yes       | Yes        | No
       |                                     | Read/Write | Yes       | Yes        | Yes
2      | Reauthorize with User Administrator | Read-Only  | Yes       | Yes        | No
       |                                     | Read/Write | Yes       | Yes        | Yes
3      | Reauthorize with Global Reader      | Read-Only  | Yes       | Yes        | No
       |                                     | Read/Write | Yes       | Yes        | No
4      | Reauthorize with Directory Reader   | Read-Only  | Yes       | Yes        | No
       |                                     | Read/Write | Yes       | Yes        | No

Note: Roles 2, 3, and 4 do not have the privilege to grant consent. A Global Administrator must grant consent.
The following are Active Directory Domain user roles:
● Domain Administrator—Users with this role can connect to IDaaS with write permissions and can perform User synchronization, Group synchronization, Password Reset, and Password change.
● Domain User—Users with this role can connect to IDaaS with read-only permissions and can perform User synchronization and Group synchronization, but not Password Reset or Password change.
Before you begin, if you have already configured an on-premises directory and want to migrate your directory to Microsoft Entra ID, see the following:
1. Click > Resources > Directories. The Directories List page appears.
2. Click and select Azure Directory from the drop-down list. The Azure Authorization dialog box appears.
3. Select the Authorization permission for Microsoft Entra ID (Azure AD) sync with Identity as a Service. If you select Read Only, password change and password reset will not be available.
4. Click Authorize. You are redirected to Microsoft to sign in to your account.
5. Sign in to your Microsoft Entra ID account. You are redirected to the Microsoft Permissions page. The Permissions page lists all the permissions needed for Identity as a Service to import users and groups from your Microsoft Entra ID.
6. Click Consent on behalf of your organization. You must select this checkbox to use a Microsoft Entra ID directory with Identity as a Service.
7. Click Accept. You are redirected to the Add Directory page.
Note: When you log in to Microsoft Entra ID, a token is generated. The token remains valid for 10 minutes. If you do not complete sign-in and permission acceptance within 10 minutes, the token expires. If this happens, Identity as a Service creates the directory, but it is in an unauthorized state. On the Directories List page, click the directory name. The Edit Azure Directory page appears. Click Re-Authorize.
8. Enter a Directory Name to identify your Microsoft Entra ID.
9. In the Group Filters field, enter the name of the group that you want to filter on. For example, enter Sales to sync all users in the Sales Department. By default, all groups are synchronized.
Note: If there are no group filters set, all users are imported. If there is more than one group filter set, the user must belong to one of the groups identified by the group filters. Only enter one value per Group Filter text box.
10. Optional: Click Add to add more group filters.
11. In the Attributes Mappings section, map the user attributes to the Microsoft Entra ID attributes.
Note: If a user does not have an email and phone or mobile attribute in Microsoft Entra ID or they are not properly mapped, they will not have the OTP capability. You must at a minimum map the mandatory system attributes. They are flagged with an asterisk (*).
12. Optional: Add Custom User Attributes. (See Create and manage user attributes.)
Note: You must map attributes to the Microsoft Entra ID attributes. For a complete list, on the Add Directory page, click next to either System User Attributes or Custom User Attributes and then click the Azure user attributes link. For example, if you want to add a custom user attribute for a user's hire date, you can create it in Identity as a Service and call it Hire Date (or anything you want), but you must map it to hireDate, which is the acceptable Azure attribute.
13. In the Synchronization section, do the following:
a. From the Group Synchronization drop-down list, select the groups that you want to add to Identity as a Service. Only groups with users synced to Identity as a Service are created. The group synchronization options include:
– All groups—All groups from users synced to Identity as a Service are added.
– Groups Matching Group Filter—Only groups matching the filter are added to Identity as a Service.
– No Groups—No groups are added to Identity as a Service.
b. Select the User Desynchronization Policy from the drop-down list. This policy determines what happens to user accounts in Identity as a Service that are no longer found in the directory or no longer match the filters.
Note: Microsoft Entra ID synchronization occurs automatically every 8 hours.
14. Click Add.
When synchronization completes, the new directory appears on the Directories List page. A check mark appears in the Connection Status column to indicate that Identity as a Service has successfully connected to Azure AD.
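As an added example (not Identity as a Service code), the following Python model applies the Group Filter rules from step 9 and the Group Synchronization and User Desynchronization rules from step 13 to a constructed sample directory, so you can predict which users and groups a given filter set produces before you click Add. The directory contents, group names and helper names are assumptions; the rules themselves (no filters means every user is imported, several filters are OR-ed, only groups that contain synced users are created, and accounts that no longer match are handed to the User Desynchronization Policy) are the ones stated above.

```python
"""Model of the group-filter and group-synchronization rules from steps 9 and 13.

Added example, not Identity as a Service code. The rules are the ones the page
states; the directory contents are constructed sample data and the helper names
are assumptions.
"""
from typing import Dict, List, Set

# Constructed sample directory: user -> groups the user belongs to.
DIRECTORY: Dict[str, List[str]] = {
    "alice": ["Sales", "Everyone"],
    "bob": ["Engineering", "Everyone"],
    "carol": ["Sales", "Finance"],
    "dave": ["Contractors"],
}

# Group Synchronization drop-down options named on the page.
ALL_GROUPS = "All groups"
MATCHING_FILTER = "Groups Matching Group Filter"
NO_GROUPS = "No Groups"


def users_to_sync(directory: Dict[str, List[str]], group_filters: List[str]) -> Set[str]:
    """No filters: every user is imported. Otherwise a user is imported when they
    belong to at least ONE of the filtered groups (filters are OR-ed, not AND-ed)."""
    if not group_filters:
        return set(directory)
    wanted = set(group_filters)
    return {user for user, groups in directory.items() if wanted & set(groups)}


def groups_to_create(directory: Dict[str, List[str]], group_filters: List[str], option: str) -> Set[str]:
    """Groups that end up in Identity as a Service for the chosen option.
    Only groups that contain at least one synced user are ever created."""
    if option == NO_GROUPS:
        return set()
    synced = users_to_sync(directory, group_filters)
    with_synced_users = {g for user in synced for g in directory[user]}
    if option == MATCHING_FILTER:
        return with_synced_users & set(group_filters)
    if option == ALL_GROUPS:
        return with_synced_users
    raise ValueError(f"unknown group synchronization option: {option!r}")


def desynchronized_users(existing: Set[str], directory: Dict[str, List[str]], group_filters: List[str]) -> Set[str]:
    """Accounts already in Identity as a Service that the next sync hands to the
    User Desynchronization Policy: gone from the directory or no longer matching."""
    return existing - users_to_sync(directory, group_filters)


if __name__ == "__main__":
    for filters in ([], ["Sales"], ["Sales", "Engineering"], ["Sales", "Legal"]):
        print(f"filters={filters!r}")
        print("  users synced        :", sorted(users_to_sync(DIRECTORY, filters)))
        for option in (ALL_GROUPS, MATCHING_FILTER, NO_GROUPS):
            print(f"  {option:<29}:", sorted(groups_to_create(DIRECTORY, filters, option)))
    # Accounts already in Identity as a Service before the filter was tightened to Sales.
    print("handed to desync policy:", sorted(desynchronized_users({"alice", "bob", "erin"}, DIRECTORY, ["Sales"])))
```

Two results worth noticing: a filter that names a group with no synced members (Legal in the sample) creates nothing even under Groups Matching Group Filter, and All groups brings in groups such as Everyone that were never in the filter, because a synced user belongs to them.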
If an unauthorized icon appears, Identity as a Service cannot access the Microsoft Entra ID account, or its permissions have been revoked. This might happen if you remove the application from Microsoft Entra ID. If this occurs, do the following:
1. On the Identity as a Service Directories List page, select the Microsoft Entra ID directory name. The Edit Directory page appears. Click Re-authorize.
2. Sign in to your Microsoft Entra ID account. You are redirected to the Microsoft Permissions page. The Permissions page lists all the permissions needed for Identity as a Service to import users and groups from your Microsoft Entra ID.
3. Click Consent on behalf of your organization. You must select this check box to use a Microsoft Entra ID directory with Identity as a Service.
4. Click Accept. You are redirected to the Edit Directory page.
5. Click Save.
When syncing users through Microsoft Entra ID with Conditional Access enabled, or users with Office 365 federated domains, Identity as a Service is unable to perform password authentication. Only second-factor authentication is available for users protected by Conditional Access. This only affects Microsoft Entra ID cloud-to-cloud sync. It is not an issue if you are syncing users from Microsoft Entra ID through the Enterprise Service Gateway.