- 22 Sep 2024
- 2 Minutes to read
- Print
- DarkLight
- PDF
Microsoft Entra ID (formerly Azure AD) - Add or Remove Members from Administrative Unit
- Updated on 22 Sep 2024
- 2 Minutes to read
- Print
- DarkLight
- PDF
Microsoft Entra ID (formerly Azure AD) - Add or Remove Members from Administrative Unit adds or removes a user to or from an Entra ID Administrative unit for each asset (users, groups, or devices) that is a result of the saved query supplied as a trigger (or devices that have been selected in the asset table).
- Not all asset categories are supported for all Enforcement Actions.
- See Actions supported for Activity Logs, Adapters Fetch History, and Asset Investigation modules.
- See Actions supported for Vulnerabilities.
- See Actions supported for Software.
General Settings
- Action name - The name of this Enforcement Action. The system sets a default name. You can change the name.
- Configure Dynamic Values - Toggle on to enter a Dynamic Value statement. See Creating Enforcement Action Dynamic Value Statements to learn more about Dynamic Value statement syntax.
- Use stored credentials from the Entra ID adapter - Select this option to use the first connected Entra ID adapter credentials.
Required Fields
These fields must be configured to run the Enforcement Set.
- Administrative Unit ID - The object ID of the Administrative Unit to which to add the users or to remove the users from.
- Operation - Select the operation you want to perform, either Add members or Remove members.
Compute Node - The Axonius node to use when connecting to the specified host. For more details, see Connecting Additional Axonius Nodes.
Additional Fields
Connection and Credentials
When Use stored credentials from the adapter is toggled off, some of the connection fields below are required to create the connection, while other fields are optional.
- Azure Client ID - The Application ID of the Axonius application.
- Azure Client Secret - Specify a non-expired key generated from the new client secret.
- Azure Tenant ID - The ID for Microsoft Entra ID.
- Verify SSL - Select whether to verify the SSL certificate of the server against the CA database inside of Axonius. For more details, see SSL Trust & CA Settings.
- Account Sub Domain - The Microsoft account's sub domain (<sub_domain>.onmicrosoft.com).
- Username and Password - The credentials for a user account that has the permissions needed to perform this action.
- 2FA Secret Key - The secret generated in Microsoft Entra ID for setting up 2-factor authentication for the Microsoft user.
- SSO Provider - If your organization uses Microsoft Entra ID for SSO, you can select this check box.
For more information, see Connecting your SSO Solution Provider Adapter.
APIs
Axonius uses the Microsoft Graph REST API v1.0 Add a Member and Remove a Member API.
Required Permissions
The associated application must be granted AdministrativeUnit.ReadWrite.All Application permission and must be assigned the Privileged Role Administrator or Global Administrator role.
For full ands up-to-date information about permissions required for working with Microsoft Entra ID refer to permissions in Microsoft Graph API Documentation.
For more details about other Enforcement Actions available, see Action Library.