Creating an Entra ID Application for Himmelblau GroupMember.Read.All Permissions - himmelblau-idm/himmelblau GitHub Wiki
Overview
Himmelblau requires additional API permissions to read group names and extended attributes such as a group's gidNumber (which is essential for RFC2307 attribute ID mapping). The following configuration is necessary for Himmelblau to read the names of groups; user-group associations still function without it. To achieve this, you must create an Azure Entra ID application and assign it the GroupMember.Read.All permission.
Steps to Create an Entra ID Application
1. Register a New Application in Azure Entra ID
- Navigate to the Azure Entra ID portal.
- In the left-hand menu, select App registrations.
- Click New registration.
- Enter a Name for the application (e.g., `Himmelblau`).
- Under Supported account types, choose Accounts in this organizational directory only.
- Under Redirect URI, choose Public client/native (mobile & desktop) for the platform and enter `himmelblau://Himmelblau.EntraId.BrokerPlugin` for the URI.
- Click Register.
2. Assign API Permissions
- In the newly created application, navigate to API permissions.
- Click Add a permission.
- Select Microsoft Graph.
- Choose Delegated permissions.
- Search for `GroupMember.Read.All` and select it.
- Click Add permissions.
- Click Grant admin consent for the tenant.
3. Obtain the Application ID
- Go to Overview in the application’s page.
- Copy the Application (client) ID. This value will be used in Himmelblau’s configuration.
4. Configure Himmelblau
Edit the `/etc/himmelblau/himmelblau.conf` file and add the following entry under the relevant domain:

```ini
[example.com]
app_id = 98fa618b-e5d2-4697-b0fd-fe3ec5eecdd3
```

Replace `98fa618b-e5d2-4697-b0fd-fe3ec5eecdd3` with your actual Application ID from Azure Entra ID.
5. Restart Himmelblau Services
To apply changes, restart Himmelblau:

```sh
sudo systemctl restart himmelblaud
sudo systemctl restart himmelblaud-tasks
```
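The five steps above, scripted as an added example (this is not code from the Himmelblau project): `register_himmelblau_app` assumes an Azure CLI session already logged in as an administrator and a CLI version that supports `--public-client-redirect-uris`, while `set_app_id` and `get_app_id` edit and read back the `[domain]` section offline; `GRAPH_APP_ID`, `REDIRECT_URI` and the function names are chosen here.

```shell
# Added example, not part of the Himmelblau project: script the portal steps with
# the Azure CLI and write the resulting Application (client) ID into himmelblau.conf.
set -euo pipefail
GRAPH_APP_ID="00000003-0000-0000-c000-000000000000"  # well-known Microsoft Graph app ID
REDIRECT_URI="himmelblau://Himmelblau.EntraId.BrokerPlugin"

# True if $1 has the GUID shape Azure uses for Application (client) IDs.
is_guid() {
  printf '%s' "$1" | grep -Eiq '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'
}

# Creates the registration, adds delegated GroupMember.Read.All, grants admin consent
# and prints the Application (client) ID. Requires an admin `az login` (assumption).
register_himmelblau_app() {
  local name="${1:-Himmelblau}" app_id scope_id
  app_id=$(az ad app create --display-name "$name" --sign-in-audience AzureADMyOrg \
    --public-client-redirect-uris "$REDIRECT_URI" --query appId -o tsv)
  # Resolve the permission's ID from Graph's service principal instead of hard-coding it.
  scope_id=$(az ad sp show --id "$GRAPH_APP_ID" \
    --query "oauth2PermissionScopes[?value=='GroupMember.Read.All'].id" -o tsv)
  az ad app permission add --id "$app_id" --api "$GRAPH_APP_ID" \
    --api-permissions "${scope_id}=Scope" >/dev/null
  az ad app permission admin-consent --id "$app_id" >/dev/null
  echo "$app_id"
}

# Sets "app_id = <guid>" under [<domain>] in <conf>: replaces an existing value, adds
# the key to an existing section, or appends a new section. Refuses non-GUID values.
set_app_id() {
  local conf="$1" domain="$2" app_id="$3" tmp
  is_guid "$app_id" || { echo "refusing to write non-GUID app_id: $app_id" >&2; return 1; }
  [ -f "$conf" ] || : > "$conf"
  if ! grep -Fxq "[$domain]" "$conf"; then
    printf '\n[%s]\napp_id = %s\n' "$domain" "$app_id" >> "$conf"; return 0
  fi
  tmp=$(mktemp)
  awk -v sect="[$domain]" -v val="$app_id" '
    $0 == sect { in_sect = 1; print; next }
    /^\[/ && in_sect { if (!written) print "app_id = " val; written = 1; in_sect = 0 }
    in_sect && /^[[:space:]]*app_id[[:space:]]*=/ { print "app_id = " val; written = 1; next }
    { print }
    END { if (in_sect && !written) print "app_id = " val }' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Reads app_id back from the [<domain>] section of <conf>, to verify the edit.
get_app_id() {
  awk -v sect="[$1]" '$0 == sect { s = 1; next } /^\[/ { s = 0 }
    s && /^[[:space:]]*app_id[[:space:]]*=/ { sub(/^[^=]*=[[:space:]]*/, ""); print }' "$2"
}
```

Run end to end with `set_app_id /etc/himmelblau/himmelblau.conf example.com "$(register_himmelblau_app)"`, then restart the services as in step 5.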
Conclusion
After following these steps, Himmelblau will be able to retrieve the group information necessary for accurate ID mapping using Entra ID. Ensure that the application has the necessary permissions and is correctly configured in `himmelblau.conf` for seamless integration.