Azure Active Directory is a managed multi-tenant service from Microsoft that offers identity and access capabilities for the cloud using Azure Active Directory REST API services.
This document provides information about the Azure Active Directory connector, which facilitates automated interactions, between Azure Active Directory REST API services and FortiSOAR™ playbooks. Add the Azure Active Directory connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving a list of users from Azure Active Directory, or disabling the account of a specific user in Azure Active Directory.
Connector Version: 2.2.0
FortiSOAR™ Version Tested on: 7.4.0-3024
Azure Active Directory Version Tested on: Azure Cloud
Authored By: Fortinet
Certified: Yes
Following enhancements have been made to the Azure Active Directory connector in version 2.2.0:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum
command as a root user to install the connector:
yum install cyops-connector-azure-active-directory
login.microsoftonline.com
on port 443 is in the allowlist of your Firewall or Proxy servers.For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Azure Active Directory connector row (if you are in the Grid view on the Connectors page), and in the Configurationstab enter the required configuration details:
Parameter | Description |
---|---|
Get Access Token | Select the method using which you will get authentication tokens used to access the security graph APIs. You can choose between On behalf of User – Delegate Permission or Without a User - Application Permission. For more information, see the Getting Access Tokens section. |
Server URL | The service-based URL to which you will connect and perform the automated operations. |
Client ID | Unique ID of the Azure Active Directory application that is used to create an authentication token required to access the API. |
Client Secret | Unique Client Secret of the Azure Active Directory application that is used to create an authentication token required to access the API. For information on how to get the secret key, see https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp. |
Tenant ID | ID of the tenant that you have been provided for your Azure Active Directory instance. |
Authorization Code | (Only Applicable to On behalf of User – Delegate Permission) The authorization code that you acquired during the authorization step. For more information, see the Getting Access Tokens using the On behalf of the user – Delegate Permission method section. |
Redirect URL | (Only Applicable to On behalf of User – Delegate Permission) The redirect_uri of your app, where authentication responses can be sent and received by your app. The redirect URL that you specify here must exactly match one of the redirect_uri's you have registered in your app registration portal. For more information, see the Getting Access Tokens using the On behalf of the user – Delegate Permission method section. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True . |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from version 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Get User Membership | Retrieves groups, directory roles, and administrative units of which the user is a direct member. | get_user_membership Enrichment |
Get People | Retrieves a collection of person objects in order of their relevance to the user, determined by the user's communication, collaboration patterns, and business relationships. | get_people Enrichment |
Get Managers | Retrieves the chain of managers for a specified user. | get_managers Enrichment |
Revoke SignIn Sessions | Invalidates all the refresh tokens issued to applications for a user. Action typically performed if the user's device is lost or stolen. | revoke_sign_in_sessions Response |
List Direct Reports | Retrieves the direct reports for the specified user. | list_direct_reports Investigation |
List Devices | Retrieves a list of device objects registered in the organization. | list_devices Investigation |
List Registered Owners | Retrieves a list of users registered as owners of a device. | get_registered_owners Investigation |
List Registered Users | Retrieves a list of registered users of a device. | get_registered_users Investigation |
List User Owned Devices | Lists the devices that are owned by a user. | list_user_owned_devices Enrichment |
List User Owned Objects | Get the list of directory objects that are owned by a user. | list_user_owned_objects Enrichment |
List Groups | Retrieves a list of groups from Azure Active Directory based on the query for filtering groups that you have specified. | list_groups Investigation |
Get Group Details | Retrieves the details of a particular group from Azure Active Directory based on the group ID that you have specified. | get_group_details Investigation |
List SignIns Events | Retrieves the list of sign-in events from Azure Active Directory based on the query for filtering users that you have specified. | list_sign_ins Investigation |
Remove Member | Removes a member from a group based on the group and user ID that you have specified. | remove_member Investigation |
Add Member | Adds a member to a group based on the group and user ID that you have specified. | add_member Investigation |
List Group Members | Retrieves a list of members of a particular group from Azure Active Directory based on the query for filtering group members that you have specified. | list_group_members Investigation |
List Users | Retrieves a list of users from Azure Active Directory based on the query for filtering users you have specified. | list_users Investigation |
Get User Details | Retrieves specific information for a specific user from Azure Active Directory, based on the Object ID or User Principal Name you have specified. | get_user_details Investigation |
Add User | Creates a new user in Azure Active Directory, based on the User Principal Name, Display Name, Password, and other input parameters you have specified. | add_user Investigation |
Enable User | Enables a specific user's account in Azure Active Directory, based on the Object ID or User Principal Name you have specified. | enable_user Containment |
Disable User | Disables a specific user's account in Azure Active Directory, based on the Object ID or User Principal Name you have specified. | disable_user Containment |
Delete User | Deletes a specific user's account from Azure Active Directory, based on the Object ID or User Principal Name you have specified. | delete_user Investigation |
Reset Password | Resets the password for an existing Azure Active Directory user, based on the Object ID or User Principal Name, password, and other input parameters you have specified. | reset_password Containment |
Generic REST API Call | Make a Generic MS Graph API Call | rest_api_call |
Parameter | Description |
---|---|
User ID | Specify the user ID or the principal name of the user whose group memberships to fetch. |
Membership Type | Select the type of group membership to retrieve from following options:
|
The output contains the following populated JSON schema:
{ "value": [ { "@odata.type": "", "displayName": "", "mailEnabled": "", "securityEnabled": "" } ] }
Parameter | Description |
---|---|
User ID | Specify the user ID or the principal name of the user for which to fetch the people records. |
Filter Query | Specify the filter query based on which to retrieve people. Refer to Azure Filter Query Parameters for information on the filter query syntax. |
Select Query | Specify the $select query to retrieve people from Azure Active Directory. The OData's Select query is supported on fields such as id , displayName , etc. Refer to OData system query options for more information. |
Number Of Records To Fetch | (Optional) Specify the maximum number of records that this operation should return from Azure. |
Offset | (Optional) Specify the count of the first few records to skip while retrieving response from Azure Active Directory. |
The output contains the following populated JSON schema:
{ "value": [ { "id": "", "displayName": "", "givenName": "", "surname": "", "birthday": "", "personNotes": "", "isFavorite": "", "jobTitle": "", "companyName": "", "yomiCompany": "", "department": "", "officeLocation": "", "profession": "", "userPrincipalName": "", "imAddress": "", "scoredEmailAddresses": [ { "address": "", "relevanceScore": "" } ], "phones": "", "postalAddresses": "", "websites": "", "personType": { "class": "", "subclass": "" } }, { "id": "", "displayName": "", "givenName": "", "surname": "", "birthday": "", "personNotes": "", "isFavorite": "", "jobTitle": "", "companyName": "", "yomiCompany": "", "department": "", "officeLocation": "", "profession": "", "userPrincipalName": "", "imAddress": "", "scoredEmailAddresses": [ { "address": "", "relevanceScore": "" } ], "phones": [ { "type": "", "number": "" } ], "postalAddresses": "", "websites": "", "personType": { "class": "", "subclass": "" } } ] }
Parameter | Description |
---|---|
User ID | Specify the user ID or the principal name of the user for whom to fetch the managers list. |
The output contains the following populated JSON schema:
{ "id": "", "displayName": "", "manager": { "id": "", "displayName": "", "manager": { "id": "", "displayName": "", "manager": { "id": "", "displayName": "" } } } }
Parameter | Description |
---|---|
User ID | Specify the user ID or the principal name of the user for whom to revoke all sign in sessions. |
The output contains the following populated JSON schema:
{ "@odata.context": "", "value": "" }
Parameter | Description |
---|---|
User ID | Specify the user ID or the principal name of the user for whom to fetch the direct reports. |
The output contains the following populated JSON schema:
{ "@odata.context": "", "value": [ { "@odata.type": "", "id": "", "businessPhones": "", "displayName": "", "givenName": "", "jobTitle": "", "mail": "", "mobilePhone": "", "officeLocation": "", "preferredLanguage": "", "surname": "", "userPrincipalName": "" } ] }
Parameter | Description |
---|---|
Filter Query | Specify the filter query based on which to retrieve the list of devices. Refer to Azure Filter Query Parameters for information on the filter query syntax. |
Select Query | Specify the $select query to retrieve people from Azure Active Directory. The OData's Select query is supported on fields such as id , displayName , etc. Refer to OData system query options for more information. |
Number Of Records To Fetch | (Optional) Specify the maximum number of records that this operation should return from Azure. |
Get All Pages | Select this option, i.e., set it to true , to fetch all pages containing all available records from Azure. |
Skip Token | (Optional) Specify a skip token if a previous operation returned a partial result. If the previous response contains a nextLink element, the value of the nextLink element includes a skip token parameter that specifies a starting point to use for subsequent calls. |
The output contains the following populated JSON schema:
{ "value": [ { "accountEnabled": "", "deviceId": "", "deviceVersion": "", "displayName": "", "Manufacturer": "", "Model": "", "operatingSystemVersion": "" } ] }
Parameter | Description |
---|---|
Device ID | Specify the device ID for which to fetch registered owners. |
The output contains the following populated JSON schema:
{ "@odata.context": "", "value": [ { "@odata.type": "", "@odata.id": "", "id": "" } ] }
Parameter | Description |
---|---|
Device ID | Specify the device ID for which to fetch registered owners. |
The output contains the following populated JSON schema:
{ "@odata.context": "", "value": [ { "@odata.type": "", "@odata.id": "", "id": "", "displayName": "", "mail": "", "mailNickname": "" } ] }
Parameter | Description |
---|---|
User ID | Specify the user ID or the principal name of the user for which to fetch owned devices. |
The output contains the following populated JSON schema:
{ "value": [ { "id": "" } ] }
Parameter | Description |
---|---|
User ID | Specify the user ID or the principal name of the user for which to fetch directory objects. |
The output contains the following populated JSON schema:
{ "value": [ { "id": "" } ] }
Parameter | Description |
---|---|
Filter Query | Specify the filter query based on which to retrieve groups. Refer to Azure Filter Query Parameters for information on the filter query syntax. |
Select Query | Specify the $select query to retrieve groups from Azure Active Directory. The OData's Select query is supported on fields such as id , displayName , etc. Refer to OData system query options for more information. |
Number Of Groups To Fetch | (Optional) Specify the maximum number of groups that this operation should return from Azure. |
Get All Pages | Select this option, i.e., set it to true , to fetch all pages containing all available records from Azure. |
Skip Token | (Optional) Specify a skip token if a previous operation returned a partial result. If the previous response contains a nextLink element, the value of the nextLink element includes a skip token parameter that specifies a starting point to use for subsequent calls. |
The output contains the following populated JSON schema:
{ "@odata.context": "", "@odata.count": "", "value": [ { "id": "", "deletedDateTime": "", "classification": "", "createdDateTime": "", "creationOptions": [], "description": "", "displayName": "", "expirationDateTime": "", "groupTypes": [], "isAssignableToRole": "", "mail": "", "mailEnabled": "", "mailNickname": "", "membershipRule": "", "membershipRuleProcessingState": "", "onPremisesDomainName": "", "onPremisesLastSyncDateTime": "", "onPremisesNetBiosName": "", "onPremisesSamAccountName": "", "onPremisesSecurityIdentifier": "", "onPremisesSyncEnabled": "", "preferredDataLocation": "", "preferredLanguage": "", "proxyAddresses": [], "renewedDateTime": "", "resourceBehaviorOptions": [], "resourceProvisioningOptions": [], "securityEnabled": "", "securityIdentifier": "", "theme": "", "visibility": "", "onPremisesProvisioningErrors": [] } ] }
Parameter | Description |
---|---|
Group ID | Specify an ID of the group for which to list the members. |
Filter Query | Specify the filter query based on which to retrieve group members. Refer to Azure Filter Query Parameters for information on the filter query syntax. |
Select Query | Specify the $select query to retrieve people from Azure Active Directory. The OData's Select query is supported on fields such as id , displayName , etc. Refer to OData system query options for more information. |
Number Of Group Members To Fetch | (Optional) Specify the maximum number of group members that this operation should return from Azure. |
Get All Pages | Select this option, i.e., set it to true , to fetch all pages containing all available records from Azure. |
Skip Token | (Optional) Specify a skip token if a previous operation returned a partial result. If the previous response contains a nextLink element, the value of the nextLink element includes a skip token parameter that specifies a starting point to use for subsequent calls. |
The output contains the following populated JSON schema:
{ "@odata.context": "", "@odata.count": "", "value": [ { "@odata.type": "", "id": "", "businessPhones": [], "displayName": "", "givenName": "", "jobTitle": "", "mail": "", "mobilePhone": "", "officeLocation": "", "preferredLanguage": "", "surname": "", "userPrincipalName": "" } ] }
Parameter | Description |
---|---|
Group ID | Specify a group ID to fetch the details for that group. |
The output contains the following populated JSON schema:
{ "@odata.context": "", "id": "", "deletedDateTime": "", "classification": "", "createdDateTime": "", "creationOptions": [], "description": "", "displayName": "", "expirationDateTime": "", "groupTypes": [], "isAssignableToRole": "", "mail": "", "mailEnabled": "", "mailNickname": "", "membershipRule": "", "membershipRuleProcessingState": "", "onPremisesDomainName": "", "onPremisesLastSyncDateTime": "", "onPremisesNetBiosName": "", "onPremisesSamAccountName": "", "onPremisesSecurityIdentifier": "", "onPremisesSyncEnabled": "", "preferredDataLocation": "", "preferredLanguage": "", "proxyAddresses": [], "renewedDateTime": "", "resourceBehaviorOptions": [], "resourceProvisioningOptions": [], "securityEnabled": "", "securityIdentifier": "", "theme": "", "visibility": "", "onPremisesProvisioningErrors": [] }
Parameter | Description |
---|---|
Group ID | Specify a group ID from which to remove the user. |
User ID | Specify the directory object ID of the user to remove from the group. |
The output contains the following populated JSON schema:
{ "status": "", "result": "" }
Parameter | Description |
---|---|
Group ID | Specify a group ID to which to add a user. |
User ID | Specify the directory object ID of the user to add to the group. |
The output contains the following populated JSON schema:
{ "status": "", "result": "" }
Parameter | Description |
---|---|
Filter Query | Specify the filter query based on which to retrieve sign-in events from Azure Active Directory. The OData's Filter query is supported on the following fields: id , userPrincipalName , displayName , givenName and jobTitle . For example [userPrincipalName eq 'username@example.com'] retrieves a user whose userPrincipalName is username@example.com . Refer to OData system query options for more information. |
Number of Events to Fetch | (Optional) Specify the maximum number of events that this operation should return from Azure. |
Get All Pages | Select this option, i.e., set it to true , to fetch all pages containing all available records from Azure. |
Skip Token | (Optional) Specify a skip token if a previous operation returned a partial result. If the previous response contains a nextLink element, the value of the nextLink element includes a skip token parameter that specifies a starting point to use for subsequent calls. |
The output contains the following populated JSON schema:
{ "@odata.context": "", "@odata.nextLink": "", "value": [ { "id": "", "createdDateTime": "", "userDisplayName": "", "userPrincipalName": "", "userId": "", "appId": "", "appDisplayName": "", "ipAddress": "", "clientAppUsed": "", "correlationId": "", "conditionalAccessStatus": "", "isInteractive": "", "riskDetail": "", "riskLevelAggregated": "", "riskLevelDuringSignIn": "", "riskState": "", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "", "resourceId": "", "status": { "errorCode": "", "failureReason": "", "additionalDetails": "" }, "deviceDetail": { "deviceId": "", "displayName": "", "operatingSystem": "", "browser": "", "isCompliant": "", "isManaged": "", "trustType": "" }, "location": { "city": "", "state": "", "countryOrRegion": "", "geoCoordinates": { "altitude": "", "latitude": "", "longitude": "" } }, "appliedConditionalAccessPolicies": [] } ] }
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Filter Query | Specify the filter query based on which to retrieve users from Azure Active Directory. The OData's Filter query is supported on the following fields: id , userPrincipalName , displayName , givenName and jobTitle . For example [userPrincipalName eq "username@example.com"] retrieves a user whose userPrincipalName is username@example.com |
Select Query | Specify the $select query to retrieve user fields from Azure Active Directory. The OData's Select query is supported on fields such as id , userPrincipalName , displayName , etc. Refer to OData system query options for more information. |
Search Query | Specify the search query to retrieve user details from Azure Active Directory. The OData's Search query is supported on fields such as id , userPrincipalName , displayName , etc. Refer to OData system query options for more information. |
The output contains the following populated JSON schema:
{ "@odata.context": "", "value": [ { "businessPhones": [], "displayName": "", "givenName": "", "jobTitle": "", "mail": "", "mobilePhone": "", "officeLocation": "", "preferredLanguage": "", "surname": "", "userPrincipalName": "", "id": "" } ] }
Parameter | Description |
---|---|
Based On | Select the parameter based on which to retrieve details of a user from Azure Active Directory. You can choose from the following options:
|
The output contains the following populated JSON schema:
Output schema when you choose Provide Additional Details as false
:
{ "id": "", "city": "", "mail": "", "state": "", "country": "", "surname": "", "ageGroup": "", "jobTitle": "", "userType": "", "faxNumber": "", "givenName": "", "department": "", "employeeId": "", "identities": [ { "issuer": "", "signInType": "", "issuerAssignedId": "" } ], "otherMails": [], "postalCode": "", "companyName": "", "displayName": "", "imAddresses": [], "mobilePhone": "", "creationType": "", "employeeType": "", "mailNickname": "", "assignedPlans": [ { "service": "", "servicePlanId": "", "assignedDateTime": "", "capabilityStatus": "" } ], "streetAddress": "", "usageLocation": "", "@odata.context": "", "accountEnabled": "", "businessPhones": [], "officeLocation": "", "proxyAddresses": [], "createdDateTime": "", "deletedDateTime": "", "employeeOrgData": "", "passwordProfile": "", "assignedLicenses": [], "employeeHireDate": "", "passwordPolicies": "", "provisionedPlans": [ { "service": "", "capabilityStatus": "", "provisioningStatus": "" } ], "externalUserState": "", "isResourceAccount": "", "preferredLanguage": "", "showInAddressList": "", "userPrincipalName": "", "securityIdentifier": "", "onPremisesDomainName": "", "onPremisesImmutableId": "", "onPremisesSyncEnabled": "", "preferredDataLocation": "", "consentProvidedForMinor": "", "licenseAssignmentStates": [], "onPremisesSamAccountName": "", "lastPasswordChangeDateTime": "", "onPremisesLastSyncDateTime": "", "legalAgeGroupClassification": "", "onPremisesDistinguishedName": "", "onPremisesUserPrincipalName": "", "onPremisesProvisioningErrors": [], "onPremisesSecurityIdentifier": "", "onPremisesExtensionAttributes": { "extensionAttribute1": "" }, "refreshTokensValidFromDateTime": "", "externalUserStateChangeDateTime": "", "signInSessionsValidFromDateTime": "" }
Output schema when you choose Provide Additional Details as true
:
{ "id": "", "city": "", "mail": "", "state": "", "mySite": "", "skills": [], "aboutMe": "", "country": "", "schools": [], "surname": "", "ageGroup": "", "birthday": "", "hireDate": "", "jobTitle": "", "userType": "", "faxNumber": "", "givenName": "", "interests": [], "department": "", "employeeId": "", "identities": [ { "issuer": "", "signInType": "", "issuerAssignedId": "" } ], "otherMails": [], "postalCode": "", "companyName": "", "displayName": "", "imAddresses": [], "mobilePhone": "", "creationType": "", "employeeType": "", "mailNickname": "", "pastProjects": [], "assignedPlans": [ { "service": "", "servicePlanId": "", "assignedDateTime": "", "capabilityStatus": "" } ], "preferredName": "", "streetAddress": "", "usageLocation": "", "@odata.context": "", "accountEnabled": "", "businessPhones": [], "officeLocation": "", "proxyAddresses": [], "createdDateTime": "", "deletedDateTime": "", "employeeOrgData": "", "passwordProfile": "", "assignedLicenses": [ { "skuId": "", "disabledPlans": [] } ], "employeeHireDate": "", "passwordPolicies": "", "provisionedPlans": [ { "service": "", "capabilityStatus": "", "provisioningStatus": "" } ], "responsibilities": [], "externalUserState": "", "isResourceAccount": "", "preferredLanguage": "", "showInAddressList": "", "userPrincipalName": "", "securityIdentifier": "", "onPremisesDomainName": "", "onPremisesImmutableId": "", "onPremisesSyncEnabled": "", "preferredDataLocation": "", "consentProvidedForMinor": "", "licenseAssignmentStates": [ { "error": "", "skuId": "", "state": "", "disabledPlans": [], "assignedByGroup": "", "lastUpdatedDateTime": "" } ], "onPremisesSamAccountName": "", "lastPasswordChangeDateTime": "", "onPremisesLastSyncDateTime": "", "legalAgeGroupClassification": "", "onPremisesDistinguishedName": "", "onPremisesUserPrincipalName": "", "onPremisesProvisioningErrors": [], "onPremisesSecurityIdentifier": "", "onPremisesExtensionAttributes": { "extensionAttribute1": "" }, "refreshTokensValidFromDateTime": "", "externalUserStateChangeDateTime": "", "signInSessionsValidFromDateTime": "" }
Parameter | Description |
---|---|
Display Name | Specify the name that you want to be displayed in the address book for the user that you are creating in Azure Active Directory. |
Mail Nick Name | Specify the mail alias for the user that you are creating in Azure Active Directory. |
User Principal Name | Specify the principal name of the user that you are creating in Azure Active Directory. |
Password | Specify the password of the user that you are creating in Azure Active Directory. |
Force Change Password Next Login | Select this option, i.e., set it to true, to force the users to change their password when they next log on to Azure Active Directory. |
Account Enabled | Select this option, i.e., set it to true, to enable this user's account on Azure Active Directory. |
Additional Fields | (Optional) Specify additional fields to add to the user's account that you are creating in Azure Active Directory. |
The output contains the following populated JSON schema:
{ "@odata.context": "", "id": "", "businessPhones": [], "displayName": "", "givenName": "", "jobTitle": "", "mail": "", "mobilePhone": "", "officeLocation": "", "preferredLanguage": "", "surname": "", "userPrincipalName": "" }
Parameter | Description |
---|---|
Based On | Select the parameter based on which to enable a user's account on Azure Active Directory. You can choose from the following options:
|
The output contains the following populated JSON schema:
{ "status": "", "result": "" }
Parameter | Description |
---|---|
Based On | Select the parameter based on which to disable a user's account on Azure Active Directory. You can choose from the following options:
|
The output contains the following populated JSON schema:
{ "status": "", "result": "" }
Parameter | Description |
---|---|
Based On | Select the parameter based on which to delete a user's account on Azure Active Directory. You can choose from the following options:
|
The output contains the following populated JSON schema:
{ "status": "", "result": "" }
Parameter | Description |
---|---|
Based On | Select the parameter based on which to reset the password of a user's account on Azure Active Directory. You can choose from the following options:
|
Password | Specify a temporary password that you want to set for the user on Azure Active Directory. |
Force Change Password Next Login | Select this option, i.e., set it to true, to force the users to change their password when they next log on to Azure Active Directory. |
The output contains the following populated JSON schema:
{ "status": "", "result": "" }
Parameter | Description |
---|---|
API Endpoint | Specify the MS Graph API Endpoint from which to fetch details. |
HTTP method | Specify the HTTP Method used to access the endpoint. |
Query params | Specify query parameters in JSON format to send as part of the URL. |
Request Payload | Specify the Body of the POST/PUT/PATCH request in JSON. |
The output contains a non-dictionary value.
The Sample - Azure Active Directory - 2.2.0
playbook collection comes bundled with the Azure Active Directory connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Azure Active Directory connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
The Sample - Azure Active Directory - 2.2.0 playbook collection contains pluggable enrichment playbooks that are used to provide verdicts for the indicator of type user.
The pluggable enrichment playbooks are of the format: 'user > Azure Active Directory > Enrichment'
The 'Configuration' step in all the pluggable enrichment playbooks contain variables that have default values for calculating the 'Verdict' for various indicator types.
Based on the Azure Active Directory integration API response following variables are returned:
Variable Name | Description | Return Value |
---|---|---|
cti_name |
The name of the connector is called the CTI (Cyber Threat Intelligence) name | AzureActiveDirectory |
source_data |
The source_data response returned by the integration API. |
A JSON response object containing the source data of the threat intelligence integration. |
enrichment_summary |
The contents that are added, in the HTML format, in the Description field of the specified FortiSOAR™ indicator record. |
The following tables are returned in the HTML format:
|
You can get authentication tokens to access the security graph APIs using two methods:
User.Read
User.Read.All
User.ReadWrite
User.ReadWrite.All
User.ReadBasic.All
User.ManageIdentities.All
People.Read
People.Read.All
Device.Read.All
Group.ReadWrite.All
GroupMember.Read.All
GroupMember.ReadWrite.All
Group.Read.All
AuditLog.Read.All
Directory.Read.All
Directory.ReadWrite.All
Directory.AccessAsUser.All
of type Delegated.TENANT_ID
, CLIENT_ID
, and REDIRECT_URI
with your tenant ID, client ID, and the following redirect URL:https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize?response_type=code&scope=offline_access https://graph.microsoft.com/.default&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI
REDIRECT_URI?code=AUTH_CODE&session_state=SESSION_STATE
AUTH_CODE
(without the "code=" prefix) and paste it in your instance configuration in the Authorization Code parameter.User.Read.All
User.ReadWrite.All
People.Read.All
Device.Read.All
Device.ReadWrite.All
GroupMember.Read.All
GroupMember.ReadWrite.All
Group.ReadWrite.All
Group.Read.All
AuditLog.Read.All
Directory.Read.All
Directory.ReadWrite.All
User.ManageIdentities.All
of type Application.Azure Active Directory is a managed multi-tenant service from Microsoft that offers identity and access capabilities for the cloud using Azure Active Directory REST API services.
This document provides information about the Azure Active Directory connector, which facilitates automated interactions, between Azure Active Directory REST API services and FortiSOAR™ playbooks. Add the Azure Active Directory connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving a list of users from Azure Active Directory, or disabling the account of a specific user in Azure Active Directory.
Connector Version: 2.2.0
FortiSOAR™ Version Tested on: 7.4.0-3024
Azure Active Directory Version Tested on: Azure Cloud
Authored By: Fortinet
Certified: Yes
Following enhancements have been made to the Azure Active Directory connector in version 2.2.0:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum
command as a root user to install the connector:
yum install cyops-connector-azure-active-directory
login.microsoftonline.com
on port 443 is in the allowlist of your Firewall or Proxy servers.For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Azure Active Directory connector row (if you are in the Grid view on the Connectors page), and in the Configurationstab enter the required configuration details:
Parameter | Description |
---|---|
Get Access Token | Select the method using which you will get authentication tokens used to access the security graph APIs. You can choose between On behalf of User – Delegate Permission or Without a User - Application Permission. For more information, see the Getting Access Tokens section. |
Server URL | The service-based URL to which you will connect and perform the automated operations. |
Client ID | Unique ID of the Azure Active Directory application that is used to create an authentication token required to access the API. |
Client Secret | Unique Client Secret of the Azure Active Directory application that is used to create an authentication token required to access the API. For information on how to get the secret key, see https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp. |
Tenant ID | ID of the tenant that you have been provided for your Azure Active Directory instance. |
Authorization Code | (Only Applicable to On behalf of User – Delegate Permission) The authorization code that you acquired during the authorization step. For more information, see the Getting Access Tokens using the On behalf of the user – Delegate Permission method section. |
Redirect URL | (Only Applicable to On behalf of User – Delegate Permission) The redirect_uri of your app, where authentication responses can be sent and received by your app. The redirect URL that you specify here must exactly match one of the redirect_uri's you have registered in your app registration portal. For more information, see the Getting Access Tokens using the On behalf of the user – Delegate Permission method section. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True . |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from version 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Get User Membership | Retrieves groups, directory roles, and administrative units of which the user is a direct member. | get_user_membership Enrichment |
Get People | Retrieves a collection of person objects in order of their relevance to the user, determined by the user's communication, collaboration patterns, and business relationships. | get_people Enrichment |
Get Managers | Retrieves the chain of managers for a specified user. | get_managers Enrichment |
Revoke SignIn Sessions | Invalidates all the refresh tokens issued to applications for a user. Action typically performed if the user's device is lost or stolen. | revoke_sign_in_sessions Response |
List Direct Reports | Retrieves the direct reports for the specified user. | list_direct_reports Investigation |
List Devices | Retrieves a list of device objects registered in the organization. | list_devices Investigation |
List Registered Owners | Retrieves a list of users registered as owners of a device. | get_registered_owners Investigation |
List Registered Users | Retrieves a list of registered users of a device. | get_registered_users Investigation |
List User Owned Devices | Lists the devices that are owned by a user. | list_user_owned_devices Enrichment |
List User Owned Objects | Get the list of directory objects that are owned by a user. | list_user_owned_objects Enrichment |
List Groups | Retrieves a list of groups from Azure Active Directory based on the query for filtering groups that you have specified. | list_groups Investigation |
Get Group Details | Retrieves the details of a particular group from Azure Active Directory based on the group ID that you have specified. | get_group_details Investigation |
List SignIns Events | Retrieves the list of sign-in events from Azure Active Directory based on the query for filtering users that you have specified. | list_sign_ins Investigation |
Remove Member | Removes a member from a group based on the group and user ID that you have specified. | remove_member Investigation |
Add Member | Adds a member to a group based on the group and user ID that you have specified. | add_member Investigation |
List Group Members | Retrieves a list of members of a particular group from Azure Active Directory based on the query for filtering group members that you have specified. | list_group_members Investigation |
List Users | Retrieves a list of users from Azure Active Directory based on the query for filtering users you have specified. | list_users Investigation |
Get User Details | Retrieves specific information for a specific user from Azure Active Directory, based on the Object ID or User Principal Name you have specified. | get_user_details Investigation |
Add User | Creates a new user in Azure Active Directory, based on the User Principal Name, Display Name, Password, and other input parameters you have specified. | add_user Investigation |
Enable User | Enables a specific user's account in Azure Active Directory, based on the Object ID or User Principal Name you have specified. | enable_user Containment |
Disable User | Disables a specific user's account in Azure Active Directory, based on the Object ID or User Principal Name you have specified. | disable_user Containment |
Delete User | Deletes a specific user's account from Azure Active Directory, based on the Object ID or User Principal Name you have specified. | delete_user Investigation |
Reset Password | Resets the password for an existing Azure Active Directory user, based on the Object ID or User Principal Name, password, and other input parameters you have specified. | reset_password Containment |
Generic REST API Call | Make a Generic MS Graph API Call | rest_api_call |
Parameter | Description |
---|---|
User ID | Specify the user ID or the principal name of the user whose group memberships to fetch. |
Membership Type | Select the type of group membership to retrieve from following options:
|
The output contains the following populated JSON schema:
{ "value": [ { "@odata.type": "", "displayName": "", "mailEnabled": "", "securityEnabled": "" } ] }
Parameter | Description |
---|---|
User ID | Specify the user ID or the principal name of the user for which to fetch the people records. |
Filter Query | Specify the filter query based on which to retrieve people. Refer to Azure Filter Query Parameters for information on the filter query syntax. |
Select Query | Specify the $select query to retrieve people from Azure Active Directory. The OData's Select query is supported on fields such as id , displayName , etc. Refer to OData system query options for more information. |
Number Of Records To Fetch | (Optional) Specify the maximum number of records that this operation should return from Azure. |
Offset | (Optional) Specify the count of the first few records to skip while retrieving response from Azure Active Directory. |
The output contains the following populated JSON schema:
{ "value": [ { "id": "", "displayName": "", "givenName": "", "surname": "", "birthday": "", "personNotes": "", "isFavorite": "", "jobTitle": "", "companyName": "", "yomiCompany": "", "department": "", "officeLocation": "", "profession": "", "userPrincipalName": "", "imAddress": "", "scoredEmailAddresses": [ { "address": "", "relevanceScore": "" } ], "phones": "", "postalAddresses": "", "websites": "", "personType": { "class": "", "subclass": "" } }, { "id": "", "displayName": "", "givenName": "", "surname": "", "birthday": "", "personNotes": "", "isFavorite": "", "jobTitle": "", "companyName": "", "yomiCompany": "", "department": "", "officeLocation": "", "profession": "", "userPrincipalName": "", "imAddress": "", "scoredEmailAddresses": [ { "address": "", "relevanceScore": "" } ], "phones": [ { "type": "", "number": "" } ], "postalAddresses": "", "websites": "", "personType": { "class": "", "subclass": "" } } ] }
Parameter | Description |
---|---|
User ID | Specify the user ID or the principal name of the user for whom to fetch the managers list. |
The output contains the following populated JSON schema:
{ "id": "", "displayName": "", "manager": { "id": "", "displayName": "", "manager": { "id": "", "displayName": "", "manager": { "id": "", "displayName": "" } } } }
Parameter | Description |
---|---|
User ID | Specify the user ID or the principal name of the user for whom to revoke all sign in sessions. |
The output contains the following populated JSON schema:
{ "@odata.context": "", "value": "" }
Parameter | Description |
---|---|
User ID | Specify the user ID or the principal name of the user for whom to fetch the direct reports. |
The output contains the following populated JSON schema:
{ "@odata.context": "", "value": [ { "@odata.type": "", "id": "", "businessPhones": "", "displayName": "", "givenName": "", "jobTitle": "", "mail": "", "mobilePhone": "", "officeLocation": "", "preferredLanguage": "", "surname": "", "userPrincipalName": "" } ] }
Parameter | Description |
---|---|
Filter Query | Specify the filter query based on which to retrieve the list of devices. Refer to Azure Filter Query Parameters for information on the filter query syntax. |
Select Query | Specify the $select query to retrieve people from Azure Active Directory. The OData's Select query is supported on fields such as id , displayName , etc. Refer to OData system query options for more information. |
Number Of Records To Fetch | (Optional) Specify the maximum number of records that this operation should return from Azure. |
Get All Pages | Select this option, i.e., set it to true , to fetch all pages containing all available records from Azure. |
Skip Token | (Optional) Specify a skip token if a previous operation returned a partial result. If the previous response contains a nextLink element, the value of the nextLink element includes a skip token parameter that specifies a starting point to use for subsequent calls. |
The output contains the following populated JSON schema:
{ "value": [ { "accountEnabled": "", "deviceId": "", "deviceVersion": "", "displayName": "", "Manufacturer": "", "Model": "", "operatingSystemVersion": "" } ] }
Parameter | Description |
---|---|
Device ID | Specify the device ID for which to fetch registered owners. |
The output contains the following populated JSON schema:
{ "@odata.context": "", "value": [ { "@odata.type": "", "@odata.id": "", "id": "" } ] }
Parameter | Description |
---|---|
Device ID | Specify the device ID for which to fetch registered owners. |
The output contains the following populated JSON schema:
{ "@odata.context": "", "value": [ { "@odata.type": "", "@odata.id": "", "id": "", "displayName": "", "mail": "", "mailNickname": "" } ] }
Parameter | Description |
---|---|
User ID | Specify the user ID or the principal name of the user for which to fetch owned devices. |
The output contains the following populated JSON schema:
{ "value": [ { "id": "" } ] }
Parameter | Description |
---|---|
User ID | Specify the user ID or the principal name of the user for which to fetch directory objects. |
The output contains the following populated JSON schema:
{ "value": [ { "id": "" } ] }
Parameter | Description |
---|---|
Filter Query | Specify the filter query based on which to retrieve groups. Refer to Azure Filter Query Parameters for information on the filter query syntax. |
Select Query | Specify the $select query to retrieve groups from Azure Active Directory. The OData's Select query is supported on fields such as id , displayName , etc. Refer to OData system query options for more information. |
Number Of Groups To Fetch | (Optional) Specify the maximum number of groups that this operation should return from Azure. |
Get All Pages | Select this option, i.e., set it to true , to fetch all pages containing all available records from Azure. |
Skip Token | (Optional) Specify a skip token if a previous operation returned a partial result. If the previous response contains a nextLink element, the value of the nextLink element includes a skip token parameter that specifies a starting point to use for subsequent calls. |
The output contains the following populated JSON schema:
{ "@odata.context": "", "@odata.count": "", "value": [ { "id": "", "deletedDateTime": "", "classification": "", "createdDateTime": "", "creationOptions": [], "description": "", "displayName": "", "expirationDateTime": "", "groupTypes": [], "isAssignableToRole": "", "mail": "", "mailEnabled": "", "mailNickname": "", "membershipRule": "", "membershipRuleProcessingState": "", "onPremisesDomainName": "", "onPremisesLastSyncDateTime": "", "onPremisesNetBiosName": "", "onPremisesSamAccountName": "", "onPremisesSecurityIdentifier": "", "onPremisesSyncEnabled": "", "preferredDataLocation": "", "preferredLanguage": "", "proxyAddresses": [], "renewedDateTime": "", "resourceBehaviorOptions": [], "resourceProvisioningOptions": [], "securityEnabled": "", "securityIdentifier": "", "theme": "", "visibility": "", "onPremisesProvisioningErrors": [] } ] }
Parameter | Description |
---|---|
Group ID | Specify an ID of the group for which to list the members. |
Filter Query | Specify the filter query based on which to retrieve group members. Refer to Azure Filter Query Parameters for information on the filter query syntax. |
Select Query | Specify the $select query to retrieve people from Azure Active Directory. The OData's Select query is supported on fields such as id , displayName , etc. Refer to OData system query options for more information. |
Number Of Group Members To Fetch | (Optional) Specify the maximum number of group members that this operation should return from Azure. |
Get All Pages | Select this option, i.e., set it to true , to fetch all pages containing all available records from Azure. |
Skip Token | (Optional) Specify a skip token if a previous operation returned a partial result. If the previous response contains a nextLink element, the value of the nextLink element includes a skip token parameter that specifies a starting point to use for subsequent calls. |
The output contains the following populated JSON schema:
{ "@odata.context": "", "@odata.count": "", "value": [ { "@odata.type": "", "id": "", "businessPhones": [], "displayName": "", "givenName": "", "jobTitle": "", "mail": "", "mobilePhone": "", "officeLocation": "", "preferredLanguage": "", "surname": "", "userPrincipalName": "" } ] }
Parameter | Description |
---|---|
Group ID | Specify a group ID to fetch the details for that group. |
The output contains the following populated JSON schema:
{ "@odata.context": "", "id": "", "deletedDateTime": "", "classification": "", "createdDateTime": "", "creationOptions": [], "description": "", "displayName": "", "expirationDateTime": "", "groupTypes": [], "isAssignableToRole": "", "mail": "", "mailEnabled": "", "mailNickname": "", "membershipRule": "", "membershipRuleProcessingState": "", "onPremisesDomainName": "", "onPremisesLastSyncDateTime": "", "onPremisesNetBiosName": "", "onPremisesSamAccountName": "", "onPremisesSecurityIdentifier": "", "onPremisesSyncEnabled": "", "preferredDataLocation": "", "preferredLanguage": "", "proxyAddresses": [], "renewedDateTime": "", "resourceBehaviorOptions": [], "resourceProvisioningOptions": [], "securityEnabled": "", "securityIdentifier": "", "theme": "", "visibility": "", "onPremisesProvisioningErrors": [] }
Parameter | Description |
---|---|
Group ID | Specify a group ID from which to remove the user. |
User ID | Specify the directory object ID of the user to remove from the group. |
The output contains the following populated JSON schema:
{ "status": "", "result": "" }
Parameter | Description |
---|---|
Group ID | Specify a group ID to which to add a user. |
User ID | Specify the directory object ID of the user to add to the group. |
The output contains the following populated JSON schema:
{ "status": "", "result": "" }
Parameter | Description |
---|---|
Filter Query | Specify the filter query based on which to retrieve sign-in events from Azure Active Directory. The OData's Filter query is supported on the following fields: id , userPrincipalName , displayName , givenName and jobTitle . For example [userPrincipalName eq 'username@example.com'] retrieves a user whose userPrincipalName is username@example.com . Refer to OData system query options for more information. |
Number of Events to Fetch | (Optional) Specify the maximum number of events that this operation should return from Azure. |
Get All Pages | Select this option, i.e., set it to true , to fetch all pages containing all available records from Azure. |
Skip Token | (Optional) Specify a skip token if a previous operation returned a partial result. If the previous response contains a nextLink element, the value of the nextLink element includes a skip token parameter that specifies a starting point to use for subsequent calls. |
The output contains the following populated JSON schema:
{ "@odata.context": "", "@odata.nextLink": "", "value": [ { "id": "", "createdDateTime": "", "userDisplayName": "", "userPrincipalName": "", "userId": "", "appId": "", "appDisplayName": "", "ipAddress": "", "clientAppUsed": "", "correlationId": "", "conditionalAccessStatus": "", "isInteractive": "", "riskDetail": "", "riskLevelAggregated": "", "riskLevelDuringSignIn": "", "riskState": "", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "", "resourceId": "", "status": { "errorCode": "", "failureReason": "", "additionalDetails": "" }, "deviceDetail": { "deviceId": "", "displayName": "", "operatingSystem": "", "browser": "", "isCompliant": "", "isManaged": "", "trustType": "" }, "location": { "city": "", "state": "", "countryOrRegion": "", "geoCoordinates": { "altitude": "", "latitude": "", "longitude": "" } }, "appliedConditionalAccessPolicies": [] } ] }
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Filter Query | Specify the filter query based on which to retrieve users from Azure Active Directory. The OData's Filter query is supported on the following fields: id , userPrincipalName , displayName , givenName and jobTitle . For example [userPrincipalName eq "username@example.com"] retrieves a user whose userPrincipalName is username@example.com |
Select Query | Specify the $select query to retrieve user fields from Azure Active Directory. The OData's Select query is supported on fields such as id , userPrincipalName , displayName , etc. Refer to OData system query options for more information. |
Search Query | Specify the search query to retrieve user details from Azure Active Directory. The OData's Search query is supported on fields such as id , userPrincipalName , displayName , etc. Refer to OData system query options for more information. |
The output contains the following populated JSON schema:
{ "@odata.context": "", "value": [ { "businessPhones": [], "displayName": "", "givenName": "", "jobTitle": "", "mail": "", "mobilePhone": "", "officeLocation": "", "preferredLanguage": "", "surname": "", "userPrincipalName": "", "id": "" } ] }
Parameter | Description |
---|---|
Based On | Select the parameter based on which to retrieve details of a user from Azure Active Directory. You can choose from the following options:
|
The output contains the following populated JSON schema:
Output schema when you choose Provide Additional Details as false
:
{ "id": "", "city": "", "mail": "", "state": "", "country": "", "surname": "", "ageGroup": "", "jobTitle": "", "userType": "", "faxNumber": "", "givenName": "", "department": "", "employeeId": "", "identities": [ { "issuer": "", "signInType": "", "issuerAssignedId": "" } ], "otherMails": [], "postalCode": "", "companyName": "", "displayName": "", "imAddresses": [], "mobilePhone": "", "creationType": "", "employeeType": "", "mailNickname": "", "assignedPlans": [ { "service": "", "servicePlanId": "", "assignedDateTime": "", "capabilityStatus": "" } ], "streetAddress": "", "usageLocation": "", "@odata.context": "", "accountEnabled": "", "businessPhones": [], "officeLocation": "", "proxyAddresses": [], "createdDateTime": "", "deletedDateTime": "", "employeeOrgData": "", "passwordProfile": "", "assignedLicenses": [], "employeeHireDate": "", "passwordPolicies": "", "provisionedPlans": [ { "service": "", "capabilityStatus": "", "provisioningStatus": "" } ], "externalUserState": "", "isResourceAccount": "", "preferredLanguage": "", "showInAddressList": "", "userPrincipalName": "", "securityIdentifier": "", "onPremisesDomainName": "", "onPremisesImmutableId": "", "onPremisesSyncEnabled": "", "preferredDataLocation": "", "consentProvidedForMinor": "", "licenseAssignmentStates": [], "onPremisesSamAccountName": "", "lastPasswordChangeDateTime": "", "onPremisesLastSyncDateTime": "", "legalAgeGroupClassification": "", "onPremisesDistinguishedName": "", "onPremisesUserPrincipalName": "", "onPremisesProvisioningErrors": [], "onPremisesSecurityIdentifier": "", "onPremisesExtensionAttributes": { "extensionAttribute1": "" }, "refreshTokensValidFromDateTime": "", "externalUserStateChangeDateTime": "", "signInSessionsValidFromDateTime": "" }
Output schema when you choose Provide Additional Details as true
:
{ "id": "", "city": "", "mail": "", "state": "", "mySite": "", "skills": [], "aboutMe": "", "country": "", "schools": [], "surname": "", "ageGroup": "", "birthday": "", "hireDate": "", "jobTitle": "", "userType": "", "faxNumber": "", "givenName": "", "interests": [], "department": "", "employeeId": "", "identities": [ { "issuer": "", "signInType": "", "issuerAssignedId": "" } ], "otherMails": [], "postalCode": "", "companyName": "", "displayName": "", "imAddresses": [], "mobilePhone": "", "creationType": "", "employeeType": "", "mailNickname": "", "pastProjects": [], "assignedPlans": [ { "service": "", "servicePlanId": "", "assignedDateTime": "", "capabilityStatus": "" } ], "preferredName": "", "streetAddress": "", "usageLocation": "", "@odata.context": "", "accountEnabled": "", "businessPhones": [], "officeLocation": "", "proxyAddresses": [], "createdDateTime": "", "deletedDateTime": "", "employeeOrgData": "", "passwordProfile": "", "assignedLicenses": [ { "skuId": "", "disabledPlans": [] } ], "employeeHireDate": "", "passwordPolicies": "", "provisionedPlans": [ { "service": "", "capabilityStatus": "", "provisioningStatus": "" } ], "responsibilities": [], "externalUserState": "", "isResourceAccount": "", "preferredLanguage": "", "showInAddressList": "", "userPrincipalName": "", "securityIdentifier": "", "onPremisesDomainName": "", "onPremisesImmutableId": "", "onPremisesSyncEnabled": "", "preferredDataLocation": "", "consentProvidedForMinor": "", "licenseAssignmentStates": [ { "error": "", "skuId": "", "state": "", "disabledPlans": [], "assignedByGroup": "", "lastUpdatedDateTime": "" } ], "onPremisesSamAccountName": "", "lastPasswordChangeDateTime": "", "onPremisesLastSyncDateTime": "", "legalAgeGroupClassification": "", "onPremisesDistinguishedName": "", "onPremisesUserPrincipalName": "", "onPremisesProvisioningErrors": [], "onPremisesSecurityIdentifier": "", "onPremisesExtensionAttributes": { "extensionAttribute1": "" }, "refreshTokensValidFromDateTime": "", "externalUserStateChangeDateTime": "", "signInSessionsValidFromDateTime": "" }
Parameter | Description |
---|---|
Display Name | Specify the name that you want to be displayed in the address book for the user that you are creating in Azure Active Directory. |
Mail Nick Name | Specify the mail alias for the user that you are creating in Azure Active Directory. |
User Principal Name | Specify the principal name of the user that you are creating in Azure Active Directory. |
Password | Specify the password of the user that you are creating in Azure Active Directory. |
Force Change Password Next Login | Select this option, i.e., set it to true, to force the users to change their password when they next log on to Azure Active Directory. |
Account Enabled | Select this option, i.e., set it to true, to enable this user's account on Azure Active Directory. |
Additional Fields | (Optional) Specify additional fields to add to the user's account that you are creating in Azure Active Directory. |
The output contains the following populated JSON schema:
{ "@odata.context": "", "id": "", "businessPhones": [], "displayName": "", "givenName": "", "jobTitle": "", "mail": "", "mobilePhone": "", "officeLocation": "", "preferredLanguage": "", "surname": "", "userPrincipalName": "" }
Parameter | Description |
---|---|
Based On | Select the parameter based on which to enable a user's account on Azure Active Directory. You can choose from the following options:
|
The output contains the following populated JSON schema:
{ "status": "", "result": "" }
Parameter | Description |
---|---|
Based On | Select the parameter based on which to disable a user's account on Azure Active Directory. You can choose from the following options:
|
The output contains the following populated JSON schema:
{ "status": "", "result": "" }
Parameter | Description |
---|---|
Based On | Select the parameter based on which to delete a user's account on Azure Active Directory. You can choose from the following options:
|
The output contains the following populated JSON schema:
{ "status": "", "result": "" }
Parameter | Description |
---|---|
Based On | Select the parameter based on which to reset the password of a user's account on Azure Active Directory. You can choose from the following options:
|
Password | Specify a temporary password that you want to set for the user on Azure Active Directory. |
Force Change Password Next Login | Select this option, i.e., set it to true, to force the users to change their password when they next log on to Azure Active Directory. |
The output contains the following populated JSON schema:
{ "status": "", "result": "" }
Parameter | Description |
---|---|
API Endpoint | Specify the MS Graph API Endpoint from which to fetch details. |
HTTP method | Specify the HTTP Method used to access the endpoint. |
Query params | Specify query parameters in JSON format to send as part of the URL. |
Request Payload | Specify the Body of the POST/PUT/PATCH request in JSON. |
The output contains a non-dictionary value.
The Sample - Azure Active Directory - 2.2.0
playbook collection comes bundled with the Azure Active Directory connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Azure Active Directory connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
The Sample - Azure Active Directory - 2.2.0 playbook collection contains pluggable enrichment playbooks that are used to provide verdicts for the indicator of type user.
The pluggable enrichment playbooks are of the format: 'user > Azure Active Directory > Enrichment'
The 'Configuration' step in all the pluggable enrichment playbooks contain variables that have default values for calculating the 'Verdict' for various indicator types.
Based on the Azure Active Directory integration API response following variables are returned:
Variable Name | Description | Return Value |
---|---|---|
cti_name |
The name of the connector is called the CTI (Cyber Threat Intelligence) name | AzureActiveDirectory |
source_data |
The source_data response returned by the integration API. |
A JSON response object containing the source data of the threat intelligence integration. |
enrichment_summary |
The contents that are added, in the HTML format, in the Description field of the specified FortiSOAR™ indicator record. |
The following tables are returned in the HTML format:
|
You can get authentication tokens to access the security graph APIs using two methods:
User.Read
User.Read.All
User.ReadWrite
User.ReadWrite.All
User.ReadBasic.All
User.ManageIdentities.All
People.Read
People.Read.All
Device.Read.All
Group.ReadWrite.All
GroupMember.Read.All
GroupMember.ReadWrite.All
Group.Read.All
AuditLog.Read.All
Directory.Read.All
Directory.ReadWrite.All
Directory.AccessAsUser.All
of type Delegated.TENANT_ID
, CLIENT_ID
, and REDIRECT_URI
with your tenant ID, client ID, and the following redirect URL:https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize?response_type=code&scope=offline_access https://graph.microsoft.com/.default&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI
REDIRECT_URI?code=AUTH_CODE&session_state=SESSION_STATE
AUTH_CODE
(without the "code=" prefix) and paste it in your instance configuration in the Authorization Code parameter.User.Read.All
User.ReadWrite.All
People.Read.All
Device.Read.All
Device.ReadWrite.All
GroupMember.Read.All
GroupMember.ReadWrite.All
Group.ReadWrite.All
Group.Read.All
AuditLog.Read.All
Directory.Read.All
Directory.ReadWrite.All
User.ManageIdentities.All
of type Application.