Skip to main content

EmpowerID Admin Lab 4: Entra ID Account Store

Purpose

This lab guides you through creating an account store connection to an Azure Entra ID tenant.

Prerequisites

  1. Access to the EmpowerID training environment.
  2. Azure Entra ID tenant information:
    • App service URL
    • Azure application object ID (Client ID)
    • Azure directory ID (Tenant ID)
    • Certificate thumbprint for authentication

Steps

1. Navigate to the Azure RBAC Manager

  1. Open your browser and log in to EmpowerID.
  2. Go to Azure RBAC Manager > Configuration.
  3. Click on the Tenants tab.

2. Create an Entra ID Account Store

  1. Click the + button to create a new account store connection.
  2. Fill in the following details provided in the lab information document:
    • Account Store Name: Enter a name for the account store (e.g., Entra ID Tenant).
    • App Service URL: Enter the URL of the app service.
    • Azure Application Object ID: Enter the Client ID.
    • Azure Directory ID: Enter the Tenant ID.
    • Certificate Thumbprint: Select the CN=EntraScimAuth certificate from the dropdown.
  3. Click Save to create the account store.

3. Verify and Edit Account Store Settings

  1. Click the Tenant name in the list of tenants to bring up the main Account Store page.
  2. Click the pencil icon by the account store name to edit the configuration

General Settings

Configure the following settings in the Settings page

  1. Enable the Is Visible in IAM Shop flag to allow the resources to be visible in the IAM Shop
  2. Enable the Allow Password Sync to synchronize passwords with AD.
  3. Disable the Allow Person Provisioning (Identity Source) since we do not want to provision people from this account store.
  4. Enable Allow Attribute Flow.
  5. Enable Allow Provisioning (By RET) and Allow Deprovisioning (By RET) to allow account creation and deletion by the provisioning policies
  6. Disable Allow Business Role and Location Re-Evaluation (OROZ Source) since we will not be using assigning roles and locations from data in this system.

Inventory Settings

  1. Go to the Inventory tab.
  2. Enable Inventory Enabled.

Membership Settings

  1. Go to the Membership tab.
  2. Enable Enable Group Membership Reconciliation to manage group memberships.

Save the account store settings.

4. Monitor the Inventory Job

  1. Navigate to the Job History tab.
  2. Wait for the inventory job to run and monitor its progress.
  3. Confirm successful completion of the inventory job:
    • The Succeeded column will have a check mark in the box if the job completed successfully

5. Verify Imported Data

  1. Navigate to the User Accounts Tab
    • You should see the list of users that was inventoried from the system.
  2. Navigate to the Groups Tab
    • You should see the list of groups that was inventoried from the system.
  3. Select a user or group by clicking on one of the name linkds to view details and confirm data accuracy.

Notes

  • Ensure that the Azure application registration and SCIM microservice are correctly set up before starting this lab.
  • Refer to EmpowerID documentation for detailed guidance on deploying the SCIM microservice and configuring the Azure app registration.
  • If issues arise, consult the logs or your instructor for assistance.

Completion

Once you’ve successfully set up the Entra ID account store, verified the imported user accounts and groups, and confirmed the inventory settings, this lab is complete. Prepare for the next lab to continue building on this configuration.

Video Walk-thru

View a video walk-thru of this lab exercise.