Prerequisites for Creating a Connection

You must satisfy the following prerequisites to create a connection with the Azure Active Directory Adapter:

Register an Application

Register an application in the Microsoft Entra admin center, and obtain the tenant ID and client ID.

  1. Log in to the Microsoft Entra admin center (Azure AD).
  2. Navigate to Identity, then Applications, and then to App registrations.
  3. Click New Registrations.
  4. Enter a name for the application, and select a supported account type.
  5. Optionally, under Redirect URI, enter the redirect URI in the following format:
    https://OIC_instance_URL/icsapis/agent/oauth/callback

    Note:

    A redirect URI is only required if you want to configure Authorization Code Credentials security policy for your Azure Active Directory connection.
  6. Click Register.
    The tenant ID and client ID are displayed.
  7. Copy the values for the tenant ID and client ID.
    You'll need to enter those values on the Connections page when you configure security for your Azure Active Directory Adapter connection in Oracle Integration. See Configure Connection Security.

Create a New Client Secret

Create a new client secret.

  1. Log in to the Microsoft Entra admin center.
  2. Navigate to Identity, then Applications, and then to App registrations.
  3. Select the application that you registered. See Register an Application.
  4. Click Certificates & secrets.
  5. Click Client secrets, and then click New client secret.
  6. Enter a description of the secret, and select a duration.
  7. Click Add.
    The client secret is displayed in the Value column.
  8. Copy the client secret from the Value column.
    You'll need to enter the client secret on the Connections page when you configure security for your Azure Active Directory Adapter connection in Oracle Integration. See Configure Connection Security.

Assign API Permissions

You must grant API permissions to the application that you created in the Microsoft Entra admin center (Azure AD).

  1. Log in to the Microsoft Entra admin center.
  2. Navigate to Identity, then Applications, and then to App registrations.
  3. Select the application that you registered. See Register an Application.
  4. Click API Permissions.
  5. Add the required permissions. See Microsoft Graph Permissions Reference.

Note:

You must have the mandated API permissions for the specific User, Group, Organization, and Application Business Object.

Refer to the following tables for the required permissions to create an Azure Active Directory Adapter connection.

Table 2-1 Permissions Required for Connections

Delegated (Work or School Account) Permissions:
  • User.ReadBasic.All
  • User.Read.All
  • User.ReadWrite.All
  • Directory.Read.All
  • Directory.ReadWrite.All
Delegated (Personal Microsoft Account) Permissions:
  Not supported.
Application Permissions:
  • User.Read.All
  • User.ReadWrite.All
  • Directory.Read.All
  • Directory.ReadWrite.All

Table 2-2 Permissions Required for Invoke Actions

Each action lists three permission columns: Delegated (Work or School Account) Permissions, Delegated (Personal Microsoft Account) Permissions, and Application Permissions.

User business object

  Create User
    Delegated (work or school account):
      • User.ReadWrite.All
      • Directory.ReadWrite.All
      • CustomSecAttributeAssignment.Read.All
      • CustomSecAttributeAssignment.ReadWrite.All
      • CustomSecAttributeDefinition.Read.All
      • CustomSecAttributeDefinition.ReadWrite.All
    Delegated (personal Microsoft account): Not supported.
    Application:
      • User.ReadWrite.All
      • Directory.ReadWrite.All
      • CustomSecAttributeAssignment.Read.All
      • CustomSecAttributeAssignment.ReadWrite.All
      • CustomSecAttributeDefinition.Read.All
      • CustomSecAttributeDefinition.ReadWrite.All

  Update User
    Delegated (work or school account):
      • User.ReadWrite
      • User.ManageIdentities.All
      • User.EnableDisableAccount.All
      • User.ReadWrite.All
      • Directory.ReadWrite.All
      • CustomSecAttributeAssignment.Read.All
      • CustomSecAttributeAssignment.ReadWrite.All
      • CustomSecAttributeDefinition.Read.All
      • CustomSecAttributeDefinition.ReadWrite.All
    Delegated (personal Microsoft account):
      • User.ReadWrite
    Application:
      • User.ManageIdentities.All
      • User.EnableDisableAccount.All
      • User.ReadWrite.All
      • Directory.ReadWrite.All
      • CustomSecAttributeAssignment.Read.All
      • CustomSecAttributeAssignment.ReadWrite.All
      • CustomSecAttributeDefinition.Read.All
      • CustomSecAttributeDefinition.ReadWrite.All

  Get a User
    Delegated (work or school account):
      • User.Read
      • User.ReadWrite
      • User.ReadBasic.All
      • User.Read.All
      • User.ReadWrite.All
      • Directory.Read.All
      • Directory.ReadWrite.All
      • CustomSecAttributeAssignment.Read.All
      • CustomSecAttributeAssignment.ReadWrite.All
      • CustomSecAttributeDefinition.Read.All
      • CustomSecAttributeDefinition.ReadWrite.All
    Delegated (personal Microsoft account):
      • User.Read
      • User.ReadWrite
    Application:
      • User.Read.All
      • User.ReadWrite.All
      • Directory.Read.All
      • Directory.ReadWrite.All
      • CustomSecAttributeAssignment.Read.All
      • CustomSecAttributeAssignment.ReadWrite.All
      • CustomSecAttributeDefinition.Read.All
      • CustomSecAttributeDefinition.ReadWrite.All

  List Users
    Delegated (work or school account):
      • User.ReadBasic.All
      • User.Read.All
      • User.ReadWrite.All
      • Directory.Read.All
      • Directory.ReadWrite.All
      • CustomSecAttributeAssignment.Read.All
      • CustomSecAttributeAssignment.ReadWrite.All
      • CustomSecAttributeDefinition.Read.All
      • CustomSecAttributeDefinition.ReadWrite.All
    Delegated (personal Microsoft account): Not supported.
    Application:
      • User.Read.All
      • User.ReadWrite.All
      • Directory.Read.All
      • Directory.ReadWrite.All
      • CustomSecAttributeAssignment.Read.All
      • CustomSecAttributeAssignment.ReadWrite.All
      • CustomSecAttributeDefinition.Read.All
      • CustomSecAttributeDefinition.ReadWrite.All

  Delete a User
    Delegated (work or school account):
      • User.ReadWrite.All
    Delegated (personal Microsoft account): Not supported.
    Application:
      • User.ReadWrite.All

  List License Details
    Delegated (work or school account):
      • LicenseAssignment.Read.All
      • Directory.Read.All
      • Directory.ReadWrite.All
      • User.Read
      • User.Read.All
      • User.ReadWrite.All
    Delegated (personal Microsoft account):
      • User.Read
    Application: Not supported.

  Assign and Remove User License
    Delegated (work or school account):
      • LicenseAssignment.ReadWrite.All
      • Directory.ReadWrite.All
      • User.ReadWrite.All
    Delegated (personal Microsoft account): Not supported.
    Application:
      • LicenseAssignment.ReadWrite.All
      • Directory.ReadWrite.All
      • User.ReadWrite.All

  List Manager
    Delegated (work or school account):
      • User.Read.All
      • Directory.Read.All
      • Directory.ReadWrite.All
      • User.ReadWrite.All
    Delegated (personal Microsoft account): Not supported.
    Application: Not supported.

  Get Member Objects User
    Delegated (work or school account):
      • User.Read
      • User.Read.All
      • Directory.Read.All
      • User.ReadWrite.All
      • Directory.ReadWrite.All
    Delegated (personal Microsoft account): Not supported.
    Application:
      • User.Read.All
      • Directory.Read.All
      • User.ReadWrite.All
      • Directory.ReadWrite.All

  Get Member Objects Group
    Delegated (work or school account):
      • GroupMember.Read.All
      • Group.Read.All
      • Directory.Read.All
      • Group.ReadWrite.All
      • Directory.ReadWrite.All
    Delegated (personal Microsoft account): Not supported.
    Application:
      • GroupMember.Read.All
      • Group.Read.All
      • Directory.Read.All
      • Group.ReadWrite.All
      • Directory.ReadWrite.All

  Create Invitation
    Delegated (work or school account):
      • User.Invite.All
      • Directory.ReadWrite.All
      • User.ReadWrite.All
    Delegated (personal Microsoft account): Not supported.
    Application:
      • User.Invite.All
      • Directory.ReadWrite.All
      • User.ReadWrite.All

  Assign Manager
    Delegated (work or school account):
      • User.ReadWrite.All
      • Directory.ReadWrite.All
    Delegated (personal Microsoft account): Not supported.
    Application:
      • User.ReadWrite.All
      • Directory.ReadWrite.All

  Remove Manager
    Delegated (work or school account):
      • User.ReadWrite.All
      • Directory.ReadWrite.All
    Delegated (personal Microsoft account): Not supported.
    Application:
      • User.ReadWrite.All
      • Directory.ReadWrite.All

  List Direct Reports
    Delegated (work or school account):
      • User.Read
      • User.ReadBasic.All
      • Directory.ReadWrite.All
      • Directory.Read.All
      • User.ReadWrite.All
      • User.Read.All
    Delegated (personal Microsoft account): Not supported.
    Application:
      • User.Read.All
      • User.ReadWrite.All
      • Directory.Read.All
      • Directory.ReadWrite.All

  Get Management Chain by ID
    Delegated (work or school account):
      • User.Read.All
      • Directory.Read.All
      • Directory.ReadWrite.All
      • User.ReadWrite.All
    Delegated (personal Microsoft account): Not supported.
    Application: Not supported.

Groups business object

  Create Group
    Delegated (work or school account):
      • Group.ReadWrite.All
      • Directory.ReadWrite.All
    Delegated (personal Microsoft account): Not supported.
    Application:
      • Group.Create
      • Directory.ReadWrite.All
      • Group.ReadWrite.All

  List Groups
    Delegated (work or school account):
      • GroupMember.Read.All
      • Group.ReadWrite.All
      • Directory.Read.All
      • Directory.ReadWrite.All
      • Group.Read.All
    Delegated (personal Microsoft account): Not supported.
    Application:
      • GroupMember.Read.All
      • Directory.Read.All
      • Directory.ReadWrite.All
      • Group.Read.All
      • Group.ReadWrite.All

  Get Group
    Delegated (work or school account):
      • GroupMember.Read.All
      • Group.ReadWrite.All
      • Directory.Read.All
      • Directory.ReadWrite.All
      • Group.Read.All
    Delegated (personal Microsoft account): Not supported.
    Application:
      • GroupMember.Read.All
      • Group.ReadWrite.All
      • Directory.Read.All
      • Directory.ReadWrite.All
      • Group.Read.All

  List Group Members
    Delegated (work or school account):
      • GroupMember.Read.All
      • Directory.Read.All
      • Group.Read.All
      • Group.ReadWrite.All
      • GroupMember.ReadWrite.All
    Delegated (personal Microsoft account): Not supported.
    Application:
      • GroupMember.Read.All
      • Directory.Read.All
      • Group.Read.All
      • Group.ReadWrite.All
      • GroupMember.ReadWrite.All

  Update Group
    Delegated (work or school account):
      • Group.ReadWrite.All
      • Directory.ReadWrite.All
    Delegated (personal Microsoft account): Not supported.
    Application:
      • Group.ReadWrite.All
      • Directory.ReadWrite.All

  Delete Group
    Delegated (work or school account):
      • Group.ReadWrite.All
    Delegated (personal Microsoft account): Not supported.
    Application:
      • Group.ReadWrite.All

  Add Members
    Delegated (work or school account):
      • GroupMember.ReadWrite.All
    Delegated (personal Microsoft account): Not supported.
    Application:
      • GroupMember.ReadWrite.All

  Remove Member
    Delegated (work or school account):
      • GroupMember.ReadWrite.All
      • Directory.ReadWrite.All
      • Group.ReadWrite.All
    Delegated (personal Microsoft account): Not supported.
    Application:
      • GroupMember.ReadWrite.All
      • Directory.ReadWrite.All
      • Group.ReadWrite.All

Organization business object

  Get organization
    Delegated (work or school account):
      • DeviceManagementServiceConfig.Read.All
      • DeviceManagementServiceConfig.ReadWrite.All
      • DeviceManagementConfiguration.Read.All
      • DeviceManagementConfiguration.ReadWrite.All
    Delegated (personal Microsoft account): Not supported.
    Application:
      • DeviceManagementServiceConfig.Read.All
      • DeviceManagementServiceConfig.ReadWrite.All
      • DeviceManagementConfiguration.Read.All
      • DeviceManagementConfiguration.ReadWrite.All

Application business object

  List Applications
    Delegated (work or school account):
      • Application.Read.All
      • Application.ReadWrite.All
      • Directory.ReadWrite.All
      • Directory.Read.All
    Delegated (personal Microsoft account):
      • Application.Read.All and User.Read
      • Application.ReadWrite.All and User.Read
    Application:
      • Application.Read.All
      • Application.ReadWrite.OwnedBy
      • Application.ReadWrite.All
      • Directory.Read.All

Table 2-3 Permissions Required for Trigger Resources

User resource
  Delegated (work or school account): User.Read.All
  Delegated (personal Microsoft account): User.Read.All
  Application: User.Read.All

Group resource
  Delegated (work or school account): Group.Read.All
  Delegated (personal Microsoft account): Not supported.
  Application: Group.Read.All
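Before entering the tenant ID, client ID and client secret on the Connections page, it is worth confirming that the permissions you granted and consented to in the Microsoft Entra admin center actually appear in the token the application receives. The following Python script is an added example, not part of the Oracle Integration documentation or of the adapter: `request_app_token` performs the OAuth 2.0 client credentials exchange against the Microsoft identity platform v2.0 token endpoint with the values from the registration and client secret procedures above, and `granted_permissions` reads the `roles` claim (application permissions) or `scp` claim (delegated permissions) out of the resulting access token so it can be compared against Tables 2-1, 2-2 and 2-3. The permission lists in each table cell are read here as alternatives, as in the Microsoft Graph permissions reference; that reading, the `constructed_token` helper and the sample claims are assumptions made for this example.

```python
"""Check which Microsoft Graph permissions an application token carries.

Added example (not Oracle's or Microsoft's code). Assumes the tenant ID,
client ID and client secret obtained in the registration steps, and treats
each permission list in the tables as a set of alternatives.
"""
import base64
import json
import urllib.parse
import urllib.request

GRAPH_SCOPE = "https://graph.microsoft.com/.default"

# Application permissions from Table 2-1 (any one of them is taken to satisfy
# the connection requirement; this is the example's reading of the table).
CONNECTION_APP_PERMISSIONS = {
    "User.Read.All",
    "User.ReadWrite.All",
    "Directory.Read.All",
    "Directory.ReadWrite.All",
}


def request_app_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client credentials grant against the v2.0 token endpoint (network call)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
    }).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWT for inspection only.

    The signature is deliberately not verified here: Graph validates it on
    use, and this script only reports what the token claims to carry.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(token: str) -> set:
    """App-only tokens list permissions in `roles`; delegated tokens in `scp`."""
    claims = jwt_claims(token)
    roles = set(claims.get("roles", []))
    scopes = set(claims["scp"].split()) if claims.get("scp") else set()
    return roles | scopes


def satisfies(token: str, alternatives: set) -> bool:
    """True when at least one of the listed alternative permissions was granted."""
    return bool(granted_permissions(token) & alternatives)


def missing_for_actions(token: str, required_by_action: dict) -> dict:
    """Map each action to its alternatives when none of them is granted."""
    granted = granted_permissions(token)
    return {action: alts for action, alts in required_by_action.items()
            if not granted & alts}


def constructed_token(claims: dict) -> str:
    """Build an unsigned JWT from claims (constructed test data, never valid for Graph)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Constructed sample: an application that was granted only User.Read.All.
    sample = constructed_token({"aud": "https://graph.microsoft.com",
                                "roles": ["User.Read.All"]})
    print("connection requirement met:", satisfies(sample, CONNECTION_APP_PERMISSIONS))
    print("actions lacking a granted permission:", missing_for_actions(sample, {
        "Delete a User": {"User.ReadWrite.All"},          # Table 2-2
        "Add Members": {"GroupMember.ReadWrite.All"},     # Table 2-2
        "User trigger": {"User.Read.All"},                # Table 2-3
    }))
```

To run it against your own registration, call `request_app_token` with the tenant ID, client ID and client secret from the steps above and pass the returned token to `missing_for_actions` with the rows of Table 2-2 your integration uses. An empty result means every action has at least one granted permission; a non-empty result points at the exact row to revisit under API Permissions before configuring the connection.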