In this article, you will find information about how to synchronize the Azure Active Directory Groups with the HEIMDAL Dashboard. This operation enables you to assign any of the endpoints from your environment to a HEIMDAL Dashboard Group Policy that is linked to an Azure Active Directory Group (Security group type). To do that, you need to make sure that the SAML 2.0 Login feature is enabled and linked to your Azure Active Directory Tenant ID and that the Azure Active Directory Groups are synchronized with the HEIMDAL Dashboard.
1. Enabling SAML 2.0 Login
2. Creating the HEIMDAL Security Dashboard Sync application in Azure
3. Synchronizing the Azure Active Directory Groups
Enabling SAML 2.0 Login
In order to synchronize the Azure Active Directory Groups, you need to make sure that the SAML 2.0 Login feature is enabled and linked to your Azure Active Directory Tenant ID. If SAML 2.0 Login hasn't been enabled yet, follow the instructions described in the following article to enable SAML 2.0 Login: https://support.heimdalsecurity.com/hc/en-us/articles/360019971018-SAML-2-0-Login
Creating the HEIMDAL Security Dashboard Sync application in Azure
HEIMDAL fetches the Azure Active Directory Groups (Security group type) and their membership through an Azure application that calls the Microsoft Graph API. The HEIMDAL Security Dashboard Sync application can be installed/configured in 2 ways: automatically, by granting the application consent from the HEIMDAL Dashboard, or manually, by creating the application in Azure yourself (which lets you control exactly which Microsoft Graph permissions are granted).
A. Automatically installing the Heimdal Security Dashboard Sync enterprise application
1. Log in to the HEIMDAL Dashboard using your credentials or the Azure login functionality.
2. Go to the Guide section and click the Customer Settings tab.
3. In the Azure AD Sync setup, click on Grant application consent.
4. You will be prompted to log in with your Microsoft credentials (if you initially logged in with the regular login method):
5. Press Accept to grant permission to the Heimdal Security Dashboard Sync.
6. The HEIMDAL Dashboard will read all the Azure Active Directory Groups found under your Tenant ID through the Heimdal Security Dashboard Sync enterprise application that gets created in Azure.
B. Manually creating the Heimdal Security Dashboard Sync enterprise application
This option has been developed to allow you to choose what permissions are granted to the enterprise application that feeds information into the HEIMDAL Dashboard. For the synchronization to work, the application needs the Device.Read.All, Group.Read.All, User.Read.All and GroupMember.Read.All Microsoft Graph permissions, of the Application type (not Delegated), which allow it to read groups, devices and users within the Azure AD tenant without a signed-in user. To configure it, follow the steps below:
1. Open the Azure Portal and log in with your Microsoft Administrator user account.
2. Once logged in, open Azure Active Directory and click on App registrations.
3. Click on New registration at the top.
4. Provide the App details and click Register:
a. Name - enter a name for your application;
b. Supported account types - select Accounts in this organizational directory only (Single tenant);
5. After registering, you will be redirected to the application's Overview page.
6. Go to API permissions on the left-side menu (under Manage). By default, the application is granted the User.Read permission. This is a Delegated permission, so it only works with a signed-in user; it is not needed here and can be deleted. Next, click Add a permission, select Microsoft Graph, and then click on Application permissions.
7. In the Select permissions search box, search for Device.Read.All, Group.Read.All, User.Read.All, and GroupMember.Read.All and click on the Add permissions button. The permissions should look like this:
8. Press Grant admin consent for [Your company] and then Yes for the consent confirmation. This will change the Status from Not granted for ... to Granted for ... .
9. In the left-side menu, under Manage -> Certificates & secrets, you have the Client secrets tab. Click on New client secret and provide a Description, an Expiration date and press Add.
10. Make sure you copy the value of Client Secret immediately as it will be hidden after leaving the page. This value will be used for the application's authentication. Remember that Client secrets have an expiration date and they need to be renewed periodically (depending on the expiration date you have set).
11. Review all the settings and configurations for your application. Ensure that all required permissions have been granted.
12. In the HEIMDAL Dashboard, go to Guide -> Customer settings -> Login setup -> Azure Login, and add the Client ID (you can find it on the Overview page of the newly-created application), and the Secret Value. Press the Update button to validate the new application.
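The review in step 11 is easy to get wrong: a permission that appears under API permissions has only been requested, and it does not work until admin consent (step 8) is granted, while a leftover Delegated scope does nothing for an application that runs with no signed-in user. The following is an added example, not code from HEIMDAL or Microsoft, that audits a registration for exactly the points in steps 6 to 10. The JSON it checks is constructed to mirror the shape of three Microsoft Graph responses (the application object, the Microsoft Graph service principal's appRoles, and the sync app's appRoleAssignments); the permission ids in it are placeholders, not the real Microsoft Graph ids, so in a live tenant resolve names through the Graph service principal's appRoles list. Only the Microsoft Graph appId constant is the real well-known value.

```python
"""Audit a manually registered sync app (section B) against this article's
requirements: the four Microsoft Graph *application* permissions must be
requested AND admin-consented, delegated scopes are useless (no signed-in
user), and client secrets expire.

Added example, not Heimdal's or Microsoft's code. The data below is
constructed to mirror the shape of three Microsoft Graph responses:
  GET /v1.0/applications/{object-id}          -> requiredResourceAccess, passwordCredentials
  GET /v1.0/servicePrincipals/{graph-sp-id}   -> appRoles / oauth2PermissionScopes (id -> value)
  GET /v1.0/servicePrincipals/{sync-sp-id}/appRoleAssignments -> appRoleId
The permission ids are placeholders, not the real Microsoft Graph ids.
"""
from datetime import datetime, timezone

REQUIRED_APP_PERMISSIONS = {
    "Device.Read.All", "Group.Read.All", "User.Read.All", "GroupMember.Read.All",
}
# Well-known appId of the Microsoft Graph resource in every tenant.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Constructed placeholder ids -> application permission names (Graph SP appRoles).
GRAPH_ROLE_NAMES = {
    "role-device-read": "Device.Read.All",
    "role-group-read": "Group.Read.All",
    "role-user-read": "User.Read.All",
    "role-groupmember-read": "GroupMember.Read.All",
}
# Constructed placeholder ids -> delegated scope names (oauth2PermissionScopes).
GRAPH_SCOPE_NAMES = {"scope-user-read": "User.Read"}

# Constructed application object: GroupMember.Read.All was never added and the
# default delegated User.Read scope was left in place.
APPLICATION = {
    "appId": "11111111-2222-3333-4444-555555555555",
    "displayName": "Heimdal Security Dashboard Sync",
    "requiredResourceAccess": [{
        "resourceAppId": GRAPH_APP_ID,
        "resourceAccess": [
            {"id": "role-device-read", "type": "Role"},
            {"id": "role-group-read", "type": "Role"},
            {"id": "role-user-read", "type": "Role"},
            {"id": "scope-user-read", "type": "Scope"},
        ],
    }],
    "passwordCredentials": [
        {"displayName": "heimdal-sync", "endDateTime": "2025-06-11T00:00:00Z"},
    ],
}
# Constructed appRoleAssignments: admin consent was granted for two roles only.
GRANTED_ASSIGNMENTS = [
    {"appRoleId": "role-device-read"},
    {"appRoleId": "role-group-read"},
]
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed "now" for a repeatable run


def requested_graph_permissions(app):
    """Return (application roles, delegated scopes) requested from Microsoft Graph."""
    roles, scopes = set(), set()
    for resource in app.get("requiredResourceAccess", []):
        if resource.get("resourceAppId") != GRAPH_APP_ID:
            continue  # permissions on other APIs are irrelevant to the sync
        for access in resource.get("resourceAccess", []):
            if access["type"] == "Role":
                roles.add(GRAPH_ROLE_NAMES.get(access["id"], access["id"]))
            elif access["type"] == "Scope":
                scopes.add(GRAPH_SCOPE_NAMES.get(access["id"], access["id"]))
    return roles, scopes


def consented_graph_roles(assignments):
    """Roles that actually carry admin consent (appRoleAssignments on the sync SP)."""
    return {GRAPH_ROLE_NAMES.get(a["appRoleId"], a["appRoleId"]) for a in assignments}


def expiring_secrets(app, now, within_days=30):
    """(name, days left) for every client secret that expires within `within_days`."""
    found = []
    for cred in app.get("passwordCredentials", []):
        end = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
        days_left = (end - now).days
        if days_left <= within_days:
            found.append((cred.get("displayName"), days_left))
    return found


def audit(app, assignments, now):
    """One report covering steps 6 to 10 of the manual registration."""
    roles, scopes = requested_graph_permissions(app)
    granted = consented_graph_roles(assignments)
    return {
        "missing": REQUIRED_APP_PERMISSIONS - roles,                    # step 7 incomplete
        "not_consented": (REQUIRED_APP_PERMISSIONS & roles) - granted,  # step 8 incomplete
        "extra": roles - REQUIRED_APP_PERMISSIONS,                      # more than the sync needs
        "delegated": scopes,                                            # step 6: safe to delete
        "expiring_secrets": expiring_secrets(app, now),                 # step 10: rotate in time
    }


if __name__ == "__main__":
    for key, value in audit(APPLICATION, GRANTED_ASSIGNMENTS, NOW).items():
        print(f"{key:16} {sorted(value) if isinstance(value, set) else value}")
```

Run against the constructed data, the report flags GroupMember.Read.All as never requested, User.Read.All as requested but not consented, the stray delegated User.Read scope, and a secret with 10 days left. In a real tenant you would feed it the three Graph responses named in the docstring; the appRoleAssignments query is the only reliable source for "Granted" status, since the API permissions page shows requested permissions whether or not step 8 was completed.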
Synchronizing the Azure Active Directory Groups
1. To assign HEIMDAL Dashboard Group Policies based on linked Azure AD Groups, go to Endpoint Settings, click on a Group Policy and, on the General tab, select the Azure AD Group(s) to link in the Specific Azure AD Groups dropdown menu (type in at least 4 characters to see the matching Azure AD Groups):
The selected Azure AD Group(s) are now linked to the HEIMDAL Group Policy, which means that the users/devices that are members of the selected Azure Active Directory Group(s) will be assigned this HEIMDAL Dashboard Group Policy.
IMPORTANT
The Azure Active Directory Groups are automatically synchronized every 24 hours, so if an Azure AD Group is changed, or a user is added to or removed from an Azure Active Directory Group, it can take up to 24 hours for the change to propagate to the HEIMDAL Dashboard.
HEIMDAL supports Security group types only. Distribution or Microsoft 365 group types are NOT supported.
Although RESELLERS can impersonate and add/edit the Azure Active Directory Tenant IDs on behalf of their ENTERPRISE Customers, they CANNOT set up Azure Active Directory Groups on behalf of their ENTERPRISE Customers.
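Because only Security groups can be linked, it helps to know how that restriction maps onto the attributes Microsoft Graph returns for a group: Microsoft 365 groups carry "Unified" in groupTypes, distribution groups are mailEnabled but not securityEnabled, and a plain security group is securityEnabled and not mailEnabled. The following is an added example, not HEIMDAL's code, that classifies a constructed sample of group objects the way the Specific Azure AD Groups dropdown has to, emulates the 4-character search rule, and computes the membership change a 24-hour sync has to apply. Mail-enabled security groups are not mentioned in the article; the example treats them as not linkable, which is an assumption.

```python
"""Classify Azure AD groups the way the Dashboard's "Specific Azure AD Groups"
dropdown must: only Security groups are linkable, Microsoft 365 and
Distribution groups are not. Added example, not Heimdal's code. The group
objects are constructed to mirror
  GET /v1.0/groups?$select=id,displayName,securityEnabled,mailEnabled,groupTypes
Mail-enabled security groups are treated as not linkable (assumption; the
article does not mention them).
"""

# Graph $filter that returns only security groups server-side: Microsoft 365
# groups are mailEnabled and distribution groups are not securityEnabled.
SECURITY_GROUPS_FILTER = "securityEnabled eq true and mailEnabled eq false"

MIN_SEARCH_CHARS = 4  # the dropdown only searches once 4 characters are typed

GROUPS = [  # constructed sample tenant
    {"id": "g1", "displayName": "Workstations-Finance", "securityEnabled": True,
     "mailEnabled": False, "groupTypes": []},
    {"id": "g2", "displayName": "Finance-Team", "securityEnabled": False,
     "mailEnabled": True, "groupTypes": ["Unified"]},
    {"id": "g3", "displayName": "All-Staff-DL", "securityEnabled": False,
     "mailEnabled": True, "groupTypes": []},
    {"id": "g4", "displayName": "Finance-Secure-Mail", "securityEnabled": True,
     "mailEnabled": True, "groupTypes": []},
    {"id": "g5", "displayName": "Dyn-Finance-Laptops", "securityEnabled": True,
     "mailEnabled": False, "groupTypes": ["DynamicMembership"]},
]


def group_kind(group):
    """Map Graph attributes to the group type shown in the Azure portal."""
    if "Unified" in group.get("groupTypes", []):
        return "Microsoft 365"  # Unified groups are always M365, whatever the flags say
    if group.get("securityEnabled"):
        return "Mail-enabled security" if group.get("mailEnabled") else "Security"
    return "Distribution" if group.get("mailEnabled") else "Unknown"


def is_linkable(group):
    """Only plain Security groups (assigned or dynamic membership) can be linked."""
    return group_kind(group) == "Security"


def linkable_groups(groups):
    return [g for g in groups if is_linkable(g)]


def search_groups(groups, text):
    """Emulate the dropdown: nothing under 4 characters, then a case-insensitive
    substring match over linkable groups only."""
    if len(text) < MIN_SEARCH_CHARS:
        return []
    needle = text.lower()
    return [g for g in linkable_groups(groups) if needle in g["displayName"].lower()]


def membership_delta(previous, current):
    """(added, removed) between two membership snapshots taken 24 hours apart;
    this is the change the nightly sync applies to the linked Group Policy."""
    previous, current = set(previous), set(current)
    return current - previous, previous - current


if __name__ == "__main__":
    for g in GROUPS:
        print(f"{g['displayName']:22} {group_kind(g):22} linkable={is_linkable(g)}")
    print("search 'fina':", [g["displayName"] for g in search_groups(GROUPS, "fina")])
    print("delta:", membership_delta({"dev-1", "dev-2"}, {"dev-2", "dev-3"}))
```

Typing "fin" returns nothing, and "fina" returns only Workstations-Finance and Dyn-Finance-Laptops: the Microsoft 365 group Finance-Team and the mail-enabled group are filtered out before the name match, which is the behaviour to expect when a group you can see in the Azure portal does not appear in the dropdown.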