In this article, you will find information about how to synchronize the Azure Active Directory Groups and Users with the HEIMDAL Dashboard. This operation enables you to assign any of the endpoints from your environment to a HEIMDAL Dashboard Group Policy that is linked to an Azure Active Directory Group. To do that, you need to make sure that the SAML 2.0 Login feature is enabled and linked to your Azure Active Directory Tenant ID and that the Azure Active Directory Groups and Users are synchronized with the HEIMDAL Dashboard.
1. Enabling SAML 2.0 Login
2. Creating the HEIMDAL Security Dashboard Sync application in Azure
3. Synchronizing the Azure Active Directory Groups and Users
Enabling SAML 2.0 Login
In order to synchronize the Azure Active Directory Groups and Users, you need to make sure that the SAML 2.0 Login feature is enabled and linked to your Azure Active Directory Tenant ID. If SAML 2.0 Login hasn't been enabled yet, follow the instructions described in the following article to enable SAML 2.0 Login: https://support.heimdalsecurity.com/hc/en-us/articles/360019971018-SAML-2-0-Login
Creating the HEIMDAL Security Dashboard Sync application in Azure
HEIMDAL fetches the Azure Active Directory groups and their membership through an Azure application that uses the Microsoft Graph API. The HEIMDAL Security Dashboard Sync application can be installed/configured with 2 methods: automatically, by granting the application consent from the HEIMDAL Dashboard, or manually, by creating the application in Azure yourself (which lets you manage the permissions you grant in Microsoft Graph).
A. Automatically installing the Heimdal Security Dashboard Sync enterprise application
1. Log in to the HEIMDAL Dashboard using your HEIMDAL Dashboard credentials or the Azure Login functionality (this needs to be the user account that is assigned to an Enterprise customer, not a Reseller account).
2. Go to the Guide section and click on the Customer Settings Tab.
3. Click on Grant application consent.
4. You will be prompted to log in with your Microsoft credentials (in case you initially logged in with the regular login method):
5. Press Accept to grant permission to the Heimdal Security Dashboard Sync.
6. Synchronize the Azure Active Directory Groups and Users with the HEIMDAL Dashboard by pressing the Sync Users button:
7. The HEIMDAL Dashboard will read all the Azure Active Directory Groups found under your Tenant ID:
B. Manually creating the Heimdal Security Dashboard Sync enterprise application
The enterprise application will use the Device.Read.All, Group.Read.All, User.Read.All, and GroupMember.Read.All permissions, which will allow the application to read information about devices, groups, and users within the Azure AD tenant.
1. Open the Azure Portal and log in with your Microsoft Administrator user account.
2. Once logged in, in Azure Active Directory click on App registration.
3. Click on New registration at the top.
4. Provide the App details and click Register:
a. Name - enter a name for your application;
b. Supported account types - select Accounts in this organizational directory only (Single tenant);
5. After registering, you will be redirected to the application's Overview page. By default, the application is granted the User.Read permission. This is a Delegated permission, which only works with a signed-in user; it is not needed here and can be deleted.
6. Go to API permissions on the left-side menu (under Manage), click Add a permission, select Microsoft Graph, and then click on Application permissions.
7. In the Select permissions search box, search for Device.Read.All, Group.Read.All, User.Read.All, and GroupMember.Read.All and click on the Add permissions button. The permissions should look like this:
8. Press Grant admin consent for [Your company] and then Yes for the consent confirmation. This will change the Status from Not granted for ... to Granted for ... .
9. In the left-side menu, under Manage -> Certificates & secrets, you have the Client secrets tab. Click on New client secret and provide a Description, an Expiration date and press Add.
10. Make sure you copy the value of Client Secret immediately as it will be hidden after leaving the page. This value will be used for the application's authentication.
11. Review all the settings and configurations for your application. Ensure that all required permissions have been granted.
12. In the HEIMDAL Dashboard, go to Guide -> Azure AD & SAML Setup, and add the Tenant ID, the Client ID, and the Secret Value. Press the Update button to validate the new application.
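The manual registration above (steps 4 to 10), performed with the Microsoft Graph PowerShell SDK instead of the portal, as an added example that is not Heimdal's own tooling. It assumes the SDK is installed and the signed-in administrator may create applications and grant admin consent; the display name, credential description and 12-month secret lifetime are placeholders.

```powershell
# Added example, not Heimdal's tooling: registers the sync application with
# the Microsoft Graph PowerShell SDK. App name, credential description and
# secret lifetime below are assumptions; adjust them to your own policy.
Connect-MgGraph -Scopes 'Application.ReadWrite.All','AppRoleAssignment.ReadWrite.All'

$AppName        = 'Heimdal Security Dashboard Sync'   # step 4a (placeholder)
$SecretMonths   = 12                                  # step 9 (placeholder)
$Permissions    = 'Device.Read.All','Group.Read.All','User.Read.All','GroupMember.Read.All'

# Microsoft Graph's service principal; this appId is the same in every tenant.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Resolve the permission names to app role IDs instead of hard-coding GUIDs and
# keep only Application-type roles (step 6). Because no Delegated scope is
# requested, the default User.Read from step 5 is never added.
$roles = @($graphSp.AppRoles | Where-Object {
    $_.Value -in $Permissions -and $_.AllowedMemberTypes -contains 'Application'
})
if ($roles.Count -ne $Permissions.Count) { throw 'Could not resolve every permission name' }

$requiredAccess = @{
    ResourceAppId  = $graphSp.AppId
    ResourceAccess = @($roles | ForEach-Object { @{ Id = $_.Id; Type = 'Role' } })
}

# Step 4b: single-tenant registration, plus the service principal in this tenant.
$app = New-MgApplication -DisplayName $AppName -SignInAudience 'AzureADMyOrg' `
        -RequiredResourceAccess @($requiredAccess)
$sp  = New-MgServicePrincipal -AppId $app.AppId

# Step 8: admin consent for an application permission is an appRoleAssignment
# from the app's own service principal to Graph's service principal.
foreach ($role in $roles) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id `
        -PrincipalId $sp.Id -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
}

# Steps 9-10: create the client secret. SecretText is returned only once,
# exactly like the portal value, so capture it now.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = 'HEIMDAL Dashboard'
    EndDateTime = (Get-Date).AddMonths($SecretMonths)
}

# The three values step 12 asks for under Guide -> Azure AD & SAML Setup.
[pscustomobject]@{
    TenantId     = (Get-MgContext).TenantId
    ClientId     = $app.AppId
    SecretValue  = $secret.SecretText
    SecretExpiry = $secret.EndDateTime
}
```

The SecretExpiry field is worth recording: the sync stops when the secret expires, so rotate it (steps 9, 10 and 12) before that date.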
Synchronizing the Azure Active Directory Groups and Users
1. From the dropdown below, select what Azure Active Directory Groups will be synchronized with the HEIMDAL Dashboard (type in at least 4 characters to see the groups being displayed) and hit the Update button:
2. The selected Azure AD Groups can now be linked to any HEIMDAL Group Policy from the Endpoints Settings -> General tab, where the Specific Azure Groups setting lets you bind the current Group Policy to one or more Azure Active Directory Groups (Microsoft 365 Groups, Distribution Groups, Mail-enabled Security Groups, Security Groups). The users/devices that are members of the specified Azure Active Directory Group(s) will receive the current Heimdal Group Policy.
IMPORTANT
The Azure Active Directory Groups and Users are synchronized automatically every 4 hours, so if an Azure AD Group is changed, or a user is added to or removed from an Azure Active Directory Group, it will take 4 hours for the update to propagate.
Although RESELLERS can impersonate and add/edit the Azure Active Directory Tenant IDs on behalf of their ENTERPRISE Customers, they CANNOT synchronize Azure Active Directory Groups and Users on behalf of their ENTERPRISE Customers.