Introduction
This plugin is used in coordination with the storage technology plugins connected to Entra ID to provision the groups that represent the DSAs, and additionally manages the memberships that represent user acceptance of the DSAs.
Integration model
Active access permission governance
In general, the DSAs (Data Sharing Agreements) managed in Anjana Data Platform are represented in Entra ID as groups. The signatories of each DSA are managed as members of the corresponding group, so that group membership reflects the effective access to the data governed by the agreement.
The groups created by Anjana Data Platform follow this naming convention:
<configurable prefix>_<logical DSA name>_v<DSA version number>
Where:
- <configurable prefix>: prefix defined by the organization to identify groups managed by Anjana Data. It is configured in the plugin YAML.
- <logical DSA name>: functional name of the agreement as it appears in the Anjana Data Platform Portal.
- v<DSA version number>: version number of the DSA, which allows distinguishing between active and historical versions.
This convention ensures traceability, operational clarity, and controlled coexistence of different versions of the same agreement within Entra ID.
Object editing
The plugins connected to Entra ID allow managing the activation or deactivation of non-native entities; for this purpose, this plugin needs to retrieve the information of the required groups.
Required credentials
It is necessary to register an application in Entra ID and generate the required client ID and secret so that the plugin can authenticate and acquire the necessary permissions for each functionality.
Active governance
The actions performed by this plugin are the following:
- Create groups: Groups will be created to represent DSAs that transition to approved status. For this, the registered application must have the “Group.Create” permission to be able to create the groups.
- Read users: Reading user fields is required to manage membership. For this, the application requires the “User.Read” permission.
- Add/Remove users from groups: In the groups created by the plugin, users will be added and removed (the plugin does not create or delete users in the Active Directory) based on adherence to and withdrawal from the DSA. For this, the application requires the “User.Read” permission to locate users and “GroupMember.ReadWrite.All” to modify the group members with the located users.
- Delete groups: The plugin will delete those groups representing DSAs that automatically transition to expired states in Anjana. For this, the application requires the “Group.ReadWrite.All” permission to be able to delete groups.
Object editing
The actions performed by this plugin are the following:
- Read groups: A request will be made to read the data of the groups representing DSAs. For this, the registered application must have the “Group.Read.All” permission to be able to read the groups.
⚠️ Azure Limitations
The maximum number of users in a group is 100. This means that a DSA governing objects in Azure cannot have more than 100 adhered people (including owners); beyond 100, active governance cannot be applied.
The DSA name (including the configurable prefix) must not contain any of the following characters: ‘@’, ‘(’, ‘)’, ‘\’, ‘[’, ‘]’, ‘;’, ‘:’, ‘<’, ‘>’ or blank spaces, and must not exceed 64 characters (including the suffix with the DSA version added by the plugin). This limitation only applies if the DSA does not have the physical name field filled in and the group is expected to be created automatically.
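The following pre-flight check, added here as an illustration and not part of the plugin itself, composes a group name according to the naming convention described above and verifies the two limitations stated in this section (forbidden characters and 64-character length, and the 100-member ceiling for active governance) before any group is created. The prefix, DSA name and member lists are constructed sample values.

```python
# Pre-flight validation of an Entra ID group planned for a DSA.
# Limits below are the ones stated in this documentation page.
MAX_GROUP_NAME_LENGTH = 64          # includes the "_v<version>" suffix
MAX_GROUP_MEMBERS = 100             # owners plus signatories
FORBIDDEN_CHARS = set('@()\\[];:<>')  # plus any blank space, checked below


def build_group_name(prefix: str, logical_name: str, version: int) -> str:
    """Compose <configurable prefix>_<logical DSA name>_v<DSA version number>."""
    return f"{prefix}_{logical_name}_v{version}"


def validate_group_name(name: str) -> list:
    """Return the list of violations for a full group name (empty if acceptable)."""
    problems = []
    bad = sorted({c for c in name if c in FORBIDDEN_CHARS or c.isspace()})
    if bad:
        problems.append(f"forbidden characters: {bad}")
    if len(name) > MAX_GROUP_NAME_LENGTH:
        problems.append(f"length {len(name)} exceeds {MAX_GROUP_NAME_LENGTH}")
    return problems


def can_apply_active_governance(owners, signatories) -> bool:
    """True if owners and signatories together fit within the member ceiling."""
    members = set(owners) | set(signatories)   # a person counted once
    return len(members) <= MAX_GROUP_MEMBERS


def plan_group(prefix, logical_name, version, owners, signatories) -> dict:
    """Summarise whether the plugin could provision this DSA as a group."""
    name = build_group_name(prefix, logical_name, version)
    name_problems = validate_group_name(name)
    return {
        "group_name": name,
        "name_ok": not name_problems,
        "name_problems": name_problems,
        "governance_ok": can_apply_active_governance(owners, signatories),
    }


if __name__ == "__main__":
    # Constructed sample: one owner and 99 signatories, a valid name.
    report = plan_group("anjana", "sales_dsa", 3,
                        ["owner1"], [f"user{i}" for i in range(99)])
    print(report)
```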