Microsoft Azure AD / Entra ID - An identity and access management solution

Description

The Azure AD / Entra ID connector automatically pushes employee profile changes from Lucca to Microsoft Entra ID (user creation, attribute updates and deactivation when an employee leaves).

Solutions involved: User file
Type of integration: API
Integration direction: Lucca → Microsoft Entra ID
Integration frequency: Each time an employee profile is created or edited (including when an employee leaves)
Integration setup: Self-service

Note: "Microsoft Entra ID" is the new name of the solution formerly known as "Azure Active Directory". Despite the old name, it is a cloud directory and is distinct from an on-premises Active Directory domain.

Synchronized data

When an employee profile is created or edited

When an employee profile is created or modified, the following information is sent to Microsoft Entra ID:

  • Last name.
  • First name.
  • Business email address.
  • Department, written to the "Department" field of the Microsoft Entra ID user.
  • Job title, written to the "Job title" field of the Microsoft Entra ID user.
  • Manager, written to the "Manager" field of the Microsoft Entra ID user.

Please be aware that the professional email address entered in Lucca must use a domain that is accepted by your Microsoft Entra ID tenant (one of the tenant's verified domains). An address on any other domain cannot be used to create the account.

To help you with this task, you can use Lucca's tool to automatically generate professional email addresses.

When an employee leaves

When a contract end date is entered for an employee in Lucca, and it is not followed by a new contract, the employee's account is deactivated in Microsoft Entra ID at 00:00 Paris time on the day after the contract end date (D+1). For example, if an employee's contract ends on 19/10/2023 in Lucca, their account will be deactivated on 20/10/2023 at 00:00 Paris time, i.e. UTC+02:00 on that date (UTC+01:00 for dates in winter time).
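Microsoft Entra ID records sign-in and audit events in UTC, so when you want to confirm in the audit log that a leaver was disabled on schedule, you need the UTC instant rather than the Paris-local one, and that instant shifts by an hour between summer and winter time. The following added example (not Lucca's code) applies the D+1, 00:00 Paris rule described above and converts it to UTC; the contract end dates it uses are constructed.

```python
"""Compute when the Lucca connector will disable a leaver in Microsoft Entra ID.

Added example, not Lucca's code. Rule applied (from the page): the account is
deactivated at 00:00 Europe/Paris on the day after the contract end date (D+1).
Entra ID audit logs are timestamped in UTC, so the UTC instant is returned too.
The UTC offset is +02:00 while Paris is on summer time and +01:00 in winter.
"""
from datetime import date, datetime, time, timedelta, timezone
from zoneinfo import ZoneInfo

PARIS = ZoneInfo("Europe/Paris")


def deactivation_instant(contract_end: date) -> datetime:
    """Aware Paris-local datetime at which the connector disables the account."""
    return datetime.combine(contract_end + timedelta(days=1), time(0, 0), tzinfo=PARIS)


def deactivation_utc(contract_end: date) -> datetime:
    """Same instant expressed in UTC, for matching against Entra ID audit logs."""
    return deactivation_instant(contract_end).astimezone(timezone.utc)


def audit_search_window(contract_end: date, slack_minutes: int = 30) -> tuple[str, str]:
    """UTC window (ISO 8601) in which the 'Disable account' audit event should appear.

    The slack is an assumption: it allows for the connector's processing delay.
    """
    target = deactivation_utc(contract_end)
    delta = timedelta(minutes=slack_minutes)
    return (target.isoformat(), (target + delta).isoformat())


if __name__ == "__main__":
    # Constructed sample: one contract ending in summer time, one in winter time.
    for end in (date(2023, 10, 19), date(2023, 12, 15)):
        print(end, "->", deactivation_instant(end).isoformat(),
              "=", deactivation_utc(end).isoformat(), audit_search_window(end))
```

Note that the page's example of "00:00 UTC+02:00" only holds for a contract ending while Paris is on summer time; for a December leaver the same rule yields 23:00 UTC on the contract end date itself.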

Installation

1. Microsoft Entra ID: Retrieve the tenant ID of your tenant

Sign in to the Microsoft Entra admin center of the tenant you want to connect (a test tenant when testing, otherwise your production tenant) and note its Tenant ID.

2. Lucca: Install the connector

The person carrying out this operation must have the following administrator permissions in Lucca: "Application management" and "Integration administration".

Cogwheel > Applications

From the Lucca application management page, add the Microsoft Entra ID application and follow the instructions.

During installation, you will be asked to enter the Tenant ID of your Microsoft Entra ID tenant.

Finally, click on the "Continue setup in Microsoft Entra ID" button or enter the following URL in your browser:

https://[instance-name].ilucca.net/integrations/azure-active-directory/deploy/start

Please note that "[instance-name]" is the name of your Lucca instance.

You should be redirected to a Microsoft login page. Log in to your Microsoft Entra ID account as an administrator of the tenant whose Tenant ID you entered during connector setup in Lucca.

The consent page lists the permissions the Lucca application is requesting on your tenant; review them before accepting. Make sure you check the box giving consent on behalf of your organization, then click on "Accept".

3. Microsoft Entra ID: Grant admin consent to the Lucca application

Please note: the page's appearance may vary depending on which version of the Microsoft Entra admin center you are using.

Under "Enterprise applications" > "All applications", select the "Lucca" or "LuccaBot" application (Application ID: 53628f6a-ac66-4fde-8945-d639c8da4c0d). Check the Application ID rather than relying on the display name alone.

Then click on "Permissions" and "Grant admin consent for [your organization]".

4. Lucca: Monitor flows between Lucca and Microsoft Entra ID in your Lucca space.

The application management page in your Lucca space also provides an interface for monitoring the integration logs of your installed connectors.

To see this, go to the "Integration logs" section. If you cannot access it, it is because you do not have the "Integration administration" permission. Please contact your administrator or our support team.

Email notifications

Cogwheel > Applications > Azure Active Directory

From the connector settings interface, it is possible to enter email addresses that will be notified when certain events are triggered by the connector:

  • When an employee profile is created in Microsoft Entra ID, an email is sent that contains a link to set up the employee's password in Microsoft Entra ID, as well as a link to the employee's HR file in Lucca.
  • If the connector is unable to create an employee profile in Microsoft Entra ID, an email is sent that contains a link so that you can create the profile manually in Microsoft Entra ID, as well as a link to the employee's HR file in Lucca.
  • When an employee leaves and their profile is deactivated, a simple notification email is sent.
  • When the connector fails to deactivate an employee who has left, a notification email is sent. Usually, the reason for this failure is that the employee has already been deactivated in Microsoft Entra ID.

Because the creation email carries a link for setting the new employee's password, restrict the notification recipients to the administrators or mailboxes that actually need to act on it.

FAQ / Troubleshooting

I see "Authorization_RequestDenied" errors in the logs

This error means Microsoft Entra ID rejected the connector's API calls because admin consent has not been granted. Please refer to step 3 of the installation process described above ("Grant admin consent for [your organization]").

The connector has created a duplicate in Microsoft Entra ID

The employee's Microsoft Entra ID login is retrieved during the first synchronization of the two systems (which may be triggered either by a creation or by a modification in Lucca). During this first synchronization, the employee's identification key is their professional email address. From then on, the stored login is used instead.

As a result, the connector may create a duplicate when all of the following are true:

  1. The employee already has a profile in Microsoft Entra ID.
  2. They also already have a profile in Lucca, but it has never been synchronized with Microsoft Entra ID (for example, the connector has just been installed).
  3. The employee's professional email address in Lucca does not match the one known to Microsoft Entra ID (for example, it has changed).

In that case, the connector tries to identify the employee in Microsoft Entra ID using their professional email address and fails to find them; the employee is therefore created a second time in Microsoft Entra ID, and the login of this new account is stored and used to identify them from now on.

This should rarely occur. To avoid it, check before the first synchronization that every existing employee's professional email address in Lucca matches their existing Microsoft Entra ID account.
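The two pre-flight checks the page calls for (the email domain must be one the tenant accepts, and each existing employee's professional email must match their existing Entra ID account, otherwise the first synchronization creates a duplicate) can be run over an export of both systems before the connector is installed. The following is an added example, not Lucca's or Microsoft's code; it reproduces the matching rule described above (lookup by email address on the first synchronization) over constructed sample data, and adds a display-name heuristic to spot the people who would be duplicated. The list of verified domains, the employee list and the user list are all constructed here; in practice you would take them from Lucca and from your tenant.

```python
"""Pre-flight check before the first Lucca -> Microsoft Entra ID synchronization.

Added example, not Lucca's code. Per the page, the connector's first lookup keys
on the professional email address; anyone not found that way is created, which
duplicates people who already exist under another address. Addresses on domains
the tenant does not accept cannot be created at all. All data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class LuccaEmployee:
    last_name: str
    first_name: str
    professional_email: str


@dataclass(frozen=True)
class EntraUser:
    user_principal_name: str
    mail: Optional[str]
    display_name: str
    account_enabled: bool = True


def _norm(value: str) -> str:
    return value.strip().casefold()


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].casefold() if "@" in address else ""


def preflight(employees: List[LuccaEmployee], users: List[EntraUser],
              verified_domains: List[str]) -> Dict[str, List[Tuple[LuccaEmployee, Optional[EntraUser]]]]:
    """Classify every Lucca employee by what the first synchronization would do."""
    by_address: Dict[str, EntraUser] = {}
    by_name: Dict[str, List[EntraUser]] = {}
    for u in users:
        # Match on either the UPN or the mail attribute, case-insensitively.
        by_address.setdefault(_norm(u.user_principal_name), u)
        if u.mail:
            by_address.setdefault(_norm(u.mail), u)
        by_name.setdefault(_norm(u.display_name), []).append(u)
    verified = {d.casefold() for d in verified_domains}
    report: Dict[str, List[Tuple[LuccaEmployee, Optional[EntraUser]]]] = {
        "matched": [], "matched_disabled": [], "bad_domain": [],
        "probable_duplicate": [], "will_create": [],
    }
    for e in employees:
        address = _norm(e.professional_email)
        if _domain(address) not in verified:
            report["bad_domain"].append((e, None))        # creation would be rejected
            continue
        hit = by_address.get(address)
        if hit is not None:
            key = "matched" if hit.account_enabled else "matched_disabled"
            report[key].append((e, hit))                  # found by email: no duplicate
            continue
        # Not found by email: heuristic "First Last" display-name match (an assumption
        # about how display names are formed) to flag people who already exist.
        candidates = by_name.get(_norm(f"{e.first_name} {e.last_name}"), [])
        if candidates:
            report["probable_duplicate"].append((e, candidates[0]))
        else:
            report["will_create"].append((e, None))       # genuinely new account
    return report


def last_names(report, key: str) -> List[str]:
    """Convenience accessor used for reporting and assertions."""
    return [e.last_name for e, _ in report[key]]


# Constructed sample data (fictitious tenant "contoso.com").
VERIFIED_DOMAINS = ["contoso.com", "contoso.onmicrosoft.com"]
USERS = [
    EntraUser("alice.martin@contoso.com", "alice.martin@contoso.com", "Alice Martin"),
    EntraUser("b.durand@contoso.com", "bruno.durand@contoso.com", "Bruno Durand"),
    EntraUser("chloe.petit@contoso.com", None, "Chloe Petit", account_enabled=False),
    EntraUser("dave.nguyen_old@contoso.com", "dave.nguyen@contoso.onmicrosoft.com", "Dave Nguyen"),
]
EMPLOYEES = [
    LuccaEmployee("Martin", "Alice", "Alice.Martin@contoso.com"),   # case differs only
    LuccaEmployee("Durand", "Bruno", "bruno.durand@contoso.com"),   # matches mail, not UPN
    LuccaEmployee("Petit", "Chloe", "chloe.petit@contoso.com"),     # account already disabled
    LuccaEmployee("Nguyen", "Dave", "dave.nguyen@contoso.com"),     # address changed: duplicate
    LuccaEmployee("Roux", "Emma", "emma.roux@contoso.com"),         # new hire, will be created
    LuccaEmployee("Silva", "Farid", "farid.silva@example.net"),     # domain not verified
]


def example_report():
    return preflight(EMPLOYEES, USERS, VERIFIED_DOMAINS)


if __name__ == "__main__":
    for key, rows in example_report().items():
        print(f"{key}: {[e.professional_email for e, _ in rows]}")
```

Anyone listed under "probable_duplicate" should have their professional email in Lucca corrected (or the Entra ID account's address aligned) before the connector is installed; "bad_domain" entries will fail creation regardless, and "matched_disabled" entries are worth a look because the connector will update an account that someone has already disabled.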
