Understanding the Integration between EIC and Dynamics 365
Last Updated: May 08, 2023
You must create an integration between EIC and the target application (Dynamics 365 Finance and Operations, abbreviated F&O below) to perform the import, provisioning, and deprovisioning tasks. The following components are involved in the integration:
- Connected Application is the target application for which EIC manages the identity repository.
- Security System represents the connection between EIC and the target application.
  - It comprises an endpoint, which is the target application for which EIC manages the identity repository. For more information about creating a security system, see Creating a Security System.
  - It provides an application-instance abstraction over the connectivity, including high-level metadata.
  - You can select one connection for importing data from the target application and another connection for provisioning data to the target application.
- Endpoint is an instance of an application within the context of a security system.
  - It is the target application from which the connector imports data and on which it provisions or deprovisions identity objects such as users, accounts, and entitlements.
  - You must create an endpoint after creating the security system.
  - You can associate a single security system with multiple endpoints if the deployment models multiple isolated virtual applications (based on sets of specific entitlements in certain categories) within a single application instance.
- Connector is a software component that enables communication between EIC and the target application through the Open Data Protocol (OData).
  - It provides a simplified integration mechanism where you only need to create a connection with minimal connectivity information for your target application. For example, select the D365 connection type for importing data and the REST_Dynamics365 (REST) connection type for provisioning and de-provisioning tasks, and specify the Base URL, Tenant ID, Login URL, Client ID, and Client Secret to connect.
Connector Architecture
The connector integrates with Dynamics 365 via the OData protocol. The following diagram illustrates the connector architecture and communication with the target application. The sequence is:
- EIC, through the Dynamics 365 connector, connects to Azure AD and requests an access token using the client ID and client secret of the registered connector application.
- Azure AD returns the access token to EIC via the Dynamics 365 connector.
- The connector presents the access token as a bearer token to authenticate its OData requests to the Dynamics 365 F&O application.
- Data from the Dynamics 365 F&O application (the OData response) is returned to EIC. For more details about OAuth 2.0 on the Microsoft identity platform, see the Microsoft documentation web site.
- User accounts and access information are imported from the Dynamics 365 F&O application into EIC.
- (Optional) Account management operations (provisioning) are performed from EIC against the Dynamics 365 F&O application.
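The token exchange and OData call in the sequence above, as an added Python example that is not part of Saviynt's connector code. It assumes the Microsoft identity platform v2.0 token endpoint at login.microsoftonline.com (the LOGIN_URL of the connection), the F&O OData root at Base URL plus /data, the SystemUsers entity (the account object in the Data Model) with UserID and Enabled fields, and a hypothetical host example.operations.dynamics.com. The FakeDynamics class is a constructed stand-in for Azure AD and F&O so that the flow runs offline; http_transport is the same flow against a live tenant.

```python
"""Client-credentials token request followed by an authenticated OData read.
Added example; endpoints, entity and field names are assumptions (see lead-in)."""
import json
import urllib.parse
import urllib.request

LOGIN_URL = "https://login.microsoftonline.com"  # assumed Microsoft authentication URL


def token_request(tenant_id, client_id, client_secret, base_url):
    """Build the POST that exchanges the registered app's credentials for an access
    token. The scope is the F&O base URL with the /.default suffix, i.e. the
    syntax the connection's Scope parameter describes (v2.0 endpoint)."""
    url = f"{LOGIN_URL}/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{base_url.rstrip('/')}/.default",
    }
    return url, form


def odata_request(base_url, entity, access_token, select=()):
    """Build the OData GET; the token travels only in the Authorization header,
    the client secret never leaves the token request."""
    url = f"{base_url.rstrip('/')}/data/{entity}"
    if select:
        url += "?$select=" + ",".join(select)
    headers = {"Authorization": f"Bearer {access_token}", "Accept": "application/json"}
    return url, headers


def fetch_accounts(transport, tenant_id, client_id, client_secret, base_url):
    """Run the full exchange. transport(method, url, headers, body) returns the
    JSON-decoded response; pass http_transport for a live call or a fake for tests."""
    url, form = token_request(tenant_id, client_id, client_secret, base_url)
    tok = transport("POST", url,
                    {"Content-Type": "application/x-www-form-urlencoded"},
                    urllib.parse.urlencode(form).encode())
    # Fail closed: no bearer token means no OData call, and the error is surfaced
    # without echoing the secret.
    if "access_token" not in tok or tok.get("token_type") != "Bearer":
        raise RuntimeError("token request failed: " + str(tok.get("error", tok)))
    url, headers = odata_request(base_url, "SystemUsers", tok["access_token"],
                                 ("UserID", "Enabled"))
    return transport("GET", url, headers, None)["value"]


def http_transport(method, url, headers, body):
    """Live transport (not exercised offline)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


class FakeDynamics:
    """Constructed stand-in for Azure AD + F&O: issues a token only for the
    right secret and answers the OData call only with that token."""

    def __init__(self):
        self.calls = []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, headers, body))
        if url.endswith("/oauth2/v2.0/token"):
            form = urllib.parse.parse_qs(body.decode())
            if form.get("grant_type") != ["client_credentials"] or form.get("client_secret") != ["s3cret"]:
                return {"error": "invalid_client"}
            return {"token_type": "Bearer", "access_token": "eyJ.fake.token", "expires_in": 3599}
        if headers.get("Authorization") != "Bearer eyJ.fake.token":
            raise PermissionError("401 from OData endpoint")
        return {"value": [{"UserID": "alice", "Enabled": True},
                          {"UserID": "svc-saviynt", "Enabled": False}]}


if __name__ == "__main__":
    fake = FakeDynamics()
    print(fetch_accounts(fake, "tenant-guid", "client-guid", "s3cret",
                         "https://example.operations.dynamics.com"))
```

Two things to carry over to the real connection: the scope value is exactly the Base URL with /.default appended, and the token endpoint path under LOGIN_URL contains the TENANT_ID, so a wrong tenant ID fails at the token step, not at the OData step.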
Data Model
The following table maps objects between the Dynamics 365 F&O application and EIC.
Saviynt Object | Dynamics 365 F&O Object
---|---
User | Workers (Employees and Contractors)
Accounts | SystemUsers
Entitlement | Roles, Duties, Privileges, Organizations, and Permissions
Terms Used in this Document
The following terms are used in this document:
Term | Description
---|---
User | Workers/employees/contractors objects in the Dynamics 365 F&O environment.
Role | Group of duties required for a job function.
Privilege | Access required to do a job.
Duty | Group of related privileges required for a job function.
Permission | Group of base objects and the access required on them.
Configuring a Connection
You must perform the following tasks in sequence to integrate EIC with the target application:
- Register the Dynamics 365 F&O connector application in the Azure environment.
- Create a connection:
  - Define the connection and reconciliation properties.
  - Create a security system.
  - Create an endpoint for the security system.
- Import users, accounts, and other objects:
  - Run the User Import job to import users.
  - Run the Data Import job to import accounts.
  - Run the Data Import job to import access-related objects.
- (Optional) Provision/de-provision accounts and entitlements to users:
  - Create a request.
  - Approve the request.
  - Run the provisioning job.
Registering the Connector in the Azure Environment
You must register the Dynamics 365 F&O connector as a client application in the Azure environment to obtain the client ID and client secret that the connector uses to authenticate to Azure AD and call the Dynamics 365 F&O application. Perform the following steps to register the application and grant it the required permissions in the Azure portal, then authorize it in Dynamics 365 F&O:
- Log in to the Azure portal (https://portal.azure.com/) with administrator credentials for the Azure AD tenant that your Dynamics 365 F&O environment uses.
- Click Azure Active Directory > App registrations > New registration.
- Enter the user-facing display name of the application in the Name field.
- Under Supported account types, select Accounts in this organizational directory only (your enterprise directory, for example Saviynt.com).
- Click Register. The Application (client) ID shown on the overview page is the CLIENT_ID connection parameter.
- Under Certificates & secrets, create a client secret and record its value immediately; it is displayed only once and is the CLIENT_SECRET connection parameter.
- Click View API permissions to view the configured permissions.
- Click Add a permission > APIs my organization uses and select the ConnectorFullAccess application permission. The account performing this step must be a Global Administrator in the Azure AD tenant and must hold the System administrator role in the Dynamics 365 F&O application.
- Click Add permissions, then grant admin consent for the permission (an application permission is not usable until an administrator consents). The application can now access the Dynamics Connector Service APIs.
- In the Dynamics 365 F&O client, click System administration in the left navigation pane and navigate to Workspaces > Setup > Azure Active Directory applications to view the client IDs of the Azure AD applications that are already authorized.
- Select New to add a new Azure AD application.
- Fill in the following fields for the new record:
  - Client ID: the application (client) ID of the application you registered in Azure AD.
  - Name: a name for the application.
  - User ID: a dedicated service account. Every import and provisioning call the connector makes runs in the security context of this user, so grant it only the Dynamics 365 F&O roles those operations require and do not reuse an interactive administrator account.
- Click Save.
Creating a Connection
You must create two separate connections: one of the D365 connection type for reconciliation, and one of the REST_Dynamics365 (REST) connection type for provisioning. The parameters for authenticating to Azure AD are common to both, but the provisioning connection additionally requires parameters for REST connectivity to the target application.
The Connection Template displays the connection parameters in two categories, Basic Config and Advanced Config. Basic Config lists the minimum set of parameters required to establish a connection; Advanced Config lists the advanced parameters. When you define and save values for the Basic Config parameters, those values are automatically populated wherever they are referenced in Advanced Config. To modify any of the advanced parameters, click Advanced Config.
To create a connection, perform the following steps:
- Log in to EIC.
- Click ADMIN > Identity Repository > Connections > Create Connection.
- Specify the values for the following fields and click Save & Test Connection. Ensure that all mandatory parameters are specified.
Parameters for Establishing a Connection
The following parameters are required for establishing a connection:
Do not populate parameters that are not listed in the table below.
Parameter | Description
---|---
Connection Name | Provide a name for the connection.
Connection Description | Provide a description for the connection.
Connection Type | Select the connection type for the operation you want the connector to perform: D365 for importing (reconciliation) data, or REST_Dynamics365 (REST) for provisioning and de-provisioning.
Base URL | Provide the base URL of the Dynamics 365 F&O application. It differs based on your environment's access URL.
TENANT_ID | Provide the Azure AD tenant ID. Example: xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx
LOGIN_URL | Provide the Microsoft authentication URL from which the connector requests access tokens.
CLIENT_ID | Specify the client ID used to authenticate to Azure AD and obtain the access token. The client ID is generated when you register the connector application in Azure AD. For more information, see Registering the Connector in the Azure Environment. Example: xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx
CLIENT_SECRET | Specify the client secret that belongs to the client ID, used to authenticate to Azure AD and obtain the access token. The secret is generated when you register the connector application in Azure AD. For more information, see Registering the Connector in the Azure Environment. Treat it as a credential for the connector's full access to the Dynamics 365 F&O application: store it only in the connection, never in scripts or tickets, and rotate it before the expiry you set in Azure.
Scope | Specify this parameter to have the connector request tokens from the Microsoft identity platform v2.0 endpoint, which lets you enforce a least-privilege model for the connector on Dynamics 365 Finance and Operations objects. Syntax: https://<tenant_url>/.default. If you do not specify a value, the v1.0 endpoint is used.
Specifying Parameters for Reconciliation Operations
After defining the connection parameters, specify the following parameters for performing reconciliation:
Parameter | Description
---|---
USER_FILTER | Specify the particular set of users to import.
USER_IMPORT_MAPPING | Specify the mapping of user attributes to import into EIC. The DimensionDisplayValue attribute carries the Business Unit (OrgUnit) and Cost Center configured in Microsoft Dynamics 365; configure the DimensionDisplayValue format before specifying the user import mapping. For more information, see Dynamics 365 Finance and Operations in Integration Prerequisites.
ACCOUNT_IMPORT_MAPPING | Specify the mapping of account attributes to import into EIC.
ORGANIZATION_FILTER | Specify the filter to use as search criteria for organizations managed by the target application. By default, the connector searches the following organizations: LegalEntities, OperatingUnits, Departments, BusinessUnits, and CostCenters.
STATUS_THRESHOLD_CONFIG | Specify the account attribute that maps to the account status and the values that mark an imported account as active. You can also specify a threshold that is enforced during a full account import to prevent a bulk update of missing accounts caused by API errors, processing errors, or misconfigured import parameters such as status or account filters: accounts that exist in EIC but are absent from the import are updated as inactive or deleted (SUSPENDED FROM IMPORT SERVICE) only if their count is within the threshold. This parameter is not mandatory. If you do not want to perform the threshold check, set accountThresholdValue to zero or a negative value, for example 0 or -1.
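The threshold safeguard described for STATUS_THRESHOLD_CONFIG, as an added Python example rather than Saviynt's implementation. It reconstructs the rule from the prose: accounts present in EIC but missing from a full import are marked SUSPENDED FROM IMPORT SERVICE only when their count is within accountThresholdValue, and a zero or negative threshold disables the check. The key names (statusColumn, activeStatus, accountThresholdValue), the interpretation of the threshold as an absolute count, and the choice to leave missing accounts untouched when the threshold is exceeded are assumptions; the sample accounts are constructed.

```python
"""Full-import reconciliation with an account threshold. Added example; the
config keys and the over-threshold behaviour are assumptions (see lead-in)."""
from dataclasses import dataclass

SUSPENDED = "SUSPENDED FROM IMPORT SERVICE"

# Constructed sample config and data. The attribute mapped to status is the
# SystemUsers Enabled flag; "True"/"1" count as active.
CONFIG = {
    "statusColumn": "Enabled",
    "activeStatus": ["True", "1"],
    "accountThresholdValue": 2,
}
EXISTING = {"alice", "bob", "carol", "svc-saviynt"}     # accounts EIC already holds
IMPORTED = [                                           # what the full import returned
    {"UserID": "alice", "Enabled": True},
    {"UserID": "bob", "Enabled": False},
    {"UserID": "svc-saviynt", "Enabled": True},
]


@dataclass
class Outcome:
    statuses: dict   # account name -> status EIC would write
    missing: set     # accounts in EIC but absent from the import
    applied: bool    # True if missing accounts were suspended
    reason: str


def reconcile(existing, imported, config):
    """Derive account statuses from a full import and apply the threshold check.
    An empty or truncated import (for example after an API error) shows up as a
    large 'missing' set, which is exactly what the threshold is meant to catch."""
    statuses = {}
    for rec in imported:
        value = str(rec.get(config["statusColumn"], ""))
        statuses[rec["UserID"]] = "ACTIVE" if value in config["activeStatus"] else "INACTIVE"

    missing = set(existing) - set(statuses)
    threshold = int(config.get("accountThresholdValue", 0))

    # Threshold <= 0 means "no check"; otherwise refuse to suspend more accounts
    # than the threshold allows and leave them as they are (assumed behaviour).
    if threshold > 0 and len(missing) > threshold:
        return Outcome(statuses, missing, False,
                       f"{len(missing)} accounts missing from import exceed threshold "
                       f"{threshold}; leaving them unchanged")
    for name in missing:
        statuses[name] = SUSPENDED
    return Outcome(statuses, missing, True, "missing accounts suspended")


if __name__ == "__main__":
    print(reconcile(EXISTING, IMPORTED, CONFIG))
    print(reconcile(EXISTING, [], CONFIG))          # simulated failed import
    print(reconcile(EXISTING, [], dict(CONFIG, accountThresholdValue=0)))
```

The second call is the case the parameter exists for: an import that returns nothing would otherwise suspend every account on the endpoint in one job run, which downstream de-provisioning would then act on.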
Specifying Parameters for Provisioning Operations
After defining the connection parameters, specify the following parameters for performing provisioning and de-provisioning operations via the REST connection:
Parameter | Description
---|---
CreateAccountJSON | Specify this parameter to create a new account on the target application, mapping the request action and the response for Create Account tasks so that the account is recorded in EIC.
UpdateAccountJSON | Specify this parameter to update an existing account on the target application and reflect the change in EIC.
EnableAccountJSON | Specify this parameter to enable a disabled account on the target application. The connector uses the values specified for this parameter to check the attributes associated with the disabled account before enabling it.
DisableAccountJSON | Specify this parameter to disable an account on the target application and then update that status in EIC. The connector uses the values specified for this parameter to check the attributes associated with the account before disabling it.
AddAccessJSON | Specify this parameter to add access to an account.
RemoveAccessJSON | Specify this parameter to remove access from an account.
RemoveAccountJSON | Specify this parameter to remove the account.
The connector uses default values for importing users and accounts unless you specify mapping details to perform a filtered import.
Creating a Security System
Creating an Endpoint for the Security System