Knowledge Partner

Azure API permissions

Hello

What kind of permissions do I need to grant for the Azure AD User and
Permissions collectors?

Currently I've granted this:


Azure Active Directory Graph
Directory.Read.All
User.Read

Microsoft Graph
Directory.Read.All


When testing the collection I get this error:

[SEVERE] 2018-11-19 16:35:34
com.netiq.iac.persistence.dcs.dce.thread.TestDataCollectionServiceThread
call - [IG-DTP] Encountered unexpected error: Failed in collecting data
from DaaS -Error Response: Command failure: Type: find+chunked: [Command
failure: Type: find+chunked: [Error collecting using search class: User]]




If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.
Micro Focus Expert

Re: Azure API permissions

On 11/19/18 10:47 AM, alekz wrote:
> Hello
>
> What kind of permissions do I need to grant for the Azure AD User and
> Permissions collectors?
>
> Currently I've granted this:
>
>
> Azure Active Directory Graph
>  Directory.Read.All
>  User.Read
>
> Microsoft Graph
>  Directory.Read.All
>
>
> When testing the collection I get this error:
>
> [SEVERE] 2018-11-19 16:35:34
> com.netiq.iac.persistence.dcs.dce.thread.TestDataCollectionServiceThread
> call - [IG-DTP] Encountered unexpected error: Failed in collecting data
> from DaaS -Error Response: Command failure: Type: find+chunked: [Command
> failure: Type: find+chunked: [Error collecting using search class: User]]
>
>
>
>
> If you find this post helpful and are logged into the web interface,
> show your appreciation and click on the star below.

Greetings,

1) What is the exact version of ID Gov that you are using?
2) What is the exact version of the Template(s) you are using?

--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
Micro Focus Expert

Re: Azure API permissions

On 11/19/18 11:22 AM, Steven Williams wrote:
> On 11/19/18 10:47 AM, alekz wrote:
>> Hello
>>
>> What kind of permissions do I need to grant for the Azure AD User and
>> Permissions collectors?
>>
>> Currently I've granted this:
>>
>>
>> Azure Active Directory Graph
>>   Directory.Read.All
>>   User.Read
>>
>> Microsoft Graph
>>   Directory.Read.All
>>
>>
>> When testing the collection I get this error:
>>
>> [SEVERE] 2018-11-19 16:35:34
>> com.netiq.iac.persistence.dcs.dce.thread.TestDataCollectionServiceThread
>> call - [IG-DTP] Encountered unexpected error: Failed in collecting
>> data from DaaS -Error Response: Command failure: Type: find+chunked:
>> [Command failure: Type: find+chunked: [Error collecting using search
>> class: User]]
>>
>>
>>
>>
>> If you find this post helpful and are logged into the web interface,
>> show your appreciation and click on the star below.

> Greetings,
>
> 1) What is the exact version of ID Gov that you are using?
> 2) What is the exact version of the Template(s) you are using?
>

Greetings,

Please double check that you can browse your Azure domain with the graph
explorer with the account you are specifying in the collectors

https://developer.microsoft.com/en-us/graph/graph-explorer


--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
Knowledge Partner

Re: Azure API permissions

On 2018-11-19 17:27, Steven Williams wrote:
> On 11/19/18 11:22 AM, Steven Williams wrote:
>> On 11/19/18 10:47 AM, alekz wrote:
>>> Hello
>>>
>>> What kind of permissions do I need to grant for the Azure AD User and
>>> Permissions collectors?
>>>
>>> Currently I've granted this:
>>>
>>>
>>> Azure Active Directory Graph
>>>   Directory.Read.All
>>>   User.Read
>>>
>>> Microsoft Graph
>>>   Directory.Read.All
>>>
>>>
>>> When testing the collection I get this error:
>>>
>>> [SEVERE] 2018-11-19 16:35:34
>>> com.netiq.iac.persistence.dcs.dce.thread.TestDataCollectionServiceThread
>>> call - [IG-DTP] Encountered unexpected error: Failed in collecting
>>> data from DaaS -Error Response: Command failure: Type: find+chunked:
>>> [Command failure: Type: find+chunked: [Error collecting using search
>>> class: User]]
>>>
>>>
>>>
>>>
>>> If you find this post helpful and are logged into the web interface,
>>> show your appreciation and click on the star below.

>> Greetings,
>>
>> 1) What is the exact version of ID Gov that you are using?
>> 2) What is the exact version of the Template(s) you are using?
>>

> Greetings,
>
> Please double check that you can browse your Azure domain with the graph
> explorer with the account you are specifying in the collectors
>
> https://developer.microsoft.com/en-us/graph/graph-explorer
>
>

I specified a client ID and client secret that I got from the
application I created in the Azure Portal in App registrations; I can't
log in with that into the Graph Explorer.

--
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.
Knowledge Partner

Re: Azure API permissions

On 2018-11-19 17:22, Steven Williams wrote:
> On 11/19/18 10:47 AM, alekz wrote:
>> Hello
>>
>> What kind of permissions do I need to grant for the Azure AD User and
>> Permissions collectors?
>>
>> Currently I've granted this:
>>
>>
>> Azure Active Directory Graph
>>   Directory.Read.All
>>   User.Read
>>
>> Microsoft Graph
>>   Directory.Read.All
>>
>>
>> When testing the collection I get this error:
>>
>> [SEVERE] 2018-11-19 16:35:34
>> com.netiq.iac.persistence.dcs.dce.thread.TestDataCollectionServiceThread
>> call - [IG-DTP] Encountered unexpected error: Failed in collecting
>> data from DaaS -Error Response: Command failure: Type: find+chunked:
>> [Command failure: Type: find+chunked: [Error collecting using search
>> class: User]]
>>
>>
>>
>>
>> If you find this post helpful and are logged into the web interface,
>> show your appreciation and click on the star below.

> Greetings,
>
> 1) What is the exact version of ID Gov that you are using?
> 2) What is the exact version of the Template(s) you are using?
>

1)
Identity Governance client version 3.0.1 was built on Fri March 9 2018
4:59 PM from revision 25950
Identity Governance server version 3.0.1 was built on Fri March 9 2018
6:43 PM from revision 25952

2) Version 3.0.0

--
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.
Micro Focus Expert

Re: Azure API permissions

On 11/19/18 11:42 AM, alekz wrote:
> On 2018-11-19 17:22, Steven Williams wrote:
>> On 11/19/18 10:47 AM, alekz wrote:
>>> Hello
>>>
>>> What kind of permissions do I need to grant for the Azure AD User and
>>> Permissions collectors?
>>>
>>> Currently I've granted this:
>>>
>>>
>>> Azure Active Directory Graph
>>>   Directory.Read.All
>>>   User.Read
>>>
>>> Microsoft Graph
>>>   Directory.Read.All
>>>
>>>
>>> When testing the collection I get this error:
>>>
>>> [SEVERE] 2018-11-19 16:35:34
>>> com.netiq.iac.persistence.dcs.dce.thread.TestDataCollectionServiceThread
>>> call - [IG-DTP] Encountered unexpected error: Failed in collecting
>>> data from DaaS -Error Response: Command failure: Type: find+chunked:
>>> [Command failure: Type: find+chunked: [Error collecting using search
>>> class: User]]
>>>
>>>
>>>
>>>
>>> If you find this post helpful and are logged into the web interface,
>>> show your appreciation and click on the star below.

>> Greetings,
>>
>> 1) What is the exact version of ID Gov that you are using?
>> 2) What is the exact version of the Template(s) you are using?
>>

> 1)
>  Identity Governance client version 3.0.1 was built on Fri March 9 2018
> 4:59 PM from revision 25950
> Identity Governance server version 3.0.1 was built on Fri March 9 2018
> 6:43 PM from revision 25952
>
> 2) Version 3.0.0
>

Greetings,

We use the Azure Active Directory Graph API so the tenant must first
enable that API for their site. Once enabled, the API requires the
following 2 permissions.

- Directory.Read.All
- User.Read


It is also necessary to generate an OAuth v2 client (and secret) for API
access.



--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
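
Added example, not part of the original thread or of Identity Governance: a diagnostic that decodes an access token obtained with the OAuth client and secret and checks that it targets the Azure AD Graph API and carries Directory.Read.All. It assumes the collector authenticates app-only, that application permissions appear in the token's `roles` claim (delegated ones in `scp`), and that the audience URLs below are the ones in use; the tokens here are constructed and unsigned.

```python
import base64
import json

# Assumed audience values for the two APIs named in the thread.
AAD_GRAPH = "https://graph.windows.net"
MS_GRAPH = "https://graph.microsoft.com"

def decode_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_token(token: str, resource: str, required: list) -> dict:
    """Report whether the token targets `resource` and carries `required`."""
    claims = decode_claims(token)
    # Application permissions arrive in `roles`, delegated ones in `scp`.
    granted = set(claims.get("roles", [])) | set(claims.get("scp", "").split())
    return {
        "audience_ok": claims.get("aud", "").rstrip("/") == resource,
        "app_only": "scp" not in claims,
        "missing": sorted(set(required) - granted),
    }

def make_sample(aud: str, roles: list) -> str:
    """Build a constructed, unsigned token for the demo (not a real credential)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}),
                     enc({"aud": aud, "roles": roles}), "constructed"])

if __name__ == "__main__":
    need = ["Directory.Read.All"]
    samples = {
        "token issued for Microsoft Graph": make_sample(MS_GRAPH, need),
        "consent not granted": make_sample(AAD_GRAPH, []),
        "correctly configured": make_sample(AAD_GRAPH, need),
    }
    for label, tok in samples.items():
        print(label, audit_token(tok, AAD_GRAPH, need))
```

A permission that is listed on the app registration but absent from the token usually means admin consent was never granted for it.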
Micro Focus Expert

Re: Azure API permissions

On 11/27/18 10:38 AM, Steven Williams wrote:
> On 11/19/18 11:42 AM, alekz wrote:
>> On 2018-11-19 17:22, Steven Williams wrote:
>>> On 11/19/18 10:47 AM, alekz wrote:
>>>> Hello
>>>>
>>>> What kind of permissions do I need to grant for the Azure AD User
>>>> and Permissions collectors?
>>>>
>>>> Currently I've granted this:
>>>>
>>>>
>>>> Azure Active Directory Graph
>>>>   Directory.Read.All
>>>>   User.Read
>>>>
>>>> Microsoft Graph
>>>>   Directory.Read.All
>>>>
>>>>
>>>> When testing the collection I get this error:
>>>>
>>>> [SEVERE] 2018-11-19 16:35:34
>>>> com.netiq.iac.persistence.dcs.dce.thread.TestDataCollectionServiceThread
>>>> call - [IG-DTP] Encountered unexpected error: Failed in collecting
>>>> data from DaaS -Error Response: Command failure: Type: find+chunked:
>>>> [Command failure: Type: find+chunked: [Error collecting using search
>>>> class: User]]
>>>>
>>>>
>>>>
>>>>
>>>> If you find this post helpful and are logged into the web interface,
>>>> show your appreciation and click on the star below.
>>> Greetings,
>>>
>>> 1) What is the exact version of ID Gov that you are using?
>>> 2) What is the exact version of the Template(s) you are using?
>>>

>> 1)
>>   Identity Governance client version 3.0.1 was built on Fri March 9
>> 2018 4:59 PM from revision 25950
>> Identity Governance server version 3.0.1 was built on Fri March 9 2018
>> 6:43 PM from revision 25952
>>
>> 2) Version 3.0.0
>>

> Greetings,
>
> We use the Azure Active Directory Graph API so the tenant must first
> enable that API for their site. Once enabled, the API requires the
> following 2 permissions.
>
> - Directory.Read.All
> - User.Read
>
>
> It is also necessary to generate an OAuth v2 client (and secret) for API
> access.
>
>
>

Greetings,
I have asked the Doc team to update our public doc accordingly.

--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
Knowledge Partner

Re: Azure API permissions

On 2018-11-27 16:38, Steven Williams wrote:
> On 11/27/18 10:38 AM, Steven Williams wrote:
>> On 11/19/18 11:42 AM, alekz wrote:
>>> On 2018-11-19 17:22, Steven Williams wrote:
>>>> On 11/19/18 10:47 AM, alekz wrote:
>>>>> Hello
>>>>>
>>>>> What kind of permissions do I need to grant for the Azure AD User
>>>>> and Permissions collectors?
>>>>>
>>>>> Currently I've granted this:
>>>>>
>>>>>
>>>>> Azure Active Directory Graph
>>>>>   Directory.Read.All
>>>>>   User.Read
>>>>>
>>>>> Microsoft Graph
>>>>>   Directory.Read.All
>>>>>
>>>>>
>>>>> When testing the collection I get this error:
>>>>>
>>>>> [SEVERE] 2018-11-19 16:35:34
>>>>> com.netiq.iac.persistence.dcs.dce.thread.TestDataCollectionServiceThread
>>>>> call - [IG-DTP] Encountered unexpected error: Failed in collecting
>>>>> data from DaaS -Error Response: Command failure: Type:
>>>>> find+chunked: [Command failure: Type: find+chunked: [Error
>>>>> collecting using search class: User]]
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> If you find this post helpful and are logged into the web interface,
>>>>> show your appreciation and click on the star below.
>>>> Greetings,
>>>>
>>>> 1) What is the exact version of ID Gov that you are using?
>>>> 2) What is the exact version of the Template(s) you are using?
>>>>
>>> 1)
>>>   Identity Governance client version 3.0.1 was built on Fri March 9
>>> 2018 4:59 PM from revision 25950
>>> Identity Governance server version 3.0.1 was built on Fri March 9
>>> 2018 6:43 PM from revision 25952
>>>
>>> 2) Version 3.0.0
>>>

>> Greetings,
>>
>> We use the Azure Active Directory Graph API so the tenant must first
>> enable that API for their site. Once enabled, the API requires the
>> following 2 permissions.
>>
>> - Directory.Read.All
>> - User.Read
>>
>>
>> It is also necessary to generate an OAuth v2 client (and secret) for
>> API access.
>>
>>
>>

> Greetings,
>    I have asked the Doc team to update our public doc accordingly.
>

Thanks Steven, got it working now 🙂

--
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.