dwampach1
By Moderator Moderator
Moderator

On May 3, 2022, the SaaS Management Microsoft Azure and Azure Client Credentials integrations will migrate from Microsoft Azure AD API to Microsoft Graph API. The Azure AD Graph API is now deprecated. Starting June 30, 2022, support ends for Azure AD Graph. Apps using Azure AD Graph after June 30, 2022 will no longer receive responses from the Azure AD Graph endpoint. The following details will help you prepare for the Microsoft Graph API migration. 

Action Required for New SaaS Management Integrations with Azure and Azure Client Credentials 

You must grant permissions for Microsoft Graph API instead of Azure AD Graph API. Refer to the future API endpoints below. 

Azure and Azure Client Credentials API Endpoints 

Below are the future Microsoft Graph API endpoints. 

HR Roster 

https://graph.microsoft.com/v1.0/users

Application Discovery 

https://graph.microsoft.com/v1.0/servicePrincipals

SSO Application Access 

https://graph.microsoft.com/v1.0/auditLogs/signIns

SSO Application Roster 

https://graph.microsoft.com/v1.0/users/<UserID>/appRoleAssignments

Actions Required for Existing SaaS Management Integrations with Azure and Azure Client Credentials 

Because SaaS Management is migrating from Microsoft Azure AD APIs to Microsoft Graph APIs, existing Azure and Azure Client Credentials integrations will fail with a 401 Unauthorized error.

 Actions for Existing Azure Integrations 

  • Once the Azure integration tasks start failing, you must reauthorize the integration.
  • For the Microsoft Graph APIs, the offline_access permission is also required so that a refresh token can be generated.

Complete the following action to prevent this error for existing Azure Client Credentials integrations.

Update the existing permissions to the required Microsoft Graph API permissions: 

  • AuditLog.Read.All
  • Directory.Read.All

IMPORTANT: The Azure integration with SaaS Management will fail if consent is not given to both the AuditLog.Read.All and the Directory.Read.All permissions. For details, refer to the Microsoft List signIns documentation section.

More information on new features and enhancements can be found in What's New in Flexera One.
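The permission requirement above can be checked before the integration task runs. The following is an added example, not Flexera's or Microsoft's code: it decodes a client-credentials access token for diagnosis only (the signature is not verified) and reports a wrong audience or a missing application permission. It assumes app-only tokens list granted application permissions in the `roles` claim; the function names and the sample tokens are constructed for illustration.

```python
import base64
import json

# Application permissions this page lists for the Client Credentials integration.
REQUIRED_ROLES = ("AuditLog.Read.All", "Directory.Read.All")
# Audience values of Microsoft Graph tokens (resource URI or its well-known app ID).
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload for inspection. The signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def preflight(token: str) -> list[str]:
    """Return the problems that would make the Graph calls fail; empty means ready."""
    claims = jwt_claims(token)
    problems = []
    aud = str(claims.get("aud", "")).rstrip("/")
    if aud not in GRAPH_AUDIENCES:
        problems.append(f"token audience is {aud!r}, not Microsoft Graph")
    # Assumption: app-only tokens carry consented application permissions in 'roles'.
    granted = {str(r).casefold() for r in claims.get("roles", [])}
    for role in REQUIRED_ROLES:
        if role.casefold() not in granted:
            problems.append(f"missing application permission {role}")
    return problems


def constructed_token(claims: dict) -> str:
    """Build an unsigned sample token (constructed test data, not a real token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    samples = {
        "only Directory.Read.All": {"aud": "https://graph.microsoft.com",
                                    "roles": ["Directory.Read.All"]},
        "token for the old Azure AD Graph resource": {"aud": "https://graph.windows.net",
                                                      "roles": ["Directory.Read.All"]},
    }
    for name, claims in samples.items():
        print(name, "->", preflight(constructed_token(claims)) or "ready")
```

An empty result only means the token carries the claims the integration needs; it says nothing about whether the token is authentic or unexpired.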

(8) Comments
bharath_malli
By
Level 3

@dwampach1 : We are using Azure Client credentials;   

Do we actually need "Auditlog.Read.All" ?

Or, in other words, if we only provide "Directory.Read.All", what is the impact to SaaS manager?

 

Thanks in Advance 

Bharath Mallipeddy

SAP SE

JohnSorensenDK
By Moderator Moderator
Moderator

Hi Bharath,

The integration will fail if you don't give it the "Auditlog.Read.All" permission, please refer to Microsoft's documentation: https://docs.microsoft.com/en-us/graph/api/signin-list?view=graph-rest-1.0&tabs=http 

Thanks,

John Sorensen

chirag_sharma2
By
Level 7

Hi, 

We are only using IT Asset Management, but our SSO is connected with Azure. Is it going to impact us as well?

JohnSorensenDK
By Moderator Moderator
Moderator

@chirag_sharma2 

Please could you elaborate a bit further on the context here, i.e. are you referring to

  • the use of Azure AD as an SSO data source for Flexera SaaS mgt?
  • the use of Azure AD as an identity provider for Flexera One (SSO) authentication?
  • or are you referring to using Azure AD internally as a single sign-on solution to login to your Intranet?

Thanks,

John Sorensen

spencer_clark
By
Level 4

Currently, my company has not purchased any SaaS products (though looking at it).

We do use SSO to login to our ITAM product and we use Azure.

I'm guessing that means we need to adjust our endpoint as well?  Asking because I'm not sure.

 

Spencer

chirag_sharma2
By
Level 7

Hi @JohnSorensenDK 

The use of Azure AD as an identity provider for Flexera One (SSO) authentication?

I am with @spencer_clark 

We are also not using SaaS manager of Flexera.

But we do use Azure SSO as an identifier to log in to our ITAM product via Flexera One.

So please confirm if we need to make any changes in our identifier configurations?

JohnSorensenDK
By Moderator Moderator
Moderator

I don't think that Microsoft is going to change/deprovision any of the end-points related to use of Azure AD as identity provider for SSO: [Image: Capture.PNG]

Thanks,

John Sorensen

spencer_clark
By
Level 4

Thanks