Microsoft Entra ID Integration (Data Mapping)

Introduction

Integrating TrustWorks with Microsoft Azure Active Directory provides your privacy team with a comprehensive list of applications used within your organisation. Leveraging TrustWorks' advanced Data Mapping capabilities, you can streamline privacy assessments and efficiently manage data subject requests while ensuring full compliance with data protection regulations.


Setting up the Integration

  1. Navigate to Settings > Integrations.
  2. Click the + New Integration button.
  3. Select “Microsoft Azure” and give your integration a descriptive name.
  4. Select the Authentication method: OAuth 2.0.
  5. Select the sources from which users will be listed (Application Owners, Authorised Users, ID Tokens Logs). You can select more than one.
  6. Click the Connect with Microsoft Azure button.
  7. Log in to the Azure account with the Administrator privileges that you wish to use.
  8. Grant permissions to TrustWorks.
  9. Click + Save to store the integration settings in TrustWorks.
  10. Verify that the Microsoft Azure applications/tokens are visible in Data Mapping > Staging Area.

🚪 Requested Permissions

Application.Read.All: With this permission TrustWorks can retrieve the names of all applications used in the Active Directory.

User.ReadBasic.All: With this permission, TrustWorks can retrieve the owner's email address for each application (if an owner is set).

Directory.Read.All: Allows TrustWorks to retrieve members of a group, ensuring that all relevant users are included in the data mapping.

Administrator Consent in Azure Active Directory

Azure Active Directory (Azure AD) users can be assigned multiple roles. For the purpose of integrating with TrustWorks, two specific roles are pivotal:

  • Application Administrator: This role allows users to manage all aspects of app registration and enterprise app configuration.
  • Global Administrator (Admin): This is the top-level role, granting users access to all administrative features in Azure AD.

If a user is assigned either of these roles, they possess the authority to grant permissions to TrustWorks.

Note: If your organisation utilises Azure's Privileged Identity Management (PIM), you might need to specify a 'scope type' when assigning these roles. In such cases, always choose the 'Directory' scope.

When the authorisation flow reaches the admin approval screen, there are three approaches to giving TrustWorks admin consent.

Admin User Consent

An admin can grant TrustWorks (QueryLayer) access to the list of application names. This is done by selecting the “Consent on behalf of your organisation” option.

Non-Admin User Consent

Users without admin privileges will be presented with the “Need admin approval” screen. This indicates that they lack the necessary permissions to grant access.

In situations where neither the organisation-wide consent is provided by an admin nor the user has the required privileges, Azure AD allows for configuring admin consent requests. However, this feature must be activated by the Azure AD admin. During this process, users will be prompted to provide a justification for their request, which the admin can subsequently review and approve or deny.

When a user attempts to authorise the consent, they will see a field in which to justify the request.
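Once consent has been granted, an administrator can confirm that the tenant holds an organisation-wide grant and that its scopes match the three permissions listed above. The following Microsoft Graph PowerShell audit is an added example and not part of TrustWorks' own documentation; it assumes the enterprise application appears in the tenant under the display name "TrustWorks" (the page also refers to it as QueryLayer, so adjust $AppDisplayName to whatever your tenant shows).

```powershell
# Added example (not TrustWorks' code): audit the delegated permissions actually
# granted to the TrustWorks service principal after admin consent.
# Assumption: the enterprise app's display name in this tenant is 'TrustWorks'.
# Requires the Microsoft.Graph PowerShell module.
$AppDisplayName = 'TrustWorks'

# Permissions this guide says TrustWorks requests.
$Documented = @('Application.Read.All', 'User.ReadBasic.All', 'Directory.Read.All')

# Read-only scopes for the auditor's own session.
Connect-MgGraph -Scopes 'Application.Read.All', 'DelegatedPermissionGrant.Read.All' -NoWelcome

$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
if (-not $sp) { throw "No service principal named '$AppDisplayName' in this tenant." }

# Delegated (OAuth 2.0) grants for this client. ConsentType 'AllPrincipals' is
# what "Consent on behalf of your organisation" produces; 'Principal' means a
# single user consented for themselves only.
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All
if (-not $grants) { "No delegated permission grants found; consent has not completed." }

foreach ($g in $grants) {
    # Scope is a single space-separated string of granted permission names.
    $granted = "$($g.Scope)".Trim() -split '\s+' | Where-Object { $_ }
    $missing = $Documented | Where-Object { $_ -notin $granted }
    $extra   = $granted    | Where-Object { $_ -notin $Documented }

    "Grant $($g.Id): ConsentType=$($g.ConsentType)"
    "  granted : $($granted -join ', ')"
    if ($missing) { "  MISSING (integration may fail): $($missing -join ', ')" }
    if ($extra)   { "  EXTRA (not in this guide, review): $($extra -join ', ')" }
}

# The flow described here is delegated OAuth 2.0 only, so app-only role
# assignments for this service principal should be empty; anything listed was
# granted outside this guide's steps and deserves a review.
$appRoles = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All
if ($appRoles) { "App-only role assignments present: $($appRoles.Count) (review)" }
```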


Conclusion

Successfully integrating TrustWorks with Microsoft Azure Active Directory not only enhances the efficiency of your privacy team but also fortifies your organisation's data management and compliance processes. By following the steps outlined in this guide, you can seamlessly establish this integration and unlock a suite of advanced data mapping and management capabilities. As always, it's crucial to ensure that the right permissions are in place and that users are aware of their roles and responsibilities in the process. Should you encounter any challenges or have further questions, the TrustWorks support team is always here to assist. Together, we can ensure a more transparent and compliant data environment for your organisation.
