Importing Users from Microsoft Entra
To integrate Microsoft Entra with UniFi Identity, first create an application for UniFi Identity in the Microsoft Entra admin center. This application is dedicated to directory use only: it is granted just the permissions it needs, and those permissions are controlled independently of any other application.
Requirements
- You have an Azure account with an active subscription (a free account can be created).
- Your Azure account role must be at least a Cloud Application Administrator.
- You have set up a tenant by following Microsoft Entra's Quickstart: Set up a tenant.
Create an Application for UniFi Identity
- Sign in to the Microsoft Entra admin center with the role of at least a Cloud Application Administrator.
- If you have access to multiple tenants, go to Settings > Directories + subscriptions in the upper-right menu to switch to the tenant where you want to register the application.
- Go to Identity > Applications > App registrations and select New registration.
- Enter a name for the application.
- Go to Supported account types and select Accounts in this organizational directory only.
- Go to Redirect URI (optional) and set the platform to Web. A redirect URI is where the Microsoft identity platform redirects the user's client and sends security tokens after authentication.
- Click Register.
- When registration finishes, the Microsoft Entra admin center displays the app registration's Overview page. Copy the Application (client) ID as you'll need it when setting up Entra ID in UniFi Identity.
- Continue to configure API permissions.
Configure API Permissions
- Go to Identity > Applications > App registrations > All applications and select the application you just created.
- Go to Manage > API permissions and click Add a permission.
- Select Microsoft Graph.
- Click Application permissions.
- Select the following API permissions: User.Read.All and Directory.Read.All. Then click Add permissions. You can also use the filter for a quick search.
- Click Grant admin consent for… and, when the Grant admin consent confirmation prompt appears, click Yes.
- Continue to add a client secret.
Add a Client Secret
- Go to Identity > Applications > App registrations > All applications and select the application you just created.
- Go to Manage > Certificates & secrets > Client secrets and click New client secret.
- Add a description for the client secret and select an expiration, or set a custom lifetime. Note that a client secret's lifetime cannot exceed two years (24 months). Click Add.
- Copy the client secret's Value for later use when setting up Entra ID in UniFi Identity. This value will not be shown again after you leave this page.
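Once the two Application permissions have been consented and the client secret has been created, you can confirm the registration is scoped as intended before handing the values to UniFi Identity: an app-only token issued to this registration carries the granted application permissions in its `roles` claim. The script below is an added example and not part of Ubiquiti's or Microsoft's documentation; it assumes the tenant ID, Application (client) ID and secret are supplied in the environment variables ENTRA_TENANT_ID, ENTRA_CLIENT_ID and ENTRA_CLIENT_SECRET (names chosen here), and falls back to a constructed, unsigned token so the check can be run offline.

```python
import base64
import json
import os
import urllib.parse
import urllib.request

# The two application permissions granted in "Configure API Permissions".
REQUIRED_ROLES = {"User.Read.All", "Directory.Read.All"}


def token_request(tenant_id: str, client_id: str, client_secret: str) -> urllib.request.Request:
    """Client-credentials request for an app-only Microsoft Graph token."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    return urllib.request.Request(url, data=body, method="POST")


def jwt_payload(token: str) -> dict:
    """Decode the payload segment of a JWT for inspection only (no signature check)."""
    segment = token.split(".")[1]
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def role_check(token: str) -> dict:
    """Compare the granted application roles with the two this integration needs."""
    granted = set(jwt_payload(token).get("roles", []))
    return {"granted": sorted(granted),
            "missing": sorted(REQUIRED_ROLES - granted),   # consent still needed
            "extra": sorted(granted - REQUIRED_ROLES)}     # broader than the page requires


def constructed_token(roles) -> str:
    """Build a constructed, unsigned JWT so the check can be exercised offline."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none'})}.{b64({'aud': 'https://graph.microsoft.com', 'roles': list(roles)})}."


if __name__ == "__main__":
    tenant, client, secret = (os.environ.get(k) for k in
                              ("ENTRA_TENANT_ID", "ENTRA_CLIENT_ID", "ENTRA_CLIENT_SECRET"))
    if tenant and client and secret:
        with urllib.request.urlopen(token_request(tenant, client, secret)) as resp:
            token = json.load(resp)["access_token"]
    else:
        print("No credentials in the environment; checking a constructed token instead.")
        token = constructed_token(["User.Read.All"])
    print(json.dumps(role_check(token), indent=2))
```

An empty "missing" list means admin consent for both permissions has taken effect; anything under "extra" is a permission the directory sync does not need and can be removed.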
Integrate Microsoft Entra ID with UniFi Identity
- Go to your UniFi Identity and follow the instructions here to integrate Microsoft Entra ID with Identity.
- If Specific Groups is selected for Sync Group when configuring the directory settings in Identity, only the members of the corresponding Entra ID groups are synced to Identity. You can view an Entra ID group's members at Identity > Groups > All groups > select your group > Manage > Members.