Overview
Torii integrates with Azure Active Directory and syncs:
-
User list
-
3rd party application list
-
3rd party permissions
-
Usage Data
Prerequisites
Accounts & permissions
-
You are required to have an Administrator role
-
For Torii to pull sign-in info from Azure AD, it requires you to have a Premium 1 license (P1).
Without this license, Torii will not be able to retrieve the SaaS applications connected to your Azure Active Directory information -
The user who connects Azure AD to Torii should have a P1 license. That should cost around $6/month
Scopes
- To connect Torii with minimum Read permissions:
- auditlog.read.all
- directory.read.all
- user.read
- user.read.all
- user.readbasic.all
- Additionally, to enable Azure AD actions, Torii requires:
- Group.ReadWrite.All
- User.ReadWrite.All
Prerequisites Technical instructions
-
Create a new Service Account in Azure
-
Go to Users to assign Administrative Roles to the service
-
Select Assigned roles
-
Click on Add assignments to add the roles
-
Read permissions - To connect Torii with minimum Read permissions, Azure requires the following roles: Application Administrator, Global reader, Teams administrator
-
Get usage permissions - to allow Torii to get and show usage, you will have to enable one of the following roles:
-
Global Administrator
-
Global Reader
-
Reports Reader
-
Security Administrator
-
Security Operator
-
Security Reader
-
-
Full read and take actions permissions - To provide Torii full permissions that will enable you to have a comprehensive user and usage view, select the Global administrator role
Connect Azure AD integration to Torii
-
Go to the Integrations page and select the Azure AD tile
-
Connect to Azure AD
-
In Connect Azure AD select the permission type (Read or Read and Take action)
-
Click Connect
Purchasing Azure AD P1 license
-
Sign in to the Microsoft consumer portal (https://portal.office.com/AdminPortal) and navigate to Billing -> Purchase services.
-
Look for the “Azure Active Directory Premium P1” license. Purchase one license, and assign it to the relevant user (I can assume that would be you).
Please notice that you only need to purchase one license, which should be assigned to the user connecting Azure to Torii.
Q&A
Q: Which Azure Active Directory groups will be shown in Torii?
A: The "Microsoft 365" and "Security" groups are the only group types that will be shown due to limitation with the Microsoft Graph API.