Synchronizing Microsoft Entra ID Roles to Appfarm Create
This guide outlines the process of synchronizing user roles from Microsoft Entra ID (formerly Azure Active Directory) to Appfarm Create. By following these steps, you can ensure that user permissions are consistently managed and automatically updated within your Appfarm applications based on your organization's established directory groups.
Prerequisites
Before you begin, ensure you have the following:
Administrator access to your Microsoft Entra ID tenant.
Permissions to create and manage applications within Microsoft Entra ID.
Administrator access to your Appfarm Create environment.
Familiarity with creating and managing roles, services, and data sources in Appfarm Create.
Step 1: Create Roles in Appfarm Create
For each Microsoft Entra ID user group you wish to mirror, you must first create a corresponding role in Appfarm Create.
Navigate to the Roles section in Appfarm Create.
Click the Create Custom Role button.
Enter a name for the role that clearly corresponds to the Microsoft Entra ID group (e.g., "Sales Team," "Project Managers").
Navigate to the Permissions section in Appfarm Create and give the newly created role the permissions it needs.
Repeat this process for all user groups you intend to sync.
Step 2: Create a New Service
A service in Appfarm Create will contain the logic for fetching data from Microsoft Entra ID and updating user roles.
Navigate to the Services section in Appfarm Create.
Click the New Service button.
Give the service a descriptive name, such as "Azure Role Sync."
Click Create Service.
A default Service endpoint will be created for you. Give it a suitable Name and Readable ID.
Step 3: Add Roles as an Enum Data Source in the Service
To easily reference your Appfarm roles within the service, add them as an enumerated (enum) data source.
Within your newly created service, navigate to the Data tab.
Open the menu next to the + icon and select Enum.
From the list of available enums, select Roles. This will make your Appfarm roles available for selection in your service logic.
Step 4: Fetch Users and Roles via Microsoft Graph API
In this step, you will configure the service to communicate with the Microsoft Graph API to retrieve user and group information from your Microsoft Entra ID.
In your service, create a new action. Make sure to connect the action to the Process Action on the Service endpoint you set up in step 2.
Add a Web Request action node.
Configure the Web Request to call the Microsoft Graph API. These requests must be authenticated. This typically involves setting up an application registration in Microsoft Entra ID and using the OAuth 2.0 client credentials flow; grant the app registration only the permissions it needs to read users and group memberships. Read the separate guide here. Store your client ID, client secret, and tenant ID securely as Secrets.
Fetch Users: Use the appropriate Graph API endpoint to get all users you want to sync. For example: GET https://graph.microsoft.com/v1.0/users.
Fetch Group Members: For each relevant Azure group, you need to get its members. A common approach is to use the memberOf endpoint for each user, or to query the members of each specific group. For example: GET https://graph.microsoft.com/v1.0/groups/{group-id}/members.
Store Fetched Users: Create a runtime-only data source within your service to store the user data retrieved from the Graph API. This will typically be an object class that mirrors the structure of the user data you need (e.g., UserPrincipalName, ID).
Step 5: Iterate and Assign Roles
Now, you will iterate through the fetched users and assign the corresponding Appfarm role based on their Microsoft Entra ID group memberships.
Add a Foreach action node to your service, and set the data source to the runtime-only user data source created in the previous step.
Inside the iteration, for each user, you will need to determine their group memberships.
5.1. Conditional Role Assignment
For each Microsoft Entra ID role you are syncing, add an If action node.
Set the condition of the If node to check if the current user in the iteration is a member of a specific Microsoft Entra ID group. You will typically match the group name or ID.
Inside the If block, add a Set Selection action node. Configure it to select the corresponding role from your Roles enum data source.
5.2. Create or Update User Account
After the If blocks, add a Create User Account action node.
Data-bind the user's properties (e.g., username/email) from the runtime-only data source.
Data-bind the Role Memberships to the Selected Object of your Roles enum data source.
Crucially, tick the "Accept existing user" checkbox. This ensures that if the user already exists in Appfarm, their roles will be updated without creating a duplicate account.
Step 6: Schedule the Service
To ensure roles are kept in sync automatically, schedule the service to run at a regular interval.
Navigate to the Schedules section in Appfarm Create.
Click the + icon.
Give the schedule a name, such as "Nightly Azure Role Sync."
Select the Service and the specific Endpoint you created for the role synchronization.
Define the frequency using a cron expression. For example, to run the sync every night at 2 AM, you would use 0 2 * * *.
Enable the schedule.
By following these steps, you have successfully configured an automated process to synchronize user roles from Microsoft Entra ID to Appfarm Create, ensuring a consistent and manageable permission structure across your applications.