Connector for Microsoft Entra ID (Azure AD)

This documentation references external sources. Nexthink does not have control over the accuracy of third-party documentation, nor any external updates or changes that might create inconsistencies with the information presented on this page. Please report any errors or inconsistencies to Nexthink Support.

The connector for Microsoft Entra ID (formerly named Azure AD) allows you to import user information from Entra ID. Schedule the feature to run automatically and communicate with the Azure application according to the configuration of the Azure portal.

Prerequisites

  1. Set up Microsoft Entra ID Connect if you have Hybrid Azure AD joined devices. Refer to the Microsoft tool to identify the state of your devices.

  2. Register a new application in your Azure portal.

    • During the registration process, ensure you select the Single tenant option.

    • For the Redirect URI, use the drop-down list to select Web.

    • When asked for application permissions, select User.Read.All.

Check Microsoft documentation on how to install and configure Microsoft Entra ID Connect.

Configuring the Nexthink web interface

To set up an Entra ID connector using the Nexthink web interface:

  1. Access Administration > Inbound connectors from the main menu.

  2. Choose the Entra ID (Azure AD) option from the Inbound connectors page.

  3. Click on the New connector button in the top-right corner of the page.

  4. Fill in the fields under the General tab following the in-product documentation in the right-side menu of the Nexthink web interface.

You can configure more than one Entra ID connector with different settings.

Field Mapping

After configuring the General tab on the selected Entra ID connector page, map Nexthink user fields to their corresponding Entra ID properties:

  1. Click the Field mapping tab from the selected Entra ID connector page.

  2. Type in the exact name of the desired Entra ID property in the text input field under Common.

  3. In addition, use Add custom field mapping to quickly map Entra ID properties using expandable drop-downs with suggested items: created user-type custom fields and Entra ID properties.

    • You can still type in any Entra ID property not suggested by the expandable drop-down.

Field mapping table

The table below is an example of mapping common Nexthink fields and Entra ID properties by typing the property names directly in the Nexthink web interface. Consider the following:

  • Entra ID property names are case-sensitive.

  • Text input boxes for Entra ID properties let you control field mapping. For instance, you can have the Distinguished name field populated with the employeeId property.

| Nexthink Field | Entra ID Field | Description |
| --- | --- | --- |
| Distinguished name | onPremisesDistinguishedName | Employee's name as displayed in the address book |
| Name | userPrincipalName | Employee's user principal name |
| Full name | displayName | Employee's name as displayed in the address book |
| Email | mail | Employee's email address |
| Department | department | Name of the employee’s department |
| Job title | jobTitle | Employee's job title |
| Location/Office | officeLocation | Name of the employee’s office location |
| Locality name/City | city | Office location - city |
| Country code | postalCode | Office location - postal code |
| Organizational unit name | streetAddress | Office location - street address |

If you use the Enrichment API to enrich AD fields—Distinguished name, Email, or others—ensure you do not map the same fields here to avoid overridden values.

Mapping extended properties

Entra ID allows you to extend data using Microsoft Graph extensions and map extended properties with the Entra ID connector. The Nexthink field allows you to map existing data within the Microsoft Graph object using extensions.

There are 4 types of extensions:

Extension Attributes

The table below shows an example of how to map existing data from extension attributes using the onPremisesExtensionAttributes property.

| Microsoft Graph Example | Nexthink Field | Result |
| --- | --- | --- |
| "onPremisesExtensionAttributes": { "extensionAttribute1": "value1", ..., "extensionAttribute15": "value15" } | onPremisesExtensionAttributes.extensionAttribute3 | value3 |

Microsoft Entra ID supports up to 15 extension attributes.

The connector for Microsoft Entra ID also supports accessing specific values within any structured or complex property. For example, you can retrieve the costCenter of the employeeOrgData property, or a given entry of disabledPlans from the assignedLicenses property.

| Microsoft Graph Example | Nexthink Field | Result |
| --- | --- | --- |
| "employeeOrgData": { "division": "valueDiv", "costCenter": "valueCost" } | employeeOrgData.costCenter | valueCost |
| "assignedLicenses": [ { "disabledPlans": [], "skuId": "a403..." }, { "disabledPlans": [ "57a0...", "3634..." ], "skuId": "bc94..." } ] | assignedLicenses[1].disabledPlans[0] | 57a0... |

Directory Extensions

For Directory extensions, use the following naming convention:

Format -> extension_<client_id>_<name>

When defining the mapping, specify the extension name and client_id.

The table below shows examples of how to retrieve existing data in the directory extensions.

| Microsoft Graph Example | Nexthink Field | Result |
| --- | --- | --- |
| "extension_d99f..._arrayDirExt": [ "value1", "value2" ] | extension_d99f..._arrayDirExt[1] | value2 |
| "extension_d99f..._stringDirExt": "test_value" | extension_d99f..._stringDirExt | test_value |

Schema Extensions

For Schema extensions, use the following naming convention:

  • Format -> ext<8_random_alphanumeric_chars>_<name>

  • If the company owns a domain: Format -> <domain_name>_<name>

The examples below show how to map existing data in the schema extension.

| Microsoft Graph Example | Nexthink Field | Result |
| --- | --- | --- |
| "extoi9fq37m_userInfoSchemaExt": { "workAnniversary": "2024-01-11T07:44:28Z", "feetSize": 42 } | extoi9fq37m_userInfoSchemaExt.workAnniversary | 2024-01-11T07:44:28Z |
| "mydomain_userInfoSchemaExt": { "workAnniversary": "2024-01-11T07:44:28Z", "feetSize": 42 } | mydomain_userInfoSchemaExt.feetSize | 42 |

Open Extensions

Open extension names do not follow any naming convention. When defining the mapping, add openExtension before the extension ID.

The example below shows how to map existing data in the open extension.

| Microsoft Graph Example | Nexthink Field | Result |
| --- | --- | --- |
| "extensions": [ { "hairColor": "blond", "feetSize": 42, "isRemoteWorker": true, "id": "personalDetailsOpenExt" } ] | openExtension.personalDetailsOpenExt.hairColor | blond |

For all previous extensions (extension attributes, directory, schema, or open extensions), the full extension object can be retrieved using the extension name without adding any specific key or element to the mapping.

For instance, the example below shows how to retrieve the full personalDetailsOpenExt open extension object.

| Microsoft Graph Example | Nexthink Field | Result |
| --- | --- | --- |
| "extensions": [ { "hairColor": "blond", "feetSize": 42, "isRemoteWorker": true, "id": "personalDetailsOpenExt" } ] | openExtension.personalDetailsOpenExt | { "hairColor": "blond", "feetSize": 42, "isRemoteWorker": true, "id": "personalDetailsOpenExt" } |
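The mapping paths in the tables above combine dotted keys, [n] list indexes and an openExtension.<id> prefix. The Python sketch below is an added example, not Nexthink's code: it resolves such a path against an exported Microsoft Graph user object so that a mapping can be checked for typos, wrong case or a bad index before it is saved. The names resolve and SAMPLE_USER, and the rendering of non-string values as JSON text, are assumptions of this example.

```python
import json
import re

# One path step: a case-sensitive key, optionally followed by [n] list indexes.
STEP = re.compile(r"^([^\[\].]+)((?:\[\d+\])*)$")

def resolve(user, path):
    """Return the value `path` selects from a Graph user dict as a string,
    or None when the path does not resolve (typo, wrong case, bad index)."""
    steps = path.split(".")
    node = user
    if steps[0] == "openExtension":
        # openExtension.<id>: select the entry of "extensions" with that id.
        wanted = steps[1] if len(steps) > 1 else None
        node = next((e for e in user.get("extensions", [])
                     if isinstance(e, dict) and e.get("id") == wanted), None)
        if node is None:
            return None
        steps = steps[2:]
    for step in steps:
        m = STEP.match(step)
        if not m or not isinstance(node, dict) or m.group(1) not in node:
            return None
        node = node[m.group(1)]
        for idx in re.findall(r"\d+", m.group(2)):
            if not isinstance(node, list) or int(idx) >= len(node):
                return None
            node = node[int(idx)]
    # Assumption of this example: non-string values are rendered as JSON text.
    return node if isinstance(node, str) else json.dumps(node)

# Constructed sample assembled from the fragments shown in the tables above.
SAMPLE_USER = {
    "employeeOrgData": {"division": "valueDiv", "costCenter": "valueCost"},
    "assignedLicenses": [
        {"disabledPlans": [], "skuId": "a403..."},
        {"disabledPlans": ["57a0...", "3634..."], "skuId": "bc94..."},
    ],
    "extoi9fq37m_userInfoSchemaExt": {"workAnniversary": "2024-01-11T07:44:28Z", "feetSize": 42},
    "extensions": [{"hairColor": "blond", "feetSize": 42,
                    "isRemoteWorker": True, "id": "personalDetailsOpenExt"}],
}

if __name__ == "__main__":
    for p in ("employeeOrgData.costCenter", "employeeOrgData.costcenter",
              "assignedLicenses[1].disabledPlans[0]", "openExtension.personalDetailsOpenExt"):
        print(p, "->", resolve(SAMPLE_USER, p))
```

A None result for employeeOrgData.costcenter reflects the case-sensitivity of Entra ID property names noted earlier on this page.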

F.A.Q.

What is the connector for Entra ID used for?

  1. To enrich Nexthink user data from Entra ID in order to enhance user visualization.

  2. To enrich Nexthink user data in order to identify users for other import connectors:

    • Connector for Microsoft Teams for hybrid configurations using the SID value

    • Connector for Zoom using the email value

How do we troubleshoot the connector for Entra ID?

Currently, the only way to troubleshoot issues with the connector for Entra ID is to reach out to Nexthink support.

Can I map any property from Entra ID?

As long as the property exists in Entra ID, it can be mapped in Nexthink Infinity. If you leave the Nexthink field blank, it will not be enriched, and a dash ( - ) appears in the NQL query results.

Can I apply transformations to the imported fields from Entra ID?

All fields are transformed into strings by default, therefore the system cannot apply transformations at this point.

Are there any fields that cannot be mapped?

There are two Entra ID properties imported into Nexthink user fields whose mapping cannot be modified. These properties are onPremisesSecurityIdentifier and id.

Since the system uses these fields for identification purposes on connectors for Microsoft Teams and Zoom, users are not allowed to map them to other properties in Entra ID.

What if I need to retroactively remove email addresses (or any other field) because of GDPR?

To retroactively remove mapped email addresses (or any other field), add [deleteMe] in the corresponding Entra ID field box and save the connector.
