The info on this page applies to Grouper v4 and above.
For Azure provisioning in Grouper versions before Grouper 2.6, see this page.
Grouper versioning information is here.


  • Movie:  Grouper provisioning framework Azure demo (v2.6.15):
  • Config ( from version 2.6.15).  Note, you should configure this in the provisioning configuration wizard.

    grouper.azureConnector.myAzure.clientId = 7e590d54-d6af-4b07-b2aXXXXXXX
    grouper.azureConnector.myAzure.clientSecret = *******
    grouper.azureConnector.myAzure.graphEndpoint =
    grouper.azureConnector.myAzure.graphVersion = beta
    grouper.azureConnector.myAzure.loginEndpoint =
    grouper.azureConnector.myAzure.resource =
    grouper.azureConnector.myAzure.resourceEndpoint =
    grouper.azureConnector.myAzure.tenantId = 5e7fa4df-8d24-4c33-bdaXXXXXXXXXXX
    changeLog.consumer.provisioner_incremental_azureProvisioner.class = edu.internet2.middleware.grouper.changeLog.esb.consumer.EsbConsumer
    changeLog.consumer.provisioner_incremental_azureProvisioner.provisionerConfigId = azureProvisioner
    changeLog.consumer.provisioner_incremental_azureProvisioner.publisher.class =
    changeLog.consumer.provisioner_incremental_azureProvisioner.publisher.debug = false
    changeLog.consumer.provisioner_incremental_azureProvisioner.quartzCron = 0 * * * * ?
    otherJob.provisioner_full_azureProvisioner.class =
    otherJob.provisioner_full_azureProvisioner.provisionerConfigId = azureProvisioner
    otherJob.provisioner_full_azureProvisioner.quartzCron = 0 36 6 * * ?
    provisioner.azureProvisioner.addDisabledFullSyncDaemon = true
    provisioner.azureProvisioner.addDisabledIncrementalSyncDaemon = true
    provisioner.azureProvisioner.azureExternalSystemConfigId = myAzure
    provisioner.azureProvisioner.azureGroupType = true
    provisioner.azureProvisioner.class =
    provisioner.azureProvisioner.entityAttributeValueCache0entityAttribute = id
    provisioner.azureProvisioner.entityAttributeValueCache0has = true
    provisioner.azureProvisioner.entityAttributeValueCache0source = target
    provisioner.azureProvisioner.entityAttributeValueCache0type = entityAttribute
    provisioner.azureProvisioner.entityAttributeValueCacheHas = true
    provisioner.azureProvisioner.entityMatchingAttribute0name = userPrincipalName
    provisioner.azureProvisioner.entityMatchingAttributeCount = 1
    provisioner.azureProvisioner.groupAttributeValueCache0groupAttribute = id
    provisioner.azureProvisioner.groupAttributeValueCache0has = true
    provisioner.azureProvisioner.groupAttributeValueCache0source = target
    provisioner.azureProvisioner.groupAttributeValueCache0type = groupAttribute
    provisioner.azureProvisioner.groupAttributeValueCacheHas = true
    provisioner.azureProvisioner.groupMatchingAttribute0name = displayName
    provisioner.azureProvisioner.groupMatchingAttributeCount = 1
    provisioner.azureProvisioner.hasTargetEntityLink = true
    provisioner.azureProvisioner.hasTargetGroupLink = true
    provisioner.azureProvisioner.logAllObjectsVerbose = true
    provisioner.azureProvisioner.logCommandsAlways = true
    provisioner.azureProvisioner.numberOfEntityAttributes = 2
    provisioner.azureProvisioner.numberOfGroupAttributes = 3
    provisioner.azureProvisioner.operateOnGrouperEntities = true
    provisioner.azureProvisioner.operateOnGrouperGroups = true
    provisioner.azureProvisioner.operateOnGrouperMemberships = true
    provisioner.azureProvisioner.provisioningType = membershipObjects
    provisioner.azureProvisioner.selectAllEntities = true
    provisioner.azureProvisioner.showAdvanced = true
    provisioner.azureProvisioner.startWith = this is start with read only
    provisioner.azureProvisioner.subjectSourcesToProvision = jdbc = id = userPrincipalName
    provisioner.azureProvisioner.targetEntityAttribute.1.translateExpression = ${ grouperProvisioningEntity.subjectId + '' }
    provisioner.azureProvisioner.targetEntityAttribute.1.translateExpressionType = translationScript
    provisioner.azureProvisioner.targetGroupAttribute.0.insert = false = id
    provisioner.azureProvisioner.targetGroupAttribute.0.showAdvancedAttribute = true
    provisioner.azureProvisioner.targetGroupAttribute.0.showAttributeCrud = true
    provisioner.azureProvisioner.targetGroupAttribute.0.update = false = displayName
    provisioner.azureProvisioner.targetGroupAttribute.1.translateExpressionType = grouperProvisioningGroupField
    provisioner.azureProvisioner.targetGroupAttribute.1.translateFromGrouperProvisioningGroupField = extension = mailNickname
    provisioner.azureProvisioner.targetGroupAttribute.2.translateExpressionType = grouperProvisioningGroupField
    provisioner.azureProvisioner.targetGroupAttribute.2.translateFromGrouperProvisioningGroupField = extension

External system for local testing

grouper.azureConnector.myAzure.clientId = 51e6dc4f-a85d-41c7-9569-8ac1b3159801
grouper.azureConnector.myAzure.clientSecret = *******
grouper.azureConnector.myAzure.graphEndpoint =
grouper.azureConnector.myAzure.graphVersion = beta
grouper.azureConnector.myAzure.groupLookupAttribute = displayName
grouper.azureConnector.myAzure.groupLookupValueFormat = ${group.getName()}
grouper.azureConnector.myAzure.loginEndpoint =
grouper.azureConnector.myAzure.resource =
grouper.azureConnector.myAzure.resourceEndpoint =
grouper.azureConnector.myAzure.tenantId = 455754be-3a2b-40c9-acef-c425a92d7276

Provisioning fields and attributes

idfielduuid from Azure
displayNamefieldgroup name in Azure

Azure group types


Grouper development team testing

Set this in (or set env var: GROUPER_MOCK_SERVICES=true) = true

test config

grouper.azureConnector.azureTest.clientId = fd805xxxxdfb
grouper.azureConnector.azureTest.clientSecret = *******
grouper.azureConnector.azureTest.graphEndpoint =
grouper.azureConnector.azureTest.graphVersion = v1.0
grouper.azureConnector.azureTest.loginEndpoint = http://localhost:8400/grouper/mockServices/azure/auth/
grouper.azureConnector.azureTest.resource =
grouper.azureConnector.azureTest.resourceEndpoint = http://localhost:8400/grouper/mockServices/azure/
grouper.azureConnector.azureTest.tenantId = 6c4dxxx0d

Set up Azure

  1. Sign up with Azure
  2. On the left menu, go to Azure Active Directory
  3. Create a new app registration
    1. Select: Who can use this app: Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)
  4. After the app is registered, click on API Permissions and give Microsoft graph access
    1. Give full permissions for Directory, Group, User, and GroupMember
    2. Grant admin consent for default directory
    3. Check with the token, should see
    4. Permissions look like this.  Note you can clamp down these permissions as needed

    5. From basic testing, if using read-only entities, the following Admin consent permissions seems to work (should not need any User consent grants):

    6. For even tight permissions, see below for setting the Grouper service account as the owner for new groups
  5. On the left, under Certificates and Secrets, create a new secret
  6. When testing using Postman, you will only need the secret value to get access token which will be used to call the graph API
  7. To get an access token, make a POST call to (id is the directory tenant id)
  8. Under form data send these four key values. client_id = clientId, scope =, client_secret = clientSecret, grant_type=client_credentials
    1. Content-type: application/x-www-form-urlencoded
    2. Post body looks like this:


    3. Configure external system in = aea2eb2a-bc4f-4ae5-a315-38XXXXX = ewC8Q~yXXXXX = = beta = = = = 5e7fa4df-8d24XXXXXXX

  9. The client id is the Application (client) ID next to Directory tenant id on the Overview page of the app.
  10. The response from the above POST call will give you an access token in the body which we will use to access graph APIs like
  11. For the above request, send Authorization header with value Bearer <access token>

Add Microsoft certificate for graph apis

  1. Go to in your browser and download the certificate by clicking on the padlock sign in the address bar.
  2. Find out the path to the security directory inside the jre. e.g. /Library/Java/JavaVirtualMachines/jdk1.8.0_65.jdk/Contents/Home/jre/lib/security
  3. From the terminal run "sudo keytool -import -alias microsoft.graph -keystore cacerts -file ~/

  4. For the password enter: changeit

Setting the Grouper service account as the owner of new groups (to reduce Azure privileges) v4.2.0+

If the service account Grouper uses for Graph API calls can be set as the owner of a managed group, the Azure application no longer needs the privileges to update all groups and memberships. It only needs the Group.Create privilege to create a new group, Group.Read.All to find groups to match with Grouper, and User.Read.All to resolve target entities. While there is an option in the Azure provisioner to set the groupOwner attribute with one or more entities, the ability to add non-users (i.e. service accounts) is only available  v4.2.0.

The "groupOwners" attribute is normally expected to be a Grouper subject ID or identifier used for search/match to resolve to an Azure object URL. But this lookup always uses the /users api endpoint, which means the service account can't be added this way. Since v4.2.0, an already-resolved URL can be entered in this field, and this URL can be either for a user or a service account. There are two ways to specify the account.



where {id} is the "Object ID" for the object in the Enterprise Applications page (it's not the App registrations page, but you can get to it from there by clicking "Managed application in local directory"). The {appId} is the application ID, also called the client ID, and is easier to find, being on the Enterprise applications page, the App registrations page, and various other pages when you look at the service account details. The appId is also the "Client ID" value in the external system configuration for Azure.

Azure Enterprise application properties

  • No labels