See the supported connectors for Application Integration.

Azure AD trigger

The Azure AD trigger is a Connector Event trigger that lets you invoke an integration based on the Azure AD events that you've subscribed to in your Azure AD connection.

Before you begin

If you plan to create or configure a new connection for the Azure AD trigger, make sure that you have the following IAM role on the project:

  • Connector Admin (roles/connectors.admin)

    • For information about granting roles, see Manage access.

Grant the following IAM roles to the service account that you want to use for the Azure AD trigger:

  • Application Integration Invoker (roles/integrations.integrationInvoker)

    • For information about granting roles to a service account, see Manage access to service accounts.

Add the Azure AD trigger

To add a Azure AD trigger to your integration, perform the following steps:

  1. In the Google Cloud console, go to the Application Integration page.

    Go to Application Integration

  2. In the navigation menu, click Integrations

    The Integrations List page appears listing all the integrations available in the Google Cloud project.

  3. Select an existing integration or click Create integration to create a new one.

    If you are creating a new integration:

    1. Enter a name and description in the Create Integration pane.
    2. Select a region for the integration.
    3. Select a service account for the integration. You can change or update the service account details of an integration any time from the Integration summary pane in the integration toolbar.
    4. Click Create.

    This opens the integration in the integration editor.

  4. In the integration editor navigation bar, click Triggers to view the list of available triggers.
  5. Click and place the Azure AD trigger element in the integration editor.

    6. To configure the Azure AD trigger, you can either use an existing Azure AD connection available in Integration Connectors, or create a new Azure AD connection using the inline connection creation option.

Configure Azure AD trigger using an existing connection

You can configure the Azure AD trigger using an existing Azure AD connection in Integration Connectors. Note that the Azure AD trigger is an Connector Event trigger, therefore you can only use an Azure AD connection with event subscription enabled to configure the trigger.

For information about how to configure a Azure AD trigger using a new Azure AD connection, See Configure Azure AD trigger using a new connection

To configure a Azure AD trigger using an existing Azure AD connection, perform the following steps:

  1. Click the Azure AD trigger element in the integration editor to open the trigger configuration pane.
  2. Click Configure trigger.
  3. Provide the following configuration details in the Connector Event Trigger Editor page:
    1. Region: Select the region of your Azure AD connection.
    2. Connection: Select the Azure AD connection that you want to use.

      Application Integration only displays those Azure AD connections that are active and have an event subscription enabled.

    3. Event subscription type: Select the type of event subscription that triggers the integration. For information about the supported event subscription types for this trigger, see Supported event subscription types.
    4. Service Account: Select a service account with the required IAM roles for the Azure AD trigger.
  4. Click Done to complete the trigger configuration and close the page.

Configure Azure AD trigger using a new connection

To configure the Azure AD trigger using a new Azure AD connection, perform the following steps:

  1. Click the Azure AD trigger element in the integration editor to open the trigger configuration pane.
  2. Click Configure trigger.
  3. Skip the Region field.
  4. Click Connection and select the Create Connection option from the drop-down menu.
  5. Complete the following steps in the Create Connection pane:
    1. In the Location step, choose the location for the new Azure AD connection:
      1. Region: Select a region from the drop-down list.
      2. Click Next.
    2. In the Connection Details step, provide details about the new Azure AD connection:
      1. Connector version: Choose an available version of the Azure AD connector from the drop-down list.
      2. Connection Name: Enter a name for the Azure AD connection.
      3. (Optional) Description: Enter a description for the connection.
      4. (Optional) Enable Cloud Logging: Select this checkbox to store all log data of the connection.
      5. Service Account: Select a service account with the required IAM roles for the Azure AD connection.
      6. Enable event subscription: Select to create and enable a new event subscription for the Azure AD connection. You can either enable only event subscriptions or also include connection entities, operations, and actions.
      7. (Optional) Expand Advanced settings to configure the connection node settings.

        For more information about the connection node settings for Azure AD, see the Azure AD connection documentation.

      8. (Optional) Click + Add label to add a label to the connection in the form of a key-value pair.
      9. Click Next.
    3. In the Destinations step, provide the Azure AD instance details:
      1. Destination Type: Select Host address.
      2. Host: Enter the hostname or IP address of your Azure AD instance.
      3. Click Next.
    4. In the Authentication step, provide the authentication details for the Azure AD instance:
      1. Select your desired authentication type and enter the relevant details.

        To understand how to configure these authentication types, see Configure authentication.

      2. Click Next.
    5. In the Event subscription details step, provide details of the Azure AD instance where the event subscriptions will be created.
      1. Client ID: The client ID used for requesting access tokens.
      2. Client secret: The client secret used for requesting access tokens.
      3. Secret version: Select a secret version.
      4. Client state: The Secret Manager Secret containing the client state. This is used for change notifications authentication.
      5. Azure Tenant: The Microsoft Online tenant being used to access data. If you don't specify a tenant, your default tenant is used.
      6. Optionally, select Enable data enrichment if you want additional information to be appended to the backend system's response.

        The additional information is specific to the entity for which you have configured the event. For more information, see Data enrichment in event notifications.

    6. Select Enable private connectivity for secured connectivity between your backend application and your connection. If you select this option, you must perform additional configuration steps after creating the connection. For more information, see Private connectivity for event subscription.
    7. Enter the dead-letter configuration. If you configure dead-letter, the connection writes the unprocessed events to the specified Pub/Sub topic. Enter the following details:
      1. Dead-letter project ID: The Google Cloud project ID where you have configured the dead-letter Pub/Sub topic.
      2. Dead-letter topic: The Pub/Sub topic where you want to write the details of the unprocessed event.
    8. If you want to use a proxy to connect to your backend (for event subscription), enter the following details:
      1. Proxy SSL Type: The SSL type to use when connecting to the proxy server. Select any of the following authentication types:
        • Always: The connection is always SSL enabled for event subscription.
        • Never: The connection is not SSL enabled for event subscription.
      2. Proxy Auth Scheme: Select the authentication type to authenticate with the proxy server. The following authentication types are supported:
        • Basic: Basic HTTP authentication.
      3. Proxy User: Enter the user name to be used to authenticate with the proxy server.
      4. Proxy Password: Select the Secret Manager secret of the user's password.
      5. Secret version: Select the secret version.
      6. In the Proxy Server section, enter details of the proxy server.
        1. Click + Add destination, and then select the Destination Type as Host address.
        2. Enter the proxy server's hostname or IP address, and the proxy server's port number.
    9. Click Next.
  6. Review: Review the provided Azure AD connection details.
  7. Click Create to complete creating a new Azure AD connection.
  8. Event type ID: Select the type of event subscription that triggers the integration. For information about the supported event subscription types for this trigger, see Supported event subscription types.
  9. Click Done and close the page.

Trigger output

The Azure AD trigger takes a couple of minutes to complete the event subscription configuration. You can view the status of your event subscription in the trigger configuration pane under Event Subscription details.

The Azure AD trigger indicates the status of an event subscription using the following states:

  • Creating: Indicates that the trigger is subscribing to the event subscription.
  • Active: Indicates that the trigger is successfully subscribed to an event subscription.
  • Error: Indicates that the there is an issue with the configured event subscription.

In addition to the event subscription status, the Event Subscription details section also displays other details such as connection region, connection name, event subscription name, and more.

Trigger output variable

For each event, the Azure AD trigger generates a ConnectorEventPayload output variable which you can use in your downstream tasks. The output variable is in JSON format containing the output Azure AD payload schema.

Example 1: Output payload for the Azure AD event: User updated

  {
    "type": "object",
    "properties": {
      "changeType": {
        "type": "string"
      },
      "clientState": {
        "type": "string"
      },
      "resource": {
        "type": "string"
      },
      "resourceData": {
        "type": "object",
        "properties": {}
      },
      "subscriptionExpirationDateTime": {
        "type": "string"
      },
      "subscriptionId": {
        "type": "string"
      },
      "tenantId": {
        "type": "string"
      }
    }
  }

Example 2: Data enriched output payload for the Azure AD event: User updated

    {
      "type": "object",
      "properties": {
        "changeType": {
          "type": "string"
        },
        "clientState": {
          "type": "string"
        },
        "context-data": {
          "type": "object",
          "properties": {}
        },
        "resource": {
          "type": "string"
        },
        "resourceData": {
          "type": "object",
          "properties": {}
        },
        "subscriptionExpirationDateTime": {
          "type": "string"
        },
        "subscriptionId": {
          "type": "string"
        },
        "tenantId": {
          "type": "string"
        }
      }
    }

The context-data field contains enriched data about the entity.

View event subscriptions

To view and manage all the event subscriptions associated with a connection in Integration Connectors, do the following:

  1. Go to Integration Connectors > Connections page.

    Go to the Connections page

  2. Click the connection for which you want to view the subscriptions.
  3. Click the Event subscriptions tab.

    This displays all the event subscriptions for the connection.

Edit Azure AD trigger

You can edit a Azure AD trigger to change or update the connection configuration and event subscription details.

To edit an Azure AD trigger, perform the following steps:

  1. Click the Azure AD trigger element in the integration editor to open the trigger configuration pane.
  2. Click Configure Azure AD trigger.
  3. Do the following in the Connector Event Trigger Editor page:
    1. To retain the previously configured event subscription, click Retain, else click Delete.
    2. Update the connection configuration and event subscription details as desired.
    3. Click Done.

    4. You can view the updated connection and event subscription details in the trigger configuration pane under Event Subscription details.

Supported event subscription types

You can use the Azure AD trigger to invoke an integration for the following event subscription types:

Event subscription types Description
Userprofiles A user is added, deleted, updated or permanently deleted.
Users.updated A user is created, updated or soft-deleted. Creation and deletion of users triggers an updated event type.
Users.deleted A user is permanently deleted.

Quotas and limits

For information about quotas and limits, see Quotas and limits.

What's next