Configuring Microsoft Entra ID

You can configure Microsoft Entra ID as a directory in Confluence. All changes to your users, groups, and memberships will be synced between Microsoft Entra ID and Confluence periodically, or whenever you request it. You'll be able to view information about your users directly in Confluence by using the User browser and Group browser.

Before you begin

Before you configure your Microsoft Entra ID, you should know about the following restrictions:

  • In Microsoft Entra ID, you can have multiple groups with the same name (displayName) but this isn't supported in Confluence and results in a failing synchronization. Make sure you change your Microsoft Entra ID group names to unique ones.

  • Confluence doesn't support multi-factor authentication. You'll need to disable it for your users in Microsoft Entra ID, or they won't be able to log in to Confluence or any integrated applications. 

  • If you need to make any changes to your users, make them directly in Microsoft Entra ID. You can't edit your Microsoft Entra ID users in Confluence.
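A pre-flight check for the duplicate group name restriction above, as an added example that is not part of the original page or Atlassian's tooling. It assumes you have exported your groups as Microsoft Graph `GET /groups?$select=id,displayName` response pages; the sample pages, IDs, and the function name `find_duplicate_group_names` are constructed for illustration.

```python
from collections import defaultdict

# Constructed pages shaped like Microsoft Graph GET /groups?$select=id,displayName
# responses; the ids, names and skiptoken are made up for this example.
SAMPLE_PAGES = [
    {"@odata.nextLink": "https://graph.microsoft.com/v1.0/groups?$skiptoken=X",
     "value": [
         {"id": "11111111-0000-0000-0000-000000000001", "displayName": "confluence-users"},
         {"id": "11111111-0000-0000-0000-000000000002", "displayName": "Engineering"},
     ]},
    {"value": [
        {"id": "11111111-0000-0000-0000-000000000003", "displayName": "engineering"},
        {"id": "11111111-0000-0000-0000-000000000004", "displayName": "Finance"},
        {"id": "11111111-0000-0000-0000-000000000005", "displayName": "Engineering"},
    ]},
]


def find_duplicate_group_names(pages, case_sensitive=True):
    """Return {displayName: [group ids]} for names shared by two or more groups.

    case_sensitive=False also flags names that differ only by case. Whether
    Confluence treats those as a clash is an assumption, not stated on the page.
    """
    ids_by_name = defaultdict(list)
    for page in pages:
        for group in page.get("value", []):
            name = group.get("displayName") or ""
            key = name if case_sensitive else name.casefold()
            ids_by_name[key].append(group["id"])
    return {name: sorted(ids) for name, ids in ids_by_name.items() if len(ids) > 1}


if __name__ == "__main__":
    duplicates = find_duplicate_group_names(SAMPLE_PAGES, case_sensitive=False)
    for name, ids in duplicates.items():
        print(f"duplicate displayName {name!r}: rename all but one of {ids}")
```
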

Configuring Microsoft Entra ID

To configure Microsoft Entra ID, you’ll need to create two applications in your Microsoft Azure portal, and then use them to add Microsoft Entra ID to Confluence.

1. In Microsoft Entra ID web application:

1. Create a web application to allow Confluence to communicate with Microsoft Entra ID:

  1. Log in to your Microsoft Azure portal.

  2. Go to Microsoft Entra ID, then select App registrations.

  3. Create a new application registration with the following details:

    • Application type: Web (Option is available under Redirect URI sub-section)

    • Sign-on URL: <Confluence's base URL>

      Where can I find my Confluence's URL?

      In Confluence, go to the Administration menu, then select General configuration, and check the value of Server Base URL.

After the application is created, note down the Application (client) ID assigned to it. You will need it later on to configure the integration in Confluence.

2. Configure permissions for the web application to allow Confluence to read data from Microsoft Entra ID:

  1. In your web application, select API permissions.

  2. In the API permissions section, select Add a permission.

  3. Under Microsoft APIs, select Microsoft Graph, and then select Application permissions for the type of permissions required for this application.

  4. Add the following permission:

    • Directory.Read.All

  5. Select Add permissions and then, under the Grant consent section, select Grant admin consent.

  6. Select Yes and confirm.

3. Create a key for the web application. Confluence will use this key to authenticate to Microsoft Entra ID:

  1. Select your web application.

  2. In the Certificates & secrets section, select New client secret.

  3. Choose a description and an expiry date for your key, then save it. 

    Keep in mind that when the key expires and you don't replace it, Confluence won't be able to communicate with Microsoft Entra ID.

  4. Copy and store the key value.

    You won't be able to view it after navigating away from the key settings.
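Because an expired key silently stops Confluence from communicating with Microsoft Entra ID, it helps to monitor the expiry date you chose. The following is an added example, not part of the original page: it reads the `passwordCredentials` list of a Microsoft Graph application object and classifies each client secret. The sample object, the 30-day warning window, and the function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed fragment shaped like a Microsoft Graph application object
# (GET /applications/{object id}); keyIds, names and dates are made up.
SAMPLE_WEB_APP = {
    "displayName": "confluence-directory-sync",
    "passwordCredentials": [
        {"keyId": "aaaaaaaa-0000-0000-0000-000000000001",
         "displayName": "confluence-2023", "endDateTime": "2024-03-01T00:00:00Z"},
        {"keyId": "aaaaaaaa-0000-0000-0000-000000000002",
         "displayName": "confluence-2024", "endDateTime": "2024-11-20T09:30:00.1234567Z"},
        {"keyId": "aaaaaaaa-0000-0000-0000-000000000003",
         "displayName": "confluence-2025", "endDateTime": "2026-01-15T00:00:00Z"},
    ],
}


def parse_graph_time(value):
    """Parse a Graph UTC timestamp, ignoring any fractional seconds."""
    parsed = datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S")
    return parsed.replace(tzinfo=timezone.utc)


def secret_report(app, now, warn_days=30):
    """Return (name, status, whole days left) per client secret, soonest first."""
    rows = []
    for cred in app.get("passwordCredentials", []):
        end = parse_graph_time(cred["endDateTime"])
        days_left = (end - now) // timedelta(days=1)
        if end <= now:
            status = "expired"
        elif end - now <= timedelta(days=warn_days):
            status = "expiring"  # rotate the key and update it in Confluence
        else:
            status = "ok"
        rows.append((cred.get("displayName") or cred["keyId"], status, days_left))
    return sorted(rows, key=lambda row: row[2])


if __name__ == "__main__":
    for name, status, days in secret_report(SAMPLE_WEB_APP, datetime.now(timezone.utc)):
        print(f"{status:9} {days:6d} days  {name}")
```
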

2. In Microsoft Entra ID native application:

4. Create a native application that will be used by Confluence to validate user credentials:

  1. Go to App registrations, and create a new application registration with the following details:

    • Type: Native (Option is available under Redirect URI sub-section)

    • Redirect URL: <Confluence's base URL>

Note down the Application ID assigned to it. You will need it later on to configure the integration in Confluence.

5. Configure permissions for the native application to allow Confluence to validate user credentials:

  1. Select your native application, and then API permissions.

  2. Under the Grant consent section, select Grant admin consent.

  3. Select Yes and confirm.

6. Configure manifest for the native application to allow Confluence to validate user credentials:

  1. Select your native application, and then Manifest.

  2. In the manifest editor, set the allowPublicClient property to true.

  3. In the bar above the manifest editor, select Save.

7. Get the Tenant ID to configure the integration in Confluence:

  1. Go to the main Microsoft Entra ID blade.

  2. Select Properties.
    Note down the Directory ID. This is the Tenant ID you will need later on to configure the integration in Confluence.
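To confirm that both registrations match the steps above and request nothing more, you can check their manifests offline. This is an added example, not part of the original page: it compares `requiredResourceAccess` on the web application against the single Directory.Read.All application permission and checks `allowPublicClient` on the native application. The two GUID constants are Microsoft Graph's published identifiers; the sample manifests and function names are constructed.

```python
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph
DIRECTORY_READ_ALL_ROLE = "7ab1d382-f21e-4acd-a863-ba3e13f7da61"  # Directory.Read.All (application)

# Constructed manifests; only the fields this check reads are included.
WEB_APP = {
    "requiredResourceAccess": [
        {"resourceAppId": GRAPH_APP_ID, "resourceAccess": [
            {"id": DIRECTORY_READ_ALL_ROLE, "type": "Role"},
            # Constructed extra permission that the steps above never ask for.
            {"id": "99999999-0000-0000-0000-000000000009", "type": "Role"},
        ]},
    ],
}
NATIVE_APP = {"allowPublicClient": None, "requiredResourceAccess": []}


def audit_web_app(manifest):
    """List requested permissions that differ from Directory.Read.All only.

    requiredResourceAccess shows what the app requests, not what has been
    consented; extras are reported for review, not as errors.
    """
    requested = {
        (res["resourceAppId"], acc["id"], acc["type"])
        for res in manifest.get("requiredResourceAccess", [])
        for acc in res.get("resourceAccess", [])
    }
    expected = (GRAPH_APP_ID, DIRECTORY_READ_ALL_ROLE, "Role")
    findings = []
    if expected not in requested:
        findings.append("missing application permission Directory.Read.All")
    for app_id, perm_id, kind in sorted(requested - {expected}):
        findings.append(f"review extra {kind} permission {perm_id} on resource {app_id}")
    return findings


def audit_native_app(manifest):
    """Step 6 above sets allowPublicClient to true on the native application."""
    if manifest.get("allowPublicClient") is not True:
        return ["allowPublicClient is not set to true"]
    return []


if __name__ == "__main__":
    for finding in audit_web_app(WEB_APP) + audit_native_app(NATIVE_APP):
        print(finding)
```
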

3. Steps in Confluence:

8. Add Microsoft Entra ID to Confluence:

  1. From the Administration menu, select General configuration, and then User directories.

  2. Select Add directory, then select Microsoft Entra ID.

  3. Fill out the required fields.
    You will need to specify the Tenant ID, Web application ID, Web application key and Native application ID that you received when you configured Microsoft Entra ID.

  4. If you're integrating with a Microsoft Entra ID region that uses alternative API URLs (for example Azure Germany), you can pick the region from the Region dropdown.
    If your region isn't listed, you can pick Custom, and enter the appropriate API URLs manually.

  5. (optional) In the Group filtering section, instead of adding the whole user directory to Confluence, you can choose specific groups from Microsoft Entra ID. Only members of these groups will be added to Confluence. 

  6. (optional) Modify the default synchronization settings to match your needs.

    If you select the Enable group filtering and Enable nested groups checkboxes, the Synchronize group memberships when logging setting is automatically set to Never and can't be changed.

  7. (optional) Select Test connection to verify if the data you entered is correct.

You've added your Microsoft Entra ID to Confluence. You should now see a brief summary of your directory and details about the synchronization.

In some cases, the synchronization might fail at first because the new permission hasn't yet propagated in Microsoft Entra ID. Wait a few minutes and the problem will fix itself.

Confluence will automatically pull data from Microsoft Entra ID. If that doesn't happen, you can select Synchronize now. Once the synchronization is complete, you can check your users and groups from Microsoft Entra ID by going to Users or Groups in the Confluence administration.

Field mapping

The following tables show how fields in Microsoft Entra ID are mapped to those in Confluence. We're comparing Microsoft Entra ID's API fields with Confluence's UI fields.

Users

| Microsoft Entra ID | Confluence |
|---|---|
| userPrincipalName | Username |
| displayName | Display name |
| givenName | First name |
| familyName | Last name |
| accountEnabled | Active |
| id | External ID |
| Mail | E-mail address |

Groups

| Microsoft Entra ID | Confluence |
|---|---|
| displayName | Name |
| description | Description |
| id | External ID |

Last modified on Oct 3, 2024
