Prerequisites for Azure AD (Entra) Connect

Here are the prerequisite steps that need to be completed before configuring the Azure AD (Entra) Connect app:

To complete Steps 1 and 2 below, you will need to have a Jira Service Management role of either Assets Administrator or Assets Manager.

To complete Step 3 below, you will need to have either the Application Administrator or the Application Developer role in your Azure Active Directory. Additionally, either a Global Administrator or a Privileged Role Administrator will be required to grant admin consent.

Step 1: Choose or Create an Object Schema in Assets to hold the Azure AD (Entra) information

This Object Schema will hold the data imported from Azure AD. If you have an existing Object Schema that is used to store device inventory or other configuration items, you may want to consider using that Object Schema.

When you configure the Azure AD Connect app, an Object Type for the Azure data will be created in the Object Schema.  

If you do not have an existing Object Schema that could be used to store Azure AD information, we recommend creating an Object Schema for storing device or Configuration Item data imported from Intune or other systems.

Here's an example of creating an Object Schema called "AAD-Imports" that will be configured to contain the Object Type for Intune Device information.  

Go to the Asset and Configuration Management page and click on the Create Schema button at the top of the schema list.

Select create a blank schema.


Enter the name and other details of the Object Schema ('AAD-Imports' in this example) and hit Create Schema.


After these two steps, your new Object Schema will be added to the Assets list.

For additional information on creating Object Schemas, visit the "Working with Object Schemas" page in the Jira Service Management Support site.  


Step 2: Configure the target Object Schema by creating an Import structure and generating a token 

An Import Token is needed when configuring the Azure AD (Entra) Connect app. To get this Token, navigate to the Configuration page of the target Object Schema.

On the Object Schema's configuration page, click on the Import tab and then click on the Create Import button.

Select "External Import" from the list of Import Types.

Give the import structure a name and click the Create Import button.

Once the new import configuration is created, click on the action menu for the newly created Import and select "Generate new token".

Copy the generated token and store it in a safe location, as you would any other credential. This token will be needed when configuring the app.

Step 3: Create and configure an App Registration in Azure Active Directory that will have access to the Microsoft Graph API

To import data from Azure AD, the app requires access to Microsoft's Graph API. An Application Registration needs to be created and configured within your Azure Active Directory; it provides the credentials and permissions that the Azure AD (Entra) Connect app uses to retrieve the device information from the Graph API.

To create the application registration, follow the instructions on the Microsoft page "Quickstart: Register an app in the Microsoft identity platform". Here are some details to adhere to while following these instructions:

  • Keep all the default settings  

  • Leave the Redirect URL field blank 

  • No platform settings need to be configured 

  • When creating a Client Secret, set an expiration date that meets your organizational security policies (up to 24 months). Record and track this expiration date; before the secret expires, a new Client Secret will need to be created and used to update the Azure AD (Entra) Connect app configuration.

  • Copy and save the Client Secret value immediately upon creation, so it can be used in the upcoming Azure AD (Entra) Connect app configuration. The secret value cannot be retrieved later.

After following these instructions, copy the generated Application (client) ID and the Directory (tenant) ID shown in the App Registration's Overview page. These two values will also be used when configuring the Azure AD (Entra) Connect App. 


Configuring Permissions in the Application Registration 

After creating the Application Registration and the Client Secret, add the following permission on the "API permissions" page of the registration:

Steps:

Sub-step 1: Click on "Add a Permission" 

Sub-step 2: In the "Request API Permissions" panel, choose "Microsoft Graph" 


Sub-step 3: Click on "Application Permissions" 

Sub-step 4: Search for "users" and then select the User.Read.All permission, then click the Add Permissions button to complete the operation

At this point, the permission will be listed, but its status will still show as "Not Granted".

Granting Admin Consent  

Admin Consent now needs to be granted to the application registration. This can only be done by a Global Administrator (or a user with the Privileged Role Administrator role) of your Azure Active Directory.

The Global Administrator will need to bring up that Application Registration in the Azure Portal, go to the "API permissions" page, click on "Grant admin consent for <your domain name>" link, and then answer yes to the "Grant admin consent confirmation" pop-up.  

To confirm that admin consent has been granted, go back to the application registration's "API permissions" page. It should now show the status as Granted.  
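The portal status is one way to confirm consent; the other is to check what the tenant actually issues to the app. The script below is an added example, not part of this page or of the Azure AD (Entra) Connect app: it builds the client-credentials request from the Tenant ID, Client ID and Client Secret gathered in Step 3, and inspects the "roles" claim of the resulting app-only token, where consented application permissions such as User.Read.All appear. The endpoint, scope and claim name are standard Microsoft identity platform values; the sample token used for the offline run is constructed here.

```python
import base64
import json
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"
REQUIRED_APP_ROLES = {"User.Read.All"}  # the permission added in Sub-step 4


def token_request(tenant_id, client_id, client_secret):
    """Build the client-credentials POST that exchanges the three values
    collected in Step 3 for an app-only Microsoft Graph access token."""
    url = TOKEN_ENDPOINT.format(tenant=tenant_id)
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
    }).encode()
    return url, body


def fetch_access_token(tenant_id, client_id, client_secret):
    """Send the request (form-encoded POST) and return the raw access token."""
    url, body = token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(url, body, timeout=30) as resp:
        return json.load(resp)["access_token"]


def jwt_claims(token):
    """Read the payload of a JWT. The signature is deliberately NOT verified:
    this only inspects a token our own tenant just issued to us."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def missing_app_roles(token, required=REQUIRED_APP_ROLES):
    """Application permissions that received admin consent are listed in the
    'roles' claim of an app-only token. An empty result means consent is in
    place; anything returned still shows as Not Granted in the portal."""
    granted = set(jwt_claims(token).get("roles", []))
    return sorted(required - granted)


def sample_token(claims):
    """Constructed, unsigned JWT used only for the offline demonstration below."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}.unsigned"


if __name__ == "__main__":
    # Offline run on constructed tokens; for a live check pass the real values
    # to fetch_access_token(tenant_id, client_id, client_secret) instead.
    print(missing_app_roles(sample_token({"roles": []})))                 # ['User.Read.All']
    print(missing_app_roles(sample_token({"roles": ["User.Read.All"]})))  # []
```

A token whose "roles" claim lacks User.Read.All means the Graph calls the app makes later will be refused, so this check is worth running before the Client Secret is handed over to the app configuration.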

Resulting information ready for use

After completing these prerequisite steps, you should have the following information ready for use when configuring the Azure AD (Entra) Connect app:

  • The Import Token for the Object Schema in Jira Service Management 

  • From the Azure Application Registration: 

    • The Application (Client) ID 

    • The Directory (Tenant) ID 

    • The Client Secret generated  


Now you can proceed to configuring the Azure AD (Entra) Connect App within Jira Service Management.