
Identity Governance is available only with Teleport Enterprise. Start your free trial.


Advanced Entra ID Integration Options


This page lists advanced configuration options related to the Teleport Entra ID integration.

Group filters

By default, every group that exists in the Microsoft Entra ID directory is imported into Teleport.

This import behavior can be controlled with group filters, which include or exclude groups based on a matching group object ID or group display name.

Group filters can currently only be configured with tctl; the ability to configure them from the Teleport Web UI is in the works.

Group filter precedence

  • If no filters are configured, all groups are imported (default behavior).
  • If an include filter is defined, only the groups that match it are imported.
  • If a group matches both an include filter and an exclude filter, the exclude filter takes precedence.
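The precedence rules above, applied to a constructed directory listing, as an added example (not Teleport's own code). The include/exclude values are the ones from the installation command on this page; the group display names and the three zero-padded IDs are constructed, and the assumption that name regexes are matched unanchored against the display name is this example's, not a statement about the plugin.

```go
package main

import (
	"fmt"
	"regexp"
)

// Group holds the two Entra ID group attributes the filters look at.
type Group struct {
	ID          string // group object ID
	DisplayName string
}

// GroupFilters mirrors the four filter kinds exposed by tctl and the
// group_filters spec entries (id, nameRegex, excludeId, excludeNameRegex).
type GroupFilters struct {
	IncludeIDs       []string
	IncludeNameRegex []string
	ExcludeIDs       []string
	ExcludeNameRegex []string
}

func (f GroupFilters) hasInclude() bool {
	return len(f.IncludeIDs) > 0 || len(f.IncludeNameRegex) > 0
}

// matchesAny reports whether g matches one of the IDs exactly or one of the
// name regexes. Matching is unanchored (assumption made for this example).
func matchesAny(g Group, ids, patterns []string) (bool, error) {
	for _, id := range ids {
		if g.ID == id {
			return true, nil
		}
	}
	for _, pat := range patterns {
		re, err := regexp.Compile(pat)
		if err != nil {
			return false, fmt.Errorf("invalid group name regex %q: %w", pat, err)
		}
		if re.MatchString(g.DisplayName) {
			return true, nil
		}
	}
	return false, nil
}

// SelectGroups applies the precedence rules: no filters imports everything,
// an include filter restricts the import to matching groups, and an exclude
// match always wins over an include match.
func SelectGroups(groups []Group, f GroupFilters) ([]Group, error) {
	var out []Group
	for _, g := range groups {
		excluded, err := matchesAny(g, f.ExcludeIDs, f.ExcludeNameRegex)
		if err != nil {
			return nil, err
		}
		if excluded {
			continue // exclude takes precedence over any include match
		}
		if f.hasInclude() {
			included, err := matchesAny(g, f.IncludeIDs, f.IncludeNameRegex)
			if err != nil {
				return nil, err
			}
			if !included {
				continue
			}
		}
		out = append(out, g)
	}
	return out, nil
}

// PageFilters returns the filters from the installation command on this page.
func PageFilters() GroupFilters {
	return GroupFilters{
		IncludeIDs:       []string{"25f9c527-2314-414c-a75d-ef7efabcc99b"},
		IncludeNameRegex: []string{"admin*"},
		ExcludeIDs:       []string{"080b50c3-1c98-4d8e-a54e-20143dbd4f99"},
		ExcludeNameRegex: []string{"fin*"},
	}
}

// SampleGroups is a constructed directory listing; the IDs other than the two
// taken from the page are placeholders.
func SampleGroups() []Group {
	return []Group{
		{ID: "25f9c527-2314-414c-a75d-ef7efabcc99b", DisplayName: "platform-team"},
		{ID: "00000000-0000-0000-0000-000000000001", DisplayName: "admins"},
		{ID: "080b50c3-1c98-4d8e-a54e-20143dbd4f99", DisplayName: "admin-finance"},
		{ID: "00000000-0000-0000-0000-000000000002", DisplayName: "finance"},
		{ID: "00000000-0000-0000-0000-000000000003", DisplayName: "engineering"},
	}
}

func main() {
	selected, err := SelectGroups(SampleGroups(), PageFilters())
	if err != nil {
		panic(err)
	}
	for _, g := range selected {
		fmt.Printf("import %s (%s)\n", g.DisplayName, g.ID)
	}
}
```

With the page's filters, only platform-team (matched by ID) and admins (matched by the name regex) are imported: admin-finance matches the include regex but is dropped because its ID is excluded, finance matches the exclude regex, and engineering matches nothing while an include filter is present. Rerunning a dry selection like this against a directory export before changing group_filters is a cheap way to confirm the filter does not silently drop or admit a group you did not expect.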

Configure group filters during installation

Example of configuring group filters during installation:

tctl plugins install entraid \
  --name entra-id-default \
  --auth-connector-name entra-id \
  --default-owner=admin \
  --no-access-graph \
  --use-system-credentials \
  --manual-setup \
  --group-id 25f9c527-2314-414c-a75d-ef7efabcc99b \
  --group-name "admin*" \
  --exclude-group-id 080b50c3-1c98-4d8e-a54e-20143dbd4f99 \
  --exclude-group-name "fin*"

  • --group-id: Include the group with the specified group ID. Multiple flags allowed.
  • --group-name: Include groups matching the specified group name regex. Multiple flags allowed.
  • --exclude-group-id: Exclude the group with the specified group ID. Multiple flags allowed.
  • --exclude-group-name: Exclude groups matching the specified group name regex. Multiple flags allowed.

Updating group filters

Group filters can be updated through the group_filters field, which is available in the sync_settings of the Teleport Entra ID plugin resource spec.

Reference configuration spec:

kind: plugin
metadata:
  name: entra-id
spec:
  Settings:
    entra_id:
      sync_settings:
        ... # other settings omitted for brevity
        group_filters:
        - id: 080b50c3-1c98-4d8e-a54e-20143dbd4f99
        - id: 45f9c527-2314-414c-a75d-ef7efabcc99b
        - id: 35f9c527-2314-414c-a75d-ef7efabcc99b
        - nameRegex: 'admin*'
        - excludeId: 080b50c52-1c98-4d8e-a54e-20143dbd4f99
        - excludeNameRegex: 'finance*'
version: v1

The plugin spec can be edited using the tctl edit plugins/entra-id command.

Access List owners

Access List owners have permission to manage Access Lists in Teleport and are analogous to Microsoft Entra ID group owners.

You can configure the source of Access List owners to control how the Teleport Entra ID plugin chooses owners for the Access Lists created for the Microsoft Entra ID groups.

The following options are supported:

  1. Source plugin: Use the default owners configured in the plugin sync settings. This is the default option.
  2. Source entraid: Use the Microsoft Entra ID group owners as Access List owners. Only group owners of the user type are supported; service principals configured as group owners are not supported and are filtered out. Teleport falls back to the plugin source under the following conditions:
    • The Microsoft Entra ID group has zero configured owners.
    • None of the Microsoft Entra ID group owners is of a supported type, resulting in zero supported owners.
  3. Source plugin-and-entraid: Use both the plugin and entraid sources to configure Access List owners.

Configuring source during installation

Example of configuring the source of Access List owners during installation:

tctl plugins install entraid \
  --name entra-id-default \
  --auth-connector-name entra-id \
  --default-owner admin \
  --no-access-graph \
  --use-system-credentials \
  --manual-setup \
  --access-list-owners-source entraid

  • --access-list-owners-source: Configures the source of the Access List owners. The value can be plugin, entraid, or plugin-and-entraid.

Updating the source of Access List owners

You can update the source of the Access List owners through the access_list_owners_source field, which is available in the sync_settings of the Teleport Entra ID plugin resource spec.

The access_list_owners_source field supports one of the following values:

  • Integer value 1 to configure "plugin" source.
  • Integer value 2 to configure "entraid" source.
  • Integer value 3 to configure "plugin-and-entraid" source.
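The owner-selection rules for the three sources (including the fallback to the plugin source described under the entraid option above) and the integer values of access_list_owners_source, worked through as an added example that is not Teleport's own code. The owner names, the "user"/"servicePrincipal" type labels and the default owner "admin" are constructed for the example.

```go
package main

import "fmt"

// OwnersSource models the access_list_owners_source values from the spec.
type OwnersSource int

const (
	SourcePlugin           OwnersSource = 1 // "plugin"
	SourceEntraID          OwnersSource = 2 // "entraid"
	SourcePluginAndEntraID OwnersSource = 3 // "plugin-and-entraid"
)

// ParseOwnersSource maps the integer used in the plugin resource spec to a source.
func ParseOwnersSource(v int) (OwnersSource, error) {
	switch OwnersSource(v) {
	case SourcePlugin, SourceEntraID, SourcePluginAndEntraID:
		return OwnersSource(v), nil
	}
	return 0, fmt.Errorf("unsupported access_list_owners_source value %d", v)
}

// EntraOwner is a constructed stand-in for a directory object listed as a
// group owner. Type is "user" or "servicePrincipal" here (example labels).
type EntraOwner struct {
	Name string
	Type string
}

// supportedOwners keeps only user-type owners; service principals are filtered out.
func supportedOwners(owners []EntraOwner) []string {
	var out []string
	for _, o := range owners {
		if o.Type == "user" {
			out = append(out, o.Name)
		}
	}
	return out
}

// dedupe removes repeated names while preserving first-seen order.
func dedupe(names []string) []string {
	seen := map[string]bool{}
	var out []string
	for _, n := range names {
		if !seen[n] {
			seen[n] = true
			out = append(out, n)
		}
	}
	return out
}

// ResolveOwners returns the Access List owners chosen for one group and
// whether the plugin source was used as a fallback.
func ResolveOwners(src OwnersSource, defaultOwners []string, groupOwners []EntraOwner) ([]string, bool, error) {
	switch src {
	case SourcePlugin:
		return dedupe(defaultOwners), false, nil
	case SourceEntraID:
		users := supportedOwners(groupOwners)
		if len(users) == 0 {
			// zero configured owners, or none of a supported type: fall back
			return dedupe(defaultOwners), true, nil
		}
		return dedupe(users), false, nil
	case SourcePluginAndEntraID:
		combined := append([]string{}, defaultOwners...)
		combined = append(combined, supportedOwners(groupOwners)...)
		return dedupe(combined), false, nil
	}
	return nil, false, fmt.Errorf("unknown owners source %d", src)
}

func main() {
	owners := []EntraOwner{{Name: "alice", Type: "user"}, {Name: "ci-app", Type: "servicePrincipal"}}
	for _, v := range []int{1, 2, 3} {
		src, err := ParseOwnersSource(v)
		if err != nil {
			panic(err)
		}
		got, fellBack, _ := ResolveOwners(src, []string{"admin"}, owners)
		fmt.Printf("access_list_owners_source: %d -> owners %v (fallback=%v)\n", v, got, fellBack)
	}
}
```

The fallback flag is worth surfacing when you audit the result: a group whose only owners are service principals ends up owned by the plugin's default owners, which may be a wider set of people than the Entra ID group owners the team expected.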

You can use the tctl edit plugins/entra-id command to update the plugin spec. A reference to the plugin resource spec is provided below:

kind: plugin
metadata:
  name: entra-id
spec:
  Settings:
    entra_id:
      sync_settings:
        ... # other settings omitted for brevity
        access_list_owners_source: 3
version: v1