Recap of Post 1
Automating User and Group Sync from Keycloak to Azure AD
At the point in time writing this (05/2023) there is no easy or out-of-the-box way to sync users to Azure AD from a third party IdP. We could of course manually provision every user but who would possibly want that.
So we have to get creative and build something ourselves.
Now it is time to show you a possible way to automate the user provisioning in Azure.
Which SDK to use …
Microsoft provides PowerShell packages to interact with the Microsoft Graphs REST API, you can also interact with the Microsoft Graphs REST API via HTTP and there are several SDKs available to use for these kind of tasks.
I did not want to depend on installing a PowerShell. My tool of choice for these kind of tasks is python, so I tried to build something using the Microsoft Graph SDK for Python but it is still in “community preview” phase, the documentation was not meeting my requirements (05/2023) and they state that breaking changes might still be introduced to the SDK. So to be on the safe side, we’re using the Microsoft Graphs REST API via HTTP and build the needed logic and functions in python by ourselves.
My approach can be found on github.com/yeoldegrove/keycloak_to_azure.
Clone the repository to get started.
git clone https://github.com/yeoldegrove/keycloak_to_azure
What it does …
- The script loops a configurable map of groups.
- Each element in the map has a Keycloak and an Azure key value pair.
- The Keycloak and azure groups have to exist and are not created by the script.
- If a user is found in the Keycloak group:
- it is invited as a B2B guest user.
- it is updated so that the user is of the type Member (not Guest) and placed in the configured Azure group.
- If a member is removed from a Keycloak group it is also removed in it’s Azure equivalent.
Dependencies and Requirements
We need a few Python packages installed.
To interact with the Keycloak API: - python-keycloak package
The easiest way of installing these is:
pip install -r requirements.txt
To use the script you need to supply several environment variables and a config file.
To read the users and groups from Keycloak, you need a Keycloak user with these roles: -
Look at the Keycloak - Managing users documentation to get more information.
The user has to be passed to this script by setting these environment variables: -
Azure application credentials
To add users to Azure AD, you need an Azure app registration with these API permissions: -
Microsoft Graph -> User.* -
Microsoft Graph -> Group.* -
Microsoft Graph -> GroupMember.*
Look at the Quickstart: Register an application with the Microsoft identity platform documentation to get more information. Be sure to add a client secret.
The credentials have to be passed as these environment variables: -
AZURE_CLIENT_SECRET (max expiry is 24 month!!!)
The script has a self-explanatory config file.
cp keycloak_to_azure.config.yaml.example keycloak_to_azure.config.yaml and adapt the config to get started.
Please make sure that all the configured Keycloak and Azure groups already exist. The script will not take care of that.
Example configuration file:
❯ cat keycloak_to_azure.config.yaml.example logfile: keycloak_to_azure.log keycloak_url: https://auth.example.com/auth keycloak_realm: acme groups: - keycloak: group1 azure: acme-group-1 - keycloak: group2 azure: acme-group-2 - keycloak: group3 azure: acme-group-3
Running the Script
If you configured all the environment variables, the config file and the Keycloak and Azure groups are created, you can run the script.
It will now take care of syncing the configured groups and their users.
./keycloak_to_azure.py 2023-04-03 07:46:42,250 [INFO] start run 2023-04-03 07:46:42,250 [INFO] invited azure user: firstname.lastname@example.org 2023-04-03 07:46:42,250 [INFO] updated azure user: xxxx-xxxx-xxxx-xxxx-xxxx - Firstname1 Lastname1 2023-04-03 07:46:42,250 [INFO] added user to group: xxxx-xxxx-xxxx-xxxx-xxxx xxxx-xxxx-xxxx-xxxx-xxxx 2023-04-03 07:46:47,107 [INFO] end run
Congratulations! You just synced your users and groups from Keycloak to Azure.
Group permissions concept in Azure
On the Azure side, you now need to configure some reasonable permissions for your groups. Of course, the script won’t help you do this. You have to come up with a concept yourself.
Using a different email domain in Azure AD and Keycloak
Like B1 Systems, you might want to use a different email domain for users created in Azure AD than you use for your users in your Keycloak instance. This can have several reasons, e.g. you already have existing users in Azure AD (from the same email domain) that you do not want to touch or you have the problem that you cannot use SAML-Fed IdP federation with your verified domain.
A detailed blog entry with a solution for this problem might follow ;)