Azure Connector

  • Reference
  • 5min

Your Dynatrace environment can integrate with Microsoft Entra ID (formerly Azure Active Directory) in automation workflows. Azure Connector Azure Connector enables you to use prebuilt actions in Workflows Workflows to automate importing teams from Entra ID (based on various triggers) for defining entity ownership and other use cases in Dynatrace. Azure Connector connects to the Azure Cloud via the Microsoft Graph API.

Setup

External requests enable outbound network connections from your Dynatrace environment to external services. They allow you to control access to public endpoints from the AppEngine with app functions and functions in Dashboards, Notebooks, and Automations.

  1. Go to Settings and select General > Environment management, External Requests.

  2. Select New host pattern.

  3. Add the domain names.

  4. Select Add.

This way you can granularly control the web services your functions can connect to.

You need to add these domain names login.microsoftonline.com and graph.microsoft.com.

Workflows requires some permissions to run actions on your behalf. Actions that come bundled with the Connector require other permissions.

To fine-tune permissions granted to Workflows

  1. Go to Workflows Workflows and go to Settings > Authorization settings.
  2. Select the following permissions besides the general Workflows permission.
    • app-settings:objects:read

For more on general Workflows user permissions, see User permissions for workflows.

Configure your Microsoft Azure tenant to establish a connection with your Dynatrace environment.

  1. Open portal.azure.com to access your Microsoft Azure tenant.

  2. Navigate to App registrations to set up a new application.

    For the necessary setup steps, see Register a client application in Azure Active Directory.

  3. Grant your newly created Azure application the Group.Read.All permission.

    For more information, see API Permissions and Introduction to permissions and consent.

  4. After registering the app, create a new client secret. For details, see Certificates & secrets.

    • To create a client secret, make sure that you either have admin permissions or are part of the app owners.
    • Make sure you store the client secret Value (not the Secret ID) after creation for establishing the connection to your Dynatrace environment later.

Azure Connector requires a client secret from Microsoft Azure for authorization.

  1. Get the following credentials from your application registration in your Microsoft Azure tenant on portal.azure.com.
  2. Return to Dynatrace, go to Settings Settings > Dynatrace Apps > Microsoft Entra Identity Developer Connector.
  3. Select Add item and provide the following information.
    • Connection name: Needs to be unique. It will be listed and selectable in the connection field in Azure Connector.
    • Directory (tenant) ID
    • Application (client) ID
    • Type: Client secret
    • Client Secret: This is the Value of the client secret from the Set up Microsoft Azure for integration with Dynatrace section.
  4. Select Create.

Additional notes

  • To add connection settings, you need the following permissions.

    ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "app:dynatrace.azure.connector:microsoft-entra-identity-developer-connection"

    For details, see Permissions and access.

  • Be aware that connections are shared and can be used by all users with app-settings read permissions.

Get groups from Entra ID in automation workflows

The get_groups action available in Workflows after you install Azure Connector provides a way to get structured user group information from Microsoft Entra ID.

  1. Go to Workflows Workflows and select Add Workflow in the upper-right corner of the page.

  2. In the side panel, select the trigger best suited to your needs.

  3. On the trigger node, select Add to browse available actions.

  4. In the Choose action side panel, search for Azure Connector and select Get groups.

  5. In the action Input, you can target specific groups in $filter if you wish to filter your results. Likewise, in $select, specify which fields you wish to get from Entra ID. The syntax is based on Entra ID API documentation.

    Important for importing Entra ID groups as ownership teams:

    • You always need to include id and displayName in $select; these fields are mapped to the imported ownership team's Team identifier and Team name, respectively.
    • We recommend that you always include the mailNickname parameter in get_groups. This field has unique values in Entra ID and is set as a unique, human-readable Supplementary Identifier for your imported ownership team within Dynatrace.
    • The Object Id from Entra ID, imported via the id parameter, is set as the unique Team identifier as well as the External ID of the imported ownership team.
    • The mail parameter is set as the Email of the imported ownership team.

    Get groups input fields

  6. Optionally, insert the Import teams action (provided by the Ownership app Ownership) to store Entra ID group information as ownership teams within Dynatrade Settings. You can then assign these imported teams as owners to any monitored entity in Dynatrace.

  7. To test your workflow, select Run.

Action result

The result of get_groups is a JSON array with each record consisting of a single user group. If $count is set to true when configuring the action, the Results panel shows a count of imported groups.

The directory_id displayed in the results is the Azure tenant ID.

The log of a successful run is shown below.

[INFO]    Successfully retrieved connection settings.
[INFO]    Successfully fetched authentication token.
[INFO]    Calling Entra-ID groups endpoint with the following query params: $filter=startswith(displayName, 'team-deco')&$select=id,displayName,description,mail,mailNickname&$count=true&$top=999
[INFO]    Successfully fetched Groups from Entra-ID.