Azure for Workflows
Your Dynatrace environment can integrate with Microsoft Entra ID (formerly Azure Active Directory) in automation workflows. Azure for Workflows enables you to use prebuilt actions in Workflows to automate importing teams from Entra ID (based on various triggers) for defining entity ownership and other use cases in Dynatrace. Azure for Workflows connects to the Azure Cloud via the Microsoft Graph API.
Set up Entra ID integration
Install Azure for Workflows
Allow Azure for Workflows outbound connections
Grant permissions to Workflows
Set up Microsoft Azure for integration with Dynatrace
Authorize connection to Microsoft Azure
Install Azure for Workflows
Install Azure for Workflows from Dynatrace Hub to use actions from this app in Workflows.
To install Azure for Workflows, you need the app-engine:apps:install permission.
- In Dynatrace Hub, select Azure for Workflows.
- Select Install.
After you install Azure for Workflows, you need to perform some initial steps to set up the connection between the Azure Cloud and your Dynatrace environment.
Allow outbound connections
- Go to Settings and select Connections > Outbound and inbound > Limit outbound connections. This opens the Settings Classic page.
- Select Add item and add the login.microsoftonline.com and graph.microsoft.com domain names.
- Select Save changes.
This way, you can granularly control the web services to which your Dynatrace environment can connect.
Grant permissions to Workflows
Workflows requires some permissions to run actions on your behalf. Actions that come bundled with Azure for Workflows require other permissions.
To fine-tune permissions granted to Workflows
- Go to Workflows and go to Settings > Authorization settings.
- Select the following permissions besides the general Workflows permission.
  - app-settings:objects:read
For more on general Workflows user permissions, see User permissions for workflows.
Set up Microsoft Azure for integration with Dynatrace
Configure your Microsoft Azure tenant to establish a connection with your Dynatrace environment.
- Open portal.azure.com to access your Microsoft Azure tenant.
- Navigate to App registrations to set up a new application. For the necessary setup steps, see Register a client application in Azure Active Directory in Microsoft Azure documentation.
- Grant your newly created Azure application the Group.Read.All permission. For more information, see API Permissions and Introduction to permissions and consent in Microsoft Azure documentation.
- After registering the app, create a new client secret. For details, see Certificates & secrets in Microsoft Azure documentation.
  - To create a client secret, make sure that you either have admin permissions or are part of the app owners.
  - Make sure you store the client secret Value (not the Secret ID) after creation for establishing the connection to your Dynatrace environment later.
Authorize connection to Microsoft Azure
Azure for Workflows requires a client secret from Microsoft Azure for authorization.
- Get the following credentials from your application registration in your Microsoft Azure tenant on portal.azure.com.
  - Directory (tenant) ID: Available in the Overview menu
  - Application (client) ID: Available in the Overview menu
  - Client secret: The Value (not the Secret ID) of the client secret from the preceding Set up Microsoft Azure for integration with Dynatrace section
- Return to Dynatrace, go to Settings and select Connections > Connectors > Azure.
- Select Connection and provide the following information.
  - Connection name: Needs to be unique. It will be listed and selectable in the connection field in Azure for Workflows.
  - Directory (tenant) ID
  - Application (client) ID
  - Type: Client secret
  - Client Secret: This is the Value of the client secret from the Set up Microsoft Azure for integration with Dynatrace section.
- Select Create.
Additional notes
- To add connection settings, you need the following permissions.
  ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "app:dynatrace.azure.connector:microsoft-entra-identity-developer-connection"
  For details, see Permissions and access.
- Be aware that connections are shared and can be used by all users with app-settings read permissions.
Get groups from Entra ID in automation workflows
The get_groups action available in Workflows after you install Azure for Workflows provides a way to get structured user group information from Microsoft Entra ID.
- Go to Workflows and select Workflow in the upper-right corner of the page.
- In the side panel, select the trigger best suited to your needs.
- On the trigger node, select to browse available actions.
- In the Choose action side panel, search for Azure for Workflows and select Get groups.
- In the action Input, you can target specific groups in $filter if you wish to filter your results. Likewise, in $select, specify which fields you wish to get from Entra ID. The syntax is based on Entra ID API documentation.
  Important for importing Entra ID groups as ownership teams:
  - You always need to include id and displayName in $select; these fields are mapped to the imported ownership team's Team identifier and Team name, respectively.
  - We recommend that you always include the mailNickname parameter in get_groups. This field has unique values in Entra ID and is set as a unique, human-readable Supplementary Identifier for your imported ownership team within Dynatrace.
  - The Object Id from Entra ID, imported via the id parameter, is set as the unique Team identifier as well as the External ID of the imported ownership team.
  - The mail parameter is set as the Email of the imported ownership team.
- Optionally, insert the Import teams action (provided by the Ownership app) to store Entra ID group information as ownership teams within Dynatrace Settings. You can then assign these imported teams as owners to any monitored entity in Dynatrace.
- To test your workflow, select Run.
Action result
The result of get_groups is a JSON array with each record consisting of a single user group. If $count is set to true when configuring the action, the Results panel shows a count of imported groups.
The directory_id displayed in the results is the Azure tenant ID.
The log of a successful run is shown below.
[INFO] Successfully retrieved connection settings.
[INFO] Successfully fetched authentication token.
[INFO] Calling Entra-ID groups endpoint with the following query params: $filter=startswith(displayName, 'team-deco')&$select=id,displayName,description,mail,mailNickname&$count=true&$top=999
[INFO] Successfully fetched Groups from Entra-ID.
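The following is an added example, not Dynatrace code: it checks a $select string against the fields the ownership-team import relies on and maps get_groups records to the team fields described above, rejecting records that would import without a stable identifier. The flat record shape, the sample data and the output key names (teamIdentifier, externalId, teamName, supplementaryIdentifier, email) are assumptions made for illustration.

```javascript
// Added example, not Dynatrace code. Output key names are hypothetical labels
// for the fields the page names (Team identifier, Team name, and so on).
const REQUIRED = ["id", "displayName"]; // must always be in $select
const RECOMMENDED = ["mailNickname"];   // becomes the Supplementary Identifier

// Check a $select string before the workflow is run.
function checkSelect(select) {
  const fields = select.split(",").map((f) => f.trim()).filter(Boolean);
  return {
    missing: REQUIRED.filter((f) => !fields.includes(f)),
    warnings: RECOMMENDED.filter((f) => !fields.includes(f)),
  };
}

// Map get_groups records to ownership-team fields; set aside unusable records.
function toTeams(groups) {
  const teams = [];
  const rejected = [];
  const seenIds = new Set();
  for (const g of groups) {
    if (!g.id || !g.displayName) {
      rejected.push({ group: g, reason: "missing id or displayName" });
      continue;
    }
    if (seenIds.has(g.id)) {
      rejected.push({ group: g, reason: "duplicate id" });
      continue;
    }
    seenIds.add(g.id);
    teams.push({
      teamIdentifier: g.id, // Entra ID Object Id
      externalId: g.id,     // the same Object Id
      teamName: g.displayName,
      supplementaryIdentifier: g.mailNickname ?? null,
      email: g.mail ?? null,
    });
  }
  return { teams, rejected };
}

// Constructed sample shaped like a get_groups result (not real tenant data).
const SAMPLE = [
  { id: "00000000-0000-0000-0000-000000000001", displayName: "team-deco-web",
    mailNickname: "team-deco-web", mail: "team-deco-web@example.com" },
  { id: "00000000-0000-0000-0000-000000000002", displayName: "team-deco-db",
    mailNickname: "team-deco-db", mail: null },
  { displayName: "team-deco-orphan" }, // id was left out of $select
];
```

Running checkSelect on the action input before saving the workflow catches a $select that would drop id or displayName, and the rejected list from toTeams shows which groups would not map to a usable team.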