Azure for Workflows

Your Dynatrace environment can integrate with Microsoft Entra ID (formerly Azure Active Directory) in automation workflows. Azure for Workflows enables you to use prebuilt actions in Workflows to automate importing teams from Entra ID (based on various triggers) for defining entity ownership and other use cases in Dynatrace. Azure for Workflows connects to the Azure Cloud via the Microsoft Graph API.

Set up Entra ID integration

Step 1 Install Azure for Workflows

Install Azure for Workflows from Dynatrace Hub to use actions from this app in Workflows.

To install Azure for Workflows, you need the app-engine:apps:install permission.

  1. In Dynatrace Hub, select Azure for Workflows.
  2. Select Install.

After you install Azure for Workflows, you need to perform some initial steps to set up the connection between the Azure Cloud and your Dynatrace environment.

Step 2 Allow outbound connections

  1. Go to Settings and select Connections > Outbound and inbound > Limit outbound connections. This opens the Settings Classic page.
  2. Select Add item and add the login.microsoftonline.com and graph.microsoft.com domain names.
  3. Select Save changes.

This way, you can granularly control the web services to which your Dynatrace environment can connect.

Step 3 Grant permissions to Workflows

Workflows requires some permissions to run actions on your behalf. Actions that come bundled with Azure for Workflows require additional permissions.

To fine-tune permissions granted to Workflows

  1. Go to Workflows and go to Settings > Authorization settings.
  2. Select the following permissions besides the general Workflows permission.
    • app-settings:objects:read

For more on general Workflows user permissions, see User permissions for workflows.

Step 4 Set up Microsoft Azure for integration with Dynatrace

Configure your Microsoft Azure tenant to establish a connection with your Dynatrace environment.

  1. Open portal.azure.com to access your Microsoft Azure tenant.

  2. Navigate to App registrations to set up a new application.

    For the necessary setup steps, see Register a client application in Azure Active Directory in Microsoft Azure documentation.

  3. Grant your newly created Azure application the Group.Read.All permission.

    For more information, see API Permissions and Introduction to permissions and consent in Microsoft Azure documentation.

  4. After registering the app, create a new client secret. For details, see Certificates & secrets in Microsoft Azure documentation.

    • To create a client secret, make sure that you either have admin permissions or are one of the app owners.
    • Make sure you store the client secret Value (not the Secret ID) after creation for establishing the connection to your Dynatrace environment later.

Step 5 Authorize connection to Microsoft Azure

Azure for Workflows requires a client secret from Microsoft Azure for authorization.

  1. Get the following credentials from your application registration in your Microsoft Azure tenant on portal.azure.com.
  2. Return to Dynatrace, go to Settings and select Connections > Connectors > Azure.
  3. Select Add Connection and provide the following information.
    • Connection name: Needs to be unique. It will be listed and selectable in the connection field in Azure for Workflows.
    • Directory (tenant) ID
    • Application (client) ID
    • Type: Client secret
    • Client Secret: This is the Value of the client secret from the Set up Microsoft Azure for integration with Dynatrace section.
  4. Select Create.

Additional notes

  • To add connection settings, you need the following permissions.

    ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "app:dynatrace.azure.connector:microsoft-entra-identity-developer-connection"

    For details, see Permissions and access.

  • Be aware that connections are shared and can be used by all users with app-settings read permissions.

Get groups from Entra ID in automation workflows

The get_groups action available in Workflows after you install Azure for Workflows provides a way to get structured user group information from Microsoft Entra ID.

  1. Go to Workflows and select Add Workflow in the upper-right corner of the page.

  2. In the side panel, select the trigger best suited to your needs.

  3. On the trigger node, select Add to browse available actions.

  4. In the Choose action side panel, search for Azure for Workflows and select Get groups.

  5. In the action Input, you can target specific groups in $filter if you wish to filter your results. Likewise, in $select, specify which fields you wish to get from Entra ID. The syntax is based on Entra ID API documentation.

    Important for importing Entra ID groups as ownership teams:

    • You always need to include id and displayName in $select; these fields are mapped to the imported ownership team's Team identifier and Team name, respectively.
    • We recommend that you always include the mailNickname parameter in get_groups. This field has unique values in Entra ID and is set as a unique, human-readable Supplementary Identifier for your imported ownership team within Dynatrace.
    • The Object Id from Entra ID, imported via the id parameter, is set as the unique Team identifier as well as the External ID of the imported ownership team.
    • The mail parameter is set as the Email of the imported ownership team.

    Get groups input fields

  6. Optionally, insert the Import teams action (provided by the Ownership app) to store Entra ID group information as ownership teams within Dynatrace Settings. You can then assign these imported teams as owners to any monitored entity in Dynatrace.

  7. To test your workflow, select Run.

Action result

The result of get_groups is a JSON array with each record consisting of a single user group. If $count is set to true when configuring the action, the Results panel shows a count of imported groups.

The directory_id displayed in the results is the Azure tenant ID.

The log of a successful run is shown below.

[INFO] Successfully retrieved connection settings.
[INFO] Successfully fetched authentication token.
[INFO] Calling Entra-ID groups endpoint with the following query params: $filter=startswith(displayName, 'team-deco')&$select=id,displayName,description,mail,mailNickname&$count=true&$top=999
[INFO] Successfully fetched Groups from Entra-ID.
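
The following is an added example, not Dynatrace code: a pre-import check that the $select of a get_groups query carries the fields the ownership import relies on, plus a preview of how each returned group maps to the ownership team attributes listed above. The query string is the one from the log above; the record shape, the sample groups and the function names are assumptions made for illustration.

```python
from urllib.parse import parse_qs

# Entra ID field -> ownership team attribute(s), as listed on this page.
FIELD_MAP = {
    "id": ("Team identifier", "External ID"),
    "displayName": ("Team name",),
    "mailNickname": ("Supplementary Identifier",),
    "mail": ("Email",),
}
REQUIRED = ("id", "displayName")   # always needed in $select
RECOMMENDED = ("mailNickname",)    # recommended, unique in Entra ID

# Query string copied from the log line on this page.
SAMPLE_QUERY = ("$filter=startswith(displayName, 'team-deco')"
                "&$select=id,displayName,description,mail,mailNickname"
                "&$count=true&$top=999")
# Constructed sample result; the record shape is an assumption.
SAMPLE_GROUPS = [
    {"id": "00000000-0000-0000-0000-000000000001", "displayName": "team-deco-a",
     "mail": "team-deco-a@example.com", "mailNickname": "team-deco-a"},
    {"id": "00000000-0000-0000-0000-000000000002", "displayName": "team-deco-b",
     "mail": None, "mailNickname": "team-deco-b"},
    {"displayName": "team-deco-c", "mailNickname": "team-deco-c"},  # no id
]

def check_select(query):
    """Return required and recommended fields absent from $select."""
    raw = parse_qs(query).get("$select", [""])[0]
    selected = {f.strip() for f in raw.split(",") if f.strip()}
    return {"missing_required": [f for f in REQUIRED if f not in selected],
            "missing_recommended": [f for f in RECOMMENDED if f not in selected]}

def preview_teams(groups):
    """Map group records to team attributes; reject incomplete or duplicate ones."""
    teams, rejects, seen = [], [], set()
    for g in groups:
        missing = [f for f in REQUIRED if not g.get(f)]
        if missing or g["id"] in seen:
            rejects.append((g.get("id"), "missing " + ",".join(missing)
                            if missing else "duplicate id"))
            continue
        seen.add(g["id"])
        teams.append({attr: g.get(field)
                      for field, attrs in FIELD_MAP.items() for attr in attrs})
    return teams, rejects

if __name__ == "__main__":
    print(check_select(SAMPLE_QUERY))
    print(preview_teams(SAMPLE_GROUPS))
```

Running the same check on a query whose $select omits id shows the group rejected before it could be imported without a Team identifier.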