Azure Connector
Your Dynatrace environment can integrate with Microsoft Entra ID (formerly Azure Active Directory) in automation workflows. Azure Connector enables you to use prebuilt actions in Workflows to automate importing teams from Entra ID (based on various triggers) for defining entity ownership and other use cases in Dynatrace. Azure Connector connects to the Azure Cloud via the Microsoft Graph API.
Set up Entra ID integration
- Install Azure Connector
- Allow Azure Connector outbound connections
- Grant permissions to Workflows
- Set up Microsoft Azure for integration with Dynatrace
- Authorize connection to Microsoft Azure
Install Azure Connector
To use Azure Connector actions in Workflows, first install Azure Connector from Dynatrace Hub.
To install Azure Connector, you need the app-engine:apps:install permission.
- In Dynatrace Hub, search for Azure Connector.
- Select Azure Connector > Install.
After you install Azure Connector, you need to perform some initial steps to set up the connection between the Azure Cloud and your Dynatrace environment.
Allow outbound connections
- Open Settings and go to Preferences > Limit outbound connections.
- Select Add item and add the login.microsoftonline.com and graph.microsoft.com domain names.
- Select Save changes.
This way, you can granularly control the web services to which your Dynatrace environment can connect.
Grant permissions to Workflows
Workflows requires some permissions to run actions on your behalf. Actions that come bundled with Azure Connector require other permissions.
To fine-tune permissions granted to Workflows:
- Open Workflows and go to Settings > Authorization settings.
- Make sure the following permissions are selected.
  - Permissions needed for Workflows: app-engine:functions:run
  - Permissions needed for Azure Connector workflow actions: app-settings:objects:read
Set up Microsoft Azure for integration with Dynatrace
Configure your Microsoft Azure tenant to establish a connection with your Dynatrace environment.
- Open portal.azure.com to access your Microsoft Azure tenant.
- Navigate to App registrations to set up a new application. For the necessary setup steps, see Register a client application in Azure Active Directory in Microsoft Azure documentation.
- Grant your newly created Azure application the Group.Read.All permission. For more information, see API Permissions and Introduction to permissions and consent in Microsoft Azure documentation.
- After registering the app, create a new client secret. For details, see Certificates & secrets in Microsoft Azure documentation. To create a client secret, make sure that you either have admin permissions or are part of the app owners.
  - Make sure you store the client secret Value (not the Secret ID) after creation for establishing the connection to your Dynatrace environment later.
Authorize connection to Microsoft Azure
Azure Connector requires a client secret from Microsoft Azure for authorization.
- Get the following credentials from your application registration in your Microsoft Azure tenant on portal.azure.com.
  - Directory (tenant) ID: Available in the Overview menu
  - Application (client) ID: Available in the Overview menu
  - Client secret: The Value (not the Secret ID) of the client secret from the preceding Set up Microsoft Azure for integration with Dynatrace section
- Return to Dynatrace, open Settings, and go to Dynatrace Apps > Microsoft Entra Identity Developer Connector.
- Select Add item and provide the following information.
  - Connection name: Needs to be unique. It will be listed and selectable in the connection field in Azure Connector.
  - Directory (tenant) ID
  - Application (client) ID
  - Type: Client secret
  - Client Secret: This is the Value of the client secret from the Set up Microsoft Azure for integration with Dynatrace section.
- Save your changes.
Additional notes
- To add connection settings, you need the following permissions.
  ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "app:dynatrace.microsoft365.connector:connection"
  For details, see Permissions and access.
- Be aware that connections are shared and can be used by all users with app-settings read permissions.
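Because the connection is shared, any permission held by the app registration beyond Group.Read.All is usable by every user who can read app settings. The following added example (not Dynatrace or Microsoft code) decodes the claims of an access token issued to the registration and flags tenant mismatches and excess permissions; it assumes Group.Read.All was granted as an application permission, so it appears in the token's roles claim alongside the tid tenant claim, and the sample tokens are constructed.

```python
import base64
import json

# The only Graph permission this page asks you to grant.
EXPECTED_ROLES = {"Group.Read.All"}

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_token(claims):
    """Build a constructed, unsigned JWT-shaped string for offline use."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."

def jwt_claims(token):
    """Decode the payload segment. No signature check: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_token(token, tenant_id):
    """Return findings; an empty list means the token is scoped as expected."""
    claims = jwt_claims(token)
    roles = set(claims.get("roles", []))  # application permissions (assumption)
    findings = []
    if claims.get("tid") != tenant_id:
        findings.append("tenant mismatch")
    if EXPECTED_ROLES - roles:
        findings.append("missing: " + ", ".join(sorted(EXPECTED_ROLES - roles)))
    if roles - EXPECTED_ROLES:
        findings.append("excess: " + ", ".join(sorted(roles - EXPECTED_ROLES)))
    return findings

if __name__ == "__main__":
    tenant = "11111111-2222-3333-4444-555555555555"  # constructed tenant ID
    token = make_unsigned_token(
        {"tid": tenant, "roles": ["Group.Read.All", "Directory.ReadWrite.All"]})
    print(audit_token(token, tenant))
```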
Get groups from Entra ID in automation workflows
The get_groups action available in Workflows after you install Azure Connector provides a way to get structured user group information from Microsoft Entra ID.
- Open Workflows and select Workflow in the upper-right corner of the page.
- In the side panel, select the trigger best suited to your needs.
- On the trigger node, select to browse available actions.
- In the Choose action side panel, search for Azure Connector and select Get groups.
- In the action Input, you can target specific groups in $filter if you wish to filter your results. Likewise, in $select, specify which fields you wish to get from Entra ID. The syntax is based on Entra ID API documentation.
  If you use the import_teams action after the get_groups action in your workflow to add Entra ID groups to the list of ownership teams:
  - You always need to include id and displayName in get_groups; these fields are mapped to the imported ownership team's Team identifier and Team name, respectively.
  - We recommend that you always include the mailNickname parameter in get_groups. This field has unique values in Entra ID and is set as a unique, human-readable Supplementary Identifier for your imported ownership team within Dynatrace.
  - The Object Id from Entra ID, imported via the id parameter, is set as the unique Team identifier as well as the External ID of the imported ownership team.
  - The mail parameter is set as the Email of the imported ownership team.
- Optionally, insert the Import teams action (provided by the Ownership app) to store Entra ID group information as ownership teams within Dynatrace Settings. You can then assign these imported teams as owners to any monitored entity in Dynatrace.
- To test your workflow, select Run.
Action result
The result of get_groups is a JSON array with each record consisting of a single user group. If $count is set to true when configuring the action, the Results panel shows a count of imported groups.
The directory_id displayed in the results is the Azure tenant ID.
The log of a successful run is shown below.
[INFO] Successfully retrieved connection settings.
[INFO] Successfully fetched authentication token.
[INFO] Calling Entra-ID groups endpoint with the following query params: $filter=startswith(displayName, 'team-deco')&$select=id,displayName,description,mail,mailNickname&$count=true&$top=999
[INFO] Successfully fetched Groups from Entra-ID.
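The $select rules for import_teams described above can be checked before a workflow runs. This added example (not Dynatrace code) validates the query string from the log and maps get_groups records onto the field labels this page names; the output keys are those labels rather than the Ownership app's actual schema, and the group records are constructed.

```python
from urllib.parse import parse_qs

REQUIRED = {"id", "displayName"}   # import_teams needs both (see the text above)
RECOMMENDED = {"mailNickname"}     # becomes the Supplementary Identifier

# Query string copied from the successful-run log above.
LOGGED_QUERY = ("$filter=startswith(displayName, 'team-deco')"
                "&$select=id,displayName,description,mail,mailNickname"
                "&$count=true&$top=999")

def check_select(query):
    """Report which fields import_teams relies on are absent from $select.
    An absent $select is treated as selecting nothing (assumption)."""
    raw = parse_qs(query).get("$select", [""])[0]
    selected = {f.strip() for f in raw.split(",") if f.strip()}
    return {"missing_required": sorted(REQUIRED - selected),
            "missing_recommended": sorted(RECOMMENDED - selected)}

def to_ownership_team(group):
    """Map one get_groups record onto the field labels used on this page."""
    return {
        "Team identifier": group["id"],
        "External ID": group["id"],
        "Team name": group["displayName"],
        "Supplementary Identifier": group.get("mailNickname"),
        "Email": group.get("mail"),
    }

def plan_import(groups):
    """Split records into mappable teams and rejects lacking a required field."""
    teams, rejected = [], []
    for group in groups:
        if all(group.get(k) for k in REQUIRED):
            teams.append(to_ownership_team(group))
        else:
            rejected.append(group)
    return teams, rejected

# Constructed sample records, not real directory data.
SAMPLE_GROUPS = [
    {"id": "00000000-0000-0000-0000-000000000001", "displayName": "team-deco-a",
     "mail": "team-deco-a@example.com", "mailNickname": "team-deco-a"},
    {"displayName": "team-deco-b", "mailNickname": "team-deco-b"},  # no id
]

if __name__ == "__main__":
    print(check_select(LOGGED_QUERY))
    print(plan_import(SAMPLE_GROUPS))
```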