docs/pages/identity-governance/integrations/entra-id/advanced-options.mdx
This page lists advanced configuration options related to the Teleport Entra ID integration.
By default, all the groups that exist in the Microsoft Entra ID directory are imported to Teleport. This import behavior can be controlled with group filters, which include or exclude groups based on their group object ID or group display name.

Group filters can only be configured using `tctl`; the ability to configure them using the Teleport Web UI is in the works.
Example to configure group filters during installation:

```code
$ tctl plugins install entraid \
--name entra-id-default \
--auth-connector-name entra-id \
--default-owner=admin \
--no-access-graph \
--use-system-credentials \
--manual-setup \
--group-id 25f9c527-2314-414c-a75d-ef7efabcc99b \
--group-name "admin*" \
--exclude-group-id 080b50c3-1c98-4d8e-a54e-20143dbd4f99 \
--exclude-group-name "fin*"
```
- `--group-id`: Include the group matching the specified group ID. Multiple flags allowed.
- `--group-name`: Include groups matching the specified group name regex. Multiple flags allowed.
- `--exclude-group-id`: Exclude the group matching the specified group ID. Multiple flags allowed.
- `--exclude-group-name`: Exclude groups matching the specified group name regex. Multiple flags allowed.

Group filters can be updated using the `group_filters` field, which is available in the `sync_settings` of the Teleport Entra ID plugin resource spec.
Reference configuration spec:

```yaml
kind: plugin
metadata:
  name: entra-id
spec:
  Settings:
    entra_id:
      sync_settings:
        ... # other settings omitted for brevity
        group_filters:
          - id: 080b50c3-1c98-4d8e-a54e-20143dbd4f99
          - id: 45f9c527-2314-414c-a75d-ef7efabcc99b
          - id: 35f9c527-2314-414c-a75d-ef7efabcc99b
          - nameRegex: 'admin*'
          - excludeId: 080b50c52-1c98-4d8e-a54e-20143dbd4f99
          - excludeNameRegex: 'finance*'
version: v1
```
The plugin spec can be edited using the `tctl edit plugins/entra-id` command.
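To make the effect of a `group_filters` list concrete, the following Go program is an added example (not Teleport's own code) that evaluates the four filter kinds shown above against constructed group objects. The page does not state how include and exclude filters combine, so the precedence it implements is an assumption: any exclude match wins, and otherwise a group is imported when no include filter is configured or any include filter matches.

```go
package main

import (
	"fmt"
	"regexp"
)

// GroupFilter mirrors one entry of this page's group_filters list; set exactly one field.
type GroupFilter struct{ ID, NameRegex, ExcludeID, ExcludeNameRegex string }

// Group is a constructed stand-in for an Entra ID group object.
type Group struct{ ID, DisplayName string }

// ShouldImport reports whether a group passes the filters. Assumed semantics
// (not stated on the page): any exclude match wins; otherwise the group is
// imported when no include filter is configured or any include filter matches.
func ShouldImport(g Group, filters []GroupFilter) (bool, error) {
	hasInclude, included := false, false
	for _, f := range filters {
		switch {
		case f.ExcludeID != "":
			if f.ExcludeID == g.ID {
				return false, nil
			}
		case f.ExcludeNameRegex != "":
			m, err := regexp.MatchString(f.ExcludeNameRegex, g.DisplayName)
			if err != nil || m {
				return false, err // excluded, or invalid pattern
			}
		case f.ID != "":
			hasInclude = true
			included = included || f.ID == g.ID
		case f.NameRegex != "":
			hasInclude = true
			m, err := regexp.MatchString(f.NameRegex, g.DisplayName)
			if err != nil {
				return false, err
			}
			included = included || m
		}
	}
	return !hasInclude || included, nil
}

func main() {
	filters := []GroupFilter{{NameRegex: "^admin"}, {ExcludeNameRegex: "^fin"}}
	ok, err := ShouldImport(Group{ID: "g1", DisplayName: "admin-finance"}, filters)
	fmt.Println(ok, err) // true <nil>
}
```

Note that the name filters are evaluated as unanchored Go regular expressions, so a pattern such as `admin*` matches any display name containing `admi`; anchor patterns with `^` when a prefix match is intended.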
Access List owners have permission to manage Access Lists in Teleport and are analogous to Microsoft Entra ID group owners. You can configure the source of Access List owners to control how the Teleport Entra ID plugin chooses owners for the Access Lists created for Microsoft Entra ID groups.

The following options are supported:

- `plugin`: Use the default owners configured in the plugin sync settings. This is the default option.
- `entraid`: Use Microsoft Entra ID group owners as Access List owners. Only group owners of the user type are supported. Service principals as group owners are not supported and will be filtered out. Teleport may fall back to using the `plugin` source on the following conditions:
- `plugin-and-entraid`: Use both the `plugin` and `entraid` sources to configure Access List owners.

Example to configure the source of Access List owners during installation:
```code
$ tctl plugins install entraid \
--name entra-id-default \
--auth-connector-name entra-id \
--default-owner admin \
--no-access-graph \
--use-system-credentials \
--manual-setup \
--access-list-owners-source entraid
```
The `--access-list-owners-source` flag configures the source of the Access List owners. The value can be `plugin`, `entraid`, or `plugin-and-entraid`.

You can update the source of the Access List owners using the `access_list_owners_source` field, which is available in the `sync_settings` of the Teleport Entra ID plugin resource spec.

The `access_list_owners_source` field supports one of the following values:

- `1` to configure the `plugin` source.
- `2` to configure the `entraid` source.
- `3` to configure the `plugin-and-entraid` source.

You can use the `tctl edit plugins/entra-id` command to update the plugin spec.
A reference to the plugin resource spec is provided below:

```yaml
kind: plugin
metadata:
  name: entra-id
spec:
  Settings:
    entra_id:
      sync_settings:
        ... # other settings omitted for brevity
        access_list_owners_source: 3
version: v1
```