# Advanced Entra ID Integration Options

This page lists advanced configuration options related to the Teleport Entra ID integration.

## Group filters

By default, every group that exists in the Microsoft Entra ID directory is imported into Teleport.

Group filters control this import: they include or exclude groups that match a given group object ID or group display name.

Group filters can currently be configured only with `tctl`; support for configuring them in the Teleport Web UI is in the works.

### Group filter precedence

- If no filters are configured, all groups are imported (the default).
- If any include filter is configured, only groups that match at least one include filter are imported.
- If a group matches both an include filter and an exclude filter, the exclude filter takes precedence and the group is not imported.

### Configure group filters during installation

Example to configure group filters during installation:

```
$ tctl plugins install entraid \
    --name entra-id-default \
    --auth-connector-name entra-id \
    --default-owner=admin \
    --no-access-graph \
    --use-system-credentials \
    --manual-setup \
    --group-id 25f9c527-2314-414c-a75d-ef7efabcc99b \
    --group-name "admin*" \
    --exclude-group-id 080b50c3-1c98-4d8e-a54e-20143dbd4f99 \
    --exclude-group-name "fin*" 
```

- `--group-id`: Include the group with the specified group object ID. Multiple flags allowed.
- `--group-name`: Include groups whose display name matches the specified regular expression. Multiple flags allowed.
- `--exclude-group-id`: Exclude the group with the specified group object ID. Multiple flags allowed.
- `--exclude-group-name`: Exclude groups whose display name matches the specified regular expression. Multiple flags allowed.

The name filters are regular expressions, not shell globs: in `admin*` the `*` repeats the preceding `n`, so the pattern means `admi` followed by any number of `n` characters, not "names starting with `admin`". Use explicit anchors and quantifiers (for example `^admin.*$`) when you intend a prefix or exact match, and quote the pattern so the shell does not expand it.
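The Go program below is an added example, not Teleport's own code: it models the precedence rules and the include/exclude flags described above as a small filter over a constructed group listing, reusing the two group IDs from the `tctl` example. The `Group` and `GroupFilters` types, the function names, and the placeholder IDs `group-c` to `group-f` are this example's own. It also assumes unanchored Go regular-expression matching, which the page does not specify for Teleport, and runs the page's `admin*` / `fin*` patterns next to anchored `^admin` / `^fin` ones to show what that assumption changes.

```go
package main

import (
	"fmt"
	"regexp"
)

// Group is a constructed stand-in for an Entra ID group object, not Teleport's type.
type Group struct{ ID, DisplayName string }

// GroupFilters holds the four filter kinds documented on this page.
type GroupFilters struct {
	IDs, ExcludeIDs                 []string
	NameRegexes, ExcludeNameRegexes []*regexp.Regexp
}

// NewGroupFilters compiles the name patterns as Go regular expressions. Assumption: matching
// is unanchored (regexp.MatchString), so "admin*" matches any name containing "admi"; the page
// does not say how Teleport anchors patterns, so use ^ and $ when a prefix or exact match is meant.
func NewGroupFilters(ids, nameRegexes, excludeIDs, excludeNameRegexes []string) (GroupFilters, error) {
	inc, err := compileAll(nameRegexes)
	if err != nil {
		return GroupFilters{}, err
	}
	exc, err := compileAll(excludeNameRegexes)
	if err != nil {
		return GroupFilters{}, err
	}
	return GroupFilters{IDs: ids, ExcludeIDs: excludeIDs, NameRegexes: inc, ExcludeNameRegexes: exc}, nil
}

func compileAll(patterns []string) ([]*regexp.Regexp, error) {
	var res []*regexp.Regexp
	for _, p := range patterns {
		re, err := regexp.Compile(p)
		if err != nil {
			return nil, fmt.Errorf("group name pattern %q: %w", p, err)
		}
		res = append(res, re)
	}
	return res, nil
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

func matchesAny(res []*regexp.Regexp, s string) bool {
	for _, re := range res {
		if re.MatchString(s) {
			return true
		}
	}
	return false
}

// Allowed applies the documented precedence: an exclude match always wins, even when an include
// filter also matches; with no include filters every remaining group is imported; otherwise the
// group must match at least one include filter, by ID or by name.
func (f GroupFilters) Allowed(g Group) bool {
	if contains(f.ExcludeIDs, g.ID) || matchesAny(f.ExcludeNameRegexes, g.DisplayName) {
		return false
	}
	if len(f.IDs) == 0 && len(f.NameRegexes) == 0 {
		return true
	}
	return contains(f.IDs, g.ID) || matchesAny(f.NameRegexes, g.DisplayName)
}

// Imported returns the display names of the groups that would be imported.
func Imported(groups []Group, f GroupFilters) []string {
	var out []string
	for _, g := range groups {
		if f.Allowed(g) {
			out = append(out, g.DisplayName)
		}
	}
	return out
}

// SampleDirectory is a constructed listing: the first two IDs come from the tctl example; the rest are placeholders.
func SampleDirectory() []Group {
	return []Group{
		{"25f9c527-2314-414c-a75d-ef7efabcc99b", "platform-oncall"},
		{"080b50c3-1c98-4d8e-a54e-20143dbd4f99", "admin-break-glass"},
		{"group-c", "admins"}, {"group-d", "finance-admins"},
		{"group-e", "sysadmin"}, {"group-f", "readonly"},
	}
}

func main() {
	for _, pats := range [][2]string{{"admin*", "fin*"}, {"^admin", "^fin"}} {
		f, err := NewGroupFilters([]string{"25f9c527-2314-414c-a75d-ef7efabcc99b"}, []string{pats[0]},
			[]string{"080b50c3-1c98-4d8e-a54e-20143dbd4f99"}, []string{pats[1]})
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-7s / %-5s -> %v\n", pats[0], pats[1], Imported(SampleDirectory(), f))
	}
}
```

With the page's patterns, `sysadmin` is imported because `admin*` only requires `admi` to appear somewhere in the name; with `^admin` it is not. `admin-break-glass` is dropped in both runs because its ID is in the exclude list, even though its name matches the include pattern, and `finance-admins` is dropped by the `fin*` exclude despite matching the include.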

### Updating group filters

Group filters can be updated through the `group_filters` field in the `sync_settings` section of the Teleport Entra ID plugin resource spec.

Reference configuration spec:

```
kind: plugin
metadata:
  name: entra-id
spec:
  Settings:
    entra_id:
      sync_settings:
        ... # other settings omitted for brevity
        group_filters:
        - id: 080b50c3-1c98-4d8e-a54e-20143dbd4f99
        - id: 45f9c527-2314-414c-a75d-ef7efabcc99b
        - id: 35f9c527-2314-414c-a75d-ef7efabcc99b
        - nameRegex: 'admin*'
        - excludeId: 080b50c52-1c98-4d8e-a54e-20143dbd4f99
        - excludeNameRegex: 'finance*'
version: v1
```

The plugin spec can be edited using the `tctl edit plugins/entra-id` command.

## Access List owners

Access List owners have permission to manage Access Lists in Teleport and are analogous to Microsoft Entra ID group owners.

You can configure the source of Access List owners to control how the Teleport Entra ID plugin chooses owners for the Access Lists it creates for Microsoft Entra ID groups.

The following options are supported:

1. Source `plugin`: Use the default owners configured in the plugin sync settings (set with `--default-owner` at installation). This is the default option.

2. Source `entraid`: Use the Microsoft Entra ID group owners as Access List owners. Only owners of user type are supported; service principals that own a group are filtered out. Because an Access List owner can manage that Access List in Teleport, this delegates that control to whoever can be made an owner of the group in Entra ID, so group ownership there should be governed as tightly as Access List ownership in Teleport. Teleport falls back to the `plugin` source for a group when either of the following holds:

   - The Microsoft Entra ID group has no configured owners.
   - None of the group's owners is of a supported type, leaving zero supported owners.

3. Source `plugin-and-entraid`: Use both the `plugin` and the `entraid` sources to configure Access List owners.
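The Go program below is an added example and not Teleport's code: it models the three owner sources above, including the `entraid` fallback, over a constructed set of group owners, and maps the flag values to the integer encoding that the `access_list_owners_source` spec field uses (documented later on this page). The `EntraOwner` type and its `Kind` field, the `ci-automation` and `alice@example.com` owners, and the treatment of `plugin-and-entraid` as a de-duplicated union with the plugin defaults first are assumptions of this example.

```go
package main

import "fmt"

// OwnersSource uses the integer encoding of the access_list_owners_source spec field.
type OwnersSource int

const (
	SourcePlugin           OwnersSource = 1
	SourceEntraID          OwnersSource = 2
	SourcePluginAndEntraID OwnersSource = 3
)

// ParseOwnersSource maps a --access-list-owners-source flag value to its spec integer.
func ParseOwnersSource(s string) (OwnersSource, error) {
	switch s {
	case "plugin":
		return SourcePlugin, nil
	case "entraid":
		return SourceEntraID, nil
	case "plugin-and-entraid":
		return SourcePluginAndEntraID, nil
	}
	return 0, fmt.Errorf("unknown access list owners source %q", s)
}

// EntraOwner is a constructed stand-in for a directory object returned as a group owner
// (not a Microsoft Graph type); Kind is "user" or "servicePrincipal".
type EntraOwner struct{ Kind, Name string }

// supportedOwners keeps user-type owners only; service principals are filtered out.
func supportedOwners(owners []EntraOwner) []string {
	var users []string
	for _, o := range owners {
		if o.Kind == "user" {
			users = append(users, o.Name)
		}
	}
	return users
}

// ResolveOwners returns the owners of the Access List created for one group and reports
// whether the entraid source fell back to the plugin defaults. Assumption: the
// plugin-and-entraid result is a de-duplicated union, plugin defaults first.
func ResolveOwners(src OwnersSource, defaultOwners []string, groupOwners []EntraOwner) ([]string, bool, error) {
	switch src {
	case SourcePlugin:
		return append([]string(nil), defaultOwners...), false, nil
	case SourceEntraID:
		users := supportedOwners(groupOwners)
		if len(users) == 0 {
			// Zero configured owners, or only unsupported ones: fall back to the plugin defaults.
			return append([]string(nil), defaultOwners...), true, nil
		}
		return users, false, nil
	case SourcePluginAndEntraID:
		seen := map[string]bool{}
		var out []string
		for _, o := range append(append([]string(nil), defaultOwners...), supportedOwners(groupOwners)...) {
			if !seen[o] {
				seen[o] = true
				out = append(out, o)
			}
		}
		return out, false, nil
	}
	return nil, false, fmt.Errorf("unknown owners source value %d", src)
}

func main() {
	defaults := []string{"admin"} // the --default-owner value from the tctl example
	// Constructed group owners: one service principal (filtered out) and one user.
	owners := []EntraOwner{{"servicePrincipal", "ci-automation"}, {"user", "alice@example.com"}}
	for _, name := range []string{"plugin", "entraid", "plugin-and-entraid"} {
		src, _ := ParseOwnersSource(name)
		got, fellBack, _ := ResolveOwners(src, defaults, owners)
		fmt.Printf("%-18s (%d) -> %v fallback=%v\n", name, src, got, fellBack)
	}
	got, fellBack, _ := ResolveOwners(SourceEntraID, defaults, owners[:1])
	fmt.Printf("entraid, SP-only owners -> %v fallback=%v\n", got, fellBack)
}
```

The last call shows the fallback case: the group's only owner is a service principal, so the `entraid` source yields zero supported owners and the Access List gets the plugin default `admin` instead.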

### Configuring source during installation

Example to configure the source of Access List owners during installation:

```
$ tctl plugins install entraid \
    --name entra-id-default \
    --auth-connector-name entra-id \
    --default-owner admin \
    --no-access-graph \
    --use-system-credentials \
    --manual-setup \
    --access-list-owners-source entraid
```

- `--access-list-owners-source`: Sets the source of Access List owners. Valid values are `plugin`, `entraid`, and `plugin-and-entraid`.

### Updating the source of Access List owners

You can update the source of Access List owners through the `access_list_owners_source` field in the `sync_settings` section of the Teleport Entra ID plugin resource spec.

The `access_list_owners_source` field supports one of the following values:

- Integer value `1` to configure "plugin" source.
- Integer value `2` to configure "entraid" source.
- Integer value `3` to configure "plugin-and-entraid" source.

You can use the `tctl edit plugins/entra-id` command to update the plugin spec. A reference to the plugin resource spec is provided below:

```
kind: plugin
metadata:
  name: entra-id
spec:
  Settings:
    entra_id:
      sync_settings:
        ... # other settings omitted for brevity
        access_list_owners_source: 3
version: v1
```
