Azure AD Connector

Modified on Mon, 15 Apr 2024 at 09:54 AM

TABLE OF CONTENTS

Introduction
Further Support

Introduction

Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service. It serves as a centralized platform for managing and securing user identities and their access to various resources, applications, and services in the Microsoft Azure cloud ecosystem as well as other connected systems. Azure AD is designed to provide a secure and flexible identity management solution for cloud-centric and hybrid environments. It's widely used by organizations of all sizes to streamline access, enhance security, and improve user experiences across various applications and services.

ManagementStudio Azure AD connector requires an App to be created on the client’s Azure instance with the appropriate permissions and access rights. Please refer to this article on how to create the Azure App. The connector is used to pull in data from the Azure AD platform.

The Azure AD Connector consist of the following panels:

Azure AD Discovery Status
Import User Options
User Update Options
Import Device Options
Device Update Options
Application Update Options
Connection Options
Troubleshooting

An Administrator has the ability to toggle each of the panels OFF/ON

Azure AD Discovery Status

The table below provides information on the elements within this panel.

UI Element	Description
Run Azure AD Discovery Now	A button to allow an Admin to run the Azure AD discovery now.
Schedule Azure AD Discovery #1	Specify the times to run the Azure AD Discovery. Please refer to this article on how to create a scheduled task.
Schedule Azure AD Discovery #2	Specify the times to run the Azure AD Discovery. Please refer to this article on how to create a scheduled task.
Last Discovery Date	Displays the last time the Azure AD connector ran successfully.
Azure TenantId	Specify your Microsoft 365 Tenant ID. Refer to this article on how to find your Azure AD tenant ID.
App Client Id	Specify the unique Application ID assigned to your app by Azure AD when the app was registered. Refer to this article on how to find App Client ID.
Email logs To	List of email address to email a copy of the logs at the end of the sync. Use ; for multiple list of emails e.g. t@blog.com;T@managementstudio.co.uk.
Overall Progress	Displays the overall progress.
Current Task Progress	Displays the current task progress.
Import Log	Text box used to display the connector logs.

Import User Options

The table below provides information on the elements within this panel.

UI Element	Description
User Last Activity < X Days	Only import Users that have Azure Sign-In Activity in the last X days. Use '0' to import all Users.
Last Activity Date Type	Interactive Sign-Ins are performed by a User e.g. logging onto their PC. Non Interactive Sign-Ins are sign-ins that are performed by a client app or an OS component on behalf of a user.
Import User Types	Specify the User import type. Only import Users of the selected type(s).
Exclude Disabled User Accounts	Exclude Disabled User Accounts from the import.
User Groups to Examine	Specify the list of Azure AD groups to examine to import Users. Type: Security\|Distribution\|365 Group Name: AD Group Options: Nested Members\|Direct Members\|Exclude Members\|Ignore
Identity Issuer(s)	Specify the list of Identities a User needs to be a member of.
Exclude User Accounts (UPN Filter)	Specify explicitly the list of Users not to import. Use * as a wildcard to filter multiple accounts.
Only Include User Accounts (UPN Filter)	Specify explicitly the list of Users ONLY to be imported. Use * as a wildcard to filter multiple accounts.

User Update Options

The table below provides information on the elements within this panel.

UI Element	Description
Don't Update User if Locked in MS	This option will not update a User record that is locked in ManagementStudio. NB this is not related to a User locked in Azure AD.
When matching MS users to Azure users match on UPN, Email or Both	When an MS User is missing an Azure ID, the Zure connector will look up the MS user's UPN and email in Azure UPN field. This allows only the MS Users's UPN/Email to be used if required.
User Field Mappings	List of Azure AD fields to copy into ManagementStudio. Built in Azure AD User fields can be mapped to fields in ManagementStudio. By default ManagementStudio will create the most common mappings. When importing data from Azure AD, MS uses a simple convention: Target - This is a field in ManagementStudio, this can be a Detail Field, Custom Field or a Blueprint. MS Field - This is the path to the ManagementStudio field or name of the field used. Azure AD Field - This is the attribute of an Azure AD User object. Any AD attribute can be used as the AD field and ManagementStudio has some built in special mechanism for transforming the AD data.
Link Users to Devices via Azure Owner	Enable this option to use the Owner field in Azure to link a User to their Device.
Device Last Activity < X Days	Specify the number of days to limit the Devices the User can be linked too by recent login activity.
Filter to MDM Type	Limit the Devices the User can be linked to by how they are managed.

Import Device Options

The table below provides information on the elements within this panel.

UI Element	Description
Device Last Activity < X Days	Only import Devices that have Azure Sign-In Activity in the last X days. Use '0' to import all Devices.
Exclude Disabled Device Accounts	Exclude disabled Device accounts from the import.
Filter to MDM Type	Select the MDM device type to be imported. Untick all for no filter.
Filter to Device Type	Select the Device type to be imported. Untick all for no filter.
Filter to Join Type	Select the Azure Join type to be imported. Untick all for no filter.
Device Groups to Examine	Specify the list of Azure AD groups to examine to import Devices. Type: Security\|Distribution\|365 Group Name: AD Group Options: Nested Members\|Direct Members\|Exclude Members\|Ignore
Exclude Devices (Hostname Filter)	Specify explicitly the list of Devices not to import. Use * as a wildcard to filter multiple devices.
Only Include Devices (Hostname Filter)	Specify explicitly the list of Devices ONLY to be imported. Use * as a wildcard to filter multiple devices.

Device Update Options

The table below provides information on the elements within this panel.

UI Element	Description
Don't update Machine if locked in MS	This option will not update a Device record that is locked in ManagementStudio. NB this is not related to a Device locked in Azure AD.
Device Field Mappings	List of Azure AD device fields to copy into ManagementStudio. Built in Azure AD Device fields can be mapped to fields in ManagementStudio. By default ManagementStudio will create the most common mappings. When importing data from Azure AD, MS uses a simple convention: Target - This is a field in ManagementStudio, this can be a Detail Field, Custom Field or a Blueprint. MS Field - This is the path to the ManagementStudio field or name of the field used. Azure AD Field - This is the attribute of an Azure AD Device object. Any AD attribute can be used as the AD field and ManagementStudio has some built in special mechanism for transforming the AD data.

Application Update Options

The table below provides information on the elements within this panel.

UI Element	Description
Link Users to Apps via AD Groups	Link: Creates a User-App Links if the User is in ManagementStudio. Remove: Takes the App off the User if they are removed from the Azure AD group.
User Name Format	An option to display the format of the list of Users that are Linked from the Azure AD group.
Link Devices to Apps via AD Groups	Link: Creates a Device-App Links if the Device is in ManagementStudio. Remove: Takes the App off the Device if it is removed from the Azure AD group.
Device Name Format	An option to display the format of the list of Devices that are Linked from the Azure AD group.
Recurse Nested App Groups	Search down the Azure AD Tree of Sub-Groups for Users/Devices. This can be very slow and Ad intensive. It is recommended to only use if necessary.
Exclude By Process Status	Exclude Apps from the update/linking phase by ticking the Process Status you don't want to include Apps from.

Connection Options

The table below provides information on the elements within this panel.

UI Element	Description
Azure Account Username	Enter the Username to use to authenticate with the Azure AD.
Azure Account Password	Enter the Password to use to authenticate with the Azure AD.
Azure App Client Secret	Enter the App Client Secret that was created when the app was registered.
Azure App Client Secret Expiry	Enter the App Client Secret expiry date.
Use Proxy Server for Internet Access	Enable this option to connect to the internet via a proxy server.
Proxy Server Address (Leave Blank for auto detect	Specify proxy address.
Proxy Account Username	Enter the proxy account username. Leave Username/Password blank to use ManagementStudio service account
Proxy Account Password	Enter the proxy account password. Leave Username/Password blank to use ManagementStudio service account

Troubleshooting

The table below provides information on the elements within this panel.

UI Element	Description
Notes	Text field used to enter information about the project environment.
Verbose Logging	This option generates large files and should only be enabled for troubleshooting.
Log Headers	This option generates large files and should only be enabled for troubleshooting.
Log Payload	This option generates large files and should only be enabled for troubleshooting.
Online Help	Link to the Online solutions article.
Azure Page Size
Anonymise Data	Enable this option to only import bare minimum data to be able to create User-App-Device links. The SamAccount/Device name will be scrambled.

Azure Connection

To connect to an Azure instance fill in the TenantId of the Azure Instance, the Client Id of the Azure app, and either a user/pass or secret key.

Switch to Administration->Extensions->Connectors (1)
Click Add New Connector (2)
Select Azure AD (3)
Enter the name of the connector
Click OK

Enter your Azure TenantId (1) and App ClientId (2) within the Azure AD Discovery panel

Scroll down to the Connection options panel
You have the option of connect using an Azure Account Username and Azure Account password (1) OR
Using an Azure App Client Secret (2).
In the screenshot below, we are using the App Client secret

Click Save Changes
Toggle ON the required panels and specify the settings in each panel
Click Save Changes (1)
Click Run Azure AD Discovery (2)
Click Continue
Within a few minutes, click Reload (3)
You should now see the Import Log (4) being populated
To Schedule the Azure Ad connector to run at set intervals, please refer to this article for more information

Azure Keywords

Built-in Azure keywords of Users and Devices can be mapped to fields in ManagementStudio. By default, ManagementStudio will create the most common mappings for you.

Special Keywords

Special keywords are available only in ManagementStudio and generally apply some post-processing to Azure keywords.

User Special Keywords

User Special Keyword
Category	Keyword
AccountEnabled	[MS_AccountEnabledYN] Resolves to Yes or No [MS_AccountEnabledTF] Resolves to TRUE or FALSE [MS_AccountEnabledED] Resolves to Enabled or Disabled
MemberOf	[MS_MemberOfName] [MS_MemberOfId] [MS_MemberOfNameAndId]
Manager	[MS_ManagerName] [MS_ManagerUPN] [MS_ManagerNameAndUPN]
DirectReports	[MS_DirectReportsName] [MS_DirectReportsUPN] [MS_DirectReportsNameAndUPN]
Misc	[MS_IdentityIssuer]
LastActivity	[MS_LastActivityHighest] [MS_LastActivityInteractive] [MS_LastActivityNonInteractive]

Device Keywords

Device Keywords
Category	Keyword
AccountEnabled	[MS_AccountEnabledYN] Resolves to Yes or No [MS_AccountEnabledTF] Resolves to TRUE or FALSE [MS_AccountEnabledED] Resolves to Enabled or Disabled
MemberOf	[MS_MemberOfName] [MS_MemberOfId] [MS_MemberOfNameAndId]
Owner	[MS_OwnerName] [MS_OwnerId] [MS_OwnerUPN]
Dates	[MS_LastActivity]
Types	[MS_DeviceType] [MS_MdmType] [MS_JoinType]

Further Support

If you require further support, please visit ManagementStudio's Service Desk to search the knowledge base or create a new support ticket.