Azure AD Connector

Modified on Tue, 15 Oct at 10:56 AM

Introduction

Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service. It serves as a centralized platform for managing and securing user identities and their access to various resources, applications, and services in the Microsoft Azure cloud ecosystem as well as other connected systems. Azure AD is designed to provide a secure and flexible identity management solution for cloud-centric and hybrid environments. It's widely used by organizations of all sizes to streamline access, enhance security, and improve user experiences across various applications and services.


The ManagementStudio Azure AD connector requires an App to be registered in the client's Azure tenant with the appropriate permissions and access rights. Please refer to this article on how to create the Azure App. The connector is used to pull data in from the Azure AD platform.

The Azure AD Connector consists of the following panels:


  • Azure AD Discovery Status
  • Import User Options
  • User Update Options
  • Import Device Options
  • Device Update Options
  • Application Update Options
  • Connection Options
  • Troubleshooting


An Administrator can toggle each of these panels ON or OFF.


Best Practice Guidelines

See here.

Azure AD Discovery Status

The table below provides information on the elements within this panel.


UI Element | Description
Run Azure AD Discovery Now | A button that allows an Admin to run the Azure AD discovery immediately.
Schedule Azure AD Discovery #1 | Specify the times to run the Azure AD Discovery. Please refer to this article on how to create a scheduled task.
Schedule Azure AD Discovery #2 | Specify the times to run the Azure AD Discovery. Please refer to this article on how to create a scheduled task.
Last Discovery Date | Displays the last time the Azure AD connector ran successfully.
Azure TenantId | Specify your Microsoft 365 Tenant ID. Refer to this article on how to find your Azure AD tenant ID.
App Client Id | Specify the unique Application ID assigned to your app by Azure AD when the app was registered. Refer to this article on how to find the App Client ID.
Email logs To | List of email addresses that receive a copy of the logs at the end of the sync. Use ; to separate multiple addresses, e.g. t@blog.com;T@managementstudio.co.uk.
Overall Progress | Displays the overall progress.
Current Task Progress | Displays the current task progress.
Import Log | Text box used to display the connector logs.




Import User Options

The table below provides information on the elements within this panel.


UI Element | Description
User Last Activity < X Days | Only import Users that have Azure Sign-In Activity in the last X days. Use '0' to import all Users.
Last Activity Date Type | Select which kind of sign-in counts as activity.
  • Interactive Sign-Ins are performed by a User, e.g. logging onto their PC.
  • Non Interactive Sign-Ins are performed by a client app or an OS component on behalf of a user.
Import User Types | Specify the User import type(s). Only Users of the selected type(s) are imported.
Exclude Disabled User Accounts | Exclude disabled User accounts from the import.
User Groups to Examine | Specify the list of Azure AD groups to examine when importing Users.
  • Type: Security|Distribution|365
  • Group Name: AD Group
  • Options: Nested Members|Direct Members|Exclude Members|Ignore
Identity Issuer(s) | Specify the list of Identity Issuers a User must belong to.
Exclude User Accounts (UPN Filter) | Explicitly specify the list of Users not to import. Use * as a wildcard to match multiple accounts.
Only Include User Accounts (UPN Filter) | Explicitly specify the list of Users that are the ONLY ones to be imported. Use * as a wildcard to match multiple accounts.
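As an added illustration, not the connector's own code, the following Python models how the Import User Options above combine: the activity window with its date type, the disabled-account exclusion, and the `*` wildcard UPN filters (the hostname filters in the Import Device Options work the same way). The record layout, the sample users and the rule that an Exclude pattern overrides an Only Include pattern are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of Azure AD user records (not real tenant data); the
# record layout and the rule that an exclude filter wins over an include
# filter are assumptions, not the connector's documented behaviour.
NOW = datetime(2024, 10, 15, tzinfo=timezone.utc)
USERS = [
    {"upn": "alice@contoso.example", "enabled": True,
     "interactive": NOW - timedelta(days=3), "non_interactive": NOW - timedelta(days=1)},
    {"upn": "svc-backup@contoso.example", "enabled": True,
     "interactive": None, "non_interactive": NOW - timedelta(days=2)},
    {"upn": "bob@contoso.example", "enabled": False,
     "interactive": NOW - timedelta(days=10), "non_interactive": None},
    {"upn": "carol@contoso.example", "enabled": True,
     "interactive": NOW - timedelta(days=120), "non_interactive": NOW - timedelta(days=90)},
]

def last_activity(user, date_type):
    """Date the 'Last Activity Date Type' setting refers to; Highest = most recent of the two."""
    if date_type == "Interactive":
        return user["interactive"]
    if date_type == "NonInteractive":
        return user["non_interactive"]
    seen = [d for d in (user["interactive"], user["non_interactive"]) if d]
    return max(seen) if seen else None

def wildcard(pattern):
    """UPN filter pattern in which only '*' is special; comparison is case-insensitive."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$", re.I)

def matches_any(upn, patterns):
    return any(wildcard(p).match(upn) for p in patterns)

def select_users(users, max_days=0, date_type="Highest", exclude_disabled=True,
                 exclude=(), only_include=(), now=NOW):
    """Return the UPNs the Import User Options would admit; max_days=0 disables the window."""
    selected = []
    for u in users:
        if exclude_disabled and not u["enabled"]:
            continue
        if max_days > 0:
            seen = last_activity(u, date_type)
            if seen is None or now - seen > timedelta(days=max_days):
                continue
        if only_include and not matches_any(u["upn"], only_include):
            continue
        if matches_any(u["upn"], exclude):
            continue
        selected.append(u["upn"])
    return selected
```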





User Update Options

The table below provides information on the elements within this panel.


UI Element | Description
Don't Update User if Locked in MS | This option will not update a User record that is locked in ManagementStudio. NB this is not related to a User being locked in Azure AD.
When matching MS users to Azure users match on UPN, Email or Both | When an MS User is missing an Azure ID, the Azure connector looks up the MS User's UPN and email in the Azure UPN field. This option restricts the lookup to only the MS User's UPN or only their Email if required.
User Field Mappings | List of Azure AD fields to copy into ManagementStudio. Built-in Azure AD User fields can be mapped to fields in ManagementStudio. By default ManagementStudio will create the most common mappings. When importing data from Azure AD, MS uses a simple convention:
  • Target - This is a field in ManagementStudio; it can be a Detail Field, Custom Field or a Blueprint.
  • MS Field - This is the path to the ManagementStudio field or the name of the field used.
  • Azure AD Field - This is the attribute of an Azure AD User object. Any AD attribute can be used as the AD field, and ManagementStudio has some built-in special mechanisms for transforming the AD data.
Link Users to Devices via Azure Owner | Enable this option to use the Owner field in Azure to link a User to their Device.
Device Last Activity < X Days | Specify the number of days used to limit, by recent login activity, the Devices a User can be linked to.
Filter to MDM Type | Limit the Devices a User can be linked to by how they are managed.




Import Device Options

The table below provides information on the elements within this panel.


UI Element | Description
Device Last Activity < X Days | Only import Devices that have Azure Sign-In Activity in the last X days. Use '0' to import all Devices.
Exclude Disabled Device Accounts | Exclude disabled Device accounts from the import.
Filter to MDM Type | Select the MDM device type(s) to be imported. Untick all for no filter.
Filter to Device Type | Select the Device type(s) to be imported. Untick all for no filter.
Filter to Join Type | Select the Azure Join type(s) to be imported. Untick all for no filter.
Device Groups to Examine | Specify the list of Azure AD groups to examine when importing Devices.
  • Type: Security|Distribution|365
  • Group Name: AD Group
  • Options: Nested Members|Direct Members|Exclude Members|Ignore
Exclude Devices (Hostname Filter) | Explicitly specify the list of Devices not to import. Use * as a wildcard to match multiple devices.
Only Include Devices (Hostname Filter) | Explicitly specify the list of Devices that are the ONLY ones to be imported. Use * as a wildcard to match multiple devices.




Device Update Options

The table below provides information on the elements within this panel.


UI Element | Description
Don't update Machine if locked in MS | This option will not update a Device record that is locked in ManagementStudio. NB this is not related to a Device being locked in Azure AD.
Device Field Mappings | List of Azure AD device fields to copy into ManagementStudio. Built-in Azure AD Device fields can be mapped to fields in ManagementStudio. By default ManagementStudio will create the most common mappings. When importing data from Azure AD, MS uses a simple convention:
  • Target - This is a field in ManagementStudio; it can be a Detail Field, Custom Field or a Blueprint.
  • MS Field - This is the path to the ManagementStudio field or the name of the field used.
  • Azure AD Field - This is the attribute of an Azure AD Device object. Any AD attribute can be used as the AD field, and ManagementStudio has some built-in special mechanisms for transforming the AD data.



Application Update Options

The table below provides information on the elements within this panel.


UI Element | Description
Link Users to Apps via AD Groups |
  • Link: Creates a User-App Link if the User exists in ManagementStudio.
  • Remove: Takes the App off the User if they are removed from the Azure AD group.
User Name Format | An option to choose the display format of the list of Users that are linked from the Azure AD group.
Link Devices to Apps via AD Groups |
  • Link: Creates a Device-App Link if the Device exists in ManagementStudio.
  • Remove: Takes the App off the Device if it is removed from the Azure AD group.
Device Name Format | An option to choose the display format of the list of Devices that are linked from the Azure AD group.
Recurse Nested App Groups | Search down the Azure AD tree of sub-groups for Users/Devices. This can be very slow and AD intensive, so it is recommended only when necessary.
Exclude By Process Status | Exclude Apps from the update/linking phase by ticking each Process Status whose Apps you do not want to include.



Connection Options

The table below provides information on the elements within this panel.


UI Element | Description
Azure Account Username | Enter the Username used to authenticate with Azure AD.
Azure Account Password | Enter the Password used to authenticate with Azure AD.
Azure App Client Secret | Enter the App Client Secret that was created when the app was registered.
Azure App Client Secret Expiry | Enter the App Client Secret expiry date.
Use Proxy Server for Internet Access | Enable this option to connect to the internet via a proxy server.
Proxy Server Address (Leave Blank for auto detect) | Specify the proxy address.
Proxy Account Username | Enter the proxy account username. Leave Username/Password blank to use the ManagementStudio service account.
Proxy Account Password | Enter the proxy account password. Leave Username/Password blank to use the ManagementStudio service account.



Troubleshooting

The table below provides information on the elements within this panel.


UI Element | Description
Notes | Text field used to enter information about the project environment.
Verbose Logging | This option generates large files and should only be enabled for troubleshooting.
Log Headers | This option generates large files and should only be enabled for troubleshooting.
Log Payload | This option generates large files and should only be enabled for troubleshooting.
Online Help | Link to the online solutions article.
Azure Page Size |
Anonymise Data | Enable this option to import only the bare minimum data needed to create User-App-Device links. The SamAccount/Device name will be scrambled.

Azure Connection

To connect to an Azure instance, fill in the TenantId of the Azure instance, the Client Id of the Azure app, and either a username/password or a client secret.


  • Switch to Administration->Extensions->Connectors (1)
  • Click Add New Connector (2)
  • Select Azure AD (3)
  • Enter the name of the connector
  • Click OK

  • Enter your Azure TenantId (1) and App ClientId (2) within the Azure AD Discovery panel



  • Scroll down to the Connection options panel
  • You have the option to connect using an Azure Account Username and Azure Account Password (1) OR
  • using an Azure App Client Secret (2).
  • In the screenshot below, we are using the App Client secret


  • Click Save Changes
  • Toggle ON the required panels and specify the settings in each panel
  • Click Save Changes (1)
  • Click Run Azure AD Discovery (2)
  • Click Continue
  • Within a few minutes, click Reload (3)
  • You should now see the Import Log (4) being populated
  • To schedule the Azure AD connector to run at set intervals, please refer to this article for more information



Azure Keywords


Built-in Azure keywords of Users and Devices can be mapped to fields in ManagementStudio. By default, ManagementStudio will create the most common mappings for you.


Special Keywords

Special keywords are available only in ManagementStudio and generally apply some post-processing to Azure keywords. 


User Special Keywords


Category | Keyword
AccountEnabled
  • [MS_AccountEnabledYN]
    • Resolves to Yes or No
  • [MS_AccountEnabledTF]
    • Resolves to TRUE or FALSE
  • [MS_AccountEnabledED]
    • Resolves to Enabled or Disabled

MemberOf
  • [MS_MemberOfName]
  • [MS_MemberOfId]
  • [MS_MemberOfNameAndId]

Manager
  • [MS_ManagerName]
  • [MS_ManagerUPN]
  • [MS_ManagerNameAndUPN]

DirectReports
  • [MS_DirectReportsName]
  • [MS_DirectReportsUPN]
  • [MS_DirectReportsNameAndUPN]

Misc
  • [MS_IdentityIssuer]

LastActivity
  • [MS_LastActivityHighest]
  • [MS_LastActivityInteractive]
  • [MS_LastActivityNonInteractive]



Device Keywords

Category | Keyword
AccountEnabled
  • [MS_AccountEnabledYN]
    • Resolves to Yes or No
  • [MS_AccountEnabledTF]
    • Resolves to TRUE or FALSE
  • [MS_AccountEnabledED]
    • Resolves to Enabled or Disabled

MemberOf
  • [MS_MemberOfName]
  • [MS_MemberOfId]
  • [MS_MemberOfNameAndId]

Owner
  • [MS_OwnerName]
  • [MS_OwnerId]
  • [MS_OwnerUPN]

Dates
  • [MS_LastActivity]

Types
  • [MS_DeviceType]
  • [MS_MdmType]
  • [MS_JoinType]




Further Support

If you require further support, please visit ManagementStudio's Service Desk to search the knowledge base or create a new support ticket.