Introduction
Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service. It serves as a centralized platform for managing and securing user identities and their access to various resources, applications, and services in the Microsoft Azure cloud ecosystem as well as other connected systems. Azure AD is designed to provide a secure and flexible identity management solution for cloud-centric and hybrid environments. It's widely used by organizations of all sizes to streamline access, enhance security, and improve user experiences across various applications and services.
The ManagementStudio Azure AD connector requires an App to be created on the client’s Azure instance with the appropriate permissions and access rights. Please refer to this article on how to create the Azure App. The connector is used to pull in data from the Azure AD platform.
The Azure AD Connector consists of the following panels:
- Azure AD Discovery Status
- Import User Options
- User Update Options
- Import Device Options
- Device Update Options
- Application Update Options
- Connection Options
- Troubleshooting
An Administrator can toggle each of the panels OFF/ON.
Best Practice Guidelines
See here.
Azure AD Discovery Status
The table below provides information on the elements within this panel.
UI Element | Description |
Run Azure AD Discovery Now | A button to allow an Admin to run the Azure AD discovery now. |
Schedule Azure AD Discovery #1 | Specify the times to run the Azure AD Discovery. Please refer to this article on how to create a scheduled task. |
Schedule Azure AD Discovery #2 | Specify the times to run the Azure AD Discovery. Please refer to this article on how to create a scheduled task. |
Last Discovery Date | Displays the last time the Azure AD connector ran successfully. |
Azure TenantId | Specify your Microsoft 365 Tenant ID. Refer to this article on how to find your Azure AD tenant ID. |
App Client Id | Specify the unique Application ID assigned to your app by Azure AD when the app was registered. Refer to this article on how to find App Client ID. |
Email logs To | List of email addresses to send a copy of the logs to at the end of the sync. Use ; to separate multiple addresses, e.g. t@blog.com;T@managementstudio.co.uk. |
Overall Progress | Displays the overall progress. |
Current Task Progress | Displays the current task progress. |
Import Log | Text box used to display the connector logs. |
Import User Options
The table below provides information on the elements within this panel.
UI Element | Description |
User Last Activity < X Days | Only import Users that have Azure Sign-In Activity in the last X days. Use '0' to import all Users. |
Last Activity Date Type | |
Import User Types | Specify the User import type. Only import Users of the selected type(s). |
Exclude Disabled User Accounts | Exclude Disabled User Accounts from the import. |
User Groups to Examine | Specify the list of Azure AD groups to examine to import Users. |
Identity Issuer(s) | Specify the list of Identities a User needs to be a member of. |
Exclude User Accounts (UPN Filter) | Specify explicitly the list of Users not to import. Use * as a wildcard to filter multiple accounts. |
Only Include User Accounts (UPN Filter) | Specify explicitly the list of Users ONLY to be imported. Use * as a wildcard to filter multiple accounts. |
User Update Options
The table below provides information on the elements within this panel.
UI Element | Description |
Don't Update User if Locked in MS | This option will not update a User record that is locked in ManagementStudio. NB this is not related to a User locked in Azure AD. |
When matching MS users to Azure users match on UPN, Email or Both | When an MS User is missing an Azure ID, the Azure connector will look up the MS User's UPN and email in the Azure UPN field. This allows only the MS User's UPN/Email to be used if required. |
User Field Mappings | List of Azure AD fields to copy into ManagementStudio. Built in Azure AD User fields can be mapped to fields in ManagementStudio. By default ManagementStudio will create the most common mappings. When importing data from Azure AD, MS uses a simple convention:
|
Link Users to Devices via Azure Owner | Enable this option to use the Owner field in Azure to link a User to their Device. |
Device Last Activity < X Days | Specify the number of days to limit the Devices the User can be linked to by recent login activity. |
Filter to MDM Type | Limit the Devices the User can be linked to by how they are managed. |
Import Device Options
The table below provides information on the elements within this panel.
UI Element | Description |
Device Last Activity < X Days | Only import Devices that have Azure Sign-In Activity in the last X days. Use '0' to import all Devices. |
Exclude Disabled Device Accounts | Exclude disabled Device accounts from the import. |
Filter to MDM Type | Select the MDM device type to be imported. Untick all for no filter. |
Filter to Device Type | Select the Device type to be imported. Untick all for no filter. |
Filter to Join Type | Select the Azure Join type to be imported. Untick all for no filter. |
Device Groups to Examine | Specify the list of Azure AD groups to examine to import Devices. |
Exclude Devices (Hostname Filter) | Specify explicitly the list of Devices not to import. Use * as a wildcard to filter multiple devices. |
Only Include Devices (Hostname Filter) | Specify explicitly the list of Devices ONLY to be imported. Use * as a wildcard to filter multiple devices. |
Device Update Options
The table below provides information on the elements within this panel.
UI Element | Description |
Don't update Machine if locked in MS | This option will not update a Device record that is locked in ManagementStudio. NB this is not related to a Device locked in Azure AD. |
Device Field Mappings | List of Azure AD device fields to copy into ManagementStudio. Built in Azure AD Device fields can be mapped to fields in ManagementStudio. By default ManagementStudio will create the most common mappings. When importing data from Azure AD, MS uses a simple convention:
|
Application Update Options
The table below provides information on the elements within this panel.
UI Element | Description |
Link Users to Apps via AD Groups | |
User Name Format | An option to display the format of the list of Users that are Linked from the Azure AD group. |
Link Devices to Apps via AD Groups | |
Device Name Format | An option to display the format of the list of Devices that are Linked from the Azure AD group. |
Recurse Nested App Groups | Search down the Azure AD Tree of Sub-Groups for Users/Devices. This can be very slow and AD intensive. It is recommended to use this option only if necessary. |
Exclude By Process Status | Exclude Apps from the update/linking phase by ticking the Process Status you don't want to include Apps from. |
Connection Options
The table below provides information on the elements within this panel.
UI Element | Description |
Azure Account Username | Enter the Username to use to authenticate with the Azure AD. |
Azure Account Password | Enter the Password to use to authenticate with the Azure AD. |
Azure App Client Secret | Enter the App Client Secret that was created when the app was registered. |
Azure App Client Secret Expiry | Enter the App Client Secret expiry date. |
Use Proxy Server for Internet Access | Enable this option to connect to the internet via a proxy server. |
Proxy Server Address (Leave Blank for auto detect) | Specify proxy address. |
Proxy Account Username | Enter the proxy account username. Leave Username/Password blank to use the ManagementStudio service account. |
Proxy Account Password | Enter the proxy account password. Leave Username/Password blank to use the ManagementStudio service account. |
Troubleshooting
The table below provides information on the elements within this panel.
UI Element | Description |
Notes | Text field used to enter information about the project environment. |
Verbose Logging | This option generates large files and should only be enabled for troubleshooting. |
Log Headers | This option generates large files and should only be enabled for troubleshooting. |
Log Payload | This option generates large files and should only be enabled for troubleshooting. |
Online Help | Link to the Online solutions article. |
Azure Page Size | |
Anonymise Data | Enable this option to only import bare minimum data to be able to create User-App-Device links. The SamAccount/Device name will be scrambled. |
Azure Connection
To connect to an Azure instance, fill in the TenantId of the Azure instance, the Client Id of the Azure app, and either a username and password or an App Client Secret.
- Switch to Administration->Extensions->Connectors (1)
- Click Add New Connector (2)
- Select Azure AD (3)
- Enter the name of the connector
- Click OK
- Enter your Azure TenantId (1) and App ClientId (2) within the Azure AD Discovery panel
- Scroll down to the Connection options panel
- You have the option to connect using an Azure Account Username and Azure Account Password (1) OR
- Using an Azure App Client Secret (2).
- In the screenshot below, we are using the App Client Secret
- Click Save Changes
- Toggle ON the required panels and specify the settings in each panel
- Click Save Changes (1)
- Click Run Azure AD Discovery (2)
- Click Continue
- Within a few minutes, click Reload (3)
- You should now see the Import Log (4) being populated
- To schedule the Azure AD connector to run at set intervals, please refer to this article for more information.
Azure Keywords
Built-in Azure keywords of Users and Devices can be mapped to fields in ManagementStudio. By default, ManagementStudio will create the most common mappings for you.
Special Keywords
Special keywords are available only in ManagementStudio and generally apply some post-processing to Azure keywords.
User Special Keywords
User Special Keyword | |
Category | Keyword |
AccountEnabled | |
MemberOf | |
Manager | |
DirectReports | |
Misc | |
LastActivity | |
Device Keywords
Device Keywords | |
Category | Keyword |
AccountEnabled | |
MemberOf | |
Owner | |
Dates | |
Types | |
Further Support
If you require further support, please visit ManagementStudio's Service Desk to search the knowledge base or create a new support ticket.