Recent Searches

No recent searches

    Popular Articles

      Articles
      View all
        Topics
        View all
          Tickets
          View all
            no results

            Sorry! nothing found for

            Azure AD Connector

            Modified on Mon, 12 Jan at 4:49 PM

            TABLE OF CONTENTS



            Azure AD Connector Overview

            The ManagementStudio Azure AD Connector enables the integration of Azure Active Directory (Azure AD) with ManagementStudio for centralised identity and access management. To use the connector, an Azure App must be registered in your Azure instance with the correct permissions. For instructions, see: How to create the Azure App.


            The Azure AD Connector contains configurable panels:

            • Azure AD Discovery Status
            • Import User Options
            • User Update Options
            • Import Device Options
            • Device Update Options
            • Import Enterprise Apps
            • Enterprise Apps Update Options
            • Import SharePoint Sites (As Apps)
            • SharePoint Sites Update Options
            • Link Apps via Group Membership
            • Connection Options
            • Troubleshooting


            Administrators can enable or disable each panel as required.

            Best Practice Guidelines

            Refer to Best Practice Guidelines for managing Azure AD integrations.

            Azure AD Discovery Status


            UI ElementDescription
            Run Azure AD Discovery NowRun an immediate Azure AD discovery.
            Schedule Azure AD Discovery #1
            Schedule Azure AD Discovery #2            		Schedule regular Azure AD discovery tasks. How to create a scheduled task.
            Last Discovery DateShows the date/time the last successful connector run occurred.
            Azure TenantIdEnter the Microsoft 365 Tenant ID. Find your Tenant ID.
            App Client IdEnter the Application ID from Azure AD App registration. Find your App Client ID.
            Email logs ToEmail addresses to receive log reports after sync. Separate multiple with ; (e.g. t@blog.com;T@managementstudio.co.uk).
            Overall ProgressDisplays sync progress overall.
            Current Task ProgressDetails progress of the current sync task.
            Import LogDisplays connector logs.




            Import User Options


            UI ElementDescription
            User Last Activity < X DaysOnly import users with Azure Sign-In Activity in the last X days. Use 0 to import all users.
            Last Activity Date TypeSelect sign-in activity type:
            - Interactive Sign-Ins: Direct user login
            - Non-Interactive Sign-Ins: Performed by apps or OS components
            Import User TypesSelect user types to import.
            Exclude Disabled User AccountsExclude disabled accounts from import.
            User Groups to ExamineList Azure AD groups for user import:
            - Type: Security, Distribution, 365
            - Group Name: AD group
            - Options: Nested Members, Direct Members, Exclude Members, Ignore
            Identity Issuer(s)Specify Identity Providers required for import.
            Exclude User Accounts (UPN Filter)Explicitly exclude users by UPN. One per line. Supports Regex:
            John (contains), ^John (starts with), John$ (ends with), ^John$ (exact)
            Only Include User Accounts (UPN Filter)Explicitly include only specified users. Supports same Regex as above.




            User Update Options


            UI ElementDescription
            Don't Update User if Locked in MSDo not update locked ManagementStudio user records. (Not related to Azure AD user lock status.)
            When matching MS users to Azure users match on UPN, Email or BothWhen Azure ID is missing, match using UPN and/or email.
            User Field MappingsMap Azure AD user fields to ManagementStudio fields (Detail, Custom, Blueprint). Common mappings are preconfigured; additional mappings may be set. Convention:
            - Target: ManagementStudio field
            - MS Field: Path or field name in ManagementStudio
            - Azure AD Field: Azure AD user attribute
            Link Users to Devices via Azure OwnerLink user to their device based on Azure Owner field.
            Device Last Activity < X DaysLimit devices linked to user by recent login activity (last X days).
            Filter to MDM TypeLimit devices linked by Mobile Device Management type.





            Import Device Options


            UI ElementDescription
            Device Last Activity < X DaysOnly import devices with Azure Sign-In Activity in the last X days. Use 0 for all.
            Exclude Disabled Device AccountsExclude disabled devices from import.
            Filter to MDM TypeFilter by MDM device type(s). Deselect all to remove filter.
            Filter to Device TypeFilter by device type(s). Deselect all to remove filter.
            Filter to Join TypeFilter by Azure Join type(s). Deselect all to remove filter.
            Device Groups to ExamineList Azure AD groups for device import:
            - Type: Security, Distribution, 365
            - Group Name: AD group
            - Options: Nested Members, Direct Members, Exclude Members, Ignore
            Exclude Devices (Hostname Filter)Exclude devices by hostname. Use * as wildcard. One per line.
            Only Include Devices (Hostname Filter)Only include specified devices by hostname. Use * as wildcard. One per line.




            Device Update Options

            UI ElementDescription
            Don't update Machine if locked in MSDo not update locked ManagementStudio device records. (Not related to Azure AD device lock status.)
            Device Field MappingsMap Azure AD device fields to ManagementStudio fields (Detail, Custom, Blueprint). Convention:
            - Target: ManagementStudio field
            - MS Field: Path or field name
            - Azure AD Field: Azure AD device attribute




            Import Enterprise Apps


            UI ElementDescription
            Import App TypesImport only applications of selected type(s):
            - Enterprise Apps
            - Microsoft Apps
            - Managed Identities
            Auto Accept New Ent. AppsDirectly add new apps to the Accepted queue (default is Pending).
            Exclude Disabled AppsExclude disabled applications from import.
            Postfix to Vendor NameAs there is no vendor field for Enterprise Apps, appends a chosen value after app type.
            Set Version ToApps lack a version field; this value will be used (defaults to N/A if blank).
            Exclude Applications by NameExclude apps via Regex rules (one per line).
            Only Include Applications by NameOnly import apps matching Regex rules (one per line).
            Add to BlueprintAdd all new apps to specified Blueprint.





            Enterprise Apps Update Options


            UI ElementDescription
            Import list of assigned Users & GroupsImport users and groups assigned to applications.
            Enable Sign-In CountingTrack active application use via sign-ins. Requires elevated Azure privileges; slow process.
            Look Back X DaysNumber of days to examine sign-in logs (recommended: 7 days).
            Max PagesMaximum sign-in log pages to fetch (recommended: 1 day).
            Convert Sign-ins to User-App LinksCreate links based on sign-in activity.
            Sign-In Count Processing TimeoutLimit time spent per run processing sign-in counts. Connector resumes on next run.
            Mapping RestrictionsAllow mapping even if: Deployment Unit is locked,
            or User/App/Device is locked/archived.




            Import SharePoint Sites (As Apps)


            UI ElementDescription
            Auto Accept New SitesAutomatically add new sites to the Accepted queue (default is Pending).

            Note: SharePoint API requires certificate authentication for site metadata retrieval.

            Note: MS Project Online metadata is only imported via Remote Agent Toolkit.
            Postfix to Vendor NameAppends value to 'SharePoint Site' as there is no vendor field.
            Set Version toSets version value for sites (defaults to N/A if blank).
            Exclude Sites by NameExclude sites via Regex rules (one per line).
            Only Include Sites by NameOnly import sites matching Regex rules (one per line).
            Add to BlueprintAdd all new SharePoint sites to specified Blueprint.




            SharePoint Sites Update Options


            UI ElementDescription
            Link sites to Users via 365 Group MembersLink sites to users based on 365 group membership.
            Link Sites to Users via Site MembersLink sites to users based on site member list.
            Link sites to Users via Site GroupsLink sites to users by site groups.
            Recurse Nested Groups (Slow)Recurse nested groups for member discovery. Note: Very slow and AD intensive.
            Add Site Owner as App Owner ContactSet site owner as application owner.
            Owner Contact TypeSpecify the owner contact type for the application.
            Group Processing TimeoutSelect processing timeout: 1, 2, 3, or 4 hours.
            Mapping RestrictionsAllow mapping even if:
            - Deployment Unit is locked
            - User/App/Device is locked or archived





            UI ElementDescription
            Link Users to Apps via AD Groups- Link: Create User-App link if user is present in ManagementStudio
            - Remove: Remove App if user leaves Azure AD group
            User Name FormatSpecifies the display format for user lists linked from AD group.
            Link Devices to Apps via AD Groups- Link: Create Device-App link if device is present in ManagementStudio
            - Remove: Remove App if device leaves Azure AD group
            Device Name FormatSpecifies display format for device lists linked from AD group.
            Recurse Nested App GroupsRecursively search Azure AD sub-groups for users/devices. Slow and AD intensive. Use only if necessary.
            Exclude By Process StatusExclude apps from update/linking phase based on selected process statuses.





            Connection Options


            UI ElementDescription
            Azure App Client SecretEnter the App Client Secret created during Azure App registration.
            Azure Certificate ThumbprintSpecify certificate thumbprint (for application certificate-based authentication).
            (Optional) Expiry Date ReminderOptionally enter the App Client Secret expiry date.
            Create Self-Signed CertAttempt to create a self-signed certificate for use with Azure. IIS service account profile must be loaded.
            Azure Account UsernameUsername for Azure AD authentication.
            Azure Account PasswordPassword for Azure AD authentication.
            Use Proxy Server for Internet AccessEnable to connect via a proxy server.
            Proxy Server AddressSpecify the proxy server address (leave blank for auto-detect).
            Proxy Account UsernameProxy authentication username. (Leave blank to use ManagementStudio service account.)
            Proxy Account PasswordProxy authentication password. (Leave blank to use ManagementStudio service account.)




            Troubleshooting


            UI ElementDescription
            NotesEnter project environment notes.
            Verbose LoggingEnable for detailed logs (large file sizes, use only for troubleshooting).
            Log HeadersEnable header logging for troubleshooting (large logs).
            Log PayloadEnable payload logging for troubleshooting (large logs).
            Online HelpLink to online Solutions article.
            Azure Page SizeConfigure the Azure API page size if required.
            Anonymise DataOnly import necessary data to create User-App-Device links. Scrambles SamAccount/device names.




            Adding a New Azure Connection

            • Navigate to AdministrationExtensionsConnectors (1).
            • Click Add New Connector(2).
            • Select Azure AD(3).
            • Enter a name for the connector and click OK.



            • Enter your Azure TenantId (1) and App ClientId (2) in the Azure AD Discovery panel.




            • Scroll to the Connection Options panel and choose your authentication method:
              • Use Azure Account Username and Azure Account Password (1) or
              • Use the Azure App Client Secret (2).
            • Click Save Changes.


            • Enable the required panels and configure each as needed.
            • Click Save Changes.
            • Click Run Azure AD Discovery.
            • Click Continue.
            • After a few minutes, click Reload.
            • Check the Import Log for status of the import.
            • To schedule the Azure AD Connector at set intervals, see: Scheduling Connectors.

            Azure Keywords

            ManagementStudio provides built-in mappings for common Azure AD user and device fields. These can be mapped directly during connector setup.

            Special Keywords

            ManagementStudio supports special keywords for Azure data post-processing. These may be used in field mappings.

            User Special Keywords


            CategoryKeyword(s)Description
            AccountEnabled[MS_AccountEnabledYN]Resolves to Yes or No
            [MS_AccountEnabledTF]Resolves to TRUE or FALSE
            [MS_AccountEnabledED]Resolves to Enabled or Disabled
            MemberOf[MS_MemberOfName]Group names
            [MS_MemberOfId]Group IDs
            [MS_MemberOfNameAndId]Group name and ID
            Manager[MS_ManagerName]Manager name
            [MS_ManagerUPN]Manager UPN
            [MS_ManagerNameAndUPN]Manager name and UPN
            DirectReports[MS_DirectReportsName]Direct reports’ names
            [MS_DirectReportsUPN]Direct reports’ UPNs
            [MS_DirectReportsNameAndUPN]Direct reports’ name and UPN
            Misc[MS_IdentityIssuer]Identity issuer
            LastActivity[MS_LastActivityHighest]Highest activity date
            [MS_LastActivityInteractive]Last interactive activity
            [MS_LastActivityNonInteractive]Last non-interactive activity



            Device Keywords


            CategoryKeyword(s)Description
            AccountEnabled[MS_AccountEnabledYN]Resolves to Yes or No
            [MS_AccountEnabledTF]Resolves to TRUE or FALSE
            [MS_AccountEnabledED]Resolves to Enabled or Disabled
            MemberOf[MS_MemberOfName]Group names
            [MS_MemberOfId]Group IDs
            [MS_MemberOfNameAndId]Group name and ID
            Owner[MS_OwnerName]Owner name
            [MS_OwnerId]Owner ID
            [MS_OwnerUPN]Owner UPN
            Dates[MS_LastActivity]Last activity date
            Types[MS_DeviceType]Device type
            [MS_MdmType]MDM Type
            [MS_JoinType]Join Type

            Further Support

            If additional assistance is required, visit the ManagementStudio Service Desk to search the knowledge base or submit a support ticket.

            Was this article helpful?

            That’s Great!

            Thank you for your feedback

            Sorry! We couldn't be helpful

            Thank you for your feedback

            Let us know how can we improve this article!

            Select at least one of the reasons
            CAPTCHA verification is required.

            Feedback sent

            We appreciate your effort and will try to fix the article

            Preview
            0 of 0