Azure Active Directory Integration

Integrating Azure Active Directory (AD) with ADManager Plus offers a seamless solution for organizations to streamline user provisioning, authentication, and security management. Enabled by Azure AD Connect, this integration streamlines synchronization and eradicates manual data input, thereby improving efficiency and precision. However, encountering errors in Azure AD integration may require troubleshooting, involving adherence to best practices and a comprehensive understanding of the integration steps and requirements.

This guide to Azure AD integration provides invaluable insights into prerequisites and configuration, empowering organizations to optimize their Azure AD integration for maximum effectiveness and security.

Prerequisites for Microsoft 365 integration

Ensure the installation of the below-listed modules:

  1. Microsoft .NET Framework 4.8 or later

    Refer to this link to determine the version of the .NET Framework installed on your computer. You can download .NET Framework 4 from here.

  2. Windows PowerShell 5.1

    To determine the version of PowerShell installed, run the command $PSVersionTable from Windows PowerShell. If the version is below 5.1 or if PowerShell is not installed, download it from here.

  3. MSOnline PowerShell for Azure Active Directory (V1) 1.1.166.0

    Run Import-Module MSOnline from Windows PowerShell to determine whether this module is installed. The cmdlet returns an error if the module is not installed and prints nothing if the module is already installed. To install the module, open PowerShell as an administrator and enter the following cmdlet: Install-Module -Name MSOnline -RequiredVersion 1.1.166.0 -Force.

  4. Administrative privileges

    The account must have Global Administrator (preferred) or user management administrator privileges in Microsoft 365.

  5. Other requirements
    • Make sure your firewall settings allow access to these domains.
    • The 64-bit version of the product must be installed.
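The following script is an added example, not part of this article or of ADManager Plus, that runs the prerequisite checks above on the machine where the product is installed and reports each one as pass or fail. It assumes Windows PowerShell 5.1 (it deliberately fails the PowerShell check under PowerShell 7, because the MSOnline module targets Windows PowerShell) and uses the documented .NET Framework "Release" registry value, of which 528040 is the lowest value that indicates 4.8.

```powershell
# Added example (not ADManager Plus code): check the Azure AD integration prerequisites.
# Run in an elevated Windows PowerShell session on the ADManager Plus server.
function Test-AdmpAzurePrerequisites {
    $results = @()

    # .NET Framework 4.8 or later: Release value 528040 or higher in the NDP v4 Full key
    $ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $ndp -Name Release -ErrorAction SilentlyContinue).Release
    $results += [pscustomobject]@{
        Check = '.NET Framework 4.8 or later'
        Found = $(if ($release) { "Release $release" } else { 'not installed' })
        Ok    = [bool]$release -and $release -ge 528040
    }

    # Windows PowerShell 5.1: same table the article asks you to inspect ($PSVersionTable)
    $ps = $PSVersionTable.PSVersion
    $results += [pscustomobject]@{
        Check = 'Windows PowerShell 5.1'
        Found = "$ps ($($PSVersionTable.PSEdition))"
        Ok    = ($PSVersionTable.PSEdition -ne 'Core') -and ($ps -ge [version]'5.1')
    }

    # MSOnline (V1) module at the exact version the article requires
    $required = [version]'1.1.166.0'
    $mso = Get-Module -ListAvailable -Name MSOnline |
           Sort-Object Version -Descending | Select-Object -First 1
    $results += [pscustomobject]@{
        Check = "MSOnline module $required"
        Found = $(if ($mso) { $mso.Version.ToString() } else { 'not installed' })
        Ok    = ($null -ne $mso) -and ($mso.Version -eq $required)
    }

    # 64-bit operating system, required for the 64-bit build of the product
    $is64 = [Environment]::Is64BitOperatingSystem
    $results += [pscustomobject]@{
        Check = '64-bit operating system'
        Found = $(if ($is64) { 'x64' } else { 'x86' })
        Ok    = $is64
    }

    $results
}

Test-AdmpAzurePrerequisites | Format-Table -AutoSize
```

The firewall requirement is not checked here because the list of domains that must be reachable is linked from the article rather than reproduced in it.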

Steps for automatic Microsoft 365 tenant configuration in ADManager Plus

  1. Navigate to the Domain/Tenant Settings > Microsoft 365 tab.
  2. Click +Add New Tenant.
  3. Click Configure using Microsoft 365 Login.
  4. Select the required AD domains to be linked with this account. It is essential to link the on-premises domains with Microsoft 365 domains to apply OU-based restrictions.
  5. Click Proceed in the dialog box that appears. You will be redirected to the Microsoft 365 login page, where you will be required to log in with the Global Administrator's credentials.
  6. The Microsoft 365 login portal will list the permissions requested from your organization. Once you are informed about these permissions, click Accept.
  7. Once the tenant configuration is successful, it will be listed in the Microsoft 365 window.
    Note: If automatic configuration fails due to permission issues, the tenant must be configured manually.

Steps to manually configure a Microsoft 365 tenant

Prerequisite: A service user account with at least View-Only Organization Management, View-Only Audit Logs, and Service Administrator permissions.

Steps to create an Azure AD application

  1. Sign in to the Azure AD portal using the credentials of a Global Administrator account.
  2. Select Azure Active Directory from the left pane.
  3. Select App registrations.
  4. Click New registration.
  5. Provide a Name for the ADManager Plus application to be created.
  6. Select a supported account type based on your organizational needs.
  7. Leave Redirect URI (optional) blank; you will configure it in the next few steps.
  8. Click Register to complete the initial app registration.
  9. You will now see the Overview page of the registered application.
  10. Click Add a Redirect URI.
  11. Click Add a platform under Platform configurations.
  12. In the Configure platforms pop-up, click Web under Web applications.
  13. In the Redirect URI field, enter http://localhost:port_number/webclient/VerifyUser. For example, http://localhost:8080/webclient/VerifyUser or https://192.345.679.345:8080/webclient/VerifyUser.
  14. You can leave the Logout URL and Implicit grant fields empty. Click Configure.
  15. On the Authentication page, under Redirect URIs, click Add URI.
  16. Enter http://localhost:port_number/webclient/GrantAccess as the Redirect URI. For example, http://localhost:8080/webclient/GrantAccess or https://192.345.679.345:8080/webclient/GrantAccess.
  17. Similarly, using the Add URI option, add http://localhost:port_number/AADAppGrantSuccess.do and http://localhost:port_number/AADAuthCode.do as URIs as well.
  18. Click Add URI again to add the Redirect URIs below in the subsequent rows. Please note that for users with ADManager Plus build 7200 or higher, Redirect URIs (b) and (c) are optional.
    • https://identitymanager.manageengine.com/api/public/v1/oauth/redirect
    • https://demo.o365managerplus.com/oauth/redirect
    • https://manageengine.com/microsoft-365-management-reporting/redirect.html

    Note:
    1. The Redirect URI must adhere to the following:
      • It must be fewer than 256 characters in length.
      • It should not contain wildcard characters.
      • It should not contain query strings.
      • It must start with HTTPS or http://localhost.
      • It must be a valid and unique URL.
      • For HTTP, the URI value is http://localhost:8080. If HTTP is used, the machine name or IP address cannot be used in the place of localhost.
      • For HTTPS, the URI value is https://192.345.679.345:8080 or https://testmachine:8080 (where <testmachine> is the hostname of the machine where ADManager Plus is installed).
    2. The Redirect URI format varies according to the connection type (HTTP or HTTPS) that has been configured in ADManager Plus.
    3. To find your machine's IP address, open the Command Prompt, type ipconfig, and press Enter. Your IPv4 address is listed in the output.
  19. Click Save.
  20. Click Manifest from the left pane.
  21. Look for the requiredResourceAccess array in the code.
  22. Copy the contents of this file and paste the content as highlighted in the image below, then click Save. If you want to modify the permissions to be provided, skip this step and follow the steps mentioned in this guide.

    Note: Copy and paste content only from the open square bracket to the closed square bracket. Ensure that all punctuation marks are retained correctly. Once you have pasted the content in the file, it should look like the image below.

    Note:
    • If your tenant is being created in Azure Germany, copy the entire contents of this file and paste it into the section highlighted in the image above.
    • If your tenant is being created in Azure China, copy the entire contents of this file and paste it into the section highlighted in the image above.
  23. Click Save.
  24. Click API permissions from the left pane, and then click the Grant admin consent for <your_company_name> option listed under the Grant consent section. Grant the necessary permissions as required. The API permission and its scope are available in this table.
  25. (Screenshot: Azure Active Directory integration, API permissions page.)

  26. Click Yes in the pop-up that appears.
  27. Click Certificates & secrets from the left pane.
  28. Under the Client secrets section, click New client secret.
  29. This generates an app password for ADManager Plus. In the Description field of the pop-up, provide a name that identifies the app to which the password belongs.
  30. Choose when the password should expire.
  31. Click Add.
  32. Copy the string under Value and save it. This is the Application Secret Key, which you will require later.
  33. Go to Certificates and click Upload certificate. Upload your application certificate as a .cer file.
  34. If the user has an SSL certificate, it can be used here. Otherwise, click here for steps to create a self-signed certificate.
    Note: Certificate-based authentication is used to contact Microsoft 365 securely and fetch data. During manual configuration, you will be asked to enter your application secret and upload the application certificate.

  36. Now go to the Overview section in the left pane.
  37. Copy the Application (client) ID and Object ID values and save them. You will need these values to configure your tenant in the ADManager Plus portal.
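Because the Azure portal rejects a Redirect URI that breaks any of the rules listed in the Note under step 18, it helps to check the whole set before entering it. The script below is an added example, not part of this article or of ADManager Plus; the function names, the HTTPS host admp.example.internal and the two deliberately bad entries in the sample set are constructed for illustration.

```powershell
# Added example (not ADManager Plus code): validate Redirect URIs against the rules in step 18.
function Test-AdmpRedirectUri {
    param([Parameter(Mandatory)][string]$Uri)
    $problems = @()
    if ($Uri.Length -ge 256) { $problems += 'must be fewer than 256 characters' }
    if ($Uri.Contains('*'))  { $problems += 'must not contain wildcard characters' }
    if ($Uri.Contains('?'))  { $problems += 'must not contain a query string' }

    $parsed = $null
    if (-not [System.Uri]::TryCreate($Uri, [System.UriKind]::Absolute, [ref]$parsed)) {
        $problems += 'is not a valid absolute URL'
    } elseif ($parsed.Scheme -notin 'http', 'https') {
        $problems += "scheme '$($parsed.Scheme)' is not allowed (use https or http://localhost)"
    } elseif ($parsed.Scheme -eq 'http' -and $parsed.Host -ne 'localhost') {
        # plain http is accepted only for localhost; a machine name or IP address needs https
        $problems += 'http is only allowed with localhost; use https for a hostname or IP address'
    }

    [pscustomobject]@{ Uri = $Uri; Valid = ($problems.Count -eq 0); Problems = ($problems -join '; ') }
}

function Test-AdmpRedirectUriSet {
    param([Parameter(Mandatory)][string[]]$Uris)
    $report = @($Uris | ForEach-Object { Test-AdmpRedirectUri -Uri $_ })
    # uniqueness is a property of the set, so it is checked here rather than per entry
    $Uris | Group-Object | Where-Object Count -gt 1 | ForEach-Object {
        $dup = $_.Name
        $report | Where-Object Uri -eq $dup | ForEach-Object {
            $_.Valid    = $false
            $_.Problems = @($_.Problems, 'must be unique' | Where-Object { $_ }) -join '; '
        }
    }
    $report
}

# constructed sample set: the product URIs for an HTTP install on port 8080, one HTTPS host,
# one entry that breaks the http/localhost rule, and one duplicate
$sample = @(
    'http://localhost:8080/webclient/VerifyUser',
    'http://localhost:8080/webclient/GrantAccess',
    'http://localhost:8080/AADAppGrantSuccess.do',
    'http://localhost:8080/AADAuthCode.do',
    'https://admp.example.internal:8443/webclient/VerifyUser',
    'http://192.168.1.10:8080/webclient/VerifyUser',
    'http://localhost:8080/AADAuthCode.do'
)
Test-AdmpRedirectUriSet -Uris $sample | Format-Table -AutoSize
```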

Steps to manually configure a Microsoft 365 tenant in ADManager Plus

  1. Open the ADManager Plus portal.
  2. Navigate to Domain/Tenant Settings > Microsoft 365.
  3. Click + Add New Tenant.
  4. Select Click here to configure a tenant with an already registered Azure AD application.
  5. The below pop-up will appear.

  6. Enter your Tenant Name. For example, test.onmicrosoft.com.
  7. Paste the Application (client) ID and Application Object ID, which were saved earlier in step 35, in the respective fields.
  8. Enter the Application Secret Key that was saved during step 31.
  9. Upload a .pfx file of the certificate that has been uploaded in the Azure portal. Refer to step 33.
  10. Enter your Certificate Password.
  11. If you have an SSL certificate, you can upload it in the appropriate field.
  12. Click Add Tenant. The tenant will be added in ADManager Plus. If you wish to modify the details in it, click Edit once the configuration is listed and proceed to make the changes.
  13. Click Update once the necessary modifications are done. REST API access should now be enabled for the configured account.

Steps to update a service account in ADManager Plus

  1. Now the service account must be configured. To do this, navigate to Domain/Tenant Settings > Microsoft 365 and click the edit option under the Actions column.
  2. Click the edit icon found near Service Account Details.

  3. Enter the credentials of the service account you need to configure in the respective fields.
  4. Click Update, and close the pop-up window.

Steps to create a self-signed certificate

  1. Run the following command in PowerShell:

    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force -Scope process

  2. Now, run the Create-selfsignedcertificate.ps1 script.
  3. While running the script, you will be asked for a common name for the certificate, start and end dates (yyyy-MM-dd) for the certificate's validity, and a password to protect its private key.
  4. Once you enter the values, the script will create a .pfx file (contains both public and private keys) in the bin folder.
  5. The .pfx file needs to be uploaded to ADManager Plus, while the .cer file should be uploaded to the Azure portal of your application.
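For readers who prefer to see what such a script does, the following is an added example that is not the Create-selfsignedcertificate.ps1 script shipped with the product: it produces the same two artifacts (a password-protected .pfx for ADManager Plus and a .cer for the Azure portal) with the built-in PKI module. It assumes Windows PowerShell 5.1 on Windows 10 or Windows Server 2016 or later, and the output folder is a placeholder for the product's bin folder.

```powershell
# Added example (not the product's script): create a self-signed certificate for the Azure AD app,
# export the .pfx (public + private key) and the .cer (public key only), then remove the store copy.
function New-AdmpAppCertificate {
    param(
        [Parameter(Mandatory)][string]$CommonName,          # common name asked for by the script
        [Parameter(Mandatory)][datetime]$NotBefore,          # validity start (yyyy-MM-dd)
        [Parameter(Mandatory)][datetime]$NotAfter,           # validity end (yyyy-MM-dd)
        [Parameter(Mandatory)][securestring]$PfxPassword,    # password protecting the .pfx private key
        [string]$OutputFolder = (Join-Path $PWD 'certs')     # assumption: stands in for the bin folder
    )
    if ($NotAfter -le $NotBefore) { throw 'NotAfter must be later than NotBefore.' }
    New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null

    # 2048-bit RSA signing key, SHA-256, marked exportable so the .pfx can be written
    $cert = New-SelfSignedCertificate -Subject "CN=$CommonName" `
        -CertStoreLocation 'Cert:\CurrentUser\My' `
        -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
        -KeySpec Signature -KeyExportPolicy Exportable `
        -NotBefore $NotBefore -NotAfter $NotAfter

    $pfxPath = Join-Path $OutputFolder "$CommonName.pfx"
    $cerPath = Join-Path $OutputFolder "$CommonName.cer"
    # .pfx for ADManager Plus: contains the private key, so it is password-protected
    Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $PfxPassword | Out-Null
    # .cer for the Azure portal: public key only
    Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

    # delete the store copy and its key so the .pfx is the only copy of the private key
    Remove-Item -Path (Join-Path 'Cert:\CurrentUser\My' $cert.Thumbprint) -DeleteKey

    [pscustomobject]@{ Thumbprint = $cert.Thumbprint; Pfx = $pfxPath; Cer = $cerPath; Expires = $cert.NotAfter }
}

# usage: prompt for the password instead of placing it on the command line or in a script
$pfxPwd = Read-Host -AsSecureString -Prompt 'Password to protect the .pfx private key'
New-AdmpAppCertificate -CommonName 'ADManagerPlus-AzureApp' `
    -NotBefore (Get-Date) -NotAfter (Get-Date).AddYears(2) -PfxPassword $pfxPwd
```

Record the expiry date returned by the function; the certificate will have to be renewed both in the Azure portal and in the ADManager Plus tenant settings before that date.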

Integrating Azure AD with ADManager Plus streamlines administrative tasks by providing a unified platform to manage both AD and Azure AD environments. It offers robust management, reporting, and automation features, simplifying compliance monitoring and ensuring adherence to regulatory standards. Automated user provisioning ensures that user accounts are created, modified, or disabled according to predefined policies.

 
