Azure AD integration

TechIDManager integrates with Azure AD to give MSPs the same ability they have with on-prem domain controllers: a unique account for every tech in every tenant they help manage. Each tech gets an account created automatically in Azure AD, and that account's password is rotated every 24 hours. Roles can be assigned to the created accounts using the same grouping that works for on-prem domain controllers. If you have any questions about how this works or would like more information, use the "Request Demo" button to schedule a demo or Q&A session about TechIDManager. We love white glove installs, and you can book installation assistance.

To install TechIDManager.AzureAD you need an active TechIDManager subscription and an Azure subscription that can run an Azure Function on a Consumption plan. These instructions assume you already have TechIDManager set up and working; if you need help with that, contact support@ruffiansoftware.com. To update an existing TechIDManager.AzureAD installation, run the same install script again: it recognizes the existing installation and updates it.

  1. Install the Azure CLI from ( https://docs.microsoft.com/en-us/cli/azure/install-azure-cli)
    1. NOTE: You only have to do this step once per machine; after that you can install TechIDManager.AzureAD into as many tenants as you like.
  2. Download the latest install script from https://ruffiansoftware.com/category/azureadreleases
    1. You will need to "Save As" if your browser opens it as a text file. Read the script before running it: it runs with the Global Administrator account you sign in with and creates resources in the tenant's subscription.
  3. Start a PowerShell session
    1. Run the script downloaded in step 2.
    2. Answer the questions in the script.
    3. The script will prompt you to log in to an Azure tenant.
      1. Log in to the correct tenant with a Global Administrator account.
    4. When the script ends it will download a web page; check the script output for errors.
  4. Some common errors:
    1. If you get a "Decryption Error [WinError -2146893813]" or similar at the very start of the script:
      1. Exit the PowerShell window.
      2. Close all browser windows that are signed in to Azure.
      3. On your computer delete the folder c:\Users\<YourUserName>\.azure (this holds only the Azure CLI's cached sign-in tokens and configuration; you will be asked to sign in again).
      4. Try the script again.
    2. If you get an error saying you don't have permission to create a resource group in the subscription:
      1. Make sure you are signed in with an account that is a Global Administrator.
      2. Make sure you are an "Owner" of that subscription by looking in https://portal.azure.com under "Subscriptions" and then the subscription's "Roles" (role assignments). If you are not, use the "+ Add" button on the roles screen to add yourself as an Owner.
    3. If you get an error that there are no subscriptions
      1. Add a pay-as-you-go subscription to the tenant.
      2. Go to https://portal.azure.com
      3. Login to the tenant in question
      4. Click on “More Services”
      5. Click on “Subscriptions”
      6. Click on "Add" and finish the subscription setup.
      7. Try the script again.
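The install script itself does the work, but the three common errors above are all things you can check for before you run it. The following PowerShell is an added example (not the TechIDManager install script and not Ruffian Software's code) that performs those pre-flight checks with the Azure CLI from step 1: it signs in to the intended tenant rather than whatever tenant the CLI cached last, reports whether the signed-in account holds Global Administrator, confirms the tenant has at least one subscription, and shows whether the account is an Owner of each. The tenant ID is a placeholder you replace; the optional cache reset at the top is the same `.azure` folder deletion described in error case 1.

```powershell
# Added example, not part of TechIDManager: pre-flight checks before running the
# downloaded install script. Replace $TenantId with the tenant you are installing into.
$ErrorActionPreference = 'Stop'
$TenantId = '00000000-0000-0000-0000-000000000000'   # assumption: target tenant ID

# Azure CLI must be installed (step 1 of the procedure).
if (-not (Get-Command az -ErrorAction SilentlyContinue)) {
    throw 'Azure CLI (az) was not found on PATH; install it first.'
}

# Error case 1 on the page: a corrupt CLI token cache. Uncomment to clear it and
# force a fresh sign-in (the folder holds cached tokens and CLI config only).
# Remove-Item "$env:USERPROFILE\.azure" -Recurse -Force -ErrorAction SilentlyContinue

# Sign in to the specific tenant. --allow-no-subscriptions lets sign-in succeed
# even when the tenant has no subscription, so the check below can report it.
az login --tenant $TenantId --allow-no-subscriptions | Out-Null
$me = az ad signed-in-user show --query userPrincipalName -o tsv
Write-Host "Signed in as $me"

# Global Administrator check: directory roles the account holds directly or as an
# activated role. Eligible (not yet activated) PIM roles do not appear here.
$roles = @(az rest --method GET `
    --url 'https://graph.microsoft.com/v1.0/me/memberOf/microsoft.graph.directoryRole' `
    --query 'value[].displayName' -o json | ConvertFrom-Json)
if ($roles -notcontains 'Global Administrator') {
    Write-Warning "$me does not currently hold Global Administrator in tenant $TenantId."
}

# Error case 3 on the page: no subscription in the tenant.
$subs = @(az account list --query "[?tenantId=='$TenantId']" -o json | ConvertFrom-Json)
if ($subs.Count -eq 0) {
    throw "No Azure subscription found in tenant $TenantId; add a pay-as-you-go subscription first."
}

# Error case 2 on the page: not an Owner of the subscription. Inherited assignments
# (management group or root scope) are included so an Owner granted higher up counts.
foreach ($sub in $subs) {
    $owner = @(az role assignment list --assignee $me `
        --scope "/subscriptions/$($sub.id)" --include-inherited `
        --query "[?roleDefinitionName=='Owner']" -o json | ConvertFrom-Json)
    $status = if ($owner.Count -gt 0) { 'Owner' } else { 'NOT Owner - add yourself under the subscription roles' }
    Write-Host ("{0} ({1}): {2}" -f $sub.name, $sub.id, $status)
}

# If everything above is green, run the script you downloaded in step 2 from this
# same PowerShell session; it will prompt you to sign in to the tenant again.
```

The Graph call relies on `az rest` acquiring a Microsoft Graph token for the signed-in account, which the Azure CLI does automatically for `graph.microsoft.com` URLs; if your tenant uses Privileged Identity Management, activate the Global Administrator role before running the checks, since an eligible-but-inactive role will show as a warning here and as a permission error in the install script.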

Within an hour, an account should be created for each tech and their credentials should show up in their TechClient. To see, manage, or access resources in a tenant, techs will need to self-elevate their freshly created account (via these instructions https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin; MAKE SURE TO SIGN OUT AND SIGN BACK IN afterwards), OR have roles granted by someone with existing access. Self-elevation requires the account to hold the Global Administrator role and grants it User Access Administrator at the root scope of every subscription in the tenant, so it is a high-privilege action: assign the Azure roles you actually need and then remove the elevated access, as Microsoft's instructions recommend. Our recommendation at this time is that you self-elevate. Granting rights on all resources automatically is something we are working on.

There are several options that can be set in the "Configuration" of the Azure Function to affect how TechIDManager.AzureAD runs. Most of these parallel the command-line options for the DomainService. In the Function App's Configuration blade, add each one as an "Application setting" (shown on the screen at the right).

  1. TechIDManager.ClientGUID – The same ClientGUID used throughout TechIDManager; it is set by the install script above.
  2. TechIDManager.DomainGuid – The GUID unique to this Domain; it is set by the install script above.
  3. TechIDManager.RmmName – The RMM Name for this Domain that shows in the TechClient.
  4. TechIDManager.FriendlyName – The Friendly Name for this Domain that shows in the TechClient.
  5. TechIDManager.UserName – The same formatting for UserName as described for DomainService ( https://ruffiansoftware.com/username-feature-in-domainservice-piece-of-techidmanger ).
  6. TechIDManager.DisplayName – The same formatting for DisplayName as described for DomainService ( https://ruffiansoftware.com/username-feature-in-domainservice-piece-of-techidmanger ).
  7. TechIDManager.HourToRun – The hour (0-23) at which TechIDManager.AzureAD should run and change passwords. Azure Consumption plans run on the UTC clock, so convert the local time you want to UTC: a value of 5 runs near midnight for US Eastern Standard Time (UTC-5); a different time zone, or daylight saving time, needs a different value.
  8. TechIDManager.DomainName – The domain name to use when creating accounts or looking for synced accounts. This defaults to the "onmicrosoft.com" domain found in the tenant. If more than one "onmicrosoft.com" domain exists, you should specify one.
  9. TechIDManager.Hybrid – MUST BE SET IN A HYBRID SETUP.
    1. Set to "No" to ignore synced accounts and create and manage tech accounts directly in Azure AD.
    2. Set to "Yes" to only set roles on existing users that match the TechIDManager-created users from a hybrid domain, i.e. a domain running the TechIDManager DomainService on a DC that is synced to Azure AD with Azure AD Connect. In this mode no accounts are created in Azure AD; they arrive through the sync.
  10. TechIDManager.HybridDomainGuid – MUST BE SET IN A HYBRID SETUP if TechIDManager.Hybrid is set to "Yes".
    1. Set this to the DomainGuid of the domain that is being synced to this Azure tenant. This DomainGuid can be found in the ManagementConsole by clicking the gear icon on the Domains page, or by running "DomainService.exe show" on the source DC.

These options can be set at any time and take effect the next time TechIDManager.AzureAD runs.
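The settings above are plain Function App application settings, so they can be set from the Azure CLI as well as from the portal blade, which is useful when you manage many tenants. The following PowerShell is an added example (not TechIDManager's own code): it derives a correct TechIDManager.HourToRun value from a local time zone, since the timer runs on UTC, writes a set of TechIDManager.* settings to the Function App, and lists them back for verification. The resource group and Function App names, the tenant domain, and the placeholder GUID are assumptions; use the names the install script created in your tenant.

```powershell
# Added example, not part of TechIDManager: configure TechIDManager.AzureAD
# application settings from the Azure CLI and verify them.
$ErrorActionPreference = 'Stop'
$ResourceGroup = 'rg-techidmanager'        # assumption: resource group created by the install script
$FunctionApp   = 'techidmanager-azuread'   # assumption: Function App name created by the install script

# HourToRun is read against the UTC clock. Return the UTC hour that corresponds to
# local midnight in the given Windows time zone on the given date. Daylight saving
# time is applied per date, so the answer for 'Eastern Standard Time' is 5 in
# winter (UTC-5) and 4 in summer (UTC-4); recompute when the clocks change if you
# want the rotation to stay near local midnight.
function Get-UtcHourForLocalMidnight {
    param(
        [Parameter(Mandatory)][string]$TimeZoneId,
        [datetime]$Date = (Get-Date).Date
    )
    $tz = [System.TimeZoneInfo]::FindSystemTimeZoneById($TimeZoneId)
    $localMidnight = [datetime]::SpecifyKind($Date.Date, [System.DateTimeKind]::Unspecified)
    return ([System.TimeZoneInfo]::ConvertTimeToUtc($localMidnight, $tz)).Hour
}

$hour = Get-UtcHourForLocalMidnight -TimeZoneId 'Eastern Standard Time'
Write-Host "TechIDManager.HourToRun will be set to $hour (UTC) for local midnight Eastern."

# Non-hybrid tenant: accounts are created and rotated directly in Azure AD.
$settings = @(
    "TechIDManager.HourToRun=$hour",
    "TechIDManager.DomainName=contoso.onmicrosoft.com",   # assumption: the tenant's onmicrosoft.com domain
    "TechIDManager.Hybrid=No"
)

# Hybrid tenant instead: roles only, on users synced from the on-prem domain that
# runs DomainService. HybridDomainGuid comes from "DomainService.exe show" on that DC.
$hybrid = $false   # set to $true for a hybrid tenant
if ($hybrid) {
    $settings = @(
        "TechIDManager.HourToRun=$hour",
        "TechIDManager.Hybrid=Yes",
        "TechIDManager.HybridDomainGuid=00000000-0000-0000-0000-000000000000"   # assumption: placeholder GUID
    )
}

# Each array element becomes one KEY=VALUE argument to --settings.
az functionapp config appsettings set --name $FunctionApp --resource-group $ResourceGroup `
    --settings $settings | Out-Null

# Show what the function will read on its next scheduled run.
az functionapp config appsettings list --name $FunctionApp --resource-group $ResourceGroup `
    --query "[?starts_with(name, 'TechIDManager.')].{name:name, value:value}" -o table
```

Changing application settings restarts the Function App, which is harmless here because the change only needs to be in place before the next scheduled run. Leave TechIDManager.ClientGUID and TechIDManager.DomainGuid as the install script set them; the example deliberately does not touch them.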