EntraID (Azure AD) Install Instructions

The TechIDManager agent installs in EntraID (Azure AD) to give MSPs the same ability to create a unique account for every tech on every tenant they help manage. Each tech gets an account created automatically in Azure AD, and that account has its password rotated every 24 hours. Roles can be assigned to the created accounts based on the same grouping and triplets that work for other agents. If you have any questions about how this works or would like more information, use the “Request Demo” button to schedule some time for a demo or Q&A session about TechIDManager. We love white glove installs and you can book installation assistance.

To install TechIDManager.EntraID you need to have an active TechIDManager subscription AND an Azure subscription that is capable of running an Azure Function on a consumption plan. This is needed for a specific security reason. We, at Ruffian Software, do not have access to your clients’ tenants, and we don’t want it. We don’t ask for, or keep, OAuth tokens, Bearer tokens, or any other access to your clients’ tenants, because those types of tokens have been stolen in too many recent hacks and they grant too much access. In order for TechIDManager to have the permission needed to create users and set passwords, something must run with permission in the context of the tenant. The way we do this is with a function that runs in each client’s tenant and executes on Microsoft-provided hardware in the context of that tenant. This requires a consumption plan that costs about $0.25 (yes, 25 cents) each month to run in each tenant. The easiest plan to set up if your customer doesn’t already have one is a “Pay-As-You-Go” plan.

These instructions assume you have TechIDManager set up and working.

To update a TechIDManager.EntraID installation, run the same script as for installing; it will recognize that an update is needed.

Step 1: Install the Azure CLI on your computer from https://docs.microsoft.com/en-us/cli/azure/install-azure-cli

You only have to do this step once on your machine. If you are behind a proxy, make sure the Azure CLI is set up to work behind the proxy.

Expected result: Azure CLI installed on your computer.

Step 2: Download the latest install script from https://ruffiansoftware.com/releases under TechIDManager.AzureAD.

You will need to “Save As” if your browser opens it as a text file.

Expected result: Install PowerShell script saved on your computer.

Step 3: Start a PowerShell session. The session does NOT need to be an admin session.

Expected result: PowerShell session running.

Step 4: In the PowerShell session, change directory to the directory where the PowerShell file was downloaded.

Step 5: Run the script downloaded in step 2.

 .\Deploy_TechIDManager_Azure_version.ps1

Expected result: Script running and asking you questions…

Step 6: Answer the questions in the script.

See the configuration value descriptions below for more information.

The script will prompt you to log in to an Azure tenant. Log in to the correct tenant with a “Global Administrator” account.

When asked about region, find a region from this website (https://azuretracks.com/2021/04/current-azure-region-names-reference/). We have no affiliation with that site; it is just a good place to find Azure region names, because they are hard to find.

When the script ends it will download a webpage; check the output for errors.

The script can take between 5 and 60 minutes to run once you answer the questions.

If you have any questions: support@techidmanager.com

Expected result: TechIDManager.Azure agent installed and showing in the Management Console.

Step 7: Within about an hour, an account should get created for each tech and their credentials should show up in their TechClient. To see/manage/access resources in a tenant, techs will need to self-elevate their freshly created account (via these instructions https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin MAKE SURE TO SIGN OUT AND SIGN BACK IN), OR have roles granted by someone with existing access. It is our recommendation at this time that you self-elevate. Granting rights on all resources automatically is something we are working on.

Expected result: Unique accounts for each tech created in this Azure AD tenant.

There are several options that can be set in the “Configuration” of the Azure Function to affect how TechIDManager.AzureAD runs. Most of these parallel the command line options for the DomainService agent. In the Function Configuration screen, set each option as an “Application Setting”.

  1. TechIDManager.ClientGUID – The same ClientGUID used everywhere; it is set by the install script above.
  2. TechIDManager.DomainGuid – The GUID unique to this domain; it is set by the install script above.
  3. TechIDManager.RmmName – The RMM name for this domain that shows in the TechClient.
  4. TechIDManager.FriendlyName – The friendly name for this domain that shows in the TechClient.
  5. TechIDManager.UserName – The same formatting for Username as described for DomainService ( https://ruffiansoftware.com/username-feature-in-domainservice-piece-of-techidmanger ).
  6. TechIDManager.DisplayName – The same formatting for Display name as described for DomainService ( https://ruffiansoftware.com/username-feature-in-domainservice-piece-of-techidmanger ).
  7. TechIDManager.HourToRun – The hour (0-23) at which TechIDManager.AzureAD should run and change passwords. Since Azure consumption plans run on the UTC clock, this should be 5 to run near midnight on the east coast of the USA.
  8. TechIDManager.JustInTime – Enable Just-In-Time accounts on this agent.
    1. “Yes” for Just-In-Time accounts
    2. “No” for Managed accounts (default)
  9. TechIDManager.UsageLocation – Set the UsageLocation of the techs.
  10. TechIDManager.DomainName – The domain name to use when creating accounts, or when looking for synced accounts in a hybrid setup. This defaults to the “onmicrosoft.com” domain found in the tenant. If more than one “onmicrosoft.com” domain exists, you should specify one.
  11. TechIDManager.Hybrid – Determines whether TechIDManager should only use accounts created and managed by ADConnect, or should create and manage accounts in AzureAD directly.
    1. Set to “No” to ignore the existence of synced accounts and create and manage tech accounts directly in AzureAD. Existing accounts with matching names are taken over by TechIDManager.
    2. Set to “Yes” to only set roles on users that match TechIDManager-created users from a hybrid domain that is running the TechIDManager DomainService on a DC synced to AzureAD. These users are looked up by the Username from the HybridDomain and only under the DomainName configured above. It is up to ADConnect to create these users and sync the password from the DC.
  12. TechIDManager.HybridDomainGuid – Must be set if TechIDManager.Hybrid is set to “Yes”.
    1. Should be set to the DomainGuid of the DomainService running on the domain that is being synced to this Azure tenant. This DomainGuid can be found in the Management Console by clicking on the gear icon on the Domains page, or by running “DomainService.exe show” on the source DC.

These options can be set at any time and will take effect the next time TechIDManager runs.
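As an added example (not part of these instructions and not Ruffian Software's script), the same Application Settings can be written from the PowerShell session using the Azure CLI installed in step 1, which is useful when you manage many tenants and want the HourToRun conversion to UTC and the Hybrid/HybridDomainGuid dependency checked before anything is saved. The function app name, resource group, time zone id and all sample values below are assumptions or constructed placeholders; the setting names are the ones listed above.

```powershell
# Added example: set TechIDManager Application Settings with the Azure CLI.
# $FunctionApp / $ResourceGroup are placeholders: use the names the install
# script created in the tenant you are signed in to (az login first).
$FunctionApp   = '<function-app-name>'
$ResourceGroup = '<resource-group-name>'

# HourToRun is read on the UTC clock, so derive it from the local hour you
# want rather than hard-coding. A January date is used so the result matches
# the page's "5 for midnight on the US east coast" (EST = UTC-5); during DST
# the same local hour would map to 4. Time zone id assumed to be a Windows id.
function Get-UtcHourToRun {
    param(
        [ValidateRange(0, 23)][int] $LocalHour,
        [string] $TimeZoneId = 'Eastern Standard Time'
    )
    $tz    = [System.TimeZoneInfo]::FindSystemTimeZoneById($TimeZoneId)
    $local = [DateTime]::new(2000, 1, 1, $LocalHour, 0, 0, [DateTimeKind]::Unspecified)
    return ([System.TimeZoneInfo]::ConvertTimeToUtc($local, $tz)).Hour
}

# Constructed sample values; ClientGUID/DomainGuid are left to the install script.
$settings = @{
    'TechIDManager.RmmName'         = 'Contoso Managed'
    'TechIDManager.FriendlyName'    = 'Contoso Ltd'
    'TechIDManager.HourToRun'       = Get-UtcHourToRun -LocalHour 0      # -> 5
    'TechIDManager.JustInTime'      = 'No'
    'TechIDManager.UsageLocation'   = 'US'
    'TechIDManager.DomainName'      = 'contoso.onmicrosoft.com'
    'TechIDManager.Hybrid'          = 'Yes'
    'TechIDManager.HybridDomainGuid' = '11111111-2222-3333-4444-555555555555'  # constructed
}

# The page requires HybridDomainGuid whenever Hybrid is "Yes": fail before writing.
if ($settings['TechIDManager.Hybrid'] -eq 'Yes' -and
    -not ($settings['TechIDManager.HybridDomainGuid'] -as [guid])) {
    throw 'TechIDManager.HybridDomainGuid must be a valid GUID when TechIDManager.Hybrid is "Yes".'
}

# az expects space-separated KEY=VALUE pairs; PowerShell passes each array
# element as its own argument and quotes values that contain spaces.
$pairs = $settings.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }
az functionapp config appsettings set --name $FunctionApp `
    --resource-group $ResourceGroup --settings $pairs

# Read back only the TechIDManager.* settings to confirm what the Function will see.
az functionapp config appsettings list --name $FunctionApp --resource-group $ResourceGroup `
    --query "[?starts_with(name, 'TechIDManager.')].{name:name, value:value}" -o table
```

The settings take effect at the Function's next scheduled run, exactly as when they are set through the portal.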

Some common errors:
    1. If you get a “Decryption Error [WinError -2146893813]” or similar at the very start of the script:
      1. Exit the PowerShell window.
      2. Close all browser windows accessing Azure.
      3. On your computer, delete the folder c:\Users\<YourUserName>\.azure
      4. Try the script again.
    2. If you get an error about not having permission to make a resource group in a subscription:
      1. Make sure you are signed in with an account that is a Global Administrator.
      2. Make sure you are an “Owner” of that subscription by looking in https://portal.azure.com under “Subscriptions” and “Roles”. If you are not, use the “+ Add” button on the roles screen to add yourself as an owner.
    3. If you get an error “(AuthorizationFailed) The client ‘live.com#???@????.com’ with object id ‘????’ does not have authorization to perform action ‘Microsoft.Web/sites/config/list/action’ over scope ‘/subscriptions/???..???/appsettings’ or the scope is invalid.”:
      1. Make sure you are an “Owner” of that subscription by looking in https://portal.azure.com under “Subscriptions” and “Roles”. If you are not, use the “+ Add” button on the roles screen to add yourself as an owner.
    4. If you get an error that there are no subscriptions, add a pay-as-you-go subscription to the tenant:
      1. Go to https://portal.azure.com
      2. Log in to the tenant in question.
      3. Click on “More Services”.
      4. Click on “Subscriptions”.
      5. Click on “Add” and finish the subscription setup.
      6. Try the script again.