Azure AD integration

TechIDManager integrates with Azure AD to give MSPs the same ability to create a unique account for every tech on every tenant that they help manage. Each tech gets an account created automatically in Azure AD, and that account’s password is rotated every 24 hours. Roles can be assigned to the created accounts based on the same grouping that works for On-Prem domain controllers. If you have any questions about how this works or would like more information, use the “Request Demo” button to schedule some time for a demo or Q&A session about TechIDManager. We love white glove installs and you can book installation assistance.

To install TechIDManager.AzureAD you need to have an active TechIDManager subscription, and an Azure subscription that is capable of running a function with a consumption plan. This is needed for a specific security reason. We, at Ruffian Software, do not have access to your clients’ tenants, and we don’t want it. We don’t ask for, or keep, OAuth tokens, Bearer tokens, or any other access to your clients’ tenants, because those types of tokens have been stolen in too many recent hacks and they grant too much access. In order for TechIDManager to have the needed permission to create users and set passwords, something must run with permission in the context of the tenant. The way we do this is with a function that runs in each client’s tenant and executes on MS provided hardware in the context of the tenant. This requires a consumption plan that costs between $0.10 and $1.00 each month to run in each tenant.

These instructions assume you have TechIDManager set up and working. If you need help with that, contact To update a TechIDManager.Azure installation, run the same script as for installing and it will recognize the need to update.

  1. Install the Azure CLI from (
    1. NOTE: You only have to do this step once on your machine; after that you can install many TechIDManager.AzureAD instances.
  2. Download the latest install script from
    1. You will need to “Save As” if your browser opens it as a text file.
  3. Start a PowerShell session
    1. Run the script downloaded in step 2.
    2. Answer the questions in the script.
      1. See the configuration value descriptions below for more information.
      2. Or schedule installation assistance if you have any questions.
    3. The script will prompt you to log in to an Azure Tenant.
      1. Login to the correct tenant with a “Global administrator account”
    4. When the script ends it will download a webpage; check the output for errors.
  4. Some common errors:
    1. If you get a “Decryption Error [WinError -2146893813]” or similar at the very start of the script:
      1. Exit the PowerShell window,
      2. Close all browser windows accessing azure stuff,
      3. On your computer delete the folder c:\Users\<YourUserName>\.azure
      4. Try the script again.
    2. If you get an error about not having permission to make a resource group in a subscription:
      1. Make sure you are signed in with an account that is a Global Administrator.
      2. Make sure you are an “Owner” of that subscription by looking under “Subscriptions” and “Roles”. If you are not, use the “+ Add” button on the roles screen to add yourself as an owner.
    3. If you get an error “(AuthorizationFailed) The client ‘’ with object id ‘????’ does not have authorization to perform action ‘Microsoft.Web/sites/config/list/action’ over scope ‘/subscriptions/???..???/appsettings’ or the scope is invalid.”:
      1. Make sure you are an “Owner” of that subscription by looking under “Subscriptions” and “Roles”. If you are not, use the “+ Add” button on the roles screen to add yourself as an owner.
    4. If you get an error that there are no subscriptions
      1. Add a pay-as-you-go subscription to the tenant.
      2. Go to
      3. Login to the tenant in question
      4. Click on “More Services”
      5. Click on “Subscriptions”
      6. Click on “Add” and finish the subscription setup.
      7. Try the script again.

Within an hour, an account should get created for each tech and their credentials should show up in their TechClient. To see/manage/access resources in a tenant, techs will need to self-elevate their freshly created account (via these instructions MAKE SURE TO SIGN OUT AND SIGN BACK IN), OR have roles granted by someone with existing access. It is our recommendation at this time that you self-elevate. Granting rights on all resources automatically is something we are working on.

There are several options that can be set in the “configuration” for the AzureFunction to affect how TechIDManager.AzureAD runs. Most of these parallel the command-line options for the DomainService. In the Function Configuration, set an “Application Setting” on the screen at the right.

  1. TechIDManager.ClientGUID – The same ClientGUID used everywhere; it is set by the install script above.
  2. TechIDManager.DomainGuid – The GUID unique to this Domain; it is set by the install script above.
  3. TechIDManager.RmmName – The RMM Name for this Domain that shows in the TechClient
  4. TechIDManager.FriendlyName – The Friendly Name for this Domain that shows in the TechClient
  5. TechIDManager.UserName – The same formatting for UserName as described for DomainService ( )
  6. TechIDManager.DisplayName – The same formatting for DisplayName as described for DomainService ( )
  7. TechIDManager.HourToRun – The hour (0-23) at which TechIDManager.AzureAD should run and change passwords. Since Azure consumption plans use the UTC clock, this should be 5 to run near midnight.
  8. TechIDManager.DomainName – The domain name to use when creating accounts, or looking for synced accounts. This will default to the “” domain found in the tenant. If more than one “” domain exists, you should specify one.
  9. TechIDManager.Hybrid – Determines whether TechIDManager should only use accounts created and managed by ADConnect, or should create and manage accounts in AzureAD directly.
    1. This can be set to “No” to ignore the existence of synced accounts and create and manage tech accounts directly in AzureAD. Existing accounts with matching names are taken over by TechIDManager.
    2. This can be set to “Yes” to only set roles on users that are found to match TechIDManager-created users from a hybrid domain that is running the TechIDManager DomainService on a DC that is synced to AzureAD. These users will be looked for with the UserName from the HybridDomain and only with the DomainName configuration from above. It is up to ADConnect to create these users and sync the password from the DC.
  10. TechIDManager.HybridDomainGuid – Must be set if TechIDManager.Hybrid is set to “Yes”.
    1. Should be set to the DomainGuid of the DomainService running on the domain that is being synced to this Azure Tenant. This DomainGuid can be found in the ManagementConsole by clicking on the gear icon in the Domains page or by running “DomainService.exe show” on the source DC.

These options can be set at any time and will take effect the next time TechIDManager runs.
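As an added example (not part of the TechIDManager documentation or Ruffian Software’s own tooling), the same Application Settings can be applied from the PowerShell session used for the install with the Azure CLI instead of the portal. It assumes you are already logged in to the client tenant with `az login`; the function app and resource group names are placeholders, and the RmmName/FriendlyName values are constructed samples.

```powershell
# Placeholders: the TechIDManager.AzureAD function app created by the install script
# and the resource group it lives in.
$FunctionApp   = "<function-app-name>"
$ResourceGroup = "<resource-group-name>"

# Settings to apply; keys mirror the configuration values described above.
# ClientGUID and DomainGuid are left alone because the install script sets them.
$Settings = @{
    "TechIDManager.RmmName"          = "Contoso RMM"   # constructed sample value
    "TechIDManager.FriendlyName"     = "Contoso Ltd"   # constructed sample value
    "TechIDManager.HourToRun"        = "5"             # UTC hour; 5 runs near US midnight
    "TechIDManager.Hybrid"           = "No"
    "TechIDManager.HybridDomainGuid" = ""              # only required when Hybrid is "Yes"
}

# Sanity checks before touching the tenant: HourToRun must be 0-23, and a
# Hybrid=Yes deployment needs the DomainGuid of the synced DomainService.
$hour = [int]$Settings["TechIDManager.HourToRun"]
if ($hour -lt 0 -or $hour -gt 23) {
    throw "TechIDManager.HourToRun must be between 0 and 23 (UTC)."
}
if ($Settings["TechIDManager.Hybrid"] -eq "Yes" -and
    -not ($Settings["TechIDManager.HybridDomainGuid"] -as [guid])) {
    throw "TechIDManager.HybridDomainGuid must be a valid GUID when TechIDManager.Hybrid is Yes."
}

# Build KEY=VALUE pairs, skipping empty values so an unused key is not written.
$pairs = $Settings.GetEnumerator() |
    Where-Object { $_.Value -ne "" } |
    ForEach-Object { "$($_.Key)=$($_.Value)" }

# Apply the settings; they take effect the next time the function runs.
az functionapp config appsettings set `
    --name $FunctionApp `
    --resource-group $ResourceGroup `
    --settings $pairs

# Confirm what is now configured on the function app.
az functionapp config appsettings list `
    --name $FunctionApp `
    --resource-group $ResourceGroup `
    --output table
```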