TechIDManager EntraID/Azure AD agent install (Base & Link)

The TechIDManager agent installs in EntraID (Azure AD) to provide MSPs with the same setup options available for all other TechIDManager agents.

It offers the same capabilities, including:

  1. Automatic creation of unique accounts for every tech in every tenant they have access to in EntraID (Azure AD)
  2. Daily password rotation (every 24 hours)
  3. Role assignments tailored to each tech
  4. Just-In-Time (JIT) or managed accounts

Roles for these accounts are assigned using the same grouping and triplet system that applies to other TechIDManager agents.

If you have questions or want to learn more, feel free to schedule a demo or Q&A session about TechIDManager. We also offer white glove installations, and you can book assistance for setup.

To install TechIDAgent.EntraID, you must have:

  1. An active TechIDManager subscription, and
  2. A single Azure subscription that can run an Azure Function with a consumption plan, all within one tenant (usually your MSP's tenant).

This setup is required for a specific security reason. At Ruffian Software, we do not have access to your clients' tenants, and we do not want it. We never ask for or store OAuth tokens, Bearer tokens, Global Administrator (GA) passwords, or any other credentials for your clients' tenants. Such tokens have been compromised in too many recent attacks and grant too much access for any security vendor to hold responsibly.

For TechIDManager to create users and set passwords, something must run with permission inside the tenant’s context. We accomplish this by running a function in your MSP’s tenant that has enterprise app connections to each client tenant.

This code runs on Microsoft-provided hardware, in the context of the client tenant.

The Azure Function requires a consumption plan, which costs about $0.25 per month per tenant (yes, just 25 cents). If you do not already have one, the easiest option to set up is a "Pay-As-You-Go" plan.

These instructions assume you already have TechIDManager set up and working.

A note on GCC and GCC-High: TechIDAgent.EntraID works with both, but the Base install must be on the same type of tenant as the Links.

To update an existing TechIDAgent.EntraID installation, run the Base script exactly as for the initial install; it will recognize the existing install and convert it to a Base install. You will then need to run the Link executable against your own tenant to make it an agent again.

Base Install: (do this once in the MSP tenant)

Step 4.3.1
What to do: Install the Azure CLI on your computer from https://docs.microsoft.com/en-us/cli/azure/install-azure-cli
You only have to do this step once on your machine. If you are behind a proxy, make sure the Azure CLI is set up to work behind the proxy.
Expected result: Azure CLI installed on your computer.

Step 4.3.2
What to do: Download the latest install script from https://ruffiansoftware.com/releases under TechIDAgent.EntraID.
You will need to "Save As" if your browser opens it as a text file.
Expected result: Install PowerShell script saved on your computer.

Step 4.3.3
What to do: Start a regular PowerShell window. The session does NOT need to be an admin session. Do not use PowerShell ISE; it will cause this script to fail.
Expected result: PowerShell session running.

Step 4.3.4
What to do: In the PowerShell session, change directory to the directory where the PowerShell file was downloaded.

Step 4.3.5
What to do: Run the script downloaded in step 4.3.2:

 .\Deploy_TechIDAgent_EntraID_version.ps1

If you are installing on a GCC tenant, use -GCC.
Expected result: Script running and asking you questions.

Step 4.3.6
What to do: Answer the questions in the script. If you have questions, contact support@techidmanager.com.
The script will prompt you to log in to an Azure tenant. Log in to the tenant where you want the Base install with a "Global Administrator" account.
When asked about the region, pick a region name from https://azuretracks.com/2021/04/current-azure-region-names-reference/. We have no affiliation with that site; it is simply a good place to find Azure region names, which are otherwise hard to find.
When the script ends it will download a web page; check the output for errors.
Expected result: TechIDAgent.EntraID Base agent installed and showing in TechIDPortal in the Client Options section.

Link Install: (do this for each client tenant)

Step 4.3.7
What to do: Install the Azure CLI on your computer from https://docs.microsoft.com/en-us/cli/azure/install-azure-cli
You only have to do this step once on your machine. If you are behind a proxy, make sure the Azure CLI is set up to work behind the proxy. This was probably already done during the Base install.
Expected result: Azure CLI installed on your computer.

Step 4.3.8
What to do: Download the latest Link install program from https://ruffiansoftware.com/releases under TechIDAgent.EntraID.
Expected result: Install zip file saved on your computer.

Step 4.3.9
What to do: Extract the zip file to a folder on your computer.
Expected result: Directory with the secondary install program in it.

Step 4.3.10
What to do: Start a PowerShell session. The session does NOT need to be an admin session.
Expected result: PowerShell session running.

Step 4.3.11
What to do: In the PowerShell session, change directory to the directory where the install executable was extracted.

Step 4.3.12
What to do: Run the executable extracted in step 4.3.9:

 .\TechIDAgent.EntraID.Installer.exe

Expected result: Program running and asking you questions.

Step 4.3.13
What to do: Answer the questions. See the configuration value descriptions below for more information.
The program will prompt you to log in to an Azure tenant. Log in to the correct client tenant with a "Global Administrator" account.
If you have any questions: support@techidmanager.com
Expected result: TechIDAgent.EntraID Linked agent installed and showing in TechIDPortal under Agents.

Step 4.3.14
What to do: Within about an hour, an account should be created for each tech and their credentials should show up in their TechIDClient. To see, manage, or access resources in a tenant, techs will need either to self-elevate their freshly created account (via these instructions: https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin; MAKE SURE TO SIGN OUT AND SIGN BACK IN), or to have roles granted by someone with existing access. Our recommendation at this time is to self-elevate. Granting rights on all resources automatically is something we are working on.
Expected result: Unique accounts for each tech created in this EntraID tenant.


Options that affect how TechIDAgent.EntraID runs are settable in the TechIDPortal. Most of these parallel the command line options for the TechIDAgent. In the Function's Configuration, set each one as an "Application Setting".

  1. RmmName – The RMM name for this domain that shows in the TechIDClient
  2. FriendlyName – The friendly name for this domain that shows in the TechIDClient
  3. UserName – The same formatting for Username as described for TechIDAgent ( https://ruffiansoftware.com/username-feature-in-domainservice-piece-of-techidmanger )
  4. DisplayName – The same formatting for Display name as described for TechIDAgent ( https://ruffiansoftware.com/username-feature-in-domainservice-piece-of-techidmanger )
  5. HourToRun – The hour (0-23) at which TechIDAgent.EntraID should run and change passwords. Since Azure consumption plans run on the UTC clock, set this to 5 to run near midnight on the east coast of the USA.
  6. JustInTime – Enable Just-In-Time accounts on this agent.
    1. "Yes" for Just-In-Time accounts
    2. "No" for Managed accounts (default)
  7. UsageLocation – Set the UsageLocation of the techs.
  8. DomainName – The domain name to use when creating accounts, or when looking for synced accounts in a hybrid setup. This defaults to the "onmicrosoft.com" domain found in the tenant. If more than one "onmicrosoft.com" domain exists, you should specify one.
  9. Hybrid – Determines whether TechIDManager should only use accounts created and managed by ADConnect, or should create and manage accounts in EntraID directly.
    1. Set to "No" to ignore the existence of synced accounts and create and manage tech accounts directly in EntraID. Existing accounts with matching names are taken over by TechIDManager.
    2. Set to "Yes" to only set roles on users that match TechIDManager-created users from a hybrid domain that is running the TechIDManager TechIDAgent on a DC synced to EntraID. These users are looked up by the Username from the HybridDomain and only with the DomainName configured above. It is up to ADConnect to create these users and sync the password from the DC.
  10. HybridDomainGuid – Must be set if Hybrid is set to "Yes".
    1. Should be set to the DomainGuid of the TechIDAgent running on the domain that is being synced to this Azure tenant. This DomainGuid can be found in the TechIDPortal by clicking on the gear icon in the Domains page, or by running "TechIDAgent.exe show" on the source DC.

These options can be set at any time and take effect within a few minutes.
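As an added example (not the vendor's own tooling), the PowerShell script below validates the option values described above against the rules in this section (HourToRun is a UTC hour 0-23, JustInTime and Hybrid are "Yes" or "No", HybridDomainGuid is required when Hybrid is "Yes") and then writes them to the Function App as Application Settings with the Azure CLI. $FunctionAppName and $ResourceGroup are assumed placeholders for the names created by your Base install, and the default values are constructed samples.

```powershell
# Added example: validate TechIDAgent.EntraID options, then apply them as
# Function App Application Settings. Not part of the vendor's installer.
# $FunctionAppName and $ResourceGroup are placeholders from your Base install.
param(
    [Parameter(Mandatory)] [string] $FunctionAppName,
    [Parameter(Mandatory)] [string] $ResourceGroup,
    [hashtable] $Settings = @{                    # constructed sample values
        RmmName          = 'ContosoRMM'
        FriendlyName     = 'Contoso Ltd'
        HourToRun        = '5'                    # UTC; 5 = near midnight US East
        JustInTime       = 'No'                   # 'No' = Managed accounts (default)
        UsageLocation    = 'US'
        DomainName       = 'contoso.onmicrosoft.com'
        Hybrid           = 'No'
        HybridDomainGuid = ''                     # only needed when Hybrid = 'Yes'
    }
)

function Test-TechIdSettings([hashtable] $s) {
    $problems = @()
    if ($s.HourToRun -notmatch '^(?:[0-9]|1[0-9]|2[0-3])$') {
        $problems += "HourToRun must be 0-23 (UTC), got '$($s.HourToRun)'"
    }
    foreach ($k in 'JustInTime', 'Hybrid') {
        if ($s[$k] -notin 'Yes', 'No') { $problems += "$k must be 'Yes' or 'No', got '$($s[$k])'" }
    }
    if ($s.Hybrid -eq 'Yes') {
        # HybridDomainGuid is the DomainGuid shown by "TechIDAgent.exe show" on the source DC
        if (-not ($s.HybridDomainGuid -as [guid])) {
            $problems += 'HybridDomainGuid must be a GUID when Hybrid is Yes'
        }
        if (-not $s.DomainName) { $problems += 'DomainName is required when Hybrid is Yes' }
    }
    # Entra usageLocation is a two-letter ISO 3166 country code
    if ($s.UsageLocation -and $s.UsageLocation -notmatch '^[A-Z]{2}$') {
        $problems += 'UsageLocation must be a two-letter ISO country code'
    }
    return $problems
}

$problems = Test-TechIdSettings $Settings
if ($problems) { $problems | ForEach-Object { Write-Error $_ }; exit 1 }

# Build KEY=VALUE pairs; empty values are skipped so unused options are not written.
$pairs = @($Settings.GetEnumerator() | Where-Object { $_.Value -ne '' } |
    ForEach-Object { "$($_.Key)=$($_.Value)" })
az functionapp config appsettings set --name $FunctionAppName `
    --resource-group $ResourceGroup --settings @pairs
```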


Some common errors when running the Base installation script:

  1. If you get a "Decryption Error [WinError -2146893813]" or similar at the very start of the script:
    1. Exit the PowerShell window.
    2. Close all browser windows accessing Azure.
    3. On your computer, delete the folder c:\Users\<YourUserName>\.azure
    4. Try the script again.
  2. If you get an error saying you do not have permission to make a resource group in a subscription:
    1. Make sure you are signed in with an account that is a Global Administrator.
    2. Make sure you are an "Owner" of that subscription by looking in https://portal.azure.com under "Subscriptions" and "Roles". If you are not, use the "+ Add" button on the roles screen to add yourself as an owner.
  3. If you get an error "(AuthorizationFailed) The client 'live.com#???@????.com' with object id '????' does not have authorization to perform action 'Microsoft.Web/sites/config/list/action' over scope '/subscriptions/???..???/appsettings' or the scope is invalid.":
    1. Make sure you are an "Owner" of that subscription by looking in https://portal.azure.com under "Subscriptions" and "Roles". If you are not, use the "+ Add" button on the roles screen to add yourself as an owner.
  4. If you get an error that there are no subscriptions:
    1. Add a pay-as-you-go subscription to the tenant.
    2. Go to https://portal.azure.com
    3. Log in to the tenant in question.
    4. Click on "More Services".
    5. Click on "Subscriptions".
    6. Click on "Add" and finish the subscription setup.
    7. Try the script again.
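The following pre-flight script is an added example, not part of the TechIDManager install script. It checks, before you run the Base install (steps 4.3.1 to 4.3.6), the conditions whose absence produces the errors listed above: Azure CLI present, signed in to the intended tenant, at least one subscription, and the signed-in account both an Owner of the active subscription and a Global Administrator. $ExpectedTenantId is an assumed placeholder for your MSP tenant id.

```powershell
# Added pre-flight check for the Base install; not part of the vendor's script.
# $ExpectedTenantId is an assumed placeholder: pass your MSP tenant id.
param([Parameter(Mandatory)] [string] $ExpectedTenantId)

# 1. Azure CLI installed and on PATH (step 4.3.1).
if (-not (Get-Command az -ErrorAction SilentlyContinue)) {
    throw 'Azure CLI not found; install it from https://docs.microsoft.com/en-us/cli/azure/install-azure-cli'
}

# 2. Signed in, and to the tenant you expect (the login prompt in step 4.3.6).
$account = az account show -o json 2>$null | ConvertFrom-Json
if (-not $account) { throw "Not signed in; run: az login --tenant $ExpectedTenantId" }
if ($account.tenantId -ne $ExpectedTenantId) {
    throw "Signed in to tenant $($account.tenantId) but expected $ExpectedTenantId"
}

# 3. At least one subscription in this tenant (common error 4).
$subs = @(az account list --query "[?tenantId=='$ExpectedTenantId']" -o json | ConvertFrom-Json)
if ($subs.Count -eq 0) { throw 'No subscriptions in this tenant; add a Pay-As-You-Go subscription first' }

# 4. Owner of the active subscription (common errors 2 and 3). Inherited
#    assignments count, e.g. Owner granted at a management group.
$me = az ad signed-in-user show --query id -o tsv
$owner = @(az role assignment list --assignee $me --include-inherited `
    --scope "/subscriptions/$($account.id)" `
    --query "[?roleDefinitionName=='Owner']" -o json | ConvertFrom-Json)
if ($owner.Count -eq 0) {
    throw "$($account.user.name) is not an Owner of subscription '$($account.name)'"
}

# 5. Global Administrator directory role, read from Microsoft Graph with the
#    CLI's own token. GCC-High tenants live in the Azure Government cloud and
#    use its Graph host instead (az cloud set --name AzureUSGovernment).
$roles = az rest --method GET `
    --url 'https://graph.microsoft.com/v1.0/me/memberOf/microsoft.graph.directoryRole?$select=displayName' `
    -o json | ConvertFrom-Json
if ($roles.value.displayName -notcontains 'Global Administrator') {
    throw "$($account.user.name) does not hold the Global Administrator role"
}

Write-Host "Pre-flight OK: tenant $ExpectedTenantId, subscription '$($account.name)', Owner and Global Administrator"
```

Run it in the same PowerShell window you will use for the install script so both see the same Azure CLI login.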

Return to step 4 to install more agents.

4
Install More Agents