Azure AD Provider

Introduction

The Azure AD provider connects to the Microsoft Azure AD cloud tenant to collect data for time traveling that is not available to AADSync / DirSync.

The Azure AD provider uses the MSOnline PowerShell module to collect information about Azure AD, including groups, users, and licensing data. It uses Office 365 Exchange PowerShell sessions to collect a host of identity information from Exchange in the cloud, including mailbox settings and usage, email last logon, mobile device, and auto-reply settings. The Azure AD provider is also able to connect to and time travel data from on-premises Exchange 2013.

Setup

To use Azure AD PowerShell you must first download and install the MSOnline PowerShell module. On Server 2012 R2, this installs to C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MSOnline by default. If MSOnline is installed to a different location, you will need to edit SoftwareIDM.PanelService.exe.config and PanelTool.exe.config to contain the correct install directory.

Before attempting to configure an Azure AD connection, ensure that you can connect to Exchange Online PowerShell and MsolService.
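The prerequisite check above, as an added example that is not part of the Identity Panel product: it confirms where MSOnline is installed, that the collection account can read the tenant through MsolService, and that an Exchange Online remote session can be opened and released. The credential prompt and the default module path are assumptions taken from this page.

```powershell
# Added example (not Identity Panel code): verify the prerequisites the Azure AD provider
# relies on before creating a connection in the Providers settings tab.
$cred = Get-Credential -Message 'Azure AD read account (UPN)'

# 1. Is the MSOnline module where PanelService / PanelTool expect it by default?
$expected = 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MSOnline'
$mod = Get-Module -ListAvailable -Name MSOnline | Select-Object -First 1
if (-not $mod) { throw 'MSOnline module is not installed' }
if ($mod.ModuleBase -notlike "$expected*") {
    Write-Warning "MSOnline found at $($mod.ModuleBase); update both .exe.config files to match"
}

# 2. MsolService: a read-only call proves the credential has read access to the tenant
Import-Module MSOnline
Connect-MsolService -Credential $cred
$company = Get-MsolCompanyInformation
"Connected to tenant: $($company.DisplayName)"

# 3. Exchange Online remote PowerShell: the session type the Exchange silos are collected through
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
    -Credential $cred -Authentication Basic -AllowRedirection
try {
    Import-PSSession $session -CommandName Get-Mailbox -DisableNameChecking | Out-Null
    $count = (Get-Mailbox -ResultSize 1 | Measure-Object).Count
    "Exchange Online session OK (Get-Mailbox returned $count record)"
}
finally {
    # Always release the session: concurrent sessions per tenant are capped
    Remove-PSSession $session
}
```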

Settings

Before using the Azure AD provider you must configure a connection in the Providers settings tab. If your organization has multiple Azure AD cloud tenants you can create separate connections for each one. It is also possible to create multiple environments pointed at the same tenant, in order to collect separate subsets of cloud data in different silos.

Each environment must have a unique name, but this name may be changed at any time. Because the environment name will be prefixed onto MSOnline and Exchange silos, short names are preferred (e.g. Azure: MSOnline).

Azure AD Settings

Account Credentials

The first part of the environment settings is account credentials. The username should be the UPN login for an account with global read access to the cloud tenant. If you plan to use the Workflow engine for tasks like assigning and removing licenses the account should be a global administrator. The account does not have to be mailbox enabled.

In order to collect data from the cloud, the Azure AD provider must do a regular scan with PowerShell. The largest performance bottleneck for this scan is the throttling limits applied by the Exchange PowerShell provider. The Azure AD provider is designed to respect these throttling limits from the client side, so as not to lock out the account. Certain data cmdlets are more demanding than others. Mobile device statistics and mailbox statistics are the slowest.

The best way to improve scan performance is to use multiple user accounts in parallel, since Exchange throttling is applied on a per-user session basis, and each organization is permitted up to 9 simultaneous concurrent PowerShell user sessions. If you provide multiple user credentials the Azure AD provider is able to run more commands in parallel to maximize scan performance.

Collecting Data

To collect data using the Azure AD provider select strips from the Data Type drop-down list and press the Add icon. Each data type corresponds to a PowerShell command that returns an iterable result. For example, the Mailbox — Exchange command iterates over Get-Mailbox in the Exchange PowerShell environment.

Once a command pipeline is added, you can select and deselect which attributes to collect for the time traveller.

Azure Command Attributes

Strips are treated as a pipeline because they can have Child commands. A child command is invoked once for each record returned by the parent command. The Azure AD scan dispatch logic runs each command pipeline in parallel. Threading enables the child commands within each pipeline to also run in parallel.
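The parent/child pipeline described above, together with the per-account throttling and parallel sessions described under Account Credentials, as an added example that is not Identity Panel's own code: Get-Mailbox is the parent command, Get-MailboxStatistics the child invoked once per record, and the child work is spread round-robin over one Exchange Online session per collection account. The two credential prompts, the connection URI and the pause interval are assumptions.

```powershell
# Added example (not Identity Panel code): parent command enumerated once, child command run
# once per record, spread over one Exchange Online session per collection account so that each
# account's throttling budget is consumed in parallel.
# Assumed: $creds holds one PSCredential per collection account (never more than 9 per tenant).
$creds = @( (Get-Credential -Message 'Collection account 1'),
            (Get-Credential -Message 'Collection account 2') )
$uri = 'https://outlook.office365.com/powershell-liveid/'
$pauseMs = 500      # client-side pause between child commands, tuned to stay under the server limit

function New-ExoSession([pscredential]$Cred) {
    New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $uri `
        -Credential $Cred -Authentication Basic -AllowRedirection
}

# Parent command: enumerate once with the first account, keep only the key the child needs
$parent = New-ExoSession $creds[0]
try {
    $upns = Invoke-Command -Session $parent { Get-Mailbox -ResultSize Unlimited } |
            Select-Object -ExpandProperty UserPrincipalName
}
finally { Remove-PSSession $parent }

# Child command: each session takes every Nth record (round-robin) and paces its own calls
$jobs = for ($i = 0; $i -lt $creds.Count; $i++) {
    Start-Job -ArgumentList $creds[$i], $uri, $upns, $i, $creds.Count, $pauseMs -ScriptBlock {
        param($cred, $uri, $upns, $slot, $slots, $pauseMs)
        $s = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $uri `
             -Credential $cred -Authentication Basic -AllowRedirection
        try {
            for ($k = $slot; $k -lt $upns.Count; $k += $slots) {
                $st = Invoke-Command -Session $s { param($u) Get-MailboxStatistics -Identity $u } `
                      -ArgumentList $upns[$k]
                [pscustomobject]@{ UPN = $upns[$k]; ItemCount = $st.ItemCount
                                   LastLogon = $st.LastLogonTime; Session = $cred.UserName }
                Start-Sleep -Milliseconds $pauseMs
            }
        }
        finally { Remove-PSSession $s }   # release the session so it stops counting against the cap
    }
}
$results = $jobs | Wait-Job | Receive-Job
$jobs | Remove-Job
$results | Sort-Object UPN | Format-Table UPN, ItemCount, LastLogon, Session -AutoSize
```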

Child Commands

The included object scan types are:

  • User - MSOnline
  • Group - MSOnline
    • Group Membership - MSOnline
  • Role - MSOnline
    • Role Membership - MSOnline
  • License Sku - MSOnline
  • Contact - MSOnline
  • Mailbox - Exchange
    • Mailbox Statistics - Exchange
    • Mailbox Junk Mail - Exchange
    • Mailbox Message - Exchange
    • Mailbox Regional - Exchange
    • Mailbox Permissions - Exchange
    • Mailbox Auto Reply - Exchange
    • Mailbox Calendar - Exchange
  • Contact - Exchange
  • Distribution Group - Exchange
    • Distribution Group Membership - Exchange
  • Mobile Device - Exchange
    • Mobile Device Stats - Exchange
  • Role Group - Exchange
  • Retention Policy - Exchange
  • Federated Organization - Exchange
  • Federation Trust - Exchange

Chart Counters

The Azure Scan Record re-uses the Import Add/Update/Delete counters used by the Sync Engine.

  • Import Add
  • Import Update
  • Import Delete

Schedule Steps

Azure Scan

Scans data from Azure AD, both MSOnline and Exchange, using the settings defined in the Azure AD section.

History

Returns an Azure Scan Record with Argument set to the Azure provider connection. The Result is "success" or an error message. The following Counters are set:

  • Add: 2 — Cloud object added
  • Update: 3 — Cloud object updated
  • Delete: 5 — Cloud object deleted

Concurrency

The Azure scan step may run simultaneously with anything but another Azure Scan step using the same cloud tenant connection.

Settings

  • Provider: Name of the provider connection defined in the Azure AD section.

Workflow Steps

Azure License User

Assigns the named MSOnline license sku to a user.

Settings

  • License Name: Name of a license sku with available units (names may be looked up by searching the MSOnline silo for AccountSku objects)
  • User Principal Name: UPN of user to assign license to — supports Rule Engine value lookup
  • Provider: Name of Azure AD provider connection settings

Azure Delicense User

Removes the named MSOnline license sku from a user.

Settings

  • License Name: Name of a license sku to revoke (names may be looked up by searching the MSOnline silo for AccountSku objects)
  • User Principal Name: UPN of user to remove the license from — supports Rule Engine value lookup
  • Provider: Name of Azure AD provider connection settings
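What the Azure License User and Azure Delicense User steps do against MSOnline, as an added example that is not Identity Panel's own code: it looks the sku up the way the page suggests (AccountSku objects), checks available units and the user's current licenses before calling Set-MsolUserLicense, and returns a message a Workflow author could log. The user UPN, sku name and function name are constructed for illustration.

```powershell
# Added example (not Identity Panel code): assign or remove one MSOnline license sku with the
# checks a Workflow author wants before the change. Constructed values: 'user@contoso.com',
# 'contoso:ENTERPRISEPACK' (an AccountSkuId as stored in the MSOnline silo), Set-UserLicenseState.
function Set-UserLicenseState {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$AccountSkuId,
        [ValidateSet('Assign', 'Remove')][string]$Action = 'Assign'
    )
    $sku = Get-MsolAccountSku | Where-Object AccountSkuId -eq $AccountSkuId
    if (-not $sku) { throw "License sku '$AccountSkuId' not found in this tenant" }
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName
    $has  = $user.Licenses.AccountSkuId -contains $AccountSkuId
    switch ($Action) {
        'Assign' {
            if ($has) { return "$UserPrincipalName already holds $AccountSkuId" }
            $free = $sku.ActiveUnits - $sku.ConsumedUnits
            if ($free -le 0) {
                throw "No available units for $AccountSkuId ($($sku.ConsumedUnits)/$($sku.ActiveUnits) consumed)"
            }
            # MSOnline refuses to license a user that has no usage location
            if (-not $user.UsageLocation) { throw "$UserPrincipalName has no UsageLocation set" }
            Set-MsolUserLicense -UserPrincipalName $UserPrincipalName -AddLicenses $AccountSkuId
            return "Assigned $AccountSkuId to $UserPrincipalName ($($free - 1) units left)"
        }
        'Remove' {
            if (-not $has) { return "$UserPrincipalName does not hold $AccountSkuId" }
            Set-MsolUserLicense -UserPrincipalName $UserPrincipalName -RemoveLicenses $AccountSkuId
            return "Removed $AccountSkuId from $UserPrincipalName"
        }
    }
}

# Licensing changes need a global administrator, as the Account Credentials section notes
Connect-MsolService -Credential (Get-Credential -Message 'Global administrator')
Set-UserLicenseState -UserPrincipalName 'user@contoso.com' -AccountSkuId 'contoso:ENTERPRISEPACK' -Action Assign
Set-UserLicenseState -UserPrincipalName 'user@contoso.com' -AccountSkuId 'contoso:ENTERPRISEPACK' -Action Remove
```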

Azure PowerShell

Run a PowerShell script against either the MSOnline or Exchange cloud tenant.

Settings

  • PowerShell Environment: Whether to run against MSOnline or Exchange PowerShell environment
  • Command Count: Number of commands that will be executed by the script. This is used by the throttling mechanism for the Exchange environment
  • PowerShell Script: The script to execute — supports Rule Engine value lookup
  • Provider: Name of the Azure AD provider connection settings

Copyright © SoftwareIDM
