This page describes the older ‘pull based’ user synchronization, which reads AzureAD information via the GraphAPI.

There is a newer and better ‘push based’ SCIM user synchronization, which should be used if you are implementing new user data synchronization.

See: SCIM provisioning from Azure AD

General

What different sync options are there?

There are three different syncs:

  • User Sync (BenePortal)

  • Directory sync of existing users

  • Directory sync of directory entries

User Sync is used for managing users in BenePortal.

Directory sync of existing users is used for keeping the directory information of users up to date. A user is someone who has Benemen services.

Directory sync of directory entries is used for creating, updating and removing directory entries in Benemen directory. A directory entry is just an object in the Benemen directory and does not have any Benemen services.

How do AzureAD syncs work?

SyncModule reads AzureAD data via the Azure GraphAPI over an HTTPS connection. User data in Benemen systems is updated based on the data in AzureAD.

All syncs run as scheduled jobs. The default interval is 24 h.

Which attribute names are used when reading from AzureAD?

As SyncModule uses the GraphAPI to read AzureAD data, mappings must be done using the property names of the GraphAPI user resource type. See the GraphAPI documentation for the full list: https://docs.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0#properties

Note that the naming of some attributes/properties differs between on-prem AD and AzureAD, and also between AzureAD and the GraphAPI. Some common examples:

On-Prem AD Attribute (LDAP)     AzureAD Attribute              GraphAPI property
telephoneNumber                 TelephoneNumber                businessPhones
mobile                          Mobile                         mobilePhone
sn                              Surname                        surname
physicalDeliveryOfficeName      PhysicalDeliveryOfficeName     officeLocation

Note that the types differ too: businessPhones is a collection (a list of strings) in the GraphAPI, whereas telephoneNumber is single-valued, so a mapping to a single BenePortal field has to pick one value from it.

What is needed to configure AzureAD syncs?

For all Syncs:

  • An app registration must be added to the customer's AzureAD tenant.

For User sync following must be defined:

  • AzureAD group of which members will be synced

  • Attribute mappings

  • Removal policy

  • Email address for sync reports

Directory sync of existing users:

  • Attribute mappings

Directory sync of directory entries:

  • AzureAD group of which members will be synced as directory entries

  • Attribute mappings

...

How are the users to be synced defined in User Sync?

The users to be synced to BenePortal are defined by membership of a specified group in AzureAD. All users belonging to the group or to any of its nested subgroups are included in the sync.
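The two passages above (reading AzureAD over the GraphAPI, and resolving a group including its nested subgroups) can be illustrated with a small enumeration routine. This is an added example, not SyncModule code: the GraphAPI URL shapes, the `transitiveMembers` endpoint, the `microsoft.graph.user` cast, the `@odata.nextLink` paging and the property names in `$select` are real GraphAPI features; the group id, the sample result pages and the user records are constructed for the example. It assumes the app registration holds application permissions that allow reading group membership and user properties (for instance `GroupMember.Read.All` together with `User.Read.All`); the page does not state which permissions SyncModule actually uses.

```python
"""Added example (not SyncModule code): enumerate the users that a pull-based sync
would read for one AzureAD group, via the Graph API transitiveMembers endpoint,
following pagination and keeping only user objects.  The Graph URL shapes and
property names are real; the group id, sample pages and user records below are
constructed for the example."""
import json
import urllib.request
from typing import Callable, Iterator

GRAPH = "https://graph.microsoft.com/v1.0"

# GraphAPI property names (not LDAP or AzureAD portal names) that mappings refer to.
SELECT = ",".join([
    "id", "userPrincipalName", "mail", "givenName", "surname",
    "businessPhones", "mobilePhone", "officeLocation", "accountEnabled",
])


def member_url(group_id: str) -> str:
    # transitiveMembers resolves nested groups server-side; the microsoft.graph.user
    # cast keeps only users, so nested groups, devices and service principals that
    # are also members are not returned.
    return f"{GRAPH}/groups/{group_id}/transitiveMembers/microsoft.graph.user?$select={SELECT}"


def iter_group_users(group_id: str, fetch: Callable[[str], dict]) -> Iterator[dict]:
    """Yield every user object reachable from the group, across all result pages."""
    url = member_url(group_id)
    seen: set[str] = set()
    while url:
        page = fetch(url)
        for obj in page.get("value", []):
            # Defensive checks: without the cast, group objects would appear here, and
            # directory changes during a long enumeration can surface a user twice.
            if obj.get("@odata.type", "#microsoft.graph.user") != "#microsoft.graph.user":
                continue
            if obj["id"] in seen:
                continue
            seen.add(obj["id"])
            yield obj
        # Graph pages its results; @odata.nextLink is absent on the last page.
        url = page.get("@odata.nextLink")


def https_fetch(token: str) -> Callable[[str], dict]:
    """Real transport: GET the URL over HTTPS with a bearer token obtained through the
    customer's app registration (client credentials flow).  Not used by the sample run."""
    def fetch(url: str) -> dict:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


# ---- constructed sample data standing in for two Graph result pages ----------
GROUP_ID = "11111111-2222-3333-4444-555555555555"  # constructed, not a real tenant
_PAGE2 = f"{GRAPH}/groups/{GROUP_ID}/transitiveMembers/microsoft.graph.user?$skiptoken=constructed-page-2"

SAMPLE_PAGES = {
    member_url(GROUP_ID): {
        "value": [
            {"@odata.type": "#microsoft.graph.user", "id": "u1",
             "userPrincipalName": "anna.virtanen@example.com", "givenName": "Anna",
             "surname": "Virtanen", "businessPhones": ["+358 9 1234567"],
             "mobilePhone": "+358 40 1234567", "officeLocation": "Helsinki"},
            {"@odata.type": "#microsoft.graph.user", "id": "u2",
             "userPrincipalName": "matti.meikalainen@example.com", "givenName": "Matti",
             "surname": "Meikäläinen", "businessPhones": [], "mobilePhone": None,
             "officeLocation": None},
        ],
        "@odata.nextLink": _PAGE2,
    },
    _PAGE2: {
        "value": [
            {"@odata.type": "#microsoft.graph.user", "id": "u2",   # repeat of page 1
             "userPrincipalName": "matti.meikalainen@example.com"},
            {"@odata.type": "#microsoft.graph.user", "id": "u3",
             "userPrincipalName": "liisa.korhonen@example.com", "givenName": "Liisa",
             "surname": "Korhonen", "businessPhones": ["+358 9 7654321"],
             "mobilePhone": None, "officeLocation": "Tampere"},
        ],
    },
}


def fake_fetch(url: str) -> dict:
    """Offline stand-in for https_fetch that serves the constructed pages."""
    return SAMPLE_PAGES[url]


def synced_upns(group_id: str = GROUP_ID, fetch: Callable[[str], dict] = fake_fetch) -> list[str]:
    """UPNs of the users a sync run would process for the group, in enumeration order."""
    return [u["userPrincipalName"] for u in iter_group_users(group_id, fetch)]


if __name__ == "__main__":
    print(synced_upns())
```

Two things the routine does that a naive `members` call would not: `transitiveMembers` makes AzureAD resolve the nested subgroups, so the sync does not have to recurse and risk missing a level, and following `@odata.nextLink` until it is absent avoids silently syncing only the first page of a large group. To run it against a real tenant, pass `https_fetch(token)` instead of `fake_fetch`.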

Which BenePortal fields can be mapped?

The following BenePortal fields are mandatory:

  • UserEmail

  • FirstName

  • LastName

  • ContractName

  • BillingContractName

  • CostCenter

The following BenePortal fields are optional:

  • AltEmail (Alternative email to send password recovery emails etc.)

  • UserCountry

  • UserRegion (TZ format, e.g. Europe/Helsinki)

  • UserLanguage (RFC 1766 format, e.g. fi-FI, en-GB)

  • ExtAuthUserName

  • ExtAuthDomain

...
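The mandatory/optional field lists above say what a mapped record must contain, but not how a sync should behave when AzureAD data does not fill it. The following added example (not SyncModule code) maps one GraphAPI user object onto the BenePortal fields and validates the result before it would be written, rejecting records that lack a mandatory field or carry a malformed UserRegion or UserLanguage. Which GraphAPI property feeds each BenePortal field is an assumption of the example (real deployments define the mappings per customer); `ContractName`, `BillingContractName`, the default region and the default language are treated as per-tenant configuration, and the tenant values and sample users are constructed.

```python
"""Added example (not SyncModule code): map one GraphAPI user object onto the
BenePortal fields and validate it before it is accepted into the sync.  Which Graph
property feeds each BenePortal field is assumed here; the tenant defaults and the
sample users are constructed."""
import re
from dataclasses import dataclass, field

MANDATORY = ["UserEmail", "FirstName", "LastName", "ContractName", "BillingContractName", "CostCenter"]
OPTIONAL = ["AltEmail", "UserCountry", "UserRegion", "UserLanguage", "ExtAuthUserName", "ExtAuthDomain"]

# Shape checks for the two formats the page names.  UserRegion is a TZ database name
# ("Area/Location"), UserLanguage an RFC 1766 tag in the "fi-FI" / "en-GB" form.  These
# are syntax checks only; they do not prove that the zone or language exists.
TZ_NAME = re.compile(r"^[A-Z][A-Za-z]+(/[A-Za-z0-9_+\-]+)+$")
LANG_TAG = re.compile(r"^[a-z]{2,3}(-[A-Za-z]{2,8})*$")


@dataclass
class TenantConfig:
    """Per-customer sync settings (assumed shape, values constructed)."""
    contract_name: str
    billing_contract_name: str
    default_region: str = "Europe/Helsinki"   # Graph has no time-zone property; tenant default
    default_language: str = "fi-FI"
    # BenePortal field -> GraphAPI property.  Assumed mapping for this example.
    mapping: dict = field(default_factory=lambda: {
        "UserEmail": "mail",
        "FirstName": "givenName",
        "LastName": "surname",
        "CostCenter": "department",
        "UserCountry": "country",
        "UserLanguage": "preferredLanguage",
        "ExtAuthUserName": "userPrincipalName",
    })


def map_user(graph_user: dict, cfg: TenantConfig) -> tuple[dict, list[str]]:
    """Return (BenePortal record, list of validation errors).  A record with errors
    must not be written; the caller puts it in the sync report instead."""
    rec = {}
    for bp_field, prop in cfg.mapping.items():
        val = graph_user.get(prop)
        if isinstance(val, str):
            val = val.strip()
        if val:                      # None and "" both count as "not provided"
            rec[bp_field] = val
    # Tenant-level values and derived fields.
    rec["ContractName"] = cfg.contract_name
    rec["BillingContractName"] = cfg.billing_contract_name
    rec.setdefault("UserRegion", cfg.default_region)
    rec.setdefault("UserLanguage", cfg.default_language)
    other = graph_user.get("otherMails") or []
    if other:
        rec["AltEmail"] = other[0]   # assumed source for the recovery address
    if "ExtAuthUserName" in rec and "@" in rec["ExtAuthUserName"]:
        rec["ExtAuthDomain"] = rec["ExtAuthUserName"].rsplit("@", 1)[1]

    errors = [f"missing mandatory field {f}" for f in MANDATORY if not rec.get(f)]
    if not TZ_NAME.match(rec["UserRegion"]):
        errors.append(f"UserRegion {rec['UserRegion']!r} is not a TZ name")
    if not LANG_TAG.match(rec["UserLanguage"]):
        errors.append(f"UserLanguage {rec['UserLanguage']!r} is not an RFC 1766 tag")
    if "UserEmail" in rec and "@" not in rec["UserEmail"]:
        errors.append("UserEmail is not an address")
    unknown = set(rec) - set(MANDATORY) - set(OPTIONAL)
    if unknown:
        errors.append(f"unmapped BenePortal fields: {sorted(unknown)}")
    return rec, errors


CFG = TenantConfig(contract_name="ACME-MAIN", billing_contract_name="ACME-BILL")  # constructed

# Constructed Graph user objects: one complete, one with the gaps a real tenant produces.
GOOD_USER = {"userPrincipalName": "anna.virtanen@example.com", "mail": "anna.virtanen@example.com",
             "givenName": "Anna", "surname": "Virtanen", "department": "CC-1001",
             "country": "Finland", "preferredLanguage": "fi-FI",
             "otherMails": ["anna.private@example.net"]}
BAD_USER = {"userPrincipalName": "svc-printer@example.com", "mail": None,
            "givenName": "Printer", "surname": "", "department": None,
            "preferredLanguage": "finnish"}

if __name__ == "__main__":
    for u in (GOOD_USER, BAD_USER):
        record, problems = map_user(u, CFG)
        print(u["userPrincipalName"], problems or record)
```

The point of the error list, rather than a boolean, is the sync report: a mail-less service account or a user whose `preferredLanguage` is free text should end up as a line in the report, not as a half-populated BenePortal user or a silently skipped one.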

How is user removal done?

A user removal happens if the user is removed from the AzureAD group defined to be synced to BenePortal, or if the user is deleted from AzureAD.

There are two options for user removals:

  • Inform only (default)

  • Automatic termination

By default, removed users are only listed in the user sync report and the actual removal must be done manually. The report is sent by email to the defined email addresses.

If automatic termination is used, the user and the user's services are terminated immediately. This option should be used only if there are no number porting needs or other similar cases that require a more controlled termination.

...
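The removal rules above can be written down as a small decision routine. This is an added example, not SyncModule code: it takes the set of users BenePortal synced last time and the set the group returns now, treats anyone who has disappeared as removed (leaving the group and being deleted from AzureAD look the same from the sync's side), and applies either of the two policies the page names. The removal-ratio guard is an added safeguard that the page does not describe: with automatic termination, a deleted group, a revoked GraphAPI permission or an empty response would otherwise terminate every synced user and their services in a single scheduled run. The user sets are constructed.

```python
"""Added example (not SyncModule code): decide what to do with users that have
disappeared from the synced AzureAD group, under the two removal policies the page
describes.  The sample user sets are constructed; the removal-ratio guard is an added
safeguard, not something the page describes."""
from dataclasses import dataclass, field
from enum import Enum


class RemovalPolicy(Enum):
    INFORM_ONLY = "inform_only"          # default: report, remove manually
    AUTO_TERMINATE = "auto_terminate"    # terminate user and services immediately


@dataclass
class RemovalPlan:
    to_terminate: list[str] = field(default_factory=list)
    to_report: list[str] = field(default_factory=list)
    warnings: list[str] = field(default_factory=list)


def plan_removals(previously_synced: set[str], group_users: set[str],
                  policy: RemovalPolicy = RemovalPolicy.INFORM_ONLY,
                  max_removal_ratio: float = 0.2) -> RemovalPlan:
    """A user counts as removed when it was synced last time and is no longer returned
    as a group member (left the group, or deleted from AzureAD: both look the same to
    the sync).  Under AUTO_TERMINATE the plan terminates them, unless the share of
    removed users exceeds max_removal_ratio, in which case the run degrades to
    inform-only (added safeguard): a deleted group, a lost Graph permission or an
    empty response would otherwise terminate every synced user in one run."""
    plan = RemovalPlan()
    removed = sorted(previously_synced - group_users)
    if not removed:
        return plan
    ratio = len(removed) / max(len(previously_synced), 1)
    if policy is RemovalPolicy.AUTO_TERMINATE and ratio > max_removal_ratio:
        plan.warnings.append(
            f"{len(removed)}/{len(previously_synced)} users removed ({ratio:.0%}) exceeds "
            f"{max_removal_ratio:.0%}; automatic termination suspended for this run")
        policy = RemovalPolicy.INFORM_ONLY
    if policy is RemovalPolicy.AUTO_TERMINATE:
        plan.to_terminate = removed
    plan.to_report = removed             # every removal goes into the report
    return plan


def report_text(plan: RemovalPlan) -> str:
    """Body of the sync report email sent to the configured addresses."""
    lines = [f"WARNING: {w}" for w in plan.warnings]
    for upn in plan.to_report:
        action = "terminated" if upn in plan.to_terminate else "manual removal required"
        lines.append(f"{upn}: {action}")
    return "\n".join(lines) if lines else "No users removed."


# Constructed state: what BenePortal holds from the last run vs. today's group members.
PREVIOUS = {"anna.virtanen@example.com", "matti.meikalainen@example.com",
            "liisa.korhonen@example.com", "pekka.nieminen@example.com",
            "sari.lahtinen@example.com"}
TODAY = PREVIOUS - {"pekka.nieminen@example.com"}   # one user left the group

if __name__ == "__main__":
    print(report_text(plan_removals(PREVIOUS, TODAY)))
    print(report_text(plan_removals(PREVIOUS, TODAY, RemovalPolicy.AUTO_TERMINATE)))
    print(report_text(plan_removals(PREVIOUS, set(), RemovalPolicy.AUTO_TERMINATE)))
```

The third call in the usage block is the failure mode worth rehearsing before enabling automatic termination: the group comes back empty, and instead of terminating all five users the run reports them for manual handling and flags why.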