
General

What different sync options are there?

There are three different syncs:

  • User Sync (BenePortal)

  • Directory sync of existing users

  • Directory sync of directory entries

User Sync is used for managing users in BenePortal.

Directory sync of existing users is used for keeping the directory information of users up to date. A user is someone who has Benemen services.

Directory sync of directory entries is used for creating, updating and removing directory entries in the Benemen directory. A directory entry is just an object in the Benemen directory and does not have any Benemen services.

What is needed to configure AzureAD syncs?

For all Syncs:

  • An app registration must be added to the customer's AzureAD tenant.

For User sync the following must be defined:

  • AzureAD group of which members will be synced

  • Attribute mappings

  • Removal policy

  • Email address for sync reports

For directory sync of existing users:

  • Attribute mappings

For directory sync of directory entries:

  • AzureAD group of which members will be synced as directory entries

  • Attribute mappings

Is it possible to use extension attributes as a source?

Any attribute found in AzureAD can be used as a source attribute. However, not all attributes are synced from on-premises AD to AzureAD by default. Follow these instructions to sync extension attributes from on-prem AD to AzureAD: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-feature-directory-extensions

The attributes are prefixed with extension_{ApplicationId}_, where {ApplicationId} is the application ID of the Tenant Schema Extension App in AzureAD, written without dashes.

For example, to retrieve values from extensionAttribute11 when the AppID is 9d98ed114c4840d298fad781915f27e4, the mapping value will be extension_9d98ed114c4840d298fad781915f27e4_extensionAttribute11.

ApplicationId has the same value for all extension attributes in an AzureAD tenant.
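The following is an added example (not code from this page or from the Benemen sync module) showing how a mapping value for an extension attribute is built and then read back from the user object Microsoft Graph returns. The function names, the sample user object and the phone number in it are constructed for illustration; the AppID is the one used in the example above. It also handles the case the example glosses over: an application ID copied from the portal with dashes, which must be stripped before it can appear in the attribute name.

```python
import re

HEX32 = re.compile(r"[0-9a-f]{32}")
ATTR = re.compile(r"[A-Za-z][A-Za-z0-9]*")
EXTENSION_NAME = re.compile(r"^extension_([0-9a-f]{32})_([A-Za-z][A-Za-z0-9]*)$")

# Constructed Graph user object (not from the page). Graph returns directory
# extension attributes as top-level properties next to the built-in ones,
# so a mapping value can be used directly as the key.
SAMPLE_USER = {
    "id": "00000000-0000-0000-0000-000000000001",
    "userPrincipalName": "alice@example.com",
    "department": "Sales",
    "extension_9d98ed114c4840d298fad781915f27e4_extensionAttribute11": "+358401234567",
}


def normalize_app_id(app_id):
    """Return the 32-hex-digit form used in attribute names, or None if invalid.

    Dashes are removed and the hex is lowercased, matching the form of the
    example AppID on this page.
    """
    clean = app_id.strip().replace("-", "").lower()
    return clean if HEX32.fullmatch(clean) else None


def extension_attribute_name(app_id, attribute):
    """Build a mapping value: extension_{ApplicationId}_{attribute}.

    The same ApplicationId (the Tenant Schema Extension App) serves every
    extension attribute in the tenant, so only the attribute part varies.
    """
    clean = normalize_app_id(app_id)
    if clean is None:
        raise ValueError(f"not an application ID: {app_id!r}")
    if not ATTR.fullmatch(attribute):
        raise ValueError(f"not a valid attribute name: {attribute!r}")
    return f"extension_{clean}_{attribute}"


def parse_extension_attribute_name(name):
    """Split a mapping value into (ApplicationId, attribute); None for plain attributes."""
    m = EXTENSION_NAME.match(name)
    return (m.group(1), m.group(2)) if m else None


def resolve_source_attribute(user, mapping_value):
    """Read a mapping's source attribute from a Graph user object.

    Plain and extension attributes are both top-level keys, so one lookup
    serves both. An attribute that was never synced from on-prem AD is simply
    absent from the object; returning None lets the caller report the gap
    instead of aborting the whole sync run.
    """
    return user.get(mapping_value)
```

A quick sanity check before enabling a mapping is to request the user with `$select=` set to the full `extension_..._` name and confirm the property comes back; if it is missing for every user, the on-prem attribute has not been added to the Azure AD Connect directory extension list.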

User Sync (From AzureAD → BenePortal)

How are the users to be synced defined in UserSync?

Users to be synced to BenePortal are defined by membership of a specified group in AzureAD. All users belonging to the group or any of its nested subgroups will be included in the sync.
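As an added example (not the sync module's own code), the following resolves "the group or any of its nested subgroups" over an in-memory directory shaped like the objects Microsoft Graph returns from GET /groups/{id}/members, where "@odata.type" tells users and groups apart. The directory contents, object IDs and UPNs are constructed. It covers two cases worth checking in a real tenant: a subgroup nested back into its ancestor (which must not loop forever) and a user reachable through several groups (who must be synced once).

```python
from collections import deque

# Constructed sample directory (not from the page). Keys are objectIds; groups
# carry a "members" list of objectIds as /groups/{id}/members would return.
SAMPLE_DIRECTORY = {
    "g-sync": {"@odata.type": "#microsoft.graph.group", "displayName": "BenePortal-Sync",
               "members": ["u-alice", "g-sales", "d-laptop"]},
    "g-sales": {"@odata.type": "#microsoft.graph.group", "displayName": "Sales",
                "members": ["u-bob", "g-sales-north", "u-alice"]},
    "g-sales-north": {"@odata.type": "#microsoft.graph.group", "displayName": "Sales North",
                      "members": ["u-carol", "g-sync"]},  # nested back into the root: a cycle
    "u-alice": {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "alice@example.com"},
    "u-bob": {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "bob@example.com"},
    "u-carol": {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "carol@example.com"},
    "u-dave": {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "dave@example.com"},
    "d-laptop": {"@odata.type": "#microsoft.graph.device", "displayName": "LAPTOP-01"},
}


def transitive_users(directory, root_group_id):
    """Return {objectId: userPrincipalName} for every user in the group or any nested subgroup.

    Breadth-first walk over group membership. Visited groups are tracked so a
    subgroup nested back into an ancestor does not loop, and users are keyed
    by objectId so one reachable through several paths appears once.
    Members that are neither users nor groups (devices, service principals)
    are skipped: only users get BenePortal accounts.
    """
    users = {}
    visited = set()
    queue = deque([root_group_id])
    while queue:
        group_id = queue.popleft()
        if group_id in visited:
            continue
        visited.add(group_id)
        for member_id in directory[group_id]["members"]:
            member = directory[member_id]
            kind = member["@odata.type"]
            if kind == "#microsoft.graph.group":
                queue.append(member_id)
            elif kind == "#microsoft.graph.user":
                users[member_id] = member["userPrincipalName"]
    return users


def sync_scope(directory, root_group_id):
    """Sorted UPNs in scope, i.e. the set the sync reconciles against BenePortal."""
    return sorted(transitive_users(directory, root_group_id).values())
```

Against a live tenant the same result can be obtained server-side from GET /groups/{id}/transitiveMembers, which already flattens nesting; the walk above is useful for reasoning about which accounts a given group choice pulls into scope before the sync is enabled, since every member of every nested group will receive Benemen services.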

There are already existing users configured; how does the UserSync module deal with them?

When the SyncModule runs the sync, it gets all users from three sources: the local database, BenePortal and AzureAD. If there are users that are found both in BenePortal and in AzureAD (the username in BenePortal matches the UPN in Azure), they are added to the local database and updated in BenePortal if needed. Such a user is now included in the sync, and future changes will be handled in the same way as for users created by the SyncModule.

If there are users in BenePortal that are not found in AzureAD, they are left as is.

How is user removal done?

There are two options for user removal. By default a removed user is only added to the user sync report and the actual removal must be done manually. There is an option for automatic removals; in this case the user and the user's services are terminated immediately.

How are username changes handled?

In Benemen systems the email address is used as the username, and changing it requires manual work by Benemen support.

The sync module keeps a local database of synced user objects, with the AzureAD objectId as the primary key. If the user's email/UPN is changed in Azure, this is reported in the sync report for manual change.
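The three answers above (existing users, removals, username changes) describe one reconciliation pass over the three sources. The following is an added example of that logic, written here for illustration; it is not the SyncModule's code, and the data classes, function names, sample users and the case-insensitive UPN comparison are assumptions. It shows why the local database is keyed by objectId: that key is what lets a UPN change be recognised as the same person rather than as one removal plus one new user.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AzureUser:
    """A member of the sync group as returned by AzureAD."""
    object_id: str
    upn: str
    display_name: str


@dataclass
class LocalRecord:
    """Row in the sync module's local database; objectId is the primary key."""
    object_id: str
    upn: str
    display_name: str


# Constructed sample data (not from the page).
SAMPLE_AZURE = [
    AzureUser("11111111-0000-0000-0000-000000000001", "alice@example.com", "Alice Example"),
    AzureUser("11111111-0000-0000-0000-000000000002", "bob@example.com", "Bob Example"),
    AzureUser("11111111-0000-0000-0000-000000000003", "carol.new@example.com", "Carol Example"),
]
SAMPLE_PORTAL = {"alice@example.com", "dave@example.com"}  # already in BenePortal


def sample_local_db():
    """Local DB before the run: carol was synced under her old UPN, erin left the group."""
    return {
        "11111111-0000-0000-0000-000000000003":
            LocalRecord("11111111-0000-0000-0000-000000000003", "carol@example.com", "Carol Example"),
        "11111111-0000-0000-0000-000000000004":
            LocalRecord("11111111-0000-0000-0000-000000000004", "erin@example.com", "Erin Example"),
    }


def reconcile(azure_users, portal_usernames, local_db, auto_remove=False):
    """Decide what one sync run should do, given the three sources.

    azure_users:      members of the configured AzureAD group
    portal_usernames: usernames (email addresses) already in BenePortal
    local_db:         dict objectId -> LocalRecord, updated in place
    auto_remove:      False = report removals only (default); True = terminate

    Returns action lists that a caller would turn into BenePortal API calls and
    the sync report. BenePortal and AzureAD are matched by username == UPN; the
    case-insensitive comparison is an assumption of this example.
    """
    actions = {"create": [], "adopt": [], "update": [], "unchanged": [],
               "upn_changed": [], "removed": [], "terminated": []}
    portal = {name.lower() for name in portal_usernames}
    seen = set()

    for user in azure_users:
        seen.add(user.object_id)
        record = local_db.get(user.object_id)
        if record is None:
            # First time this objectId is seen: adopt an existing BenePortal
            # account if the username already exists, otherwise create one.
            kind = "adopt" if user.upn.lower() in portal else "create"
            actions[kind].append(user.upn)
            local_db[user.object_id] = LocalRecord(user.object_id, user.upn, user.display_name)
        elif record.upn.lower() != user.upn.lower():
            # Same objectId, different UPN: the username change needs Benemen
            # support, so report it and keep the old username locally.
            actions["upn_changed"].append((record.upn, user.upn))
        elif record.display_name != user.display_name:
            record.display_name = user.display_name
            actions["update"].append(user.upn)
        else:
            actions["unchanged"].append(user.upn)

    # Synced users no longer in the group (or deleted in AzureAD).
    for object_id in sorted(set(local_db) - seen):
        record = local_db[object_id]
        if auto_remove:
            del local_db[object_id]
            actions["terminated"].append(record.upn)
        else:
            # Keep the record so the user is reported on every run until
            # someone removes them manually.
            actions["removed"].append(record.upn)

    # BenePortal users unknown to both AzureAD and the local DB (dave in the
    # sample) are left as is: no action is produced for them.
    return actions
```

Before switching on automatic removals it is worth running with the default policy for a while and reading the "removed" entries in the report: with auto_remove=True the same list would have been terminated immediately, and a group membership mistake in AzureAD becomes a service outage for those users.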
