Version 9 (old version of this page; see page history for the current version)

General

 What different sync options are there?

There are three different syncs:

  • User Sync (BenePortal)

  • Directory sync of existing users

  • Directory sync of directory entries

User Sync is used for managing users in BenePortal.

Directory sync of existing users is used for keeping the directory information of users up to date. A user is someone who has Benemen services.

Directory sync of directory entries is used for creating, updating and removing directory entries in the Benemen directory. A directory entry is just an object in the Benemen directory and has no Benemen services.

 How do AzureAD syncs work?

SyncModule reads AzureAD data via the Microsoft Graph API over an HTTPS connection.

 Which attribute names are used when reading from AzureAD

As SyncModule uses the Graph API to read AzureAD data, mappings must be done using the property names of the Graph API user resource type. See the Graph API documentation for the full list: https://docs.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0#properties

Note that the naming of some attributes/properties differs between on-premises AD and AzureAD, and again between AzureAD and the Graph API. Some common examples:

On-Prem AD attribute (LDAP)      AzureAD attribute              GraphAPI property
telephoneNumber                  TelephoneNumber                businessPhones
mobile                           Mobile                         mobilePhone
sn                               Surname                        surname
physicalDeliveryOfficeName       PhysicalDeliveryOfficeName     officeLocation

 What is needed to configure AzureAD syncs?

For all Syncs:

  • An app registration must be added to the customer's AzureAD tenant. This is the identity SyncModule authenticates with when reading users and groups via the Graph API.

For User Sync, the following must be defined:

  • AzureAD group of which members will be synced

  • Attribute mappings

  • Removal policy

  • Email address for sync reports

Directory sync of existing users:

  • Attribute mappings

Directory sync of directory entries:

  • AzureAD group whose members will be synced as directory entries

  • Attribute mappings

 Is it possible to use extension attributes as a source?

Any attribute present in AzureAD can be used as a source attribute. However, not all on-premises AD attributes are synced to AzureAD by default. Follow these instructions to sync extension attributes from on-prem AD to AzureAD: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-feature-directory-extensions

In the Graph API the attributes are prefixed with extension_{ApplicationId}_, where {ApplicationId} is the id of the Tenant Schema Extension App in AzureAD, written without hyphens.

For example, to retrieve values from extensionAttribute11 when the AppID is 9d98ed114c4840d298fad781915f27e4, the mapping value is extension_9d98ed114c4840d298fad781915f27e4_extensionAttribute11.

The ApplicationId has the same value for all extension attributes in an AzureAD tenant.
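The following is an added example, not SyncModule code, showing how the attribute naming above and the extension attribute naming fit together in an actual Graph query: it builds the property name of a directory extension, builds the $select list a mapping needs, reads the members of the sync group (nested subgroups included via transitiveMembers) and applies the mapping to one user. The mapping, the application id (the page's example id, written here with hyphens to show they are stripped), the group id and the Graph user JSON are all constructed for the example. Two practitioner caveats it encodes: businessPhones is a collection in Graph, so on-prem telephoneNumber becomes its first element, and directory extensions are returned only when they are listed in $select.

```python
"""Build the Graph query for an attribute mapping and apply it to one user.

Added example, not SyncModule code. Assumed: a mapping from target field
names to Graph property names (the page's mapping values), a constructed
Tenant Schema Extension application id, and a constructed group object id.
The Graph user JSON below is constructed, not a real Graph response.
"""
GRAPH = "https://graph.microsoft.com/v1.0"


def extension_property(app_id: str, attr: str) -> str:
    """Graph property name of a directory extension synced by Azure AD Connect:
    extension_{appId}_{attr}, with the hyphens removed from the application id."""
    return f"extension_{app_id.replace('-', '')}_{attr}"


def select_clause(mapping: dict) -> str:
    """Every mapped property must be in $select. id and userPrincipalName are
    always needed for matching; directory extensions are returned only when
    selected explicitly, so leaving one out yields a silent None."""
    props = {"id", "userPrincipalName"} | set(mapping.values())
    return ",".join(sorted(props))


def group_members_url(group_id: str, mapping: dict) -> str:
    """Transitive members of the group cast to users: nested subgroups are
    flattened server-side and group objects are excluded from the result."""
    return (f"{GRAPH}/groups/{group_id}/transitiveMembers/microsoft.graph.user"
            f"?$select={select_clause(mapping)}")


def flatten(graph_user: dict, mapping: dict) -> dict:
    """Apply the mapping to one Graph user. businessPhones (on-prem
    telephoneNumber) is a collection in Graph, so its first value is taken;
    absent or null properties become None."""
    out = {}
    for field, prop in mapping.items():
        value = graph_user.get(prop)
        if isinstance(value, list):
            value = value[0] if value else None
        out[field] = value
    return out


# Constructed configuration: the page's example application id, hyphenated
# here so that extension_property() visibly strips the hyphens.
APP_ID = "9d98ed11-4c48-40d2-98fa-d781915f27e4"
MAPPING = {
    "WorkNumber": "businessPhones",
    "MobileNumber": "mobilePhone",
    "LastName": "surname",
    "Location": "officeLocation",
    "CostCenter": extension_property(APP_ID, "extensionAttribute11"),
}

# Constructed Graph response item (one element of the "value" array).
SAMPLE_USER = {
    "id": "11111111-2222-3333-4444-555555555555",
    "userPrincipalName": "anna.virtanen@example.com",
    "businessPhones": ["+358 9 1234567", "+358 9 7654321"],
    "mobilePhone": "+358 40 1234567",
    "surname": "Virtanen",
    "officeLocation": None,
    "extension_9d98ed114c4840d298fad781915f27e4_extensionAttribute11": "CC-1001",
}

if __name__ == "__main__":
    print(group_members_url("00000000-0000-0000-0000-000000000001", MAPPING))
    print(flatten(SAMPLE_USER, MAPPING))
```

The request itself would be sent with an access token obtained for the app registration; that part is left out so the example runs offline. Note that the URL uses the group's object id, not its display name.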

User Sync (From AzureAD → BenePortal)

 How are the users to be synced defined in User Sync?

The users to be synced to BenePortal are defined by membership of a specified group in AzureAD. All users belonging to the group or to any of its nested subgroups are included in the sync.

 Which BenePortal fields can be mapped

The following BenePortal fields are mandatory:

  • UserEmail

  • FirstName

  • LastName

  • ContractName

  • BillingContractName

  • CostCenter

The following BenePortal fields are optional:

  • AltEmail (Alternative email to send password recovery emails etc.)

  • UserCountry

  • UserRegion (tz database format, e.g. Europe/Helsinki)

  • UserLanguage (RFC 1766 format, e.g. fi-FI, en-GB)

  • ExtAuthUserName

  • ExtAuthDomain

 Can there be constant values or should all fields be mapped to AzureAD attributes?

BenePortal fields can have a constant value, an attribute mapping or both.

If a constant value is set but no attribute mapping, the constant value is always used for all users.

If there are both a constant value and a mapping, the value is first taken from the mapped attribute. If the attribute is not set for a user, the constant value is used.
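As an added example (not SyncModule code), the resolution rule above and the mandatory field list, applied to constructed Graph users. The configuration shape ({field: {"attr": ..., "const": ...}}) is my own assumption for illustration, not the product's format; the field names are the page's. The check at the end refuses a user for whom a mandatory field is still empty after both the attribute and the constant have been tried, which is the failure mode a sync job should surface in its report rather than creating a half-populated account.

```python
"""Resolve BenePortal field values from constants and attribute mappings.

Added example, not SyncModule code. Assumed configuration shape (my own,
not the product's): {field: {"attr": graph property or None,
                              "const": constant or None}}.
Field names are the page's; all sample users and values are constructed.
"""
from typing import Optional

MANDATORY = ("UserEmail", "FirstName", "LastName",
             "ContractName", "BillingContractName", "CostCenter")


class MissingMandatoryField(ValueError):
    """Raised when a mandatory field resolves to nothing for a user."""


def resolve_field(graph_user: dict, attr: Optional[str], const: Optional[str]) -> Optional[str]:
    """Page rule: try the mapped attribute first; if it is not set for the
    user (absent, null or empty), use the constant; a constant without a
    mapping applies to every user."""
    if attr:
        value = graph_user.get(attr)
        if isinstance(value, list):          # collection property: first value
            value = value[0] if value else None
        if value not in (None, ""):
            return value
    return const


def resolve_user(graph_user: dict, config: dict) -> dict:
    """Resolve every configured field and refuse the user if a mandatory
    field is still empty, so a half-populated account is never created."""
    resolved = {f: resolve_field(graph_user, c.get("attr"), c.get("const"))
                for f, c in config.items()}
    missing = [f for f in MANDATORY if resolved.get(f) in (None, "")]
    if missing:
        raise MissingMandatoryField(
            f"{graph_user.get('userPrincipalName')}: missing {missing}")
    return resolved


# Constructed sync-job configuration for one country.
CONFIG = {
    "UserEmail": {"attr": "userPrincipalName"},
    "FirstName": {"attr": "givenName"},
    "LastName": {"attr": "surname"},
    "ContractName": {"const": "Example Oy"},                      # constant only
    "BillingContractName": {"const": "Example Oy billing"},
    "CostCenter": {"attr": "department", "const": "UNASSIGNED"},  # both
    "UserRegion": {"const": "Europe/Helsinki"},
    "UserLanguage": {"attr": "preferredLanguage", "const": "fi-FI"},
}

# Constructed Graph users.
WITH_DEPARTMENT = {"userPrincipalName": "anna.virtanen@example.com",
                   "givenName": "Anna", "surname": "Virtanen",
                   "department": "Sales", "preferredLanguage": "en-GB"}
NO_DEPARTMENT = {"userPrincipalName": "ville.korhonen@example.com",
                 "givenName": "Ville", "surname": "Korhonen",
                 "department": None, "preferredLanguage": None}
NO_GIVEN_NAME = {"userPrincipalName": "svc.account@example.com",
                 "surname": "Account", "department": "IT"}

if __name__ == "__main__":
    for u in (WITH_DEPARTMENT, NO_DEPARTMENT, NO_GIVEN_NAME):
        try:
            print(resolve_user(u, CONFIG))
        except MissingMandatoryField as e:
            print("skipped:", e)
```

The third constructed user (no givenName and no constant for FirstName) is the case to watch for with service or shared accounts that end up in the sync group.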

 Can there be multiple sync configurations?

If different groups of users need different configurations, multiple sync jobs can be configured.

For example, if there are users in two countries and some values must be set in BenePortal that are not available as AzureAD attributes, two sync jobs with different configurations can be set up.

There must be a separate AzureAD group for each user sync job, and a user to be synced must be a member of only one of these groups!

 There are already existing users configured; how does user sync deal with them?

User sync gets all users from three sources:

  • Local database (Sync-job specific)

  • BenePortal

  • AzureAD

If a user is found both in BenePortal and in AzureAD (the username in BenePortal matches the UPN in AzureAD), the user is added to the local database and updated in BenePortal if needed. The user is now included in the sync, and future changes are handled in the same way as for users created by SyncModule.

If there are users in BenePortal that are not found in AzureAD (the username in BenePortal does not match any user received from AzureAD), they are left as is.

 How is user removal done?

User removal happens, if a user is removed from the AzureAD group defined to be synced to BenePortal or the user is deleted from AzureAD.

There are two options for user removals:

  • Inform only (default)

  • Automatic termination

By default, removed users are only added to the user sync report and the actual removal must be done manually. The report is sent by email to the defined addresses.

If automatic termination is used, the user and the user's services are terminated immediately. Use this option only when there is no need for number porting or other similar cases that require a more controlled termination.

 How are username changes handled?

In Benemen systems the email address is used as the username, and changing it requires manual work by Benemen support.

SyncModule keeps a local database of synced user objects, with the AzureAD objectId as the primary key. If a user's email/UPN is changed in AzureAD, the object is still matched by objectId, and the change is reported in the sync report for manual handling.
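The three questions above (existing users, removals, username changes) describe one reconciliation pass over the three sources. As an added example that is not SyncModule code, here is that pass written out: users are matched to BenePortal by username == UPN, removals are detected as objectIds that were in the local database but are no longer in the group, the removal policy decides between a report line and termination, and a changed UPN on a known objectId is reported instead of applied. The data shapes (local database as a dict keyed by objectId, BenePortal as a list of usernames, AzureAD as Graph user dicts) and all sample users are my own constructions. Whether an informed-only removal stays in the local database is not stated on the page; the example keeps it so that it is reported on every run until handled, and marks that as an assumption.

```python
"""Reconcile one user sync job's three sources and produce the sync report.

Added example, not SyncModule code. Assumed data shapes (my own): the local
database is a dict keyed by AzureAD objectId holding the username (UPN)
recorded at the last run, BenePortal is an iterable of existing usernames,
and the AzureAD source is the list of Graph users read from the sync group.
All sample data is constructed. Removal policy values are the page's two options.
"""
from dataclasses import dataclass, field

INFORM_ONLY = "inform only"                    # page default
AUTOMATIC_TERMINATION = "automatic termination"


@dataclass
class SyncPlan:
    create: list = field(default_factory=list)     # new in the Azure group
    update: list = field(default_factory=list)     # in Azure and BenePortal: adopt and update
    untouched: list = field(default_factory=list)  # BenePortal only: left as is
    terminate: list = field(default_factory=list)  # removed, automatic termination
    report: list = field(default_factory=list)     # lines for the sync report e-mail
    local_db: dict = field(default_factory=dict)   # state to persist for the next run


def reconcile(local_db: dict, portal_users, azure_users: list,
              policy: str = INFORM_ONLY) -> SyncPlan:
    plan = SyncPlan()
    portal = {u.lower() for u in portal_users}
    azure_ids = {u["id"] for u in azure_users}

    for u in azure_users:
        oid, upn = u["id"], u["userPrincipalName"].lower()
        previous = local_db.get(oid)
        if previous is not None and previous != upn:
            # Same objectId, different UPN: the username is the login name in
            # Benemen systems and is changed manually, so keep the old one.
            plan.report.append(f"username change needs manual handling: {previous} -> {upn}")
            plan.local_db[oid] = previous
            plan.update.append(previous)
            continue
        plan.local_db[oid] = upn
        if upn in portal:
            plan.update.append(upn)       # matched: BenePortal username == UPN
        else:
            plan.create.append(upn)

    for oid, upn in local_db.items():
        if oid in azure_ids:
            continue                      # still in the group, handled above
        # Removed from the group, or deleted in AzureAD.
        if policy == AUTOMATIC_TERMINATION:
            plan.terminate.append(upn)
            plan.report.append(f"terminated: {upn}")
        else:
            plan.local_db[oid] = upn      # assumption: keep reporting until removed manually
            plan.report.append(f"removal needed, manual: {upn}")

    synced = set(plan.local_db.values()) | set(plan.terminate)
    plan.untouched = sorted(u for u in portal if u not in synced)
    return plan


# Constructed sources.
LOCAL_DB = {"oid-1": "anna.virtanen@example.com",   # synced earlier, unchanged
            "oid-2": "old.name@example.com",        # UPN renamed in Azure since
            "oid-3": "left@example.com"}            # no longer in the group
PORTAL_USERS = ["anna.virtanen@example.com", "old.name@example.com",
                "left@example.com", "existing@example.com", "legacy@example.com"]
AZURE_USERS = [
    {"id": "oid-1", "userPrincipalName": "anna.virtanen@example.com"},
    {"id": "oid-2", "userPrincipalName": "New.Name@example.com"},
    {"id": "oid-4", "userPrincipalName": "Existing@example.com"},  # in portal, not yet in db
    {"id": "oid-5", "userPrincipalName": "newhire@example.com"},
]

if __name__ == "__main__":
    for policy in (INFORM_ONLY, AUTOMATIC_TERMINATION):
        print(policy, reconcile(LOCAL_DB, PORTAL_USERS, AZURE_USERS, policy))
```

Usernames are compared case-insensitively because UPN case is not stable across AzureAD edits; whatever SyncModule actually does there is not documented on this page.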

 Is it possible to bring user role information via the AzureAD integration?

No. Only basic user information can be synced. User roles and phone roles must be managed in Benemen Portal.

Directory sync of existing users

 How are the users to be synced defined in directory sync of existing users?

The sync is performed for all users in the Benemen directory. For each user, SyncModule tries to find the corresponding AzureAD user by ExternalId (hidden from the directory) and by email address. The Benemen email can be mapped to either UserPrincipalName or EmailAddress in AzureAD.

If the corresponding user is found in AzureAD, the directory information of the Benemen user is updated from AzureAD.

 Which directory fields can be synced?

The following directory fields are managed by BenePortal and cannot be updated directly by this sync:

  • EmailAddress

  • FirstName

  • LastName

  • WorkNumber

  • MobileNumber

All other fields can be mapped to be synced from AzureAD:

  • Title

  • Description

  • OtherNumber

  • Company

  • Location

  • Department

  • Group

  • Team

  • Superior (see “How Manager->Supervisor mapping works?”)

  • Substitute

  • Address

  • PostalCode

  • City

  • Country

  • PhoneticName

 How does Manager->Supervisor mapping work?

All fields in the Benemen directory are plain text, whereas the Manager attribute in AzureAD is a link to another AzureAD user. If the Supervisor field is mapped to the Manager attribute, the DisplayName of the user set as manager is written to the Supervisor field.
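As an added example (not SyncModule code), the matching rule from "How are the users to be synced defined in directory sync of existing users?" and the Manager->Supervisor rule above, in one pass: the Benemen user is matched by ExternalId first and by email second, the fields managed by BenePortal are skipped even if someone maps them, and a Superior mapped to manager is filled from the manager's displayName. Because manager is a link rather than a string, the Graph request needs $expand=manager($select=displayName) in addition to $select; the example builds that clause. The assumption that ExternalId holds the AzureAD objectId, the data shapes and all sample users are my own constructions; the Graph name of the AzureAD EmailAddress attribute is mail.

```python
"""Match Benemen directory users to AzureAD and compute directory updates.

Added example, not SyncModule code. Assumed shapes (my own): a Benemen user
is a dict with "email", an optional "external_id" (assumed to hold the
AzureAD objectId) and the directory fields named on the page; Graph users
are dicts as returned with $expand=manager($select=displayName), so the
manager link already carries the manager's displayName. Sample data constructed.
"""
MANAGED_BY_PORTAL = {"EmailAddress", "FirstName", "LastName", "WorkNumber", "MobileNumber"}


def query_clause(mapping: dict, email_property: str = "userPrincipalName") -> str:
    """$select for plain properties; Superior mapped to manager needs $expand,
    because manager is a link to another user, not a string property."""
    plain = sorted(set(mapping.values()) - {"manager"})
    select = ",".join(["id", email_property] + plain)
    expand = "&$expand=manager($select=displayName)" if "manager" in mapping.values() else ""
    return f"$select={select}{expand}"


def find_azure_user(bene_user: dict, azure_users: list,
                    email_property: str = "userPrincipalName"):
    """Page rule: match on ExternalId first, then on the e-mail address
    against userPrincipalName or mail (EmailAddress), whichever is configured."""
    by_id = {u["id"]: u for u in azure_users}
    ext = bene_user.get("external_id")
    if ext and ext in by_id:
        return by_id[ext]
    wanted = bene_user["email"].lower()
    for u in azure_users:
        if (u.get(email_property) or "").lower() == wanted:
            return u
    return None


def directory_update(bene_user: dict, azure_user: dict, mapping: dict) -> dict:
    """Return only the fields whose value differs; fields owned by BenePortal
    are never written by this sync even if someone maps them."""
    changes = {}
    for field, prop in mapping.items():
        if field in MANAGED_BY_PORTAL:
            continue
        if prop == "manager":
            value = (azure_user.get("manager") or {}).get("displayName")
        else:
            value = azure_user.get(prop)
        if value != bene_user.get(field):
            changes[field] = value
    return changes


DIRECTORY_MAPPING = {
    "Title": "jobTitle",
    "Department": "department",
    "Location": "officeLocation",
    "Superior": "manager",
    "MobileNumber": "mobilePhone",   # managed by BenePortal: ignored
}

# Constructed data: the first user matches by ExternalId although the UPN was
# renamed; the second has no ExternalId and matches by email; one manager is unset.
BENE_USERS = [
    {"email": "anna.virtanen@example.com", "external_id": "oid-1",
     "Title": "Engineer", "Department": "R&D", "Superior": "Matti Meikäläinen"},
    {"email": "ville.korhonen@example.com",
     "Title": None, "Department": None, "Superior": None},
]
AZURE_USERS = [
    {"id": "oid-1", "userPrincipalName": "anna.v@example.com", "mail": "anna.virtanen@example.com",
     "jobTitle": "Senior Engineer", "department": "R&D", "officeLocation": "Helsinki",
     "mobilePhone": "+358 40 1234567", "manager": {"displayName": "Matti Meikäläinen"}},
    {"id": "oid-2", "userPrincipalName": "ville.korhonen@example.com", "mail": None,
     "jobTitle": "Sales", "department": "Sales", "officeLocation": None,
     "mobilePhone": None, "manager": None},
]

if __name__ == "__main__":
    print(query_clause(DIRECTORY_MAPPING))
    for b in BENE_USERS:
        a = find_azure_user(b, AZURE_USERS)
        print(b["email"], "->", a and a["id"], directory_update(b, a, DIRECTORY_MAPPING))
```

The choice between userPrincipalName and mail matters when the two differ, as for the first constructed user: without an ExternalId she would match only with the email property set to mail.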

Directory sync of directory entries

 How are the users to be synced defined in directory sync of directory entries?

The users to be synced as directory entries to the Benemen directory are defined by membership of a specified group in AzureAD. All users belonging to the group or to any of its nested subgroups are included in the sync.

 What happens if an existing user (i.e. one having Benemen services) is added to the group synced as directory entries?

If there is already an active user with the same username (i.e. email address), no directory entry is created.
