Importing Employees using Azure AD Connector
Version: 2022.4 onwards.
Role: Administrator
Upgrade details: When upgrading from versions older than 2022.4, apply this package - Azure AD Employee Import for Service Manager.
To create the Application
1. From the Azure portal, navigate to Azure Active Directory > App Registrations.
2. Click New registration, enter a name for the application, and at the end of the page click Register.
3. Once the application is created, the following details are displayed. Copy and save them:
• Client ID - note down the Client ID somewhere safe.
• Tenant ID - note down the Tenant ID somewhere safe.
• Client Secret ID - a unique client secret; see the To create a Client Secret ID section below for how to create one.
To create a Client Secret ID
1. Click Add a certificate or secret.
2. Under Client Secrets, click New client secret and enter a description.
3. Check the Expires value, then click Add to create the Client Secret ID. Once the secret passes its expiry date, a new Client Secret must be created.
Ensure you make a note of the Client Secret Value and save it somewhere safe, as it is not accessible later.
To add the necessary permissions:
Once the application is created and the information in the previous section is noted, the next step is to add the required permissions in the API permissions tab.
1. Under App Registrations > Owner Applications, open the application you created in the previous section.
2. In the left panel under Manage, open API permissions.
3. Select Add permissions > Microsoft Graph > Application Permissions > Directory > Directory.Read.All > Add Permissions.
To view the application details
1. Navigate to Azure Active Directory > App Registrations > Owner Applications.
2. Under Owner Applications, click the application; the Client ID, Tenant ID and Client Secret ID are displayed.
If you forgot or lost the Client Secret ID, create a new one by following the steps in To create a Client Secret ID.
Once the Azure configuration is completed, the next step is to configure the ITSM platform.
1. Log in to ITSM as an Administrator.
2. Open the Configuration console.
3. Generate an API Key:
   a. Navigate to Security Controls > API Keys.
   b. Click Add Key Group and enter a contextual name.
   c. Click Add API Key under the group you just created and enter a description.
4. Click Save.
To get a comprehensive understanding of importing employees using the Azure AD Connector, it is important to understand what each field in the Azure AD Employee Connector does.

Field | Description
---|---
Enabled | Enables the connector; it must be enabled for employees to be imported.
Test Mode | Used only to test the connector: only the first 10 employees are synced each time you run the test.
Client ID | As mentioned in the Configurations/Permissions Required from Azure Portal section.
Tenant ID | As mentioned in the Configurations/Permissions Required from Azure Portal section.
Client Secret | As mentioned in the Configurations/Permissions Required from Azure Portal section.
API Key | The API key generated in the Ivanti ITSM platform, used to authenticate communications between ITSM and Azure AD.
Primary Key | As the name suggests, the key used as the unique identifier when syncing data from Azure to ITSM.
AD filter | Filters the results fetched from Azure AD. Example: to avoid importing inactive users, the filter value would be {Azure AD Field} {Operator} {Value}, that is: accountEnabled eq true. For more information on using filters, see Use the filter query parameter. In the examples shown there, the ones marked * are not supported; they are part of the Advanced query capabilities.
ISM Employee Field | Drop-down listing the fields of the Employee business object.
Azure AD fields | Drop-down listing the fields that can currently be synced from Azure AD.
Fixed Value | When checked, lets the user set a fixed value to sync to the employee. Example: Team is a mandatory field in ITSM but there is no real value in Azure to sync to Team, so the user can add a fixed value for the sync to work.
Do not update field | Once Do not update is enabled for a mapping, the Employee field selected in that mapping is not updated after the first insert of the employees.
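As an added illustration (not Ivanti's connector code), the following shows how the Client ID, Tenant ID, Client Secret, AD filter and Test Mode values from the table are used on the Azure side: a client-credentials token request for the app registration, and a paged Microsoft Graph /users query carrying the accountEnabled filter. The HTTP transport is injected so the sample runs offline against constructed pages; the stub, the user data and the 10-record Test Mode cut-off are assumptions made for the example.

```python
# Added illustration, not Ivanti's connector code: how the Client ID, Tenant ID, Client
# Secret, AD filter and Test Mode fields are used against Microsoft Graph. The transport
# is injected (http_get) so it runs offline against the constructed pages at the bottom.
from urllib.parse import urlencode

GRAPH = "https://graph.microsoft.com/v1.0"
TEST_MODE_LIMIT = 10  # Test Mode syncs only the first 10 employees

def token_request(tenant_id, client_id, client_secret):
    """Client-credentials request for the app registration. Directory.Read.All is an
    application permission, so the tenant-wide /.default scope is requested."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {"client_id": client_id,
            "client_secret": client_secret,  # the secret Value noted at creation, not its ID
            "scope": "https://graph.microsoft.com/.default",
            "grant_type": "client_credentials"}
    return url, urlencode(body)

def users_url(ad_filter="accountEnabled eq true",
              select=("id", "userPrincipalName", "mail", "department")):
    """/users query carrying the page's AD filter; $select keeps the pull minimal."""
    return f"{GRAPH}/users?" + urlencode({"$filter": ad_filter, "$select": ",".join(select)})

def fetch_users(http_get, token, ad_filter="accountEnabled eq true", test_mode=False):
    """Follow @odata.nextLink paging; in Test Mode stop after TEST_MODE_LIMIT users."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    url, users = users_url(ad_filter), []
    while url:
        page = http_get(url, headers)
        users.extend(page.get("value", []))
        if test_mode and len(users) >= TEST_MODE_LIMIT:
            return users[:TEST_MODE_LIMIT]
        url = page.get("@odata.nextLink")
    return users

# Constructed stand-in for Graph: two pages of six enabled users each.
_NEXT = f"{GRAPH}/users?$skiptoken=constructed"
def _page(lo, hi):
    return [{"id": f"u{i}", "userPrincipalName": f"user{i}@example.com"} for i in range(lo, hi)]
_PAGES = {users_url(): {"value": _page(0, 6), "@odata.nextLink": _NEXT},
          _NEXT: {"value": _page(6, 12)}}

def stub_get(url, headers):
    """Offline transport: checks the bearer header and serves the constructed pages."""
    assert headers["Authorization"].startswith("Bearer ")
    return _PAGES[url]
```

Against a real tenant, `stub_get` would be replaced by a wrapper around requests.get(...).json() and the token by the access_token returned from the token endpoint.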
To configure the Azure AD Employee Connector
1. Open the Azure AD Employee Connector workspace.
2. Select the Enabled check box.
3. Create an API Key on the tenant with admin access.
4. Enter values in the Client ID, Client Tenant ID, and Client Secret fields.
You can get these values from your Azure Client account.
5. Enter the API key.
6. Under the Please select only one option below section, select one of the listed options as the Primary Key.
Ensure you select only one option.
7. AD Filter - use this field to enter a filter for the results fetched from Azure AD.
For example, to prevent inactive users from being imported, enter the following query:
{Azure AD Field} {Operator} {Value}
accountEnabled eq true
For more information on using filters, see Use the filter query parameter. In the examples shown there, the ones marked * are not supported; they are part of the Advanced query capabilities.
Currently, the Advanced query capabilities on Azure AD directory objects are not supported. The documentation will be updated when they become available.
8. A list of pre-mapped fields is displayed. You can add custom fields using:
• ISM Employee Field - the field in ISM that should be mapped.
• Azure AD Fields - the field in Azure AD that should be mapped.
9. Select the Fixed Value field and enter a value if there is no Azure AD field corresponding to the Neurons for ITSM field.
10. Click Add Mapping. The mapped fields are displayed in the Field Mappings tab.
For the import to work, add the following mapping:
• ISM Employee Field - Team
• Is Fixed - True
• Fixed Value - QA
Do not update Field - when this check box is selected, the field is set only the first time the employee is inserted and is ignored on subsequent runs.
11. Save and exit by clicking List View.
12. From the Action Menu drop-down, select Execute Employee Import.
13. Open the record to check the import status.
After the import, the fetched records appear in the Queue tab of the record, after which they go into the Employee workspace.
14. Click the Queue tab; if the RunOutPut field displays Completed without errors, the import is successful.
The employee records are then available in the Employee workspace.
The Ivanti Azure AD Schedule Entry is scheduled to run every hour, so the records are updated on an hourly basis.
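The mapping rules used in steps 6 to 10 (Primary Key as the unique identifier, a Fixed Value for the mandatory Team field, and Do not update freezing a field after the first insert) are shown below as an added example; it is not Ivanti's connector code, and the Mapping class, the ISM field names and the two constructed hourly runs are assumptions made for the illustration.

```python
# Added illustration, not Ivanti's connector code: the mapping semantics described
# above (Primary Key, Fixed Value, Do not update) run over constructed Azure AD users.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Mapping:
    ism_field: str                      # ISM Employee Field
    ad_field: Optional[str] = None      # Azure AD Field
    fixed_value: Optional[str] = None   # set when Is Fixed is True
    do_not_update: bool = False         # Do not update field

MAPPINGS = [
    Mapping("LoginID", ad_field="userPrincipalName"),
    Mapping("Email", ad_field="mail"),
    Mapping("Department", ad_field="department", do_not_update=True),
    Mapping("Team", fixed_value="QA"),  # the mandatory-field mapping the page requires
]

def map_user(user, mappings):
    return {m.ism_field: (m.fixed_value if m.fixed_value is not None else user.get(m.ad_field))
            for m in mappings}

def sync(employees, users, mappings, primary_key):
    """Upsert `users` into `employees` (keyed by the Primary Key value).
    Returns (updated employees, list of users skipped for lacking the key)."""
    result, skipped = {k: dict(v) for k, v in employees.items()}, []
    for user in users:
        key = user.get(primary_key)
        if not key:
            skipped.append(user)   # no unique identifier: cannot dedupe, do not insert
            continue
        row = map_user(user, mappings)
        if key not in result:
            result[key] = row      # first insert: every mapped field is written
            continue
        for m in mappings:         # later runs: Do not update fields keep their value
            if not m.do_not_update:
                result[key][m.ism_field] = row[m.ism_field]
    return result, skipped

# Constructed data: two hourly runs where Alice's mail and department change in AD.
RUN1 = [{"userPrincipalName": "alice@example.com", "mail": "alice@example.com",
         "department": "Engineering"}]
RUN2 = [{"userPrincipalName": "alice@example.com", "mail": "a.smith@example.com",
         "department": "Sales"}, {"mail": "nokey@example.com"}]

def demo():
    first, _ = sync({}, RUN1, MAPPINGS, "userPrincipalName")
    return sync(first, RUN2, MAPPINGS, "userPrincipalName")
```

After the second run Alice's Email follows Azure AD, her Department stays at the first-insert value, Team is always QA, and the record without a Primary Key value is reported as skipped rather than inserted.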
If you get the Invalid Input error message while importing Azure AD employees, the import failed. This happens when the Server URL field (not visible in the UI, present in the backend) of the Azure AD Employee Connector workspace is not populated with the appropriate value.
To fix the issue:
• Run the SET SERVER URL Quick Action.
This sets the appropriate value in the Server URL field, which resolves the issue.
Ensure you run the Quick Action from the list view of the Azure AD Employee Connector workspace.