Importing Employees using the Azure AD Connector
Role: Administrator.
Minimum Version: 2022.4.
Package Installation: Existing customers - import the latest package from the Ivanti Marketplace - Azure AD Employee Import for Service Manager.
Configuring and setting up the required permissions from the Azure Portal
To create the application:
- From the Azure portal, navigate to Azure Active Directory > App Registrations.
- Select New registration and enter the name for the application.
- Select the Register button.
- Once the application is created, the following details are displayed:
  - Client ID - Remember to note down the client ID somewhere safe.
  - Tenant ID - Remember to note down the Tenant ID somewhere safe.
  - Client Secret ID: Unique client secret ID. Refer to the next procedure for how to create one.
To create a Client Secret ID:
- Select Add a certificate or secret.
- Under Client Secrets, select New client secret and enter a description.
- Select the Add button to add this Client Secret ID. Before you do, check when it expires: once it passes the expiry date, you will need to create a new Client Secret.
Ensure you make a note of the Client Secret value and save it somewhere safe, as it is not accessible later.
To add the necessary permissions:
Once the application is created and the information in the previous section is noted, the next step is to add the necessary permissions in the Permission tab.
- Under App Registrations in Owner Applications, open the application which you just created in the previous section.
- In the left panel under Manage, open API permissions.
- Select Add permissions > Microsoft Graph > Application Permissions > Directory > Directory.Read.All > Add Permissions.
- Navigate to Azure Active Directory > App Registrations > Owner Applications.
- Under Owner Applications, select the present application, and you will be able to see the Client ID, Tenant ID and the Client Secret ID.
If you forget or lose the Client Secret ID, create a new one.
Once the Azure configuration is completed, the next step is to configure the ITSM platform.
- Log in to ITSM as an Administrator.
- Open the Configuration Console.
- Generate an API Key:
  - Navigate to Security Controls > API Keys.
  - Select Add Key Group and enter a contextual name.
  - Select Add API Key under the group you just created and enter the description.
    When creating a key, ensure you create it with a user who has an Administrator role and ensure the In Role field is set to an Admin role.
  - Select Save.
To get a comprehensive understanding of importing employees using the Azure AD connector, it is important that you understand what each field in the Azure AD employee connector does.
Field | Description
---|---
Enabled | Enables the connector to import employees.
Test Mode | Used only to test the connector by syncing 10 employees. Only the first 10 employees are synced every time you run the test.
Client ID | As described in the Configurations/Permissions Required from Azure Portal section.
Tenant ID | As described in the Configurations/Permissions Required from Azure Portal section.
Client Secret | As described in the Configurations/Permissions Required from Azure Portal section.
API Key | The API key generated from Ivanti ITSM, used to authenticate communications between ITSM and Azure AD.
Primary Key | The key used as the unique identifier when syncing data from Azure to ITSM.
AD filter | Filters the results fetched from Azure AD. The value has the form {Azure AD Field} {Operator} {Value}; for example, to avoid importing inactive users, use accountEnabled eq true. For more information on using filters, refer to the Microsoft document Use the filter query parameter. In the examples shown there, the ones marked * are not supported; they are part of the advanced query capabilities.
ISM Employee Field | Drop-down listing the fields in the Employee business object.
Azure AD fields | Drop-down listing the fields that can currently be synced from Azure AD.
Fixed Value | Once checked, lets you set a fixed value to sync to employees. Example: Team is a mandatory field in ITSM, but there is no corresponding value in Azure to sync to Team, so you can set a fixed value for the sync to work.
Do not update field | Once Do not update is enabled for a mapping, the Employee field selected in that mapping is not updated after the first insert of the employees.
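As an added illustration (not code from the Ivanti connector), here is how the Client ID, Tenant ID, Client Secret, AD filter and Test Mode settings in the table translate into the Microsoft Graph request the connector has to make; the function names and the list of advanced-only operators are my assumptions:

```python
# Added example (not Ivanti's code): the Microsoft Graph request implied by the Client ID,
# Tenant ID, Client Secret, AD filter and Test Mode settings, with a check that the filter
# does not use operators the page says are unsupported. Names are assumptions.
import re
from urllib.parse import quote, urlencode

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

# Assumption: these are operators Microsoft lists as advanced-query-only for directory
# objects (they need the ConsistencyLevel: eventual header), so the connector rejects them.
ADVANCED_ONLY = re.compile(r"\b(ne|not|endsWith)\b", re.IGNORECASE)

def validate_filter(expr):
    """Accept a '{Azure AD Field} {Operator} {Value}' filter; reject advanced-only operators."""
    expr = expr.strip()
    if not expr:
        raise ValueError("empty AD filter")
    hit = ADVANCED_ONLY.search(expr)
    if hit:
        raise ValueError(f"operator {hit.group(1)!r} needs advanced query capabilities")
    return expr

def build_users_url(ad_filter, select_fields, test_mode=False):
    """Return the /users request URL; Test Mode syncs only the first 10 employees ($top=10)."""
    params = {"$filter": validate_filter(ad_filter), "$select": ",".join(select_fields)}
    if test_mode:
        params["$top"] = "10"
    return f"{GRAPH_USERS}?{urlencode(params, quote_via=quote)}"

def token_request(tenant_id, client_id, client_secret):
    """Client-credentials request (URL, POST body) for the Graph token.

    Directory.Read.All is an application permission, so no user signs in and the scope is
    Graph's .default scope; the secret travels only in the POST body, never in a URL or log.
    """
    return TOKEN_URL.format(tenant=tenant_id), {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }
```

The secret is never written anywhere by this code; store it in a secrets manager and rotate it before the expiry date you noted when creating it.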
- Open the Azure AD Employee Connector workspace.
- Select the Enabled check box.
- Create an API Key on the tenant with admin access.
- Enter values in the Client ID, Client Tenant ID, and Client Secret fields. You can get these values from your Azure Client account.
- Enter the API key.
- Under the Please select only one option below section, select any one of the listed options as the Primary Key. Ensure you select only one option.
- AD Filter - use this field to enter the filter details to filter results fetched from Azure AD.
  For example, to stop inactive users from being imported, enter the following query:
  {Azure AD Field} {Operator} {Value}
  accountEnabled eq true
  For more information on using filters, refer to the Microsoft document Use the filter query parameter. In the examples shown there, the ones marked * are not supported; they are part of the advanced query capabilities.
  Currently, advanced query capabilities on Azure AD directory objects are not supported. Refer to the Microsoft document Advanced query capabilities on Azure AD directory objects. This documentation will be updated when support is made available.
- A list of pre-mapped fields is displayed. You can add custom fields using:
  - ISM Employee Field - field in ITSM that should be mapped.
  - Azure AD Fields - field in Azure AD that should be mapped.
  - Fixed Value - select this field and enter a value if there is no Azure AD field corresponding to the Neurons for ITSM field.
  - Select Add Mapping. The mapped fields are displayed in the Field Mappings tab.
  For the import to work, add the following mapping:
  - In the ISM Employee Field, select Team.
  - Set Is Fixed to True.
  - Fixed Value - enter the team name for the employee, for example: QA.
  Do not update Field - when this check box is selected, the field is set only the first time, when the employee is inserted. On subsequent runs it is ignored.
- Save and exit by selecting List View.
- From the Action Menu drop-down, select Execute Employee Import.
- Open the record to check the import status. After importing, the records are fetched into the Queue tab of the record, after which they go into the Employee workspace.
- Select the Queue tab. If the RunOutPut field displays Completed without errors, the import was successful. The employee records are then available in the Employee workspace.
The Ivanti Azure AD Daily Schedule is scheduled to run every day; therefore, the records are updated daily.
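The Primary Key, Fixed Value and Do not update behaviour described above, shown as an added example that is not the connector's own code; the field names, the choice of the Azure object id as primary key, and the sample users are constructed:

```python
# Added example (not Ivanti's code): the connector's mapping semantics, applied to
# constructed Azure AD user records. Function names and field names are assumptions.

# Constructed mappings mirroring the ISM Employee Field / Azure AD Field / Fixed Value /
# Do not update columns. Team has no Azure counterpart, so it is a Fixed Value (the
# page's QA example); Department is written on first insert only.
MAPPINGS = [
    {"ism_field": "PrimaryEmail", "ad_field": "mail"},
    {"ism_field": "DisplayName", "ad_field": "displayName"},
    {"ism_field": "Department", "ad_field": "department", "do_not_update": True},
    {"ism_field": "Team", "is_fixed": True, "fixed_value": "QA"},
]

def apply_mappings(user, mappings, existing=None):
    """Build the ITSM employee record for one user; `existing` is the record from an
    earlier run (None on first insert). Do not update mappings are skipped after that."""
    first_insert = existing is None
    record = dict(existing or {})
    for m in mappings:
        if m.get("do_not_update") and not first_insert:
            continue
        record[m["ism_field"]] = m["fixed_value"] if m.get("is_fixed") else user.get(m["ad_field"])
    return record

def sync(users, mappings, primary_key, itsm_store):
    """Upsert users into itsm_store (primary-key value -> ITSM record), as a daily run would."""
    for user in users:
        key = user[primary_key]
        itsm_store[key] = apply_mappings(user, mappings, itsm_store.get(key))
    return itsm_store

# Constructed sample data: Graph /users results on two consecutive days (ids made up).
# On day 2 Ana was renamed and moved department; only the rename may reach ITSM.
USERS_DAY1 = [
    {"id": "u-001", "mail": "ana@example.com", "displayName": "Ana", "department": "Eng"},
    {"id": "u-002", "mail": "bo@example.com", "displayName": "Bo", "department": "Ops"},
]
USERS_DAY2 = [
    {"id": "u-001", "mail": "ana@example.com", "displayName": "Ana B.", "department": "Sec"},
    {"id": "u-002", "mail": "bo@example.com", "displayName": "Bo", "department": "Ops"},
]

def run_two_days():
    """Primary Key is assumed to be the Azure object id here."""
    store = sync(USERS_DAY1, MAPPINGS, "id", {})
    return sync(USERS_DAY2, MAPPINGS, "id", store)
```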
If you get the Invalid Input error message while trying to import the Azure AD employees, the import failed. This happens when the Server URL field (not visible in the UI; present in the backend) in the Azure AD Employee Connector workspace is not populated with an appropriate value.
To fix the issue:
- From the Azure AD Employee Connector workspace list view, run the SET SERVER URL Quick Action. This sets the appropriate value in the Server URL field and resolves the issue.