Set-up Active Directory sync using Azure automation
1. Create an Azure Automation Account
Sign in to the Azure portal. https://portal.azure.com/
In the left-hand navigation pane, select Create a resource.
In the search box, type Automation and select Automation.
Click Create.
Provide a Name, Resource Group, and Location. Then click Create.
2. Import Required Modules
In your Automation Account, select Modules under the Shared Resources section.
Click Browse Gallery.
———–
Search for:
Az.Resources
Click Import and follow the prompt to add it.
———–
Search for:
Az.Accounts
Click Import and follow the prompt to add it.
———–
Search for:
Az.Automation
Click Import and follow the prompt to add it.
———–
3. Creating a service principle (App Registration) to run the script
Go to the Azure portal: https://portal.azure.com/
Select Microsoft Entra ID.
On the left hand side click on App Registrations.
Click on + New registration.
Fill in the required fields:
Name: Provide a name for your application (e.g. VisitUsADSync).
Supported account types: Choose Accounts in this organizational directory only.
Redirect URI: This can be left blank for this purpose.
Click Register.
After registration, you’ll be taken to the app’s Overview page.
Copy the Application (client) ID and Directory (tenant) ID for later use.
Create a Client Secret:
In the left-hand menu, select Certificates & secrets.
Under Client secrets, click + New client secret.
Provide a description and set an expiration period.
Click Add.
Copy the Value of the client secret for later use. You’ll need it shortly, and it will not be retrievable again.
4. Add Automation Variables
To securely fetch API keys, Domain, and Azure group, use Automation Variables.
In your Automation Account, click on Variables under Shared Resources.
Click Add a variable.
Add six variables named APIKey, Domain, Group, AppId, TenantId and ClientSecret with corresponding values.
———–
Name: APIKey
Type: String
Value: Your API key (found in the dashboard -> Hosts / Employees section then on the right – Active Directory Sync)
———–
Name: Domain
Type: String
If AU hosted
Value: (If AU hosted “visit-us.com.au” / If US hosted “visit-us.com” / If EU hosted “visit-us.eu”)
———–
Name: Group
Type: String
Value: (The name of the AD group you would like to sync)
Group names can be found in your Azure Portal: https://portal.azure.com/#view/Microsoft_AAD_IAM/GroupsManagementMenuBlade/~/AllGroups
————-
Name: AppId (String, Application (client) ID from the )
Type: String
Value: Client ID from the previous step
———–
Name: TenantId (String, Directory (tenant) ID)
Type: String
Value: Tenant ID from the previous step
———–
Name: ClientSecret (Secure String, Client Secret)
Type: Secure String
Value: The client secret you made in the previous step
5. Assign Permissions to the Service Principal
For the service principal to be able to read Azure AD group members, it needs the Directory.Read.All permission.
In the Azure portal search for App Registrations
Or use this link: https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade
Then click on All Applications.
Click on the App that you created earlier (e.g. VisitUsADSync).
In the left-hand menu, select API permissions.
Click on + Add a permission.
Select Microsoft Graph.
Select Application permissions.
Search for and select Directory.Read.All.
Click Add permissions.
Next, just next to where you clicked the Add a permission you should see an option to Grant admin consent… for the permissions you’ve added. It’s important that you click this.
Role Assignments:
In the Azure portal, go to Microsoft Entra ID.
Under Manage, select Roles and administrators.
In the list of roles, find and select Directory Readers.
On the Directory Readers page, click on + Add assignment.
In the “Add assignment” pane, click on + Select members.
Search for your service principal by name (the name of the app you registered, e.g VisitUsADSync).
Select the service principal and click Select.
Review your selection and click Assign.
6. Create a Runbook
In your Automation Account, select Runbooks under Process Automation.
Click Create a runbook.
Provide a Name, select Runbook type as PowerShell, and select the Runtime version.
Click Create.
7. Edit the Runbook
Once the Runbook is created, click on it to open.
In the Edit PowerShell Runbook page, you can now paste the VisitUs AD Sync script here.
8. Publish and Execute the Runbook
After pasting the script, click Save and then Publish.
Click the Start button to execute the Runbook.
9. Schedule the script to run automatically
In the Azure Portal, click on the All services button located in the left-hand menu.
In the search bar, type Automation Accounts and select it from the list.
Click on the Automation account you created at the start.
Once you’re in your Automation Account, navigate to the Schedules section in the left-hand menu.
Click on the Add a schedule button at the top.
Configure the Schedule
Name: Enter a name for your schedule.
Description: Optionally, provide a description to identify what the schedule is for.
Start Time: Set the date and time when you want the schedule to start.
Time Zone: Choose the appropriate time zone for your schedule.
Recurrence: Choose Recurring.
Recur every: Select week.
On these days: Select a day of the week.
Set Expiration: Optionally, set an expiration date and time for the recurring schedule.
After filling in all the details, click on the Create button to create the schedule.
Link the Schedule to your Runbook
To link the created schedule to a runbook, go back to the Runbooks section in your Automation Account.
Select the runbook you want to schedule.
In the runbook’s pane, click on the Link to schedule button at the top.
Select the schedule you created from the list.
Click on OK to link the schedule to the runbook.