SSII - Cloud Connect Setup and Configuration

Summary

Guide for Setting up Azure and Cloud Connect to Sync to SSII

Body

Overview

This guide will cover the processes needed to prepare your Azure environment for the Cloud Connect process and the steps needed on the Cloud Connect platform to begin syncing accounts.

Table of Contents

  • Preparing Azure Environment
    • Creating A Dynamic Azure Group for Syncing
    • Create an Azure App Registration
    • Configuring the Azure App Registration
    • Azure Information to Collect
  • Cloud Connect Configuration
    • Connecting to Cloud Connect Portal
    • Adding Azure App Registration to Cloud Connect
    • Create Sync Policy - Send to U-Wide Tenant
    • Create Sync Policy - Pull from U-Wide Tenant

Preparing Azure Environment

Creating A Dynamic Azure Group for Syncing

Note that these steps for group creation are a general guide and may require adjustment for your campus depending on the custom attributes of your users. The dynamic rule created here may need attributes added, removed, or adjusted for your campus to comply with the policy requirements regarding who should be synchronized for the SSII program.

The creation guide assumes that your campus is using both the Global ID and Affiliation type attributes in your directory as required by other SUNY policies. They may have different names in your campus directory than what is used here.

  • In your Azure tenant, select Entra ID, then Groups.
  • Select “All Groups” on the left pane, then on the right pane select “New Group”.
  • Select or enter the following information:
    • Group type: “Security”
    • Group Name: Recommended to give this a name that indicates its use, such as “Cloud Connect User Sync”
    • Group Description: Recommended to provide a use case such as “Accounts to Sync to U-Wide SSII Tenant”
    • ...Entra roles can be assigned...: “No”
    • Membership Type: “Dynamic User”
    • Owners: Add the people who should be able to adjust or modify the group
  • Dynamic query: Here is where we will use our account attributes to limit who is placed in the group.
    • If you do not see your custom attributes listed in the dropdowns, you will need to add the application ID of your Azure extensions. This can be found using PowerShell.
      • Run the following in PowerShell (assumes you have the AzureAD module installed and an account with permissions to access the tenant):
        • Import-Module AzureAD
        • Connect-AzureAD (you’ll need to provide credentials)
        • Get-AzureADExtensionProperty
      • In the results returned, under the “Name” of each attribute there will be a string after “extension_” and before “_AttributeName”. Copy down that string; it is the needed application ID.
  • Add the required attributes, operators, and values to fit the requirements of the SSII policy. In the example used here, the custom group uses the built-in first name attribute along with the custom affiliation and global ID attributes. This creates a group that only includes users who have a first name, are associated as an employee, and have a global ID assigned. Using “Validate Rules” you can test with various users to determine whether your rule is working as intended.
  • Once the rule is configured as needed, save it, then click Create on the group.
  • Verify that the group contains the expected members. Note that if you adjust the dynamic rules after their initial creation, it can take a few hours for the group membership to update.
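As an added example (not part of the original guide), the PowerShell below automates the two manual steps above: it parses the names returned by Get-AzureADExtensionProperty to recover each extension application ID, then assembles the dynamic membership rule described here (first name present, affiliation of employee, Global ID assigned). The attribute names Affiliation and GlobalID and the value Employee are placeholders for whatever your campus directory uses.

```powershell
# Added example (not from the original guide). Assumes the AzureAD module and an
# open Connect-AzureAD session, as in the steps above.
$props = Get-AzureADExtensionProperty

# Extension property names have the form extension_<appId-without-dashes>_<attributeName>.
$pattern = '^extension_([0-9a-fA-F]{32})_(.+)$'
$attrsByApp = @{}
foreach ($p in $props) {
    if ($p.Name -match $pattern) {
        $appId = $Matches[1]
        if (-not $attrsByApp.ContainsKey($appId)) { $attrsByApp[$appId] = @() }
        $attrsByApp[$appId] += $Matches[2]
    }
}

# Print each extension application ID with the attributes it owns, so the
# right ID can be entered in the portal's dynamic query editor.
foreach ($appId in $attrsByApp.Keys) {
    '{0}: {1}' -f $appId, ($attrsByApp[$appId] -join ', ')
}

# Assemble the rule described in the guide: a first name is present, the user is
# an employee, and a Global ID is assigned. The placeholders below must be replaced
# with the ID printed above and your directory's attribute names and values.
$extAppId    = '<extension-app-id>'   # placeholder: one of the IDs printed above
$affiliation = 'Affiliation'          # placeholder attribute name
$globalId    = 'GlobalID'             # placeholder attribute name

# ${...} is required so the trailing underscore is not read as part of the variable name.
$rule = @(
    '(user.givenName -ne null)'
    "(user.extension_${extAppId}_${affiliation} -eq ""Employee"")"
    "(user.extension_${extAppId}_${globalId} -ne null)"
) -join ' and '

$rule   # paste into the "Rule syntax" box, then use "Validate Rules" against test users
```

Microsoft has deprecated the AzureAD module in favour of Microsoft Graph PowerShell (the Microsoft.Graph modules); the extension property names it returns have the same extension_<appId>_<name> form, so the parsing above carries over.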
     

Create an Azure App Registration

  • With an account that has permissions to create App Registrations, log on to your Azure tenant and go to the “App Registrations” section under Entra ID.
  • Select “New registration”.
  • Provide a name for the registration. It is recommended that you use the product name “Cloud Connect” for recognition in the future (e.g. SSII – Cloud Connect).
  • Select the default supported account type “Accounts in this organizational directory only”
  • Leave the redirect URI blank
  • Confirm by registering the application.

Configuring the Azure App Registration

Setting API Permissions
  • Locate and open the created registration from your app registrations list.
  • On the left-hand pane, select “API Permissions”.
  • Click on “Add a permission”, select “Microsoft Graph”, then “Application permissions”.
  • Add the following Graph application permissions, then approve consent
    • Application.ReadWrite.All
    • Directory.Read.All
    • Group.Read.All
    • User.EnableDisableAccount.All
    • User.Invite.All
    • User.ManageIdentities.All
    • User.Read.All
    • User.ReadWrite.All
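As an added example (not part of the original guide), the PowerShell below verifies that admin consent actually granted the registration exactly the eight Graph application permissions listed above, and flags anything missing or anything extra. The display name is a placeholder; the AzureAD module and an open Connect-AzureAD session are assumed.

```powershell
# Added example (not from the original guide). Assumes the AzureAD module and an
# open Connect-AzureAD session; the display name is a placeholder.
$displayName = 'SSII – Cloud Connect'   # placeholder

# The permissions the guide asks for; anything granted beyond this set is flagged.
$expected = @(
    'Application.ReadWrite.All', 'Directory.Read.All', 'Group.Read.All',
    'User.EnableDisableAccount.All', 'User.Invite.All',
    'User.ManageIdentities.All', 'User.Read.All', 'User.ReadWrite.All'
)

$app   = Get-AzureADApplication -Filter "displayName eq '$displayName'" | Select-Object -First 1
if (-not $app) { throw "No app registration named '$displayName' was found." }
$appSp = Get-AzureADServicePrincipal -Filter "appId eq '$($app.AppId)'"
# Microsoft Graph's well-known application ID.
$graphSp = Get-AzureADServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Granted application permissions are app role assignments on the Graph service
# principal whose principal is this app's service principal. Map role IDs to names
# (IDs are normalised to strings so the hashtable lookup does not depend on type).
$roleNames = @{}
foreach ($r in $graphSp.AppRoles) { $roleNames["$($r.Id)"] = $r.Value }
$granted = Get-AzureADServiceAppRoleAssignment -ObjectId $graphSp.ObjectId -All $true |
    Where-Object { $_.PrincipalId -eq $appSp.ObjectId } |
    ForEach-Object { $roleNames["$($_.Id)"] }

$missing = $expected | Where-Object { $_ -notin $granted }
$extra   = $granted  | Where-Object { $_ -notin $expected }
[pscustomobject]@{
    Granted = (($granted | Sort-Object) -join ', ')
    Missing = ($missing -join ', ')   # non-empty: consent step was incomplete
    Extra   = ($extra   -join ', ')   # non-empty: more was granted than the guide lists
}
```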

 

Creating a Client Secret
  • Locate and open the created registration from your app registrations list.
  • From the left-hand pane select “Certificates and Secrets”.
  • Select the “Client Secrets” tab, then select “New Client Secret”.
  • On the right-hand pane that opens, enter a description and select an expiration date. It is recommended to set this to at least one (1) year. Once done, select “Add”. Make note of the expiry date somewhere that will remind you of it: a new client secret will need to be created at that time for the app registration to continue to function with Cloud Connect.
  • You should now see a secret with the description you provided in the Client Secrets tab.
    • Copy the “Value” of the secret to a notepad, as it will be needed for the connection with Cloud Connect.
    • Don’t leave the page until you have either made a copy of the secret or used it on the Cloud Connect platform. Once you leave the page, the secret value will be hidden and the only way to obtain one again is to create a new secret.
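As an added example (not part of the original guide), the PowerShell below lists every client secret on the Cloud Connect registration with its end date and flags those that are expired or expiring within a configurable window, so the renewal reminder above can be checked rather than remembered. The display name is a placeholder; the AzureAD module and an open Connect-AzureAD session are assumed.

```powershell
# Added example (not from the original guide). Assumes the AzureAD module and an
# open Connect-AzureAD session; the display name below is a placeholder for the
# name you gave the registration.
$displayName = 'SSII – Cloud Connect'   # placeholder
$warnDays    = 30                       # how far ahead to flag an upcoming expiry

$app = Get-AzureADApplication -Filter "displayName eq '$displayName'" | Select-Object -First 1
if (-not $app) { throw "No app registration named '$displayName' was found." }

# Each client secret is a password credential on the application object.
# EndDate is reported in UTC, so compare against UTC now.
$now     = (Get-Date).ToUniversalTime()
$secrets = Get-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId
foreach ($s in $secrets) {
    $daysLeft = [int][math]::Floor(($s.EndDate - $now).TotalDays)
    $state = if ($daysLeft -lt 0)             { 'EXPIRED' }
             elseif ($daysLeft -le $warnDays) { 'EXPIRING SOON' }
             else                             { 'ok' }
    [pscustomobject]@{
        KeyId    = $s.KeyId
        EndDate  = $s.EndDate
        DaysLeft = $daysLeft
        State    = $state
    }
}
```

Run this on a schedule (for example from the same account that manages the registration) and alert on any row whose State is not ok; the secret value itself is never returned by this cmdlet, so the report can be shared without exposing credentials.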

 

Azure Information to Collect

  • You will need the following three items from the App registration:
    • Application (client) ID
    • Directory (tenant) ID
    • Value of the client secret
  • The client secret value can be obtained following the steps in the previous section.
  • The Application and Directory IDs can be located on the overview page of the registered application.

Cloud Connect Configuration

Connecting to the Cloud Connect Portal

If you don’t already have one, contact Forsyte at Support@forsyteit.com to request an account for the Cloud Connect portal. This login is not the same as your Microsoft login.

The Forsyte portal can be found at: Portal.Forsyteit.com

  • Once you have logged on, select “Cloud Connect” from the left-hand pane.
  • Verify that you see your name and campus listed on the top right of the screen.
     

Adding Azure App Registration to Cloud Connect

  • Have the IDs and secrets from the App Registration, as covered earlier in this guide, available.
  • Select “Data Sources” on the Cloud Connect Portal.
  • There should already be one data source listed, created by Forsyte: the U-Wide Tenant.
  • Click on the blue “+” sign next to “Data Sources:”.
  • A box will pop up asking for information. Enter the following items, then select “Create”:
    • Type – O365
    • Name – This is for your reference; we recommend you use your campus name
    • Identifier – Enter the Application (client) ID
    • Application’s Secret Key – Enter the value of the client secret
    • Tenant ID – Enter the Directory (tenant) ID
  • You should now see your newly created item in the data source list.

Create Sync Policy - Send to U-Wide Tenant

  • In the Cloud Connect platform, select “Synchronize Policies”.
  • Click on the “+” next to “Sync Policies”.
  • On the new screen enter/select the following items:
    • Rules Name: Sync to UWide
    • Active: Checked
    • Source Tenant: Type O365, then select your campus data source
    • Target Tenant: Select the U-Wide tenant
    • Groups: Enter the Sync group you created in your Azure tenant
    • Enable Guest Accounts: Leave Unchecked
    • Custom Attributes: Can be skipped
    • Type of Synchronization: B2B should be checked
    • Information:
      • Check “Display Name” and click into the field. Select “Last Name, First Name, Constant”.
        • Click in the second box and type your campus name in parentheses
        • Ex. (New Paltz)
      • The following boxes are required:
        • Given Name (Same as Source)
        • Surname (Same as Source)
        • Company name (Constant, Enter your campus name)
      • It is recommended to also include
        • Nickname (Same as Source)
      • All other fields are optional. Select “Constant” and enter a value if you want all users to display the same value, or select “Same as Source” to use the information from your Azure tenant.
        • e.g. Office Location – Constant, Building 3
          • All users would show their office location as Building 3
    • Once you have filled everything out, click “Add” at the bottom of the page.
  • You should now see your created sync policy in the list.
  • If you need to edit, delete, or adjust policies after creation, use the appropriate icon to the left.

Create Sync Policy - Pull from U-Wide Tenant (Optional)

Create a policy to pull down users from the other campuses and create them as guest accounts in your tenant. This will enable easier collaboration amongst your users when using O365 products such as SharePoint, OneDrive, and Teams. Rather than having to manually create the users as guests in your Azure tenant, this policy will automate the procedure for all SUNY employees so they can simply be added by end users within those products. Note that it will also populate your O365 Outlook address book with these users, so action may be needed on your part if you wish to maintain a separate address book that contains only your own campus users.

  • In the Cloud Connect platform, select “Synchronize Policies”.
  • Click on the “+” next to “Sync Policies”.
  • On the new screen enter/select the following items:
    • Rules Name: Sync from UWide
    • Active: Checked
    • Source Tenant: Select “O365-SUNY U Wide”
    • Target Tenant: Select your tenant
    • Groups: Search for and select your campus. This group is tailored to omit any U-Wide entries from your campus's tenant.
    • Enable Guest Accounts: Check this box; this will create guest accounts from the other campuses in your Azure tenant.
    • Type of Synchronization: B2B should be checked
    • Information:
      • To display correctly the following items are required:
        • Display Name (Same as Source)
        • Given Name (Same as Source)
        • Surname (Same as Source)
        • Company name (Same as Source)
      • It is recommended to also include
        • Nickname (Same as Source)
      • All other fields are optional, it is recommended to leave them all “Same as Source” if they are included
    • Once you have filled everything out, click “Add” at the bottom of the page.
  • You should now see your created sync policy in the list.
  • If you need to edit, delete, or adjust policies after creation, use the appropriate icon to the left.
Details

Article ID: 12144
Created
Tue 9/9/25 6:05 PM
Modified
Tue 9/9/25 7:44 PM