Azure AD Connector Configuration
When using Admin By Request with Active Directory domain joined computers, Admin By Request settings can be configured differently for different users. Settings act as rules, such as whether the Run as Admin or Admin Session features are enabled, and whether or not users need approval to use them. You likely wouldn’t want the rules applied for an IT Administrator to be the same as those applied for a Customer Relations employee. Settings can be differentiated using Sub-Settings. As an administrator, you have a Global set of default settings, and Sub-Settings, which can overrule Global Settings for some users or computers based on groups or Organizational Units (OU) from your Active Directory. If some or all computers are no longer domain joined, you do not have these groups and OUs to base Sub-Settings on.
That’s where Azure AD Connector comes in. If your computers are Azure AD joined, or if your users connect an Office 365 mailbox (Azure AD workjoin), then Azure AD Connector can be used to bind your settings to your Azure Active Directory to create Sub-Settings based on Azure AD user or device groups. Azure AD Connector is part of your Global Settings, as shown below:
Setting up the connector provides the following benefits:
- Azure AD user and device groups can be used for Sub-Settings
- Members of the Azure AD Global Administrator and Device Administrator roles (the accounts that are local administrators on Azure AD joined devices) are correctly detected, and the tray icon appears red for them
- The user's Azure AD phone number and email are suggested as defaults on the request form
- Your inventory collects computer and user groups, as well as full names, phone numbers, and emails from Azure AD (if enabled)
Should Azure AD Connector be Used?
The answer depends on the scenario. If your computers are:
- Domain joined: No, the connector is not used – it’s only required if you have a subset of Azure AD joined computers.
- Azure AD joined: Yes, the Azure AD Connector should be used.
- Stand-alone with Office 365 mailbox mapped (see further down): Azure AD Connector should only be used if you need to use Sub-Settings.
Setting Up Azure App Registration
Azure AD Connector requires an Azure AD App Registration in order to function. An App Registration is a permission to integrate with your Azure AD through the Microsoft Graph API and consists of an Application ID and a Secret Key. Follow the steps below to set up an App Registration that allows Admin By Request to query your Azure Active Directory.
1. Open two browser tabs. In one, log into your Admin By Request User Portal and navigate to Settings > Authorization > Azure AD (see screenshot above). In the other, log in to your Azure portal.
2. In your Azure portal, in the top search box, search for App Registrations and select the matching option:
3. Select New registration, enter a name, such as Admin By Request Azure AD Connector, and click Register.
4. From the left menu, select API Permissions and delete the default entry named User.Read under Microsoft Graph as well as any other default permissions listed.
5. Click Add a permission and select Microsoft Graph.
6. Select Application permissions and expand Directory.
7. Select the Directory.Read.All checkbox and then click Add permission. Your complete list should look like the following:
8. Click the Grant admin consent button at the bottom and confirm.
9. From the left menu, select Certificates & secrets and then New client secret.
10. Enter a description and set 24 months as the expiry.
11. Click the copy icon in the value column and then navigate back to your Admin By Request User Portal (open in the other browser tab).
12. Paste the copied value into the Secret Key field and click Overview.
13. In your Azure portal, click the copy icon in the Application (client) ID column and, in your Admin By Request User Portal, paste this into the Application ID field.
14. Also in your Admin By Request User Portal, enter your tenant name, which is typically your legal company name followed by ".onmicrosoft.com".
NOTE: To find your tenant name, log in to your Azure portal (https://portal.azure.com) and navigate to Azure Active Directory. Once there, select Domain Names and copy the tenant name (the .onmicrosoft.com domain) listed under Name.
15. Enter any email address in the Any email in Azure AD field. (The only purpose of this email address is to use it to test your adapter.)
16. Click Save. A green checkmark will appear next to the button indicating a successful save, and you're done. If instead you get the message "Entered Azure AD data is incorrect", please run through the procedure above again to eliminate possible errors. If you cannot get registration to work, contact us for assistance.
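The test the portal runs when you click Save (take the Application ID, Secret Key and tenant name, obtain a token, and look up the email you entered) can be reproduced from your own workstation, which helps when the portal only reports "Entered Azure AD data is incorrect". The script below is an added example, not Admin By Request's own code. It assumes the App Registration created in the steps above (Application ID, client secret, tenant name and the Directory.Read.All application permission with admin consent granted), reads those values from environment variables whose names are made up here, and includes a constructed sample of the Microsoft Graph memberOf response so the group filtering can be tried offline.

```python
"""Check an Admin By Request Azure AD Connector App Registration from your own machine.
Added example, not Admin By Request's own code; assumes the App Registration set
up in the steps above (Application ID, client secret, tenant name, Directory.Read.All)."""
import json
import os
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH = "https://graph.microsoft.com/v1.0"

# Directory roles whose members stay permanent local administrators on Azure AD
# joined devices (red tray icon). Assumption: Graph reports the roles under these
# display names; the portal text calls them Company Administrator and Device
# Administrator, and Microsoft has renamed them since.
ADMIN_ROLE_NAMES = {
    "Global Administrator",
    "Company Administrator",
    "Azure AD Joined Device Local Administrator",
    "Device Administrators",
}


def get_app_token(tenant: str, app_id: str, secret: str) -> str:
    """OAuth 2.0 client-credentials grant: the same exchange the connector
    performs with the Application ID and Secret Key entered in the portal."""
    body = urllib.parse.urlencode({
        "client_id": app_id,
        "client_secret": secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    req = urllib.request.Request(TOKEN_URL.format(tenant=tenant), data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def fetch_member_of(token: str, user_email: str) -> list:
    """GET /users/{email}/memberOf, following @odata.nextLink pages.
    A 403 here usually means step 8 (Grant admin consent) was skipped."""
    url = f"{GRAPH}/users/{urllib.parse.quote(user_email)}/memberOf"
    objects = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        objects.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return objects


def security_groups(member_of: list) -> list:
    """Names of the groups Sub-Settings can be based on: security groups only.
    Directory roles, Microsoft 365 ("Unified") groups and distribution lists are dropped."""
    names = [
        obj["displayName"]
        for obj in member_of
        if obj.get("@odata.type") == "#microsoft.graph.group"
        and obj.get("securityEnabled")
        and "Unified" not in obj.get("groupTypes", [])
    ]
    return sorted(names)


def admin_roles(member_of: list) -> list:
    """Directory roles in the membership list that make the user a permanent
    local administrator on Azure AD joined devices."""
    return sorted(
        obj["displayName"]
        for obj in member_of
        if obj.get("@odata.type") == "#microsoft.graph.directoryRole"
        and obj.get("displayName") in ADMIN_ROLE_NAMES
    )


# Constructed sample of a /memberOf response, so the filters can be tried offline.
SAMPLE_MEMBER_OF = [
    {"@odata.type": "#microsoft.graph.group", "displayName": "IT Administrators",
     "securityEnabled": True, "groupTypes": []},
    {"@odata.type": "#microsoft.graph.group", "displayName": "Marketing Team",
     "securityEnabled": False, "groupTypes": ["Unified"]},
    {"@odata.type": "#microsoft.graph.group", "displayName": "Customer Relations",
     "securityEnabled": True, "groupTypes": []},
    {"@odata.type": "#microsoft.graph.group", "displayName": "All Staff (distribution list)",
     "securityEnabled": False, "groupTypes": []},
    {"@odata.type": "#microsoft.graph.directoryRole", "displayName": "Global Administrator"},
]


if __name__ == "__main__":
    # Live check; the environment variable names are an assumption of this example.
    tenant = os.environ["ABR_TENANT"]
    token = get_app_token(tenant, os.environ["ABR_APP_ID"], os.environ["ABR_SECRET"])
    member_of = fetch_member_of(token, os.environ["ABR_TEST_EMAIL"])
    print("Security groups:", security_groups(member_of))
    print("Admin roles:", admin_roles(member_of))
```

Run with the four environment variables set; a token error points at the tenant name, Application ID or Secret Key, a 403 on the memberOf call points at the permission or missing admin consent, and the printed security groups are the ones you should expect to see under the computer's Groups in Inventory.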
A Note on Expiry
The option to select Never as expiry has been discontinued by Microsoft. This means that you have to re-run the procedure every 2 years. If you forget to do that, you will be notified on the Summary page in your Admin By Request User Portal when your App Registration is no longer functional. When the App Registration has expired, endpoints can no longer refresh group memberships through Microsoft Graph. The short-term impact is not catastrophic because the endpoints will use a cache, but a new App Registration should be made as soon as possible after expiry.
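Rather than waiting for the Summary page to report a dead connector, the secret's end date can be checked ahead of time. The script below is an added example, not Admin By Request's own code; it works on the passwordCredentials list that Microsoft Graph returns for an application object (GET /v1.0/applications/{object-id}), the 30-day warning window is an assumption, and the credential list and the "current" date it runs against are constructed so it runs offline.

```python
"""Flag App Registration client secrets that are expired or about to expire.
Added example, not Admin By Request's own code; input is the passwordCredentials
list Microsoft Graph returns for GET /v1.0/applications/{object-id}."""
import re
from datetime import datetime, timezone

WARN_DAYS = 30  # assumption: warn this many days ahead of expiry


def parse_graph_time(value: str) -> datetime:
    """Graph timestamps are UTC ISO 8601 with an optional fractional-second part
    of up to seven digits, which datetime.fromisoformat() does not accept on
    every Python version; strip it before parsing."""
    base = re.sub(r"\.\d+(?=Z$)", "", value)
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def secret_status(credentials: list, now: datetime, warn_days: int = WARN_DAYS) -> list:
    """Classify each client secret as expired, expiring (within warn_days) or ok."""
    report = []
    for cred in credentials:
        days_left = (parse_graph_time(cred["endDateTime"]) - now).days
        if days_left < 0:
            state = "expired"
        elif days_left <= warn_days:
            state = "expiring"
        else:
            state = "ok"
        report.append({
            "name": cred.get("displayName") or cred["keyId"],
            "days_left": days_left,
            "state": state,
        })
    return report


def has_usable_secret(credentials: list, now: datetime) -> bool:
    """True if at least one secret has not expired, i.e. the connector can still
    refresh group memberships through Microsoft Graph."""
    return any(entry["state"] != "expired" for entry in secret_status(credentials, now))


# Constructed sample: two connector secrets from successive renewals and one without a name.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_CREDENTIALS = [
    {"keyId": "00000000-0000-0000-0000-000000000001", "displayName": "ABR connector 2022",
     "endDateTime": "2024-05-15T10:00:00Z"},
    {"keyId": "00000000-0000-0000-0000-000000000002", "displayName": "ABR connector 2024",
     "endDateTime": "2024-06-20T10:00:00.1234567Z"},
    {"keyId": "00000000-0000-0000-0000-000000000003", "displayName": None,
     "endDateTime": "2026-06-01T00:00:00Z"},
]

if __name__ == "__main__":
    for entry in secret_status(SAMPLE_CREDENTIALS, SAMPLE_NOW):
        print(f"{entry['state']:9} {entry['days_left']:5d} days  {entry['name']}")
```

Scheduling this against the live application object (using a token obtained the same way the connector does) and alerting on any "expiring" entry gives the 2-year renewal a reminder that does not depend on someone noticing the Summary page; the old secret can stay until the new one is saved in the portal, so the cache is never the only thing keeping Sub-Settings working.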
Azure AD joined Windows 10 Computers
Computers would typically be joined to Azure AD as part of provisioning with Autopilot or similar. To join a Windows 10 computer to Azure AD manually, follow this procedure:
- Log in as a local administrator to the Windows 10 computer
- Navigate to Settings and select Accounts
- Click Access work or school in the left menu and click Connect on the right side
- Click the Join this device to Azure Active Directory option at the bottom
- Follow the rest of the prompts in the wizard:
If a Windows 10 computer is Azure AD joined, it behaves in the same way as an Active Directory domain joined computer, except that it uses Azure AD as the directory service. Because the computer is now joined to Azure AD, any user from the Azure Active Directory can log on to the computer, just like in a domain:
Because both computers and users are now known entities in Azure AD, Admin By Request can retrieve the groups from both and use the correct Sub-Settings (assuming Azure AD Connector is set up correctly).
Azure AD Global and Device Administrators
When you Azure AD join your computer, Windows 10 adds the following members to the local Administrators group:
- The Azure AD global administrator role (Company Administrator group)
- The Azure AD device administrator role (Device Administrator group)
- The user performing the Azure AD join
Admin By Request removes local admin rights from the user who performed the join, but leaves the global and device administrator groups in the local Administrators group. When you log on with a global or device administrator account, the tray icon appears red, which means you are a permanent administrator.
When computers are not Azure AD joined, users can still workjoin to Azure Active Directory and use Azure services. This happens automatically when the user configures an Office 365 mailbox. When the user starts Outlook, it requests their Office 365 account credentials:
When the credentials are accepted, a workjoin happens automatically in the background and the account entered by the user will automatically appear in the workjoined list:
This could also be manually done by the user if they navigate to Settings > Account > Access work or school and add their Azure AD account. If the user removes the workjoin, Outlook no longer has a connection to Azure AD and will request credentials again, which in turn will re-instate the workjoin. In other words, any user with a mapped Office 365 mailbox on Windows 10 is workjoined to Azure AD, and Admin By Request Sub-Settings based on user groups will work.
Office groups are not collected for Sub-Settings or inventory because they are not security groups and are outside your direct control. Users can belong to thousands of Office groups, since end users create and modify them continually, e.g., whenever someone creates a new Teams category.
When the green checkmark appears in your User Portal after saving your Azure AD Connector settings, it signifies that the adapter is functional. However, if the client doesn't pick up the Sub-Settings you expect, you may need help determining the issue. For troubleshooting, you can at any time go to an endpoint, right-click the Admin By Request tray icon and select About. The Connectivity tab shows whether there is connectivity or not:
If everything looks correct but the expected Sub-Settings are still not applied, navigate to your Inventory, locate the computer in question, and open Groups in the left-hand menu. This shows the groups the client collected, so you can check whether the group a Sub-Setting depends on was actually found. If you still have problems getting Azure AD Connector to work as expected, contact us at any time using the Contact page in the top menu.