
Microsoft Active Directory Integration

Easily synchronize your company directory and user data.

  • Effortless synchronization: The Microsoft Active Directory integration uses Microsoft Graph API to securely sync data with Telia Smart Connect. Once set up, the integration allows seamless updates for all users in your Microsoft tenant.
  • Flexible mapping: Map Azure Active Directory fields to Telia Smart Connect fields, including custom tags for skills, locations, or other searchable keywords.


Requirements

To set up the integration, you need a valid Microsoft Azure Tenant ID, Client ID and Client Secret for the application.

Required Azure permissions

Azure requirements

AD setup

An easy automated setup is the default. Manual client setup can be toggled on to set up your own client that exists in the customer’s “App registrations” in Microsoft Entra ID.

The automated setup inherits the application from Telia, which controls and renews it, so there is no need to update secrets or handle timeout issues.

Enter your Tenant ID. When you save, you will be redirected to a Microsoft login where you need to pick an admin account for the tenant. After login, you need to consent to the permissions requested by the “Telia Smart Connect – AD User Sync” application.

Accepting the permissions will create an application in your Entra ID “Enterprise applications”. If you are not able to consent on behalf of the organization, you might need to open “Permissions” for the application and choose “Grant permission for…”

Integration service configuration

1. In the Azure Active Directory click on “App registration”.

2. Click on “New registration”.

3. Enter any name for the application, for example “Telia Active Directory Synchronization”, and click on “Register”.

4. The application will be created and an Application (client) ID generated. The same view will display your Directory (tenant) ID. Both the Client ID and Tenant ID need to be entered into the Active Directory integration configuration page in Telia Admin Portal.

5. Open “Certificates & secrets” in the application view in the Azure Admin portal and click on “New client secret”.

6. Give the secret a name and select an expiration time for the secret. After the secret expires, a new one needs to be generated and updated in the Active Directory configuration in Telia Admin Portal. Click on “Add” when finished.

7. Copy the client secret and paste it in the Active Directory integration configuration page in Telia Admin Portal.

8. Open “API permissions” in the application view in the Azure Admin portal and click on “Add a permission”.

9. Click on “Microsoft Graph”.

10. Click on “Application permissions”.

11. Select “User.Read.All” and click on “Add permissions” to add the permission.

12. Click on “Grant admin consent for <Company Name>”.

13. Confirm the permission in the popup.
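To confirm that steps 8 to 13 took effect, you can inspect the claims of an app-only access token issued to the new registration. The following is an added example, not Telia's or Microsoft's code: it decodes the token payload for diagnostics only (no signature check), the tokens and tenant ID are constructed, and `required_role` defaults to the permission named in step 11.

```python
import base64
import json
import time

def decode_claims(token):
    """Decode the JWT payload without verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_app_token(token, tenant_id, required_role="User.Read.All", now=None):
    """Return a list of problems; an empty list means the registration looks right."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("tid") != tenant_id:
        problems.append("token issued for a different tenant")
    if "scp" in claims:  # scp marks a delegated token, roles an application token
        problems.append("delegated token (scp claim); application permissions are required")
    roles = claims.get("roles", [])
    if required_role not in roles:
        problems.append(f"{required_role} missing from roles; add it and grant admin consent")
    extra = sorted(set(roles) - {required_role})
    if extra:  # least privilege: the sync only reads users
        problems.append("more Graph roles than the sync needs: " + ", ".join(extra))
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems

def make_sample_token(claims):
    """Build an unsigned, constructed token for the demo below."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])

TENANT = "11111111-2222-3333-4444-555555555555"  # constructed placeholder tenant ID
GOOD = make_sample_token({"tid": TENANT, "roles": ["User.Read.All"], "exp": 2000000000})
NO_CONSENT = make_sample_token({"tid": TENANT, "exp": 2000000000})
BROAD = make_sample_token(
    {"tid": TENANT, "roles": ["Directory.ReadWrite.All", "User.Read.All"], "exp": 2000000000})

if __name__ == "__main__":
    for name, tok in [("good", GOOD), ("no consent", NO_CONSENT), ("broad", BROAD)]:
        print(name, check_app_token(tok, TENANT, now=1700000000))
```

A token without a `roles` claim is what you get when the permission was added but admin consent was never granted, which matches the "status OK but 0 users" symptom in the FAQ.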

Limited Users

Limited Users are users in the AD without corresponding users in the solution; by enabling and synchronizing them, they become visible in the solution.

To add limited users, click on the menu in the top left corner > Integrations > choose the AD tab > Setup > choose the AD integration you want to add limited users to > click on Limited Users.

When adding limited users you can choose to add all users from the AD at the same time, or you can filter them according to AD Sync advanced query capabilities. When you have filtered (or not) and are ready to sync limited users, click on the save button and a pop-up will let you confirm how many limited users will be added.

FAQ

We are not allowed to give Application permissions, can we use Delegated permissions?
No.

What if I use the same number on multiple users in Active Directory?
You will get an option in the “Users”-tab on which user you want to synchronize.

Can I change which user is mapped with a specific number?
It depends. The user’s number in the solution needs to be mapped with a number in Active Directory. If multiple users have the same number in Active Directory, you will get an option to select which user you want to synchronize the data from.

Can I synchronise profile pictures?
No, not at the moment.

Can I have multiple Microsoft Tenants synchronised to the same Telia solution?
Yes.

Can I have the same Microsoft Tenant synchronised to multiple Telia solutions?
Yes.

How often is the data updated?
Once every 12 hours; the timer is based on the last sync. You can see the last synced time in the “Users”-tab in the Active Directory settings in Telia’s admin portal. It is also possible to sync a single user manually in the user list.

Can I manually trigger an update of the user mapping?
Yes. Make a change in the Active Directory configuration in Telia admin portal, such as the TenantId or ClientId, change it back to a valid value and save. This will trigger an instant update of the integration. It’s also possible to manually synchronize single users from the “Users”-tab in the Active Directory settings in Telia’s admin portal.

The status icon for the integration is OK (green checkmark), but number of users is still 0?
The unique identifier is the mobilePhone or businessPhones fields from Azure Active Directory. If you don’t have any data in those fields for any users, no user will be synchronized.

It might also be due to missing permissions. Verify that the application in Azure Active Directory has the correct permissions for User.ReadBasic.All (Application) and that you have granted admin consent.

After I save the configuration in Telia Switchboard the status is red with an error code?
The error message is returned from Azure Active Directory. You can look up the error code here: https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-aadsts-error-codes

I created a valid synchronisation and I see users in the Active Directory users list. But no new data is displayed in the switchboard?
The user details data is cached. You need to reload the switchboard for the updated data to be visible.

All our users have two phone numbers, where one is the company number. How do we map the correct user?
You will have to manually select which user to map with which number.

Can I synchronize users that don’t exist in Telia’s solution (passive users)?
No, not at the moment.

Which Graph API endpoint is used by the integration?
https://graph.microsoft.com/v1.0/users
With a filter for enabled accounts and a number in the mobile phone or business phone field.

Which fields can I use to map and synchronize?
All fields described in Microsoft’s documentation here: https://docs.microsoft.com/en-us/azure/active-directory-b2c/user-profile-attributes

Is it possible to filter which users are synchronised from Azure Active Directory?
No, not at the moment. You can toggle synchronization off for a specific user.

The configurator complains about invalid client secret with error code 7000215?
If you just created the secret, wait a minute and try again by adding the secret again and saving the settings. If that doesn’t help, verify that you copied and pasted the secret correctly.

Can I disable the synchronization for a specific user?
Yes, from the “users”-tab in the integration configuration in Telia’s Admin portal.

I have a user that I don’t want to synchronize?
The service will fetch users and user data, and update the data right after the configuration is completed. After you created a new integration, but before you set it up, you are able to open the users-tab and disable the synchronization for single users.

Will the synchronization overwrite existing data in Active Directory?
No, the synchronization is one way only. Data is fetched from Active Directory and populates the fields in Telia’s Switchboard solution.

Will the synchronization overwrite existing data in Telia’s Switchboard solution?
As long as you have mapped a value to a field in the Active Directory synchronization setup, it will overwrite existing data with data fetched from Active Directory. For example, if you have added tags to users in Telia’s Switchboard solution and you haven’t set up any field for mapping of tags in the Active Directory synchronization service, the tags will not be overwritten. But if you have set up, for example, postalCode to be mapped to the tags field, all tags will be overwritten with whatever data you have in the postalCode attribute in Active Directory. Users without any value in postalCode in Active Directory will be left without tags in Telia’s Switchboard solution.

Is the attribute mapping case sensitive?
Yes, so givenName will work, but not givenname, Givenname or GIVENNAME.

My custom attribute mapping isn’t working?
Each attribute needs to be unique. For example, you can’t use givenName on multiple attributes.

Some of the data from Active Directory won’t synchronize to Telia’s Switchboard solution?
Anything within a less than sign (<) and a greater than sign (>) will be excluded from the synchronization.

I have 100 users in the solution, but the counter states that only 70/70 are synchronized?
Only users with a valid entity in Azure AD that is mapped to a number in the switchboard solution will be counted.

Some of the users are displayed without GUID, last sync, status and sync now-buttons?
Users that exist in the switchboard solution but have no match in Azure AD will be displayed like that.

I have a user in Azure AD and Telia’s switchboard solution, but the information isn’t updated?
Verify that the user has the correct phone number in Azure AD and try to run the synchronization again.
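Several of the answers above describe rules you can check before saving a mapping: attribute names are case sensitive, each attribute can be mapped once, only enabled users with a phone number are matched, text inside `<` and `>` is excluded, and a mapped field is overwritten even when the AD value is empty. The following is an added example that models those rules, not Telia's implementation; the user records are constructed, the solution field names `firstName` and `title` are hypothetical, and the exact bracket-stripping behaviour is an assumption.

```python
import re

ANGLE = re.compile(r"<[^<>]*>")  # assumption: "<...>" is dropped, brackets included

def validate_mapping(mapping, known_attrs):
    """mapping: solution field -> AD attribute. Returns a list of problems."""
    problems, seen = [], {}
    by_lower = {a.lower(): a for a in known_attrs}
    for field, attr in mapping.items():
        if attr not in known_attrs:  # names are case sensitive
            hint = by_lower.get(attr.lower())
            problems.append(f"{field}: use '{hint}', not '{attr}'" if hint
                            else f"{field}: unknown attribute '{attr}'")
        if attr in seen:  # an attribute may be mapped only once
            problems.append(f"{field}: '{attr}' is already mapped to {seen[attr]}")
        seen.setdefault(attr, field)
    return problems

def preview_sync(users, mapping):
    """Return what each matched user's mapped fields would be overwritten with."""
    rows = []
    for u in users:
        numbers = [n for n in [u.get("mobilePhone"), *u.get("businessPhones", [])] if n]
        if not u.get("accountEnabled") or not numbers:
            continue  # disabled, or no phone number to match on
        fields = {f: ANGLE.sub("", u.get(a) or "").strip() for f, a in mapping.items()}
        rows.append({"name": u["displayName"], "numbers": numbers, "fields": fields})
    return rows

# Constructed sample data; "firstName", "title" and "tags" are hypothetical field names.
KNOWN = {"givenName", "surname", "displayName", "jobTitle", "department", "postalCode"}
BAD_MAPPING = {"firstName": "givenname", "title": "jobTitle", "tags": "jobTitle"}
GOOD_MAPPING = {"title": "jobTitle", "tags": "postalCode"}
USERS = [
    {"displayName": "Anna Berg", "accountEnabled": True, "mobilePhone": "+46700000001",
     "businessPhones": [], "jobTitle": "Support <internal>", "postalCode": "11122"},
    {"displayName": "Nils Ek", "accountEnabled": True, "mobilePhone": None,
     "businessPhones": [], "jobTitle": "Sales", "postalCode": "41101"},
    {"displayName": "Old Account", "accountEnabled": False, "mobilePhone": "+46700000003",
     "businessPhones": [], "jobTitle": "Sales", "postalCode": "41101"},
    {"displayName": "Sara Lind", "accountEnabled": True, "mobilePhone": None,
     "businessPhones": ["+46800000004"], "jobTitle": "Engineer", "postalCode": None},
]

if __name__ == "__main__":
    print(validate_mapping(BAD_MAPPING, KNOWN))
    for row in preview_sync(USERS, GOOD_MAPPING):
        print(row)
```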
