Create Azure AD mapping for user provisioning

Last updated
Save as PDF
Share
1. Share

Prerequisites

Credentials and permissions

You must have a Microsoft 365 Global administrator account. If you do not have Microsoft Global admin credentials, you can do either of the following:
- Get them from your organization’s Microsoft 365 Global admin.
- Send an email to Microsoft 365 Global administrator and request them to authorize and configure inSync to access Microsoft 365. Perform the following steps:

On the Druva Management Console menu bar, click Users > Deployment.
On the Deployment page, click Do not have Global Admin Credentials? link. The Azure AD Integration pop-up appears.
In the Azure AD Integration pop-up, enter the email address of the recipient and click Send Email. inSync will notify and send an email for your request.

You must be a Druva Cloud Administrator or an inSync Cloud Administrator

Configurations

Create a profile that has only SaaS Apps enabled and settings configured in it. For more information, see Configure a profile to protect Microsoft 365 app data.
Configure SaaS Apps settings to define the user access settings of their SaaS Apps account. By default, inSync uses the email address of inSync users. You can configure inSync to use the User Principal Name (UPN). For more information, see Configure SaaS Apps Settings for Microsoft 365.
Your inSync storage region is configured..
AD/LDAP Connector is installed and configured. For more information. see Integrate inSync user management with AD/LDAP.

Step 1: Configure Druva to use Azure (AD)

Before you begin ensure that inSync is authorized and configured to access Microsoft 365. See, Configure inSync for Microsoft 365.

On the Druva Management Console menu bar, click Users > Deployment.
On the User Deployment page, click Use Azure AD to use Azure AD mappings to import and manage users.
On the confirmation dialog box that appears, read the message and click Confirm. You will be redirected to the Azure AD page. Now, you can create Azure AD mapping to import users.

Step 2: Create mapping

You can create multiple mappings to classify users and allocate them to a different profile, storage region, and storage quota.

Note: You can import users from Microsoft 365 Multi-Geo tenant based on their geo-location, group them in a profile and assign Druva storage as per their geo-location. Create Azure AD mapping with the attribute name as “preferredDataLocation”. For example, if your preferred geo location is Canada, create an Azure AD mapping as follows:

Azure AD Attribute {preferredDataLocation}
= {CAN}

Procedure

On the Azure AD Deployment page, click New Mapping.
In the Mapping Configuration tab specify the following:

Mapping Details
Mapping Name	Specify a name for the Azure AD Integration mapping.
Filter Users by
Groups	Import users that belong to a specific Azure AD group. In the Groups field, enter one or multiple Groups. You can enter the first letter, and a list of the top 10 Azure AD groups is displayed. The supported group types are M365, Security, etc.
Azure AD Attributes	Import users based on a specific Azure AD attribute name and matching values. Specify the Azure AD attribute name. In the Value(s) box, type the value for the attribute. See Reference for Attributes list. Considerations: The filter is case-sensitive. The value you specify in the Azure AD mapping and the attribute value should be in the correct case. the same case that graph API returns. For example, displayName, companyName, postalCode, preferredDataLocation. Use a comma to specify multiple values for the attribute. Only the user accounts, that match the values specified in the box are mapped to this mapping.
All Users	Import all the users based on no criteria

Click Next.
In the Backup Configuration tab, specify the following details:

Assign Storage	Storage on which the user data should be saved
Assign Profile	Profile to which the users should be assigned
Default Quota	Default storage quota per user. Enter 0 for unlimited storage.
Send activation email to newly added users	Select if you want to send an invitation email to all the newly added users

Click Finish. Azure AD mapping is created and listed on the Azure AD listing page.

Step 3: Verify the mapping

You can verify your mappings using the following approaches.

Click on the mapping you have created to view the details.
Any new Azure AD Mapping or an update to an existing Azure AD mapping is logged in the administrator audit trails.

For more information, see View audit trail for administrators.

The User Provisioning Report also records the users' details managed by Azure AD.

Azure AD Attributes

inSync supports Microsoft 365 Graph API and attributes under user resource type.

►The following table provides a list of attributes that you can use

Attribute	Sample Value
accountEnabled	true
ageGroup	null
city	null
createdDateTime	2020-12-24
creationType	null
companyName	ABC
country	null
department	QA,HR,Finance
displayName	'scriptalertXSSscript'_edited
employeeId	null
employeeHireDate	null
employeeOrgData	null
employeeType	null
isManagementRestricted	null
isResourceAccount	null
jobTitle	SSE
legalAgeGroupClassification	null
mail	null
officeLocation	null
onPremisesDomainName	null
onPremisesImmutableId	null
onPremisesLastSyncDateTime	null
onPremisesSecurityIdentifier	null
onPremisesSamAccountName	null
onPremisesSyncEnabled	null
onPremisesUserPrincipalName	null
passwordPolicies	null
postalCode	null
preferredDataLocation	null
preferredLanguage	null
refreshTokensValidFromDateTime	2020-12-24
showInAddressList	null
signInSessionsValidFromDateTime	null
state	null
streetAddress	null
surname	lastn
usageLocation	null
userPrincipalName	'scriptalertXSSscript'@test.onmicrosoft.com
externalUserState	null
externalUserStateChangeDateTime	null
userType	Member

SUPPORT community

support Resources

More links

Support Contacts