Azure AD Integration - Connect IT Community | Kaseya
<main> <article class="userContent"> <p><span data-contrast="auto">The BMS integration with Azure Active Directory enables contacts and users to be automatically created and synced based on the users that are defined in one or more Active Directory tenants. Primary integration is with Azure AD, but it can be used with on-premises Active Directory via Azure AD Connect. Additionally, Active Directory records will propagate to IT Glue if that integration is enabled.</span></p> <p><img src="https://us.v-cdn.net/6032361/uploads/migrated/IGCV3ARJKFND/mceclip0.png" alt="mceclip0.png" class="embedImage-img importedEmbed-img"></img></p> <h2 data-id="azure-ad-to-bms-mapping-overview"><span data-contrast="auto">Azure AD to BMS Mapping Overview</span></h2> <ul><li> <span data-contrast="auto">Mapping of users from Active Directory to BMS is based on Security Group. If a user belongs to more than one Security Group, the Order value determines which record has precedence: the lowest Order value wins. If two groups have the same Order value, the oldest group has precedence.</span><span data-ccp-props="{"134233279":true,"335559738":200}"> </span> </li> <li> <span data-contrast="auto">BMS matches Active Directory records to existing records based on email address. Where the email address in the AD record is found in BMS, those records will be merged. Where the email address is not found, a new record will be created in BMS. The record identifier for contacts created locally in BMS is not changed, so no linkages to tickets or other record types are affected.</span><span data-ccp-props="{"134233279":true,"335559738":200}"> </span> </li> <li> <span data-contrast="auto">After the initial sync, any updates to records in Active Directory will automatically be pushed to BMS. It takes up to 3 minutes for changes in Active Directory to be synced to BMS.</span><span data-ccp-props="{"134233279":true,"335559738":200}"> </span> </li> <li> <span data-contrast="auto">Any changes to a synced record in BMS will persist until the record is changed in Active Directory, at which point the local changes will be overwritten.</span><span data-ccp-props="{"134233279":true,"335559738":200}"> </span> </li> <li><span data-contrast="auto">Records deleted in Active Directory will be deactivated in BMS, but not deleted.</span></li> <li>The table below indicates the field mapping between Active Directory and BMS. When any field in the AD user record is updated, whether mapped or not, AD sends a notification to BMS to update the record. 
However, only the fields listed below are consumed.</li> </ul><table border="1px"><caption><strong>Field Mapping Table</strong></caption><tbody><tr><td><strong>AD Field</strong></td> <td><strong>BMS Field</strong></td> </tr><tr><td>First Name</td> <td>First Name</td> </tr><tr><td>Last Name</td> <td>Last Name</td> </tr><tr><td>User Principal Name</td> <td>Username</td> </tr><tr><td> <table><tbody><tr><td><strong>Source</strong></td> <td><strong>Field</strong></td> </tr><tr><td>Microsoft Account</td> <td>Email</td> </tr><tr><td>Azure AD</td> <td>User Principal Name</td> </tr><tr><td>External AD</td> <td>User Principal Name</td> </tr></tbody></table></td> <td>Email</td> </tr><tr><td>Office Phone</td> <td> <table><tbody><tr><td><strong>Type</strong></td> <td><strong>Field</strong></td> </tr><tr><td>Employee</td> <td>Phone</td> </tr><tr><td>Contact</td> <td>Phone Number<br>(Default Phone Type)</td> </tr></tbody></table></td> </tr><tr><td>Job Title</td> <td>Job Title</td> </tr></tbody></table><h1 aria-level="1" data-id="azure-ad-setup"> <span data-contrast="none">Azure AD Setup</span><span data-ccp-props="{"335559738":240}"> </span> </h1> <p><span data-contrast="auto">Kaseya BMS accesses the user records in your Azure AD tenant via the Microsoft Graph API. 
In order to do this, BMS must be authenticated and authorized by the Microsoft Identity Platform using the OAuth 2.0 standard.</span><span data-ccp-props="{"335559738":200}"> </span></p> <h2 id="h_01EDR511M4TFMWTC3T8JSJAB5M" data-id="step-1-bms-registration"> <span data-contrast="none">Step 1: BMS Registration</span><span data-ccp-props="{"335559738":200}"> </span> </h2> <p><span data-contrast="auto">In this part of the setup, you will register BMS with your Azure AD tenant. For background, see </span><a rel="nofollow" href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fdevelop%2Fquickstart-register-app%23register-a-new-application-using-the-azure-portal"><span data-contrast="none">this section</span></a><span data-contrast="auto"> of the Microsoft Identity Platform documentation.</span></p> <ol><li> <span data-contrast="auto">Navigate to your Azure AD tenant.</span><span data-ccp-props="{"134233279":true,"335559738":200}"> </span> </li> <li data-leveltext="%1." data-font=""Franklin Gothic Book", "Franklin Gothic Book_MSFontService", sans-serif" data-listid="13" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"> <span data-contrast="auto">Note your <strong>tenant domain name</strong>; you will need this later.</span> <p>The domain name is found as <strong>Current directory</strong> in your Microsoft directory subscription details. 
If you do not have a fully qualified domain name and are using the Microsoft sub-domain, it will be <em>yoursubdomain.onmicrosoft.com</em>. Refer to <em><span data-contrast="auto"><a href="https://kaseya.vanillacommunities.com/kb/articles/aliases/kaseya/hc/en-gb/articles/115002521251" rel="noopener nofollow">How to Find My Azure AD Tenant Name</a></span></em>.</p> </li> <li data-leveltext="%1." data-font=""Franklin Gothic Book", "Franklin Gothic Book_MSFontService", sans-serif" data-listid="13" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1">Under <span data-contrast="auto">Manage</span><span data-contrast="auto">, click </span><strong><span data-contrast="auto">App Registration</span></strong><span data-contrast="auto">.</span><span data-ccp-props="{"134233279":true,"335559738":200,"335559739":200}"> </span> </li> <li data-leveltext="%1." data-font=""Franklin Gothic Book", "Franklin Gothic Book_MSFontService", sans-serif" data-listid="13" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1">Click <strong><span data-contrast="auto">+New Registration</span></strong><span data-contrast="auto">.</span> </li> <li data-leveltext="%1." data-font=""Franklin Gothic Book", "Franklin Gothic Book_MSFontService", sans-serif" data-listid="13" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1">Name the application<span data-contrast="auto">, e.g., <em>Kaseya BMS</em>.</span> </li> <li data-leveltext="%1." data-font=""Franklin Gothic Book", "Franklin Gothic Book_MSFontService", sans-serif" data-listid="13" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"> <span data-contrast="auto">Under Supported Account Types, make BMS multi-tenant. You can select either option beginning with </span><strong>Accounts in any organizational directory...</strong> </li> <li data-leveltext="%1." 
data-font=""Franklin Gothic Book", "Franklin Gothic Book_MSFontService", sans-serif" data-listid="13" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1">Enter the following Redirect URI: <span data-contrast="auto">https://&lt;server-base-url&gt;/OAuth/IntegrationCallback.aspx</span><br><ol><li data-leveltext="%1." data-font=""Franklin Gothic Book", "Franklin Gothic Book_MSFontService", sans-serif" data-listid="13" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><span data-contrast="auto"><strong>US</strong> server: <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fbms.kaseya.com">https://bms.kaseya.com</a>/OAuth/IntegrationCallback.aspx</span></li> <li><span data-contrast="auto"><strong>UK</strong> server: <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fbmsemea.kaseya.com">https://bmsemea.kaseya.com</a>/OAuth/IntegrationCallback.aspx</span></li> <li><span data-contrast="auto"><strong>APAC</strong> server: <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fbmsapac.kaseya.com">https://bmsapac.kaseya.com</a>/OAuth/IntegrationCallback.aspx</span></li> <li><span data-contrast="auto"><strong>Vorex</strong>: <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fwww.vorexlogin.com">https://www.vorexlogin.com</a>/OAuth/IntegrationCallback.aspx</span></li> </ol></li> <li data-leveltext="%1." 
data-font=""Franklin Gothic Book", "Franklin Gothic Book_MSFontService", sans-serif" data-listid="13" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1">On the <span data-contrast="auto">Ap</span><span data-contrast="auto">plication Overview page, note the <strong>Application ID</strong>.</span> </li> </ol><p><span data-contrast="auto"><img src="https://us.v-cdn.net/6032361/uploads/migrated/989BO09KMHQM/mceclip10.png" alt="mceclip10.png" class="embedImage-img importedEmbed-img"></img></span></p> <h2 data-id="step-2-bms-permissions"><span data-contrast="auto">Step 2: BMS Permissions</span></h2> <p><span data-contrast="auto">In this part of the setup, you will </span><span data-contrast="auto">grant BMS permissions to access the Microsoft Graph API as the signed in BMS user. For </span><span data-contrast="auto">background</span><span data-contrast="auto">, see </span><a rel="nofollow" href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fdevelop%2Fquickstart-configure-app-access-web-apis%23add-permissions-to-access-web-apis"><span data-contrast="none">this section</span></a><span data-contrast="auto"> of the Microsoft Identity Platform documentation.</span><span data-ccp-props="{"335559738":200}"> </span></p> <ol><li data-leveltext="%1." data-font="" data-listid="20" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"> <span data-contrast="auto">Navigate to App </span><span data-contrast="auto">Registrations, and</span><span data-contrast="auto"> </span><span data-contrast="auto">select your app, e.g., <em>Kaseya BMS</em>.</span> </li> <li data-leveltext="%1." 
data-font="" data-listid="20" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"> <span data-contrast="auto">Under </span><span data-contrast="auto">Manage</span><span data-contrast="auto">, select </span><span data-contrast="auto">API Permissions.</span><span data-ccp-props="{"134233279":true,"335559738":0,"335559739":200}"> </span> </li> <li data-leveltext="%1." data-font="" data-listid="20" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1">Under<span data-contrast="auto"> </span>Configured Permissions<span data-contrast="auto">, select</span><span data-contrast="auto"> </span><strong><span data-contrast="auto">Add</span></strong><strong><span data-contrast="auto"> </span></strong><strong><span data-contrast="auto">a</span></strong><strong><span data-contrast="auto"> </span></strong><strong><span data-contrast="auto">P</span></strong><strong><span data-contrast="auto">ermission</span></strong><span data-contrast="auto">.</span> </li> <li data-leveltext="%1." data-font="" data-listid="20" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1">From the <span data-contrast="auto">right side</span><span data-contrast="auto"> panel, select </span><strong><span data-contrast="auto">Microsoft Graph API</span></strong><span data-contrast="auto">.</span><span data-ccp-props="{"134233279":true,"335559738":200,"335559739":200}"> </span> </li> <li data-leveltext="%1." data-font="" data-listid="20" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1">Select <strong><span data-contrast="auto">Delegated Permissions</span></strong><span data-contrast="auto">. 
For</span><span data-contrast="auto"> background</span><span data-contrast="auto"> on permission types, see </span><a rel="nofollow" href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fdevelop%2Fv2-permissions-and-consent%23permission-types"><span data-contrast="none">this section</span></a><span data-contrast="auto"> of the Microsoft Identity Platform documentation.</span><span data-ccp-props="{"134233279":true,"335559738":200,"335559739":200}"> </span> </li> <li data-leveltext="%1." data-font="" data-listid="20" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1">Select the following permissions, and then click <strong><span data-contrast="auto">Add Permissions</span></strong><span data-contrast="auto">.</span> <ul><li data-leveltext="%1." data-font="" data-listid="20" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"> <span data-contrast="auto">Directory.Read.All</span><span data-ccp-props="{"134233279":true}"> </span> </li> <li data-leveltext="%1." data-font="" data-listid="20" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"> <span data-contrast="auto">Group.</span><span data-contrast="auto">Read.All</span><span data-ccp-props="{"134233279":true}"> </span> </li> <li data-leveltext="%1." data-font="" data-listid="20" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"> <span data-contrast="auto">User.Read</span><span data-ccp-props="{"134233279":true}"> </span> </li> <li data-leveltext="%1." data-font="" data-listid="20" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"> <span data-contrast="auto">User.Read.All</span><span data-ccp-props="{"134233279":true,"335559685":1434,"335559739":200,"335559991":357}"> </span> </li> </ul></li> <li data-leveltext="%1." 
data-font="" data-listid="20" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1">Click <strong><span data-contrast="auto">Grant Admin Con</span></strong><strong><span data-contrast="auto">s</span></strong><strong><span data-contrast="auto">ent</span></strong><strong><span data-contrast="auto">…</span></strong><span data-contrast="auto">, and</span><span data-contrast="auto"> accept.</span><span data-contrast="auto"> </span><span data-contrast="auto">For</span><span data-contrast="auto"> background </span><span data-contrast="auto">on this button</span><span data-contrast="auto">, see </span><a rel="nofollow" href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fdevelop%2Fv2-permissions-and-consent%23admin-restricted-permissions"><span data-contrast="none">this section</span></a><span data-contrast="auto"> of the Azure AD documentation.</span> </li> </ol><p><span data-contrast="auto"><img src="https://us.v-cdn.net/6032361/uploads/migrated/J4P0BNH1JO00/mceclip9.png" alt="mceclip9.png" class="embedImage-img importedEmbed-img"></img></span></p> <h2 id="h_01EDR59AM3RVXXW96Z7R7BK3ET" aria-level="2" data-id="step-3-bms-credentials"> <span data-contrast="none">Step 3: BMS Credentials</span><span data-ccp-props="{"335559738":200}"> </span> </h2> <p><span data-contrast="auto">BMS needs its own credentials in order to be able to authenticate itself to the </span><span data-contrast="auto">Microsoft Identity Platform. 
In this </span><span data-contrast="auto">part of the setup</span><span data-contrast="auto">, you will </span><span data-contrast="auto">generate a</span><span data-contrast="auto"> </span><span data-contrast="auto">client ID and secret key for BMS.</span><span data-contrast="auto"> </span><span data-contrast="auto">For </span><span data-contrast="auto">background</span><span data-contrast="auto">, see </span><a rel="nofollow" href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fdevelop%2Fquickstart-configure-app-access-web-apis%23add-credentials-to-your-web-application"><span data-contrast="none">this section</span></a><span data-contrast="auto"> of </span><span data-contrast="auto">the Microsoft Identity Platform documentation.</span><span data-ccp-props="{"335559738":200}"> </span></p> <ol><li data-leveltext="%1." data-font="" data-listid="29" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"> <span data-contrast="auto">Begin from the last screen of the previous section.</span><span data-ccp-props="{"134233279":true,"335559738":200}"> </span> </li> <li data-leveltext="%1." data-font="" data-listid="29" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"> <span data-contrast="auto">Under </span><span data-contrast="auto">Manage</span><span data-contrast="auto">, c</span><span data-contrast="auto">lick </span><span data-contrast="auto">Certificates & Secrets</span><span data-contrast="auto">.</span> </li> <li data-leveltext="%1." data-font="" data-listid="29" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1">Click <strong><span data-contrast="auto">+New Client Secret</span></strong><span data-contrast="auto">.</span> </li> <li data-leveltext="%1." 
data-font="" data-listid="29" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1">Complete the form that pops up.<span data-ccp-props="{"134233279":true,"335559738":200,"335559739":200}"> </span> </li> <li data-leveltext="%1." data-font="" data-listid="29" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"> <span data-contrast="auto"><strong>Copy</strong> the secret key to a notepad for use in the next section. This section gets hashed out once saved. Do not skip copying the values.</span><span data-contrast="auto"></span> <ul><li data-leveltext="%1." data-font="" data-listid="29" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><span data-contrast="auto">The data in the <strong>Value </strong>column should be copied.</span></li> </ul></li> </ol><h2 data-id="step-4-bms-setup"> <span data-contrast="none">Step 4: BMS Setup</span><span data-ccp-props="{"335559738":240}"> </span> </h2> <h3 aria-level="2" data-id="employee-defaults"> <span data-contrast="none">Employee Defaults</span><span data-ccp-props="{"335559738":200}"> </span> </h3> <p><span data-contrast="auto">In this part of the setup, you will set the mapping rules for employee records. Every employee record in BMS has certain mandatory fields. If this field is not set in the Active Directory record you must decide what value the field should default to.</span><span data-ccp-props="{"335559738":200}"> </span></p> <ol><li data-leveltext="%1." data-font="" data-listid="1" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"> <span data-contrast="auto">Navigate to Admin </span><span data-contrast="auto">></span><span data-contrast="auto"> My Company > </span><span data-contrast="auto">Auth & Provision.</span> </li> <li data-leveltext="%1." data-font="" data-listid="1" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><span data-contrast="auto">At the bottom of the page, select the <strong>Azure AD Sync</strong> radio button.</span></li> <li data-leveltext="%1." 
data-font="" data-listid="1" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><span data-contrast="auto">Complete the Employee Defaults section.</span></li> <li data-leveltext="%1." data-font="" data-listid="1" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"> <span data-contrast="auto">Click <strong>Save</strong>.</span><span data-ccp-props="{"134233279":true,"335559738":0,"335559739":200}"> </span> </li> </ol><h3><span data-ccp-props="{}"><img src="https://us.v-cdn.net/6032361/uploads/migrated/T49VM5SKGLK9/mceclip7.png" alt="mceclip7.png" class="embedImage-img importedEmbed-img"></img></span></h3> <h3 data-id="azure-ad-connection"> <span data-ccp-props="{}"> </span><span data-contrast="none">Azure AD Connection</span><span data-ccp-props="{"335559738":200}"> </span> </h3> <p><span data-contrast="auto">In this part of the setup, </span><span data-contrast="auto">you</span><span data-contrast="auto"> will plug in details of your Azure AD configuration into BMS. </span><span data-contrast="auto">From Azure, y</span><span data-contrast="auto">ou will need the following:</span><span data-ccp-props="{"335559738":200}"> </span></p> <ul><li data-leveltext="" data-font="Symbol" data-listid="21" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"> <a rel="nofollow" href="#h_01EDR511M4TFMWTC3T8JSJAB5M"><span data-contrast="auto">Tenant Domain Name</span></a><span data-ccp-props="{"134233279":true,"335559738":200}"> </span> </li> <li data-leveltext="" data-font="Symbol" data-listid="21" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"> <a rel="nofollow" href="#h_01EDR511M4TFMWTC3T8JSJAB5M"><span data-contrast="auto">Application ID for BMS</span></a><span data-ccp-props="{"134233279":true,"335559738":200}"> </span> </li> <li data-leveltext="" data-font="Symbol" data-listid="21" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"> <a rel="nofollow" href="#h_01EDR59AM3RVXXW96Z7R7BK3ET"><span data-contrast="auto">Client 
Secret for BMS</span></a><span data-ccp-props="{"134233279":true,"335559738":200}"> </span> </li> </ul><ol><li data-leveltext="%1." data-font="" data-listid="25" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"> <span data-contrast="auto">Click </span><strong><span data-contrast="auto">Add</span></strong><span data-contrast="auto"> under the Azure AD Connections tab.</span> </li> <li data-leveltext="%1." data-font="" data-listid="25" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1">Enter the <span data-contrast="auto">Tenant Domain Name, Application ID, and Application Key from your Azure AD configuration.</span> <ul><li data-leveltext="%1." data-font="" data-listid="25" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><span data-contrast="auto">Tenant Domain Name: your tenant name or the tenant ID; both work for this initial connection. Mapping rules, however, need only the ID.</span></li> <li data-leveltext="%1." data-font="" data-listid="25" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><span data-contrast="auto">Application ID: the Application ID noted in Step 1.</span></li> <li data-leveltext="%1." data-font="" data-listid="25" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><span data-contrast="auto">Application Key (BMS) = the client secret <strong>Value</strong> copied in Step 3.</span></li> </ul></li> <li><span data-contrast="auto">Click Azure Connect and authenticate using OAuth. 
</span></li> </ol><p><span data-contrast="auto"><img src="https://us.v-cdn.net/6032361/uploads/migrated/99E9AU0FE3YX/mceclip1.png" alt="mceclip1.png" class="embedImage-img importedEmbed-img"></img></span></p> <p><span data-contrast="auto"><img src="https://us.v-cdn.net/6032361/uploads/migrated/MUBN2MTX2IIY/mceclip0.png" alt="mceclip0.png" class="embedImage-img importedEmbed-img"></img></span></p> <p><img src="https://us.v-cdn.net/6032361/uploads/migrated/U9OBY5B6OY4K/mceclip11.png" alt="mceclip11.png" class="embedImage-img importedEmbed-img"></img></p> <h3 aria-level="2" data-id="mapping-rules"> <span data-contrast="none">Mapping Rules</span><span data-ccp-props="{"335559738":200}"> </span> </h3> <div> <strong>Warning:</strong> Once mapping rules are set and sync is initiated, BMS users will be associated with the new security group coming from the AD. Existing user access will be <strong>overridden</strong> with what is specified in the AD. Mapping rules should be set correctly as this controls the login access and module permissions for the synced users. <strong>Any synced user with no rules would have no access to BMS</strong>. 
</div> <p><span data-contrast="auto">In this part of the setup</span><span data-contrast="auto">,</span><span data-contrast="auto"> you will specify the groups you want to sync between BMS and Azure AD</span><span data-contrast="auto">.</span><span data-contrast="auto"> </span><span data-contrast="auto">From Azure, y</span><span data-contrast="auto">ou will need:</span><span data-ccp-props="{"335559738":200}"> </span></p> <ul><li data-leveltext="" data-font="Symbol" data-listid="36" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"> <span data-contrast="auto">Tenant Domain Name</span><span data-ccp-props="{"134233279":true,"335559685":714,"335559738":200,"335559991":357}"> </span> </li> <li data-leveltext="" data-font="Symbol" data-listid="36" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"> <span data-contrast="auto">Group Object ID</span><span data-ccp-props="{"134233279":true}"> </span> </li> </ul><ol><li data-leveltext="%1." data-font="" data-listid="42" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"> <span data-contrast="auto">In Azure, navigate to your Active Directory tenant, and under </span>Manage<span data-contrast="auto">, click </span><strong><span data-contrast="auto">Groups</span></strong><span data-contrast="auto">.</span> </li> <li data-leveltext="%1." data-font="" data-listid="42" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"> <span data-contrast="auto">Copy the </span><span data-contrast="auto">Group <strong>Object ID</strong></span><span data-contrast="auto"> for the groups you want to sync to BMS.</span> </li> <li data-leveltext="%1." data-font="" data-listid="42" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1">In BMS, click <strong><span data-contrast="auto">Add</span></strong><span data-contrast="auto"> under the </span>Mapping Rules<span data-contrast="auto"> tab.</span> </li> <li data-leveltext="%1." 
data-font="" data-listid="42" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1">Complete<span data-contrast="auto"> the </span><span data-contrast="auto">pop-up </span><span data-contrast="auto">form</span><span data-contrast="auto">, and</span><span data-contrast="auto"> click </span><strong><span data-contrast="auto">Save</span></strong><span data-contrast="auto">.</span> </li> <li data-leveltext="%1." data-font="" data-listid="42" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1">Go to the Azure AD Connections tab and click <strong><span data-contrast="auto">Sync</span></strong><span data-contrast="auto">.</span> </li> <li data-leveltext="%1." data-font="" data-listid="42" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"> <span data-contrast="auto">You can now</span><span data-contrast="auto"> navigate to CRM > </span><span data-contrast="auto">Contacts or HR </span><span data-contrast="auto">> </span><span data-contrast="auto">Employees to view synced records.</span> </li> </ol><p><img src="https://us.v-cdn.net/6032361/uploads/migrated/78MZB181S8QO/mceclip12.png" alt="mceclip12.png" class="embedImage-img importedEmbed-img"></img></p> <p>Tips</p> <ul><li>Your Active directory is always the source of truth. If you have a user <a rel="nofollow" href="mailto:user@mymsp.com">user@mymsp.com</a> as part of PSA's HR > Employees, and if your AD has this mapped as a Client portal user, AD will sync existing employee as a Client portal user in PSA.</li> <li> The user will be archived from HR and a new entry for the Client portal will be created in CRM. The archived user will have user_Archived in their username and <a rel="nofollow" href="mailto:user@mymsp.com_Archived">user@mymsp.com_Archived</a> in the email address.</li> <li>As both these user types are part of HR, One of them will have to be archived and the sync archives the one in Employees as the mapping rules set is for the Client portal. 
</li> <li>The system cannot have two different logins for one user. This will trigger an archive on the user part of the Employee. PSA then creates another user and makes it a Client portal user.</li> <li>If this was accidental, This has to be fixed in the AD. Make any false change to the user, like edit in the last name, job title, etc., so that the AD can push this change to PSA in real-time. </li> <li>If the archived user had a relational data, like tickets or invoices, the user cannot be renamed or deleted from the database.</li> </ul> </article> </main>
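<p>The sync rules described in the Mapping Overview and the Tips above (lowest Order wins with the oldest group as tie-break, email-based matching that merges or creates, AD overwriting local edits, archiving on a record-type change, deactivation on deletion) as an added worked example in Python. This is illustrative code written for this article, not BMS or Kaseya code; the AdUser, MappingRule and BmsStore classes, the sample users and groups, and the case-insensitive email comparison are all assumptions.</p>

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# AD -> BMS field mapping from the table on this page; the Email source attribute
# depends on the account source (Microsoft Account uses mail, the others the UPN).
EMAIL_SOURCE_ATTR = {"Microsoft Account": "mail", "Azure AD": "upn", "External AD": "upn"}

@dataclass
class AdUser:            # constructed stand-in for a Graph user object
    object_id: str
    first_name: str
    last_name: str
    upn: str
    mail: Optional[str]
    source: str          # "Microsoft Account", "Azure AD" or "External AD"
    office_phone: str
    job_title: str
    groups: List[str]    # Object IDs of the security groups the user belongs to

@dataclass
class MappingRule:       # one row of the BMS Mapping Rules tab
    group_id: str        # Group Object ID
    order: int           # lowest Order value wins
    created: str         # group creation date as ISO text; ties go to the oldest group
    record_type: str     # "Employee" (HR) or "Contact" (CRM / Client portal)

@dataclass
class BmsRecord:
    record_id: int
    record_type: str
    fields: Dict[str, str]
    active: bool = True

def pick_rule(user: AdUser, rules: List[MappingRule]) -> Optional[MappingRule]:
    """Lowest Order, then oldest group; a synced user with no rule gets no access."""
    matching = [r for r in rules if r.group_id in user.groups]
    return min(matching, key=lambda r: (r.order, r.created)) if matching else None

def map_fields(user: AdUser, record_type: str) -> Dict[str, str]:
    """Only the mapped fields are consumed; the phone target depends on record type."""
    email = getattr(user, EMAIL_SOURCE_ATTR[user.source])
    phone_field = "Phone" if record_type == "Employee" else "Phone Number"
    return {"First Name": user.first_name, "Last Name": user.last_name, "Username": user.upn,
            "Email": email, phone_field: user.office_phone, "Job Title": user.job_title}

class BmsStore:          # minimal stand-in for the BMS record tables
    def __init__(self) -> None:
        self.records: Dict[int, BmsRecord] = {}
        self.by_object_id: Dict[str, int] = {}

    def add_local(self, record_type: str, fields: Dict[str, str]) -> BmsRecord:
        rec = BmsRecord(len(self.records) + 1, record_type, dict(fields))
        self.records[rec.record_id] = rec
        return rec

    def sync_user(self, user: AdUser, rules: List[MappingRule]) -> Optional[BmsRecord]:
        rule = pick_rule(user, rules)
        if rule is None:
            return None                      # no matching rule: the user gets no BMS access
        fields = map_fields(user, rule.record_type)
        # Match on email address (case-insensitive comparison is an assumption).
        existing = next((r for r in self.records.values()
                         if r.fields.get("Email", "").lower() == fields["Email"].lower()), None)
        if existing is not None and existing.record_type == rule.record_type:
            existing.fields.update(fields)   # AD is the source of truth: local edits overwritten
            rec = existing                   # record identifier kept, so ticket links survive
        else:
            if existing is not None:         # type differs (e.g. Employee -> Client portal):
                existing.active = False      # archive the old login and create a new record
                for key in ("Username", "Email"):
                    existing.fields[key] = existing.fields.get(key, "") + "_Archived"
            rec = self.add_local(rule.record_type, fields)
        self.by_object_id[user.object_id] = rec.record_id
        return rec

    def ad_user_deleted(self, object_id: str) -> None:   # deleted in AD: deactivated, not deleted
        self.records[self.by_object_id[object_id]].active = False

def demo() -> BmsStore:
    """Constructed sample: Ann is in two groups and already has a local Contact record."""
    rules = [MappingRule("grp-admins", 2, "2020-01-01", "Employee"),
             MappingRule("grp-portal", 1, "2021-06-01", "Contact"),
             MappingRule("grp-staff", 1, "2019-03-01", "Employee")]
    store = BmsStore()
    store.add_local("Contact", {"First Name": "Ann", "Last Name": "Lee",
                                "Email": "Ann@example.com", "Job Title": "Buyer"})
    store.sync_user(AdUser("u1", "Ann", "Lee", "ann@example.com", "ann@example.com", "Azure AD",
                           "555-0100", "Purchasing Lead", ["grp-admins", "grp-portal"]), rules)
    store.sync_user(AdUser("u2", "Bob", "Ray", "bob@example.com", None, "External AD",
                           "555-0101", "Engineer", ["grp-portal", "grp-staff"]), rules)
    return store
```

Running demo() shows Ann landing on the Order 1 Contact rule and merging into record 1, while Bob's two Order 1 groups resolve to the older grp-staff rule and create an Employee record.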