
MF-BTIAAD sync setup (only Azure AD)

This manual describes the process needed to set up a sync between a member firm Azure AD and the
BTI Azure AD. Most scenarios are covered in this document, but if something is missing, please
feel free to contact adsupport@bakertilly.global

Prerequisites
- All users must have an active Microsoft 365 Business license.
- All users must have their first and last name filled in.
- All users must have an active email address in your Azure tenant.

Basic steps to work through:

1. Invite the adsupport@bakertilly.global account as guest user in your Azure tenant
   a. We then accept the invitation
2. In your tenant, you can then assign the "directory reader" role to the adsupport account.
3. Share the Azure GroupID you want the sync to run against in your tenant.
   a. (Optional) Create a BTI sync group in Azure AD.
4. Share the tenant ID of your firm.
5. (Optional) When 2FA is enabled, please follow this step
6. We can then set up the sync on the BTI server.
   a. Configure groupID, tenantID and user login in the test config file.

Contents
1 Invite account as guest user ... 2
2 Assign the “Directory Readers” role ... 3
3 Share the “Group objectID” to run the sync against ... 6
3.1 User addition/deletion - Sync group processflow ... 7
3.2 Create a security group in your tenant ... 8
3.2.1 Using dynamic membership rules – Users from existing group to new group ... 9
3.2.2 Setup Assigned Azure security group – Manual/PowerShell user addition ... 10
4 Share the tenant ID of your firm’s Azure tenant ... 11
5 Setup trusted location/IP for 2FA ... 12
5.1 Named Locations (IP ranges location) ... 12
5.2 Configure multifactor authentication trusted IPs ... 13
6 BTI sync setup on server ... 14
1 Invite account as guest user
1. Go to www.portal.azure.com
2. Login with an administrator account
3. Go to “Azure Active Directory”

4. Go to “Users”

5. Click on “New user” and then on “Invite external user”

6. Fill in the fields as displayed below and click on “Invite” at the bottom of the page.
7. To be sure: reply to the email thread that the invitation has been sent.
8. We accept the invitation and reply to the email thread.

2 Assign the “Directory Readers” role
Go to www.portal.azure.com and log in with a user with administrator rights to your own tenant.

9. Click on “Azure Active Directory”

10. Click on “Users”

11. Search for adsupport@bakertilly.global and click “AD Support/BTI sync user”.

12. Click on “Assigned Roles” and, if the “Directory Readers” role is not in the list, click on “Add assignments”.
13. Select the “Directory Readers” role and click on “Next” at the bottom of the page.

14. If you have an Azure P1 subscription: set “Assignment Type” to “Active”, fill in the “Enter justification” form and click on “Assign” at the bottom of the page. Otherwise go to step 16.
15. A message appears in the top right corner confirming the role assignment.
3 Share the “Group objectID” to run the sync against
To be able to set up the sync, a group must be present in Azure AD to read the users from. This group
is also used to manage your users in the BTI tenant. When a user is enabled AND has a license, it gets
synced into the BTI tenant. Removal of either of those properties results in the user being deleted in
the BTI tenant. See the images in paragraph 3.1 for the user addition and deletion flows.

16. Go to www.portal.azure.com and log in with a user with administrator rights to your own tenant.
17. Click on “Azure Active Directory”

18. Click on “Groups”

19. Select the group you want to sync your users from and copy the group ID
    a. Please note that nested groups are not supported; users must be present in the group individually!

20. Share the group “Object ID” with our team.
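Before sharing the Object ID, it is worth checking that every member of the group meets the prerequisites listed at the top of this manual (enabled, licensed, first and last name, email) and that no nested groups are present, since those members would be silently left out or deleted by the sync. The script below is an added example, not part of the original manual; it assumes the AzureAD PowerShell module and an existing Connect-AzureAD session, and $SyncGroupId is a placeholder you replace with your own group Object ID.

```powershell
# Added example: audit the BTI sync group against the sync prerequisites.
# Assumes the AzureAD module and an existing Connect-AzureAD session.
param([string]$SyncGroupId = "INSERT GROUP OBJECT ID")   # placeholder, replace with your group Object ID

$members  = Get-AzureADGroupMember -ObjectId $SyncGroupId -All $true
$problems = @()

foreach ($m in $members) {
    # Nested groups and other non-user objects are not supported by the sync.
    if ($m.ObjectType -ne 'User') {
        $problems += "$($m.DisplayName) [$($m.ObjectType)] is not a user; add its users to the group directly"
        continue
    }
    $u = Get-AzureADUser -ObjectId $m.ObjectId
    $issues = @()
    # Enabled AND licensed is what makes a user sync; losing either deletes it in the BTI tenant.
    if (-not $u.AccountEnabled)         { $issues += 'account disabled' }
    if ($u.AssignedLicenses.Count -eq 0) { $issues += 'no license assigned' }   # checks for any license, not the specific SKU
    if ([string]::IsNullOrWhiteSpace($u.GivenName) -or [string]::IsNullOrWhiteSpace($u.Surname)) {
        $issues += 'first or last name missing'
    }
    if ([string]::IsNullOrWhiteSpace($u.Mail)) { $issues += 'no email address' }
    if ($issues.Count -gt 0) {
        $problems += "$($u.UserPrincipalName): $($issues -join ', ')"
    }
}

if ($problems.Count -eq 0) {
    Write-Output "All $($members.Count) members meet the sync prerequisites."
} else {
    Write-Warning "$($problems.Count) member(s) need attention before the sync is set up:"
    $problems | ForEach-Object { Write-Output "  - $_" }
}
```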


3.1 User addition/deletion - Sync group processflow
3.2 Create a security group in your tenant
If you have no dedicated security group in your Azure tenant, you can set one up by following the
steps below. If you already have one, please skip to chapter/step 4.

21. Follow steps 16 and 17 to log in to your Azure tenant.

22. Click on “New group”.

Depending on the way you want to add users to the new group, the group is configured with the
“Membership type” Assigned or Dynamic user.

The options for those types are as follows:

- ONLY Azure AD Premium P1 or P2 licenses:
  o Dynamic user (recommended for multiple existing security groups and users)
    ▪ (Less technical) Using dynamic membership rules to add users
- All Azure licenses:
  o Assigned
    ▪ (Not technical) Manual addition of users (for firms with less than 20-30 users or no existing security groups)
    ▪ (More technical) PowerShell addition of users to new group (for firms with a lot of users in multiple groups)
3.2.1 Using dynamic membership rules – Users from existing group to new group
To use dynamic membership rules, set up the new security group from step 21 as displayed in figure 1.

Advantage: with dynamic membership rules, every user that gets added to one of the original (source)
groups is automatically added to the BTIADsync group as well.

Figure 1 - Dynamic user Azure security group

23. Click on “Add dynamic query”

24. Click on “Edit”

25. Copy the syntax in (a) below and paste it into the open syntax editor
    a. user.memberof -any (group.objectId -in ['INSERT GROUP ID 1', 'INSERT GROUP ID 2'])
    b. For every extra group you want to include, copy and paste the highlighted part
       (maximum of 500 groups). To remove a group, delete its entry from the list.
26. Click on “Ok”, click on “Save” and close the “Dynamic membership rules” window.
27. Click on “Create”
3.2.2 Setup Assigned Azure security group – Manual/PowerShell user addition
If your firm has few members to sync, follow steps 27-29. If you want to assign members using
PowerShell, follow step 30. Set up the group as described in figure 2 below.

Figure 2 - Assigned Azure security group

Manually select users

28. Click on “No members selected”.

29. Select the users in the list (or search for them) and click on “Select”.
30. Click on “Create”

Use PowerShell to import users

PowerShell can be used to copy the users of an existing group to the new group. This must be done
group by group, or by changing the script.

31. Click on “Create” after configuring the group as displayed in figure 2.

PowerShell can be used to copy users in existing groups to new groups. You need to make sure the
members in $group1 (source) are not already in $group2 (target), otherwise you will get a “One or
more added object references already exist” error. If that is the case for multiple groups, I’d suggest
using the dynamic nested groups instead, as described in paragraph 3.1.1.

- Open PowerShell ISE as an administrator

- Run the following commands before running the script:
  o Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process
  o [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
#Import necessary modules (if the module is not available, run: Install-Module AzureAD)
Import-Module AzureAD

#Login to your tenant
$Credential = Get-Credential
Connect-AzureAD -Credential $Credential

#Specify the group object IDs of the source and target
$group1 = "ObjectId pulled from AAD"   #source group
$group2 = "ObjectId pulled from AAD"   #target (BTI sync) group

#Get all members from the specified source group
$membersGroup1 = Get-AzureADGroupMember -ObjectId $group1 -All $true

foreach ($member in $membersGroup1)
{
    #Nested groups are not supported by the sync, so only user objects are copied.
    #A user that is already in $group2 makes Add-AzureADGroupMember throw the
    #"One or more added object references already exist" error mentioned above.
    if ($member.ObjectType -ne 'User') { continue }
    Add-AzureADGroupMember -ObjectId $group2 -RefObjectId $member.ObjectId
}
Disconnect-AzureAD

- Repeat step 30 for every group you want to add to the new group.
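Because the script above fails on members that already exist in the target, it cannot simply be re-run, and it has to be repeated per source group. The following added example (not the manual's own script) goes one step further: it takes a list of source groups, looks up the target's current members once, and only adds users that are not yet present, so it is safe to run again after new users appear. It assumes the AzureAD module and an existing Connect-AzureAD session; the group IDs are placeholders.

```powershell
# Added example: idempotent copy of users from several source groups into the sync group.
# Assumes the AzureAD module and an existing Connect-AzureAD session.
$sourceGroupIds = @("INSERT SOURCE GROUP ID 1", "INSERT SOURCE GROUP ID 2")   # placeholders
$targetGroupId  = "INSERT TARGET GROUP OBJECT ID"                             # placeholder

# Snapshot the target's current members so every membership check is a hash lookup,
# not another directory call, and the "already exist" error can never occur.
$existing = @{}
Get-AzureADGroupMember -ObjectId $targetGroupId -All $true |
    ForEach-Object { $existing[$_.ObjectId] = $true }

$added = 0; $skipped = 0
foreach ($sourceGroupId in $sourceGroupIds) {
    foreach ($member in Get-AzureADGroupMember -ObjectId $sourceGroupId -All $true) {
        # Nested groups are not supported by the sync: only copy user objects.
        if ($member.ObjectType -ne 'User') {
            Write-Warning "Skipping non-user member $($member.DisplayName) ($($member.ObjectType)) in $sourceGroupId"
            $skipped++
            continue
        }
        # Same user can appear in several source groups; the lookup handles that too.
        if ($existing.ContainsKey($member.ObjectId)) {
            $skipped++
            continue
        }
        Add-AzureADGroupMember -ObjectId $targetGroupId -RefObjectId $member.ObjectId
        $existing[$member.ObjectId] = $true
        $added++
    }
}
Write-Output "Added $added user(s) to $targetGroupId; skipped $skipped already present or non-user member(s)."
```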

4 Share the tenant ID of your firm’s Azure tenant

32. Go to www.portal.azure.com
33. Login with an administrator account
34. Go to “Azure Active Directory”

35. Copy the “Tenant ID” and share it with us.


5 Setup trusted location/IP for 2FA
PowerShell is unable to automatically handle two-factor authentication requests when this is
enabled on the member firm tenant. To overcome this, the IP address of the server in the BTI domain
must be added as a trusted location in the member firm Azure tenant.

36. Go to www.portal.azure.com
37. Go to Named locations in the Azure portal under:

Azure Active Directory → Security → Conditional Access → Named locations.

On this page there are two options to whitelist an IP address:

- Named locations (IP ranges location):
  o Preferred method: only for Azure AD Premium tenants!
- Configure multifactor authentication trusted IPs:
  o Secondary method: also available for free tenants.

5.1 Named Locations (IP ranges location)

Named network locations may include locations like an organization's headquarters network
ranges, VPN network ranges, or ranges that you wish to block. Named locations can be defined by
IPv4/IPv6 address ranges or by countries. This method is preferred because:

- Named locations have a description option. This way you always know what a whitelisted IP
is for.
- This can be used in combination with conditional access. Conditional access can be used to
apply the rules only for a certain group, user, application etc.

38. To define a named location by IPv4/IPv6 address ranges, you'll need to provide:
    1. A Name for the location
    2. One IP range: 40.127.188.134/32
    3. Mark as trusted location
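A trusted named location bypasses MFA for every address inside its range, so after step 38 it is worth confirming that the BTI server's /32 is present and trusted, and that no named location trusts a wider range than intended. The check below is an added example, not part of the manual; it assumes the AzureAD module with an existing Connect-AzureAD session, and uses the cmdlet and property names as documented for Get-AzureADMSNamedLocationPolicy.

```powershell
# Added example: verify the trusted named location from step 38.
# Assumes the AzureAD module and an existing Connect-AzureAD session.
$expectedCidr = "40.127.188.134/32"   # BTI server IP range from step 38 of this manual

$ipLocations = Get-AzureADMSNamedLocationPolicy |
    Where-Object { $_.OdataType -eq "#microsoft.graph.ipNamedLocation" }

$found = $false
foreach ($loc in $ipLocations) {
    foreach ($range in $loc.IpRanges) {
        $cidr = $range.CidrAddress
        if ($cidr -eq $expectedCidr -and $loc.IsTrusted) {
            Write-Output "OK: named location '$($loc.DisplayName)' trusts $cidr"
            $found = $true
        }
        # Flag trusted IPv4 ranges wider than a single host: every address in them skips MFA.
        if ($loc.IsTrusted -and $cidr -notmatch ':') {
            $prefix = [int]($cidr -split '/')[1]
            if ($prefix -lt 32) {
                Write-Warning "'$($loc.DisplayName)' trusts the whole range $cidr; review whether that is intended"
            }
        }
    }
}
if (-not $found) { Write-Warning "No trusted named location contains $expectedCidr yet" }
```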
5.2 Configure multifactor authentication trusted IPs
Set up an MFA IP range on which Azure won't ask for 2FA. Only use this method if the method in
paragraph 5.1 is not usable.

Azure Active Directory → Security → Conditional Access → Named locations

39. Go to the page above in Azure and click on “Configure multifactor authentication trusted IPs”

40. In the newly opened window, add the 40.127.188.134/32 IP under trusted IPs and click on save.
41. Done!
6 BTI sync setup on server
After the previous steps are complete, we have all the information we need to set up and test the sync on
the BTI server. After a successful test we’ll come back to you with the results.

See the below flow to better understand the working and timings of the scripts.
