This manual describes the process needed to set up a sync between a member firm's Azure AD and the
BTI Azure AD. Most scenarios are covered in this document, but if something is missing, please
contact adsupport@bakertilly.global
Prerequisites
- All users must have an active Microsoft 365 Business license.
- All users must have their first and last name filled in.
- All users must have an active email address in your Azure tenant.
Contents
1 Invite account as guest user
2 Assign the “Directory Readers” role
3 Share the “Group objectID” to run the sync against
3.1 User addition/deletion - Sync group processflow
3.2 Create a security group in your tenant
3.2.1 Using dynamic membership rules – Users from existing group to new group
3.2.2 Setup Assigned Azure security group – Manual/PowerShell user addition
4 Share the tenant ID of your firm’s Azure tenant
5 Setup trusted location/IP for 2FA
5.1 Named Locations (IP ranges location)
5.2 Configure multifactor authentication trusted IPs
6 BTI sync setup on server
1 Invite account as guest user
1. Go to www.portal.azure.com
2. Login with an administrator account
3. Go to “Azure Active Directory”
4. Go to “Users”
6. Fill in the fields as displayed below and click on “Invite” at the bottom of the page.
7. To be sure, reply to the email trail that the invitation has been sent.
8. We (BTI) accept the invitation and reply to the email trail.
2 Assign the “Directory Readers” role
The sync account only needs to read users and group memberships, so it gets the built-in
“Directory Readers” role: read-only access to directory objects, without write or administrative rights.
11. Search for adsupport@bakertilly.global and click “AD Support/BTI sync user”.
12. Click on “Assigned Roles” and, if the “Directory Readers” role is not in the list, click on “Add
assignments”.
13. Select the “Directory Readers” role and click on “Next” at the bottom of the page.
14. If role assignments in your tenant go through Privileged Identity Management (an Azure AD
Premium P2 feature): set “Assignment Type” to “Active”, fill in the “Enter justification” field and
click on “Assign” at the bottom of the page. Otherwise continue with step 16.
15. A message appears in the top right corner confirming the role assignment.
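The same two sections (guest invitation and Directory Readers assignment) done from PowerShell with the AzureAD module, as an added example that is not part of the original manual. The display name, the redirect URL and the idempotency check are my choices; the Privileged Identity Management variant of step 14 is not covered by these cmdlets. The final listing is the check worth keeping: it shows everyone who holds Directory Readers, not just the sync account.

```powershell
# Added example, not from the original manual. Assumes the AzureAD module is installed and the
# signed-in admin may invite guests and assign directory roles.
Connect-AzureAD

$syncUpn = 'adsupport@bakertilly.global'

# Section 1: invite the BTI sync account as a B2B guest. The display name matches step 11.
$invitation = New-AzureADMSInvitation -InvitedUserEmailAddress $syncUpn `
    -InvitedUserDisplayName 'AD Support/BTI sync user' `
    -SendInvitationMessage $true `
    -InviteRedirectUrl 'https://myapps.microsoft.com'     # assumed landing page
$guestId = $invitation.InvitedUser.Id

# Section 2: Directory Readers only shows up once it has been activated in the tenant.
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq 'Directory Readers' }
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq 'Directory Readers' }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}

# Assign the role, skipping the call if the guest already holds it.
$members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
if ($members.ObjectId -notcontains $guestId) {
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $guestId
}

# Verification (step 15 equivalent): the guest should be listed, and nobody unexpected should be.
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
    Select-Object DisplayName, UserPrincipalName, UserType

Disconnect-AzureAD
```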
3 Share the “Group objectID” to run the sync against
To be able to set up the sync, a group must be present in Azure AD to read the users from. This group
is also used to manage your users in the BTI tenant. When a user is enabled AND has a license, it gets
synced into the BTI tenant. Removal of either of those properties results in the user being deleted in
the BTI tenant. See the images in paragraph 3.1 for the user addition and deletion flows.
16. Go to www.portal.azure.com and sign in with an account that has administrator rights on your own
tenant.
17. Click on “Azure Active Directory”
19. Select the group you want to sync your users from and copy the group’s “Object Id”.
a. Please note that nested groups are not supported: users must be present in the
group individually!
3.2 Create a security group in your tenant
Depending on how you want to add users to the new group, the group is configured with the
“Membership type” Assigned or Dynamic User.
3.2.1 Using dynamic membership rules – Users from existing group to new group
Advantage: with dynamic membership rules, every user that gets added to one of the original (source)
groups is automatically added to the BTIADsync group as well, and leaves it again when removed from
the source groups.
25. Copy the syntax under (a) and paste it into the open syntax editor:
a. user.memberof -any (group.objectId -in ['INSERT GROUP ID 1', 'INSERT GROUP ID 2'])
b. For every extra group you want to include, add another quoted group ID to the comma-separated
list inside the square brackets (maximum of 500 groups). To drop a group, remove its entry from
the list.
26. Click on “Ok”, click on “Save” and close the “Dynamic membership rules” window.
27. Click on “Create”
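The same group created from PowerShell with the AzureAD module, as an added example that is not part of the original manual. It builds the memberOf rule from step 25 out of a list of source group IDs (placeholders here), so the quoting and comma placement cannot go wrong by hand, and prints the object ID you will share in section 3. The group name, description and mail nickname are my choices.

```powershell
# Added example, not from the original manual. Assumes the AzureAD module and a Groups
# Administrator (or higher) account.
Connect-AzureAD
$sourceGroupIds = @('INSERT GROUP ID 1', 'INSERT GROUP ID 2')   # placeholders

# The manual states a maximum of 500 groups per rule.
if ($sourceGroupIds.Count -gt 500) { throw 'At most 500 source groups are allowed in one memberOf rule' }

# Build: user.memberof -any (group.objectId -in ['id1', 'id2'])
$idList = ($sourceGroupIds | ForEach-Object { "'$_'" }) -join ', '
$rule   = "user.memberof -any (group.objectId -in [$idList])"

$grp = New-AzureADMSGroup -DisplayName 'BTIADsync' `
    -Description 'Users synced to the BTI tenant (dynamic, built from source groups)' `
    -MailEnabled $false -MailNickname 'BTIADsync' -SecurityEnabled $true `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule $rule -MembershipRuleProcessingState 'On'

# Membership is evaluated asynchronously; re-check later until the expected users are listed.
"Group object ID to share with BTI (section 3): $($grp.Id)"
Get-AzureADMSGroup -Id $grp.Id | Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState
Disconnect-AzureAD
```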
3.2.2 Setup Assigned Azure security group – Manual/PowerShell user addition
If your firm has only a few members to sync, follow steps 27-29 (adding members manually). If you want
to assign members using PowerShell, follow step 30. Set up the group as described in figure 2 below.
PowerShell can be used to copy the users of existing groups into the new group. Make sure the
members of $group1 (source) are not already in $group2 (target), otherwise Add-AzureADGroupMember fails
with a “One or more added object references already exist” error. If that is the case for multiple
groups, I’d suggest using the dynamic membership rules instead, as described in paragraph 3.2.1.
Connect-AzureAD
$group1 = 'INSERT SOURCE GROUP ID'   # existing group to copy users from
$group2 = 'INSERT TARGET GROUP ID'   # new BTIADsync group
$membersGroup1 = Get-AzureADGroupMember -ObjectId $group1 -All $true | Where-Object { $_.ObjectType -eq 'User' }
$membersGroup2 = Get-AzureADGroupMember -ObjectId $group2 -All $true
foreach ($member in $membersGroup1) {
    # skip users already in the target group (avoids the "already exist" error); nested groups were filtered out above
    if ($membersGroup2.ObjectId -contains $member.ObjectId) { continue }
    $currentuser = Get-AzureADUser -ObjectId $member.ObjectId | Select-Object ObjectId
    Add-AzureADGroupMember -ObjectId $group2 -RefObjectId $currentuser.ObjectId
}
Disconnect-AzureAD
- Repeat step 30 for every group you want to add to the new group.
5 Setup trusted location/IP for 2FA
5.1 Named Locations (IP ranges location)
36. Go to www.portal.azure.com
37. Go to “Named locations” in the Azure portal.
- Named locations have a description option, so you always know what an allow-listed IP
is for.
- A named location can be combined with Conditional Access, which lets you apply the rule only
to a certain group, user or application. Use this to scope the MFA exemption to the sync
account rather than to every user in the tenant.
38. To define a named location by IPv4/IPv6 address ranges, you'll need to provide:
1. A name for the location
2. One IP range: 40.127.188.134/32
3. Mark it as a trusted location
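Step 38 done from PowerShell with the AzureAD module, as an added example that is not part of the original manual. Before creating the location it lists every IP named location already marked trusted, so you can see which ranges bypass MFA in your tenant before adding one more. The display name is my choice; the range is the one from the manual.

```powershell
# Added example, not from the original manual. Assumes the AzureAD module and a Conditional
# Access Administrator (or higher) account.
Connect-AzureAD

# Audit first: which IP ranges are already trusted?
Get-AzureADMSNamedLocationPolicy |
    Where-Object { $_.OdataType -eq '#microsoft.graph.ipNamedLocation' -and $_.IsTrusted } |
    ForEach-Object {
        '{0}: {1}' -f $_.DisplayName, (($_.IpRanges | ForEach-Object CidrAddress) -join ', ')
    }

# Create the trusted location with exactly the single /32 from step 38.
$range = New-Object -TypeName Microsoft.Open.MSGraph.Model.IpRange
$range.CidrAddress = '40.127.188.134/32'

$loc = New-AzureADMSNamedLocationPolicy -OdataType '#microsoft.graph.ipNamedLocation' `
    -DisplayName 'BTI sync server (adsupport@bakertilly.global)' `
    -IpRanges $range -IsTrusted $true

$loc | Select-Object Id, DisplayName, IsTrusted
Disconnect-AzureAD
```

The location on its own does nothing; it only becomes an exemption once a Conditional Access policy references it, which is where you restrict it to the sync user.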
5.2 Configure multifactor authentication trusted IPs
Set up an MFA trusted IP range from which Azure will not prompt for 2FA. Only use this method if the
method in paragraph 5.1 is not usable: trusted IPs are a tenant-wide setting that exempt every user
signing in from that range, whereas a named location combined with Conditional Access can be limited
to the sync account.
39. Go to the page from step 37 in Azure and click on “Configure multifactor authentication trusted IPs”
40. In the newly opened window, add the 40.127.188.134/32 IP under trusted IPs and click on
save.
41. Done!
6 BTI sync setup on server
After the previous steps are complete, we have all the information we need to set up and test the sync
on the BTI server. After a successful test we’ll come back to you with the results.
See the flow below to better understand the working and timings of the scripts.