… Hey guys, Nick here, welcome to another episode of T-Minus 365. In this episode we're going to talk about a cool new feature coming from Microsoft called API-driven provisioning, which allows you to automate user provisioning from a third-party source. This could be your HR platform, it could be a third-party database, it could even just be a CSV file. So it's going to solve a huge pain point here and help us streamline our automations when we talk about user onboarding, and I'll unpack more of the efficiencies as we keep going here. One of the things I want to talk about first, though, is the traditional methods, or how things exist today, as far as the interaction between HR departments and IT, whether that's our own internal HR department or a third-party HR department for an MSP. So today, if we're lucky, we have a user who goes in and submits some type of form for us, and that form ultimately goes into our ticketing system.
And again I say that's if we're lucky, because in a lot of cases many of these users are just sending us an email that says, "Hey, I have this user who's going to start on this date." That typically still goes into our ticketing system at the end of the day. So the main thing here is that we have this manual interaction, or manual handoff, between HR and IT, and this has traditionally just been the way we do things. After we get this ticket we go in and we perform, or read, an SOP which details all the steps that we have to do to create that user. In a lot of cases you're going in and you're creating the user in Microsoft 365,
you're licensing them,
you're giving them access to certain groups or Teams channels,
and then you're performing some type of handoff where you deliver the password to the user in some form or fashion.
So this is oversimplifying things, but I just want to make the point here that this is all manual. With this process we're talking about, we're going to look at how we can automate creating the user when they're generated in this third-party source. Again, this is going to be agnostic to whatever tool we use today, whether that's actual HR software, a third-party database, or even a CSV file. So when we talk about the traditional sense here, we have the concept of local Active Directory and cloud-based Active Directory as well. So we have AD DS down here,
I'll just put this in the box. And then we have Microsoft 365 up here in the cloud. Usually we have AD sync going on if we're running this environment, so that we're syncing our users up into Microsoft 365 when they're created. Now, Microsoft has traditionally had a solution that connected to a couple of different HR softwares in Entra ID, or Azure AD as it was previously known. And that was just Workday
and SAP. Now a lot of us out there are not necessarily using these tools, and in a lot of cases with SMBs that I see, nobody even has HR software that they're using right now. They may be manually collecting that in a CSV file. So what Microsoft has done here with API-driven provisioning is allow you to just have an API endpoint that you can hit.
This API endpoint allows you to send what's known as a SCIM package, or a SCIM provisioning package, over into either the cloud or local Active Directory.
So I can go ahead and send a package or payload up into the cloud, or down into the local Active Directory environment, and the user record itself will flow up into Microsoft 365. So this is a really high-level picture of what this is doing. I'm going to show you this within the admin center, but it's very cool because we can start to tap into and automate this process of driving users into our Active Directory from what I would consider to be a better source of truth for the actual genesis of that user. And by the way, you're potentially eliminating this handoff between HR and IT, because all they're doing is updating the user record on their side in their systems, and that flows into this automated process. Now when we take a look at this checklist, again this is high level. This is already solving one of the use cases here as far as creating the user. But we can leverage other aspects of Entra ID to automate the rest of the process, or a lot of the process that we do, at least in Microsoft. So largely you can solve all of these, or a lot of these, by leveraging something like dynamic groups.
And so if we have this in here, we can leverage a dynamic group based off of their job title or their department, things like that, which will then give them access into licensing,
or give them access into different groups,
which would then subsequently give them access to things like Teams channels
and SharePoint sites, things like that that we'd want to give them. But it could also flow into other aspects of the Microsoft suite, like Intune and the groups and the policies that we apply to that user as well. The cool part here with this API is that we're also sending over a hire date,
so this is actually transcending that over, and I'll show you that when we get into the portal as well. So while we cannot automate the entire process with just this flow, it can automate a lot by also having other things in place, like dynamic groups in Entra and things of that nature. You could also do some cool things with Power Automate
to help streamline that additional part of the process, like the welcome email, the password generation, things like that, if you're running in this type of environment. So this is a really powerful feature that I just wanted to highlight, because it is going to change the way we could perform the user onboarding process. Eventually this might carry over into offboarding as well, but it does allow us to perform these types of activities outside of dynamic groups. We might also have group membership that would give access into applications as well, if we've set them up for single sign-on. This is really beginning to streamline a lot of the operations that we have to conduct today when we talk about the onboarding tasks that we perform, and it can save you a lot of time. I think at MSPs you'll find a high percentage of the ticket load is spent on this activity, and a lot of companies out there are trying to solve for this. So this is a huge win for Microsoft. I do want to show you this within the Entra ID admin center, so let's go ahead and pop in there now and I'll show you how to set this up, and some of the caveats I learned there as well. Just to get us started: again, this is in public preview, so some of the things that you see in this video might change by the time you're watching it, but hopefully a lot of the basic core concepts are the same. I'll probably update the video if it does change that much. I'm here in the Entra ID admin center. We're going to go under Applications, to Enterprise applications, and from this list we're going to click on New application.
And you can see within this ecosystem you have your tools like SAP highlighted here; you also have tools like Workday highlighted as well. Those again were traditionally the only applications that Microsoft supported with this type of provisioning activity. So the thing that we're going to want to search for, I just searched by "API" to look at this list, and within here you have API-driven provisioning to Microsoft Entra ID, but also API-driven provisioning to on-premises Active Directory. I'll link the Microsoft guides below for both of these on how to set them up, just so you have both. I'm going to be highlighting the Entra ID cloud-only one. The only difference really is that you're installing an agent on your Active Directory server to be able to run this and provision the user locally as well. There's not a whole lot of variance outside of that, but I'll definitely link the documentation so you guys can see that. I'm going to click into this one, though. You can have multiple instances of this as well. So I'm just going to call this
"HR test" and click on Create. After this is created you'll have this screen. The main section we're going to go into is this Provisioning section here, and from here you're going to click on Get started.
Then from the provisioning mode we're going to click on Automatic, and I just like to click on Save here. This will give us the mappings, which you're going to need as well. You can modify certain settings here, like sending an email notification when a failure occurs. If you're an MSP, likely this'll just be your ticketing system; I'm just going to put in my email here for the purpose of this example. Under the mappings here is where you're going to find your schema of mappings between the SCIM package, or payload, that we're going to be sending from this API and the Entra ID attributes. So within this we see that this is enabled, and we can see the target object actions. If you're familiar with any software today that does SCIM provisioning, this screen will look familiar to you, because it's very common that you're dictating what types of create, update, read, delete capabilities the application has, and then what attribute mappings exist between these two tools. So out of the box we have a lot here that you really would want to configure, like title,
the job department, even things like the UPN here is being mapped, and that's pulling it in and has specific syntax that you don't really have to change here. So one thing that you'll want to do in a lot of cases, just because I think this is a really imperative attribute to add when you talk about new user onboards and the things you might want to chain off of that, is to show the advanced mappings and edit the attribute list for the API.
And specifically, this is getting into a lot of the meta detail that I'm not going to go into today, but I just want to show you how to add another attribute here. A very common one that you'll find is actually an extension for the hire date. I didn't come up with this; it's actually in Microsoft documentation, which I'll link below so you can reference it, but in this documentation you grab this schema definition, and in here you have this parsed out. The only thing that you're going to change here is that this isn't Contoso; you're going to put your company's primary domain. In this case, for me, it's T-Minus 365. The rest I can leave as is; I don't have to fill out the rest of this information, but I'm going to go ahead and save here. Then from here we're going to add a new mapping. This mapping is going to be Direct. We're going to use the source attribute that we just created, which is that hire date,
and then the target attribute on the Entra ID side is going to be the employee hire date. So you can say that you want to match objects using this attribute. This setting is something I'll show you on a different
attribute, that you would want to do just for the sake of mapping existing users that you may be wanting to update. Then for "apply this mapping", you can dictate whether that's always, only during object creation, or only if the attribute contains multiple values. For this particular one I'd like to say always, just because it's safe: for instance, you have a hire date and then that gets shifted maybe by a week or two, and that updates on the HR side. You want that to push over here and go ahead and update the mapping as well. So I just have that here for the sake of this example, but now you can see I have this mapping as part of the schema definition that I've created for this. Be sure to also save this and not go off the page. You can also define the scope for this as well, whether that's all records, or you could scope based off of certain fields of the users. So you could say I don't want to sync anybody from this department, as a use case, or if it's your local Active Directory you could say I don't want anybody in this OU with these attributes. So it can get more granular if you wanted to do things that way. One thing to note, just as I was mentioning that there, I exited out, so let me do this real quick one more time. We're going to do the hire date, we're going to say the target attribute is the employee hire date, we're going to always match, and say OK. Then we're going to save up top here.
So that's just one example of a custom attribute you could do. There are obviously other custom attributes you might want to create based off of your HR platform or the fields that you want to map up into Azure AD, but this is a pretty good inclusive list here. So I'm going to click out of the attribute mapping, and then from here we're kind of ready to go, so I'll save this
and then exit out. All you need to do is click on Start provisioning here to turn on the service. It's not actually doing anything, but it does give you some of this technical information, including your API endpoint, and I'll be showing you guys how to leverage this via Graph Explorer. This is where you can go ahead and start to tap into this and send a body of a payload as well. All of this is coming from Microsoft documentation; I didn't just figure this out manually running through it. But let's go ahead and talk about how we start to provision users. As part of this service you really need an identity to be tapping into that has some type of secure authentication, and to do that, in a lot of cases, there are really two major ways. One is with an app registration, or a service principal, that you're going to stand up as a separate part of this setup itself, and the other would be a managed identity, which I'm not going to cover. I'm going to be using a service principal, or an app registration, to be able to perform this, not only in this video but in the next one where I show you more of the automation with Power Automate as the backend. So I'm going to go into App registrations here and I'm going to go ahead and create a new registration, and I'm going to call this "HR test".
This is going to be a single-tenant application. I don't need a redirect URI because we're just using it to grab a token to authenticate at the end of the day.
And so this creates what we'll need here, and I'll show you guys this in the next video completely, but we have an application ID, and we have a directory ID, which is our tenant ID, that we'll use. But the main thing here is we need to give this permission in order to run the APIs for the SCIM service, or the API-driven provisioning, that we want to leverage. So there are really two permissions that you want for this, and they're both Microsoft Graph permissions and they're both application permissions. For the first one, you just type in "sync" and you're going to see this SynchronizationData-User. This is the main one; we need it to be able to send the bulk payload of user data into our Active Directory environment in order for that to provision the user. Then the other one we're going to want here, again under application permissions, is the audit log. The audit log allows us to see the results of this API being pushed, and that includes success or failure, obviously, and then
the meta detail behind what was created, so we want to see that as well. I can go ahead and grant consent in order to do this. By the way, you do have to be a global admin, or at least an application admin, to be able to create the app registration, and then a global admin to be able to grant consent to the application in your tenant. You may be able to get away with that with application administrator too, I think, but typically I'm using a global admin to do this process. So after this is done, this is what you can then leverage. You would create a certificate or secret and then you could go through the auth token flow to get an authentication token. Again, that maybe sounds a little bit scary, or just a lot of detail, but I'll be unpacking that in the next video and showing you guys that directly, just so there's no confusion there. But what we're going to do now is go back over to our API provisioning application that we created. I have a couple of these in here now, because I can name them the same thing, which is a poor practice as well. I think this is the one that we're going to use here.
I go into Provisioning,
yep, so if I go under here I've got my API endpoint as well, and this is just "API test". When I start provisioning I'll have these provisioning logs that will come through, and we'll reference this here in a minute, but the main thing is that I do want to grab the API endpoint. I'm just going to copy this to the clipboard, and then I'm going to open up Graph Explorer, which I'll link again below in this video; you'll see it in Microsoft documentation as well. We want to open Graph Explorer to start to manipulate and play around with the API. OK, so just a quick note: this is the link I'll provide below, which takes you through this test of sending in the API, connecting to Graph Explorer, and then they have a sample payload down here for you, which I love because it gives me the JSON schema that we're going to need to be able to provision these users within the account. We don't have to change too much in here, but I'm going to go through a couple of the caveats that I mentioned. As you can see, we have things like the username, then the metadata detail about the username, and then things like their location as well as title,
whether they're active or not, the user type, and then also things like the department that they're in, along with their manager as well. So let's pivot into Graph Explorer so I can show you this.
Following the documentation here, you want to sign in with your account. Typically you want to sign in with a global administrator. I am in my tenant, so I have the permissions needed, but if you didn't have those permissions it would give you an error and you would have to click into the Modify permissions tab in order to be able to run this particular request. So I've pasted in that URL that we got from our Entra ID app that we provisioned there, but this is custom to your tenant; it'll look different from what you see, based off of the app that was generated. Effectively I've pasted in a body where we're going to leverage it. This is a POST request that we're going to run the query on, and this was one I used previously just in testing this out; we're going to modify a few things here as well, just to create a brand new user. So within my Active Directory right now I don't have anybody
by the name of Barry Allen, so I'm going to go ahead and type this in here,
and I'm going to modify a couple of these settings as well, just modifying the names here. I'm going to say
now, the other big piece to note here is this externalId, and in Azure this is known as the employee ID. When you send this over you're basically sending a random custom GUID as part of this as well. So I want to modify this so that I create this user a little bit differently here, with a custom ID, and this is in a couple of different locations here as well, but I think this is really important. I'll get into this a lot more later, but this is important because when you want to reference this user as, say, the manager of somebody else, you have to reference this value here too. So now that we have this schema ready to go, we can just go ahead and run this query. This should give you a 202 Accepted; if you don't get it, it's probably related to your permissions. But in the request headers you do get this Location value that's returned, and this is what we can call to see the audit trail of how this is performing, or what it's doing,
within there as well. So if you copy this and put it up here, we're going to shift this into a GET request and run this query now. In the response headers we get back something that's really generic that we don't have to pay attention to, but this response preview is what we're really going to look to. It's in a provisioning state right now, and the value is empty.
So it does take a couple of minutes actually to finish this provisioning process, and you know when it's done because the value will actually be populated with an object, or multiple objects, depending on what you sent over there. This body that I sent over as part of the main request can include many different users as well, and this is where we'll get into later on how you can automate when a CSV is updated, or you want to run this daily on a CSV file based off of an employee date, and then push those users, or update users over time if their job title changes or their department changes, something like that. So I'm going to pause the video briefly here for a few minutes and allow this value to return, so I can show you guys that as well. OK, so we're back. I've re-run the call and we've gotten our value back. This has a lot of metadata attached to it, and a lot of it is what I would consider not to be something you have to really dive into, but it contains a lot of objects about what was done, what was created, things of that nature. It also gives you descriptions
on this as well. Honestly, I like the Entra admin center for a better version of this within the UI, so let's pop in there now to see that. OK, so back in Entra I'm going to go into my app again that I was on before, and I'm going to go into the provisioning logs here, and you'll see we have this record of Barry Allen; the action is Create, and this was a successful message. We can see the import details of everything that I defined as part of that body, and then I can see what was done and whether all these things passed as well. When you go in you can also see a clear list of the modified properties. In a lot of cases the update job, or action, is going to be something where you want to see what was modified as part of that, whether that's an employee moving from one department to the other or something like that, which can go into an update job in a later sync, based off of this employee ID that it can find here as well.
So that is something that we've seen in here, but we also want to go into the Users section real quick. I can see Barry Allen, and I can see some of those attributes that I put in here under the properties, like their created date, the actual job title that they have, the department that they're in, their employee ID, things of that nature. From there I can manipulate things as I see fit as well. So this is really cool, because we can send these users up into this environment. Then let's say I went into this job again, and I'll modify this back to the bulk upload API. You don't have to change much in this sense, but let's say I just changed his department, in this use case, from Tour Operations to Tour Manager. So I'll go ahead and run this query and I get this unknown error,
and that is because I did not change this back to a POST request. So always look to make this a POST request first, and then run the query; we get the response Accepted. Then again I get my Location, which I can put in here, change to a GET request, and run the query again. This gives me the preview, which again takes a few minutes. So while this is updating I also wanted to reference some caveats that I've found here, mostly just around this manager field. This manager field has this value, and the display name of the user that you can put in here. But if the user was not created through this service, it doesn't know what the employee ID is, and so it doesn't know what to reference here. The way I've found to overcome this is that you basically have to do a bulk job when you start to add all of the users up into the cloud-based service, and reference a new employee ID for them, but match them based off of their user principal name. That's a lot to unpack just verbally, but I'll show you this between the two portals here. So we have Pardeep in this use case, and I have a value for him as 55666. Back in the Entra portal, if I go back to Users and I go to Pardeep
and I go to his properties, I can see 55666 is his employee ID, and that's because I synced him with the service initially. If you don't do this, it doesn't know who that user is, because it can't reference the employee ID. I tried hard-coding an employee ID here and then referencing that in the JSON file, and that still didn't work either, because the actual SCIM service, or the API service, doesn't know what that attribute is. So your best bet, or your best option in my opinion, at least right now (they may solve for this by the time you watch this video, because I think it's a pretty annoying problem as part of the service), is to go into the provisioning service, where there's one attribute we'll want to modify if we go into the Edit provisioning section here.
We're going into the mappings again, we'll click on Users, and then here we'll want to go down to the user principal name and change this section to Yes, so that it can match the object using the user principal name. That way I can enforce that employee ID to sync with the users, and then I can reference them as I go to look at manipulating other attributes, like the manager field, if I want to assign them as part of that as well. So I'm going to go ahead and save this as an example. Then we'll go back into the Users section here, because our service should have stopped running, or finished running, by now. We'll go into Barry Allen, who was the user we updated, and go into his properties. You remember we changed the department from Tour Operations to Tour Manager, and so that stuck. We can additionally reference that in the logs for the service again, so go back to HR test,
we go into Provisioning,
and then we go into our provisioning logs. We have an Update action, because it referenced the source ID and the target ID here, the identifier being that employee ID, and then we modified the department, which was modified from Tour Operations to Tour Manager.
So notice I didn't have to uniquely say "update this user" as part of a field; it just did that by referencing the employee ID. This is something where we want to be able to leverage the capabilities of update when we have lateral movement in the company. Then when somebody leaves, if we go back to Graph Explorer, we can change their active status to false and that would disable the user in Active Directory as well. You could also put in their termination date. That one is a little bit more complex to think about, because we need to disable them at the date of their termination, so you would have to customize the workflow for that. There's more to unpack in that sense that I'll get into in another video, but this is the main core purpose and overview of the API and the JSON body that you're sending over. OK, so after seeing that, I bet your question is: OK, how do I automate this process, not just send a bulk file over every time I want to update this? I need the process to be dynamic, so whenever we have some entry updated in a CSV file, or we want to run it on a periodic basis, I can bring these users over. So today Microsoft has a couple of out-of-the-box options that you could leverage for this problem, and they have some tutorials for this as well.
They have the concept of using a Logic App, which would allow you to read a CSV file on a recurrence, reading it every day to go ahead and provision the users; you can see that in their tutorials. You could use PowerShell,
and they have a tutorial on that as well. I'm going to show you next week how to use Power Automate to leverage this and automate this process with a CSV.
And because it's an API, you can really just do something custom at the end of the day.
So if you have developers, or want to automate this process to some third-party tool, you have the connectors and the API connections to do so. A lot of this is going to be unpacked in more detail on how to streamline this and operate on this in next week's video. But I hope this was helpful and you understand a little bit more about this preview service. It does require an Azure AD P1 license today to be able to leverage this, but a lot of us have that because we have Microsoft 365 Business Premium, at least on the SMB side of the house. So stay tuned for next week. Definitely comment with any questions below on any of the things that I talked about today, and as always, like and subscribe if you guys want to see more content around Microsoft and the MSP space. Thanks guys, I'll see you next week.
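The following is an added example, written for this page and not taken from the video, its author, or Microsoft. It puts the "custom" option mentioned at the end into code: it builds the SCIM BulkRequest body that the video pastes into Graph Explorer from flat HR records, applies the video's two caveats as checks (externalId doubles as employeeNumber so the same value becomes employeeId in Entra, and a manager reference is only accepted when it points at an employee ID that the service already knows), and shows the client-credentials token call plus the POST to the bulkUpload endpoint and the GET on the returned Location header. The tenant, client ID, secret, bulkUpload URL, the example.com UPNs, the employee IDs other than Pardeep's 55666 from the video, and the custom hire-date extension namespace are all placeholders or assumptions; the network functions are only called when the script is run with those values supplied.

```python
"""Build and submit an Entra ID API-driven provisioning bulk request.

Added example, not the video's or Microsoft's code. Everything below the
SCIM namespace constants is a constructed illustration: tenant, app and URL
values are placeholders, and the hire-date extension namespace follows the
"replace contoso with your own domain" pattern the video describes.
"""
import json
import urllib.parse
import urllib.request
import uuid

SCIM_BULK = "urn:ietf:params:scim:api:messages:2.0:BulkRequest"
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"


def hire_date_schema(company: str) -> str:
    """Custom extension namespace for the hire-date attribute added in the video.
    Assumption: same shape as the Microsoft docs sample, with your domain in place of contoso."""
    return f"urn:ietf:params:scim:schemas:extension:{company}:1.0:User"


def scim_operation(rec: dict, known_ids: set, company: str) -> dict:
    """One BulkRequest operation from a flat HR record.

    rec keys: employee_id, upn, given, family; optional title, department,
    active (default True), hire_date (ISO 8601), manager_id.
    Raises ValueError if manager_id is not an employee ID the service already
    knows (the caveat in the video: manager is matched by employee ID, not name).
    """
    emp_id = str(rec["employee_id"])
    data = {
        "schemas": [SCIM_USER, SCIM_ENTERPRISE],
        "externalId": emp_id,  # mapped to employeeId in Entra by the default schema
        "userName": rec["upn"],
        "name": {"givenName": rec["given"], "familyName": rec["family"]},
        "displayName": f"{rec['given']} {rec['family']}",
        "emails": [{"primary": True, "type": "work", "value": rec["upn"]}],
        "title": rec.get("title", ""),
        "userType": "Employee",
        "active": bool(rec.get("active", True)),  # False disables the account
        SCIM_ENTERPRISE: {"employeeNumber": emp_id, "department": rec.get("department", "")},
    }
    manager_id = rec.get("manager_id")
    if manager_id is not None:
        manager_id = str(manager_id)
        if manager_id not in known_ids:
            raise ValueError(
                f"{rec['upn']}: manager {manager_id} was not provisioned through this "
                "service, so the manager reference cannot be resolved")
        data[SCIM_ENTERPRISE]["manager"] = {"value": manager_id, "$ref": f"../Users/{manager_id}"}
    if rec.get("hire_date"):
        data[hire_date_schema(company)] = {"HireDate": rec["hire_date"]}
    # bulkId is an arbitrary per-operation GUID, as in the docs sample the video uses
    return {"method": "POST", "bulkId": str(uuid.uuid4()), "path": "/Users", "data": data}


def build_bulk_request(records: list, known_ids: set, company: str) -> dict:
    """Whole BulkRequest body; the service decides create vs. update by matching."""
    ops = [scim_operation(r, known_ids, company) for r in records]
    return {"schemas": [SCIM_BULK], "Operations": ops, "failOnErrors": None}


def get_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """OAuth 2.0 client-credentials token for Microsoft Graph (application permissions)."""
    body = urllib.parse.urlencode({
        "client_id": client_id, "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default", "grant_type": "client_credentials",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def submit_bulk(bulk_upload_url: str, token: str, payload: dict) -> str:
    """POST the body; a 202 comes back with a Location header for the job status."""
    req = urllib.request.Request(
        bulk_upload_url, data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/scim+json"})
    with urllib.request.urlopen(req) as resp:
        if resp.status != 202:
            raise RuntimeError(f"expected 202 Accepted, got {resp.status}")
        return resp.headers["Location"]


def poll_status(location: str, token: str) -> dict:
    """GET the Location URL; 'value' stays empty until provisioning has finished."""
    req = urllib.request.Request(location, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample input. 55666 is Pardeep's employee ID from the video and is
# treated as already provisioned; the other values are made up.
ALREADY_PROVISIONED = {"55666"}
SAMPLE_RECORDS = [
    {"employee_id": "70042", "upn": "barry.allen@example.com", "given": "Barry", "family": "Allen",
     "title": "Tour Guide", "department": "Tour Operations",
     "hire_date": "2024-01-15T00:00:00Z", "manager_id": "55666"},
    {"employee_id": "70043", "upn": "leaver@example.com", "given": "Lee", "family": "Aver",
     "department": "Tour Operations", "active": False},  # offboarding: disable
]

if __name__ == "__main__":
    print(json.dumps(build_bulk_request(SAMPLE_RECORDS, ALREADY_PROVISIONED, "example"), indent=2))
    # To send for real: token = get_token(TENANT_ID, CLIENT_ID, SECRET)
    # loc = submit_bulk(BULK_UPLOAD_URL, token, payload); poll_status(loc, token)
```

Run it as-is to see the body; wire the three network calls to your own tenant, app registration (with SynchronizationData-User.ReadWrite and AuditLog.Read.All consented) and the bulkUpload URL shown on the app's Provisioning page. The manager check is deliberately strict: it refuses a batch rather than letting the service silently drop a manager link it cannot resolve.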