Managing Microsoft Services
Colin ([email protected], https://www.linkedin.com/in/colinwill/)
Agenda
1. Introduction
2. Configuring Atria for Microsoft Online Services
• Partner Center Connections
• Azure AD Service
• Microsoft Online Service
3. Provisioning Tenants
• Create a new tenant (direct partner)
• Provisioning users
4. Connecting to existing Tenants
5. FAQs
6. Q&A
Key Features
• Provisioning: Tenants, Users, Subscriptions
• Security: reduced need for Global Admin access; Secure App Model
• Delegation: Service Desk, Resellers, End-Customers
• Data: audit changes; user-level billing
• Removes the requirement for AD Connect in multi-tenant Hosted Desktop scenarios
Assumptions
• Atria v12.6.6 or later installed
• Understanding of Atria concepts, services and provisioning
• Atria Service Modules installed and enabled for Azure AD and Microsoft Online
Microsoft Partner Center
Slide diagram of the CSP channel (text recovered from the figure):
• Direct CSP Partner (Tier 1): Sales, Support, Billing; serves Customers directly
• Indirect CSP Reseller (Ingram Micro, Rhipe, Softcat): Support, Billing
• Indirect CSP Partner (Tier 2): Sales; serves Customers through the indirect reseller
In both models the partner provisions tenants, configures subscriptions and allocates licenses to customers.
Azure AD & Microsoft Online
Two Atria services work together; the Microsoft Online service is dependent on the Azure AD service:
• Azure AD service: controls how the tenant is configured and the connection between Atria and Azure, including the Partner Center connection. Provisioned to the customer.
• Microsoft Online service: controls Microsoft licenses and defines the plans that can be provisioned to users; creates the user in Azure AD. Provisioned to the customer, then to user(s).
Configuration (three steps)
1. Connect to Partner Center
2. Configure Azure AD Service
3. Configure Microsoft Online Service
Create Connections to Partner Center
Granting the rights needed to provision via the Partner Center APIs:
• Scripts deployed with the Atria Microsoft Online web service: Create-new-azure-app.ps1 and Exchange-online-consent.ps1
• Must be executed as a Global Administrator WITH MFA ENABLED
What the scripts do:
1. Create an application in Azure AD (your CSP Partner Center AD)
2. Delegate the required permissions to the application
3. Generate tokens
4. The tokens are entered into Atria
5. Atria stores the tokens securely
Product Catalog (Services > Microsoft Online > Offer Management)
• Direct Partners: retrieves the product catalog directly from Microsoft via API.
• Indirect Partners: retrieves a static product catalog from an Automate101 file.
Direct Partners: select the Partner Center Connection from the drop-down and click the “SYNC OFFERS FROM PARTNER CENTER” link to test that your connection is working.
Walkthrough 1…
• Configuring Partner Center Connections
• Retrieving Microsoft Product Catalog
Configuration, step 2 of 3: Configure Azure AD Service
Azure AD Customer Plans
• Used as a template for common tenant configuration scenarios.
• Settings can be overridden at reseller or customer level to meet specific needs.
Azure AD Customer Plans: Manage ADFS
When checked, Atria assumes the customer is federated and will:
• Federate domains in Azure AD
• Relate the Azure AD account to the on-premises (AD) account via the immutableId attribute
• For federated users, change passwords only in Active Directory
If NOT checked, Atria will:
• Provision accounts into both Azure AD and AD
• Reset/change passwords in both AD and Azure AD
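The slide says a federated account is related to its on-premises account via immutableId but not how that value is formed. The example below is added here and is not Atria's code: it assumes the convention Azure AD Connect uses (Base64 of the AD objectGUID in .NET byte order), which the slide does not confirm for Atria, and it uses a constructed objectGUID. The point worth seeing is the byte-order trap: encoding the GUID's RFC 4122 big-endian bytes yields a different string, and a user linked with that value never matches.

```python
# Added example (not Atria's code). Assumption: immutableId is the Base64 of
# the on-premises objectGUID in .NET Guid.ToByteArray() order, as Azure AD
# Connect does. The objectGUID below is constructed.
import base64
import uuid
from typing import Optional

OBJECT_GUID = uuid.UUID("01020304-0506-0708-090a-0b0c0d0e0f10")  # constructed


def immutable_id(object_guid: uuid.UUID) -> str:
    """Base64 of the GUID in .NET byte order.

    .NET stores the first three GUID fields little-endian, which is exactly
    what uuid.bytes_le returns.
    """
    return base64.b64encode(object_guid.bytes_le).decode("ascii")


def immutable_id_wrong_byte_order(object_guid: uuid.UUID) -> str:
    """The common mistake: encoding the RFC 4122 big-endian bytes instead."""
    return base64.b64encode(object_guid.bytes).decode("ascii")


def object_guid_from_immutable_id(value: str) -> uuid.UUID:
    """Reverse mapping, for checking an existing Azure AD user against the
    on-premises account it is supposed to be related to."""
    raw = base64.b64decode(value, validate=True)  # binascii.Error is a ValueError
    if len(raw) != 16:
        raise ValueError("immutableId does not decode to a 16-byte GUID")
    return uuid.UUID(bytes_le=raw)


def is_linked(object_guid: uuid.UUID, azure_immutable_id: Optional[str]) -> bool:
    """True when the Azure AD user's immutableId points at this AD account."""
    if not azure_immutable_id:
        return False  # cloud-only account: not related to any on-prem object
    try:
        return object_guid_from_immutable_id(azure_immutable_id) == object_guid
    except ValueError:
        return False  # malformed value: treat as not linked rather than crash


if __name__ == "__main__":
    iid = immutable_id(OBJECT_GUID)
    print("immutableId:", iid)
    print("wrong order:", immutable_id_wrong_byte_order(OBJECT_GUID))
    print("linked:", is_linked(OBJECT_GUID, iid))
```

Running it shows the two encodings differ even though they come from the same GUID; when investigating a federated user who cannot sign in, compare the Azure AD immutableId against both forms before assuming the federation policy is at fault.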
Azure AD Customer Plans: ADFS Policy
• Defines the domain federation settings
• Multiple policies can be configured as needed
• Atria uses these settings to federate domains in Azure
Manage ADFS Policies via the Services > Microsoft Online > ADFS Policies menu
Azure AD Customer Plans: Manage Licenses
When enabled, Atria will:
(a) automatically provision subscriptions
(b) increment subscriptions as needed
(c) remove unassigned licenses on a daily basis
Leave unchecked if:
• Indirect Partner
• Third-party/EA/external licensing
Azure AD Customer Plans: Partner Center
Defines the Partner Center connection to be used for managing the customer.
• Can only be set by the Service Provider
• Not available for resellers or customers to change
Azure AD Customer Plans: Remove Relationship
When the Azure AD service is deprovisioned, if this option is selected Atria will also remove the Partner Center relationship with that customer.
WARNING!! If the Partner Relationship is removed, you will no longer be able to manage the tenant via Partner Center and all delegated permissions will be removed.
Azure AD Customer Plans: Sync Policy
Configuration for the sync process, which is used to import changes from Azure AD into Atria. Reviewed in more detail later.
Manage Sync Policies via the Services > Microsoft Online > Sync Policies menu
Configuration, step 3 of 3: Configure Microsoft Online Service
Atria & Microsoft Plans
• Each Atria plan can have:
• 1 primary Microsoft product
• Any number of add-ons for the product
• Product features enabled or disabled (Microsoft calls these service plans)
• Setting up plans can be complex; plan in advance to save time: https://support.automate101.com/portal/kb/articles/configuring-microsoft-online-user-plans
• Assign product SKUs to each plan to simplify billing
Configure Microsoft products via the Microsoft Online Service User Plans.
Qualifications (if you work with Education, Government or Non-Profits…)
• Subscriptions can differ based on the qualification a customer has.
• When a product is selected in the Plan Editor, you can see the types of customer it can apply to.
• When Atria provisions subscriptions (direct partner), it chooses the appropriate offer for the product/qualification combination.
• If no offer is available, Atria defaults to commercial subscriptions.
• https://support.automate101.com/portal/kb/articles/atria-and-microsoft-csp-tenant-qualifications
Walkthrough 2…
• Provision Tenant from Atria
• Provision users and assign services
Flow: Provision Customer in Atria → Provision Azure AD Service → Select Plans & Provision Microsoft Online Service → Provision Users with Microsoft Online Service → Log in as User into Azure
Connect Tenant Process
Use cases:
• Onboarding a new customer
• Importing an existing customer not in Atria
• A Partner relationship must be in place with the tenant!
The slide sequence links an Atria Customer to an existing Azure AD Tenant (with its Subscriptions and Azure AD Users):
1. Starting point: the Atria Customer on one side, the Azure AD Tenant (Subscriptions, Azure AD Users) on the other, not yet connected.
2. Tenant connect: Atria searches for the tenant via Partner Center and creates a Connector linking the TenantID to the Atria Customer.
3. Azure AD Service provisioned to the Customer: the Connector, Domains and Tenant Details are now held in Atria.
4. Sync: the sync process executes and pulls users from Azure AD into Atria (Atria + AD Users, with Subscriptions linked).
Walkthrough 3…
• Connecting and synchronising an existing Office 365 tenant
Flow: Provision Customer in Atria → Connect to Azure AD Tenant → Select Plans & Provision Microsoft Online Service → Execute Sync Process → Review Sync Log
“Linking” Users
• The sync process will try to find matching users in Atria/AD
• Matches on the user's UPN
Atria/AD | Azure AD | Result
[email protected] | [email protected] | Matched & linked
[email protected] | no match… | (remains an Atria/AD user only)
(no Atria user) | [email protected] | Created & linked
Sync - Licenses & Plans
• The Microsoft Online service must be provisioned to the customer
• Matching plans must be available to the tenant which represent the license combinations within the tenant
• Add-ons are part of the Atria plan, so you may need more combinations of Atria plans, e.g.:
• E3
• E3 + voice
• E3 + ATP
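The rule above (one Atria plan per licence combination, and the plan must be available to the tenant) is easier to reason about as a worked example. The code below is added here and is not Atria's code: it models the licence step of the sync with the slide's three plans, uses illustrative SKU part numbers, and runs over constructed tenant data. It shows which users link and which show up as problems when a combination such as E3 + voice + ATP has no plan.

```python
# Added example (not Atria's code): a model of the "licenses & plans" step of
# the sync. Plan names follow the slide; SKU part numbers are illustrative
# and the per-user licence data is constructed.
from typing import Dict, Iterable, List, Optional, Set, Tuple

# An Atria plan = one primary Microsoft product plus any number of add-ons.
PLANS: List[dict] = [
    {"name": "E3", "product": "ENTERPRISEPACK", "addons": set()},
    {"name": "E3 + voice", "product": "ENTERPRISEPACK", "addons": {"MCOEV"}},
    {"name": "E3 + ATP", "product": "ENTERPRISEPACK", "addons": {"ATP_ENTERPRISE"}},
]

# Licences assigned per user, as the sync would read them from Azure AD (constructed).
AZURE_USERS: Dict[str, Set[str]] = {
    "anna@contoso.example": {"ENTERPRISEPACK"},
    "bob@contoso.example": {"ENTERPRISEPACK", "MCOEV"},
    "carl@contoso.example": {"ENTERPRISEPACK", "ATP_ENTERPRISE"},
    "dana@contoso.example": {"ENTERPRISEPACK", "MCOEV", "ATP_ENTERPRISE"},
    "erin@contoso.example": set(),
}


def match_plan(assigned_skus: Iterable[str], plans: List[dict]) -> Optional[str]:
    """Return the name of the plan whose product + add-ons equals the SKU set.

    The comparison is exact: one extra or missing add-on means no plan
    represents this licence combination, so the user cannot be linked to one.
    """
    wanted = set(assigned_skus)
    for plan in plans:
        if {plan["product"]} | plan["addons"] == wanted:
            return plan["name"]
    return None


def sync_licences(users: Dict[str, Set[str]], plans: List[dict],
                  plans_available_to_tenant: Set[str]
                  ) -> Tuple[Dict[str, str], List[Tuple[str, List[str], str]]]:
    """Simulate the licence step for one tenant.

    Only plans provisioned to this customer (plans_available_to_tenant) are
    candidates, which is the "matching plans must be available to the tenant"
    rule. Returns (linked, problems): linked maps UPN -> plan name; problems
    lists the users the sync could not place, as a sync log would.
    """
    available = [p for p in plans if p["name"] in plans_available_to_tenant]
    linked: Dict[str, str] = {}
    problems: List[Tuple[str, List[str], str]] = []
    for upn, skus in users.items():
        if not skus:
            continue  # unlicensed user: nothing to map, not an error
        name = match_plan(skus, available)
        if name is None:
            problems.append((upn, sorted(skus),
                             "no available Atria plan for this licence combination"))
        else:
            linked[upn] = name
    return linked, problems


if __name__ == "__main__":
    # Tenant has only E3 and E3 + voice enabled: carl and dana cannot be linked.
    linked, problems = sync_licences(AZURE_USERS, PLANS, {"E3", "E3 + voice"})
    for upn, plan in linked.items():
        print(f"linked  {upn} -> {plan}")
    for upn, skus, why in problems:
        print(f"problem {upn} {skus}: {why}")
```

Enabling the E3 + ATP plan for the tenant clears carl; dana still needs a fourth plan (E3 + voice + ATP) before the sync can link her, which is the "more combinations" point the slide makes.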
Sync Policy
Controls the behaviour of the process which synchronises users and licenses into Atria. Set against the Azure AD Customer plan.
Manage Sync Policies via the Services > Microsoft Online > Sync Policies menu
Sync Policy settings
• Disable Nightly Sync: stops the nightly sync from running if checked.
• Create Users in Atria: when checked, creates or matches a user in Atria each time a user is found in Azure AD.
• Filter: any Microsoft Graph compliant query filter. By default, only Member users are retrieved.
• Master Directory: only applies on the initial user match. When matching users are found in Azure and Atria, it determines which directory's data field takes precedence.
Sync Policy – Master Directory
“Atria” master:
Attribute | Atria User | Azure User | Resultant User
City | Auckland | Christchurch | Auckland
Department | Sales | Sales | Sales
Phone | 09 200 9920 | (blank) | 09 200 9920
“Azure” master:
Attribute | Atria User | Azure User | Resultant User
City | Auckland | Christchurch | Christchurch
Department | Sales | Sales | Sales
Phone | 09 200 9920 | (blank) | 09 200 9920
Only one directory holds a phone number on the slide, and the populated value is kept under either master.
Applies only on the initial connection of the user to Atria. On subsequent syncs:
1. Changes in Azure AD are assumed to be intentional and take precedence
2. Changes made in Atria are saved to both locations
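The two slides above, “Linking” Users and Master Directory, describe one procedure: match by UPN, create what has no match, and merge attributes on the first link. The code below is added here and is not Atria's code. It assumes the UPN comparison is case-insensitive (the slide only says "UPN"), applies the default Graph filter by dropping Guest records, and reads the Phone row of the table as "a populated value is kept when the other side is blank, whichever directory is master"; all user records are constructed.

```python
# Added example (not Atria's code): a model of the sync's "linking" step and
# of the Master Directory rule on the initial match. Assumptions: UPNs are
# compared case-insensitively; a blank value never overwrites a populated one.
from typing import Dict, List

DEFAULT_FILTER = "userType eq 'Member'"  # the sync policy's default Graph filter
IDENTITY_KEYS = {"upn", "userType"}      # identity fields, not merged attributes

# Constructed records: user1 exists on both sides, user2 only in Atria/AD,
# user3 only in Azure AD, and a Guest that the default filter excludes.
ATRIA_USERS: List[Dict[str, str]] = [
    {"upn": "user1@contoso.example", "City": "Auckland", "Department": "Sales",
     "Phone": "09 200 9920"},
    {"upn": "user2@contoso.example", "City": "Wellington", "Department": "Ops"},
]
AZURE_USERS: List[Dict[str, str]] = [
    {"upn": "User1@contoso.example", "userType": "Member", "City": "Christchurch",
     "Department": "Sales"},                       # Phone is blank in Azure AD
    {"upn": "user3@contoso.example", "userType": "Member", "City": "Dunedin"},
    {"upn": "guest_contoso.example#EXT#@partner.example", "userType": "Guest",
     "City": "Sydney"},
]


def apply_default_filter(azure_users: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Keep Member accounts only, as the default filter does."""
    return [u for u in azure_users if u.get("userType") == "Member"]


def merge_attributes(atria_user: Dict[str, str], azure_user: Dict[str, str],
                     master: str) -> Dict[str, str]:
    """Initial-link merge; master is 'Atria' or 'Azure'.

    Where both directories hold a value the master wins (City in the table).
    Where only one side holds a value, that value is kept regardless of master
    (assumption drawn from the Phone row).
    """
    if master == "Atria":
        first, second = atria_user, azure_user
    elif master == "Azure":
        first, second = azure_user, atria_user
    else:
        raise ValueError(f"unknown master directory: {master!r}")
    merged = {"upn": atria_user["upn"]}
    for key in (set(first) | set(second)) - IDENTITY_KEYS:
        merged[key] = first.get(key) or second.get(key) or ""
    return merged


def link_users(atria_users: List[Dict[str, str]], azure_users: List[Dict[str, str]],
               master: str = "Atria", create_users: bool = True) -> dict:
    """Link Azure AD users to Atria users by UPN.

    Returns the lists 'matched', 'created' and 'unmatched_atria' (lower-cased
    UPNs) plus 'users', the resultant Atria records keyed by lower-cased UPN.
    """
    by_upn = {u["upn"].lower(): u for u in atria_users}
    result = {"matched": [], "created": [], "unmatched_atria": [], "users": {}}
    for azure_user in apply_default_filter(azure_users):
        key = azure_user["upn"].lower()
        if key in by_upn:
            result["users"][key] = merge_attributes(by_upn[key], azure_user, master)
            result["matched"].append(key)
        elif create_users:  # the "Create Users in Atria" sync policy option
            record = {k: v for k, v in azure_user.items() if k not in IDENTITY_KEYS}
            record["upn"] = azure_user["upn"]
            result["users"][key] = record
            result["created"].append(key)
    for key, atria_user in by_upn.items():
        if key not in result["users"]:
            result["unmatched_atria"].append(key)  # stays an Atria/AD-only user
            result["users"][key] = dict(atria_user)
    return result


if __name__ == "__main__":
    for master in ("Atria", "Azure"):
        r = link_users(ATRIA_USERS, AZURE_USERS, master=master)
        u1 = r["users"]["user1@contoso.example"]
        print(master, "master -> user1:", u1["City"], u1["Department"], u1["Phone"])
    print("matched", r["matched"], "created", r["created"],
          "unmatched", r["unmatched_atria"])
```

With the Azure master the City becomes Christchurch while the Phone survives, which is the behaviour the two tables show; the Guest record is never considered because the default filter excludes it, so a guest with a UPN that collides with an internal account cannot be linked by accident.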
Password Settings
Allows configuration of the password complexity settings. When a user is created in AD, Atria generates a password; the generated password must equal or exceed the local AD password policy.
Walkthrough 3… Review
• Review synced users
Flow: Provision Customer in Atria → Connect to Azure AD Tenant → Select Plans & Provision Microsoft Online Service → Execute Sync Process → Review Sync Log (this step)
User Management
Following features are all actioned across AD and Azure AD from within Atria:
• User Update (via Edit User page)
• Add/Remove/Update Email aliases
• Password Reset
• Self-password reset
• Change password
• Disable/Enable Account
Does de-provisioning delete Azure AD tenants?
• De-provisioning the MSOL service from a user deletes the user from Azure AD.
• De-provisioning the Microsoft Online service from a customer does not de-provision users or the tenant; it breaks the “user connection” between Azure AD and Atria.
• De-provisioning the Azure AD service at the tenant level does not delete the tenant:
• It removes the connection to Azure AD from Atria
• It suspends any partner-provisioned subscriptions
• Remember it can also remove your partner relationship if configured to do so
Can I still make changes via Office 365?
• Sync will pick up changes to:
• Users
• Licenses assigned to users
• Added email aliases
• If you remove email aliases from Office 365, the sync process will not remove these from the user in Atria.
• If the sync process is not executed, Atria may overwrite changes made directly in Office 365.
Can I use Azure AD Connect with Atria?
WARNING!! Atria cannot currently co-exist with Azure AD Connect: when Azure AD Connect is configured, it is not possible to provision users via the APIs.
Today:
• Use Atria to manage AD
• We can supply a fix that allows email aliases to be provisioned to AD
Q&A
For more detailed information and articles on Managing Microsoft Services with Atria: https://support.automate101.com/portal/kb/articles/microsoft-online-service-planning
What happens with Suspended Microsoft Subscriptions?
When onboarding tenants, suspended subscriptions with license assignments can exist.
At present, Atria does not re-activate subscriptions – you will need to handle this within PartnerCenter.
Suspended licenses do not show in the Subscription view in the Microsoft Online Service
Can Atria work with multiple Partner Center regions?
Connections shown on the slide: Europe - Production, USA - Production, USA - Sandbox, Reseller 1 - Production, Reseller 2 - Production
• One Partner Center connection for each region
• Consider using the Reseller structure to segregate regions:
• Create a USA Market (internal reseller)
• Create a Europe Market (internal reseller)
• Configure the reseller service to use the appropriate Partner Center connection
• Make sure the override checkbox is selected or changes are not saved!
How can I see sync problems across tenants?
• We are working on wider architectural changes to improve operational support and welcome feedback…
• Database view showing errors from the last sync run across all tenants (run against the Atria OLM database):
USE OLM
GO
-- errors from the last sync run, all tenants
SELECT * FROM vw_AzureSyncLog