Azure AD Configuration
As part of the move to a Microsoft 365 centric architecture, on-premises Active Directory information is often migrated into Azure Active Directory (Azure AD). Discover fully supports obtaining user or group information from Azure AD. This document describes how to configure that access.
Section 1: PowerShell Setup/Access
Any Discover Connector server that will be performing queries into Azure AD must have the following PowerShell modules installed: MSOnline and AzureAD.
You can verify if these modules are present by launching a PowerShell session as Administrator then issuing the following command:
If the modules are present, the response to that command will show the following:
If the modules are present, the Discover machine is prepared to access Azure AD; continue with configuring the data target search as described in Section 2. If the modules are not present, continue with the installation instructions in this section.
To install the MSOnline module issue the following PowerShell command:
Install-Module -Name MSOnline
(Note: You may receive a notification that the NuGet provider is required. If so, PowerShell will offer to install it automatically; simply answer Y when that prompt appears.)
The Install-Module command should respond with a confirmation prompt as shown below. Press Y to proceed with the installation:
After the MSOnline module is installed, it must be connected to Microsoft 365. Use the command shown below to initiate the connection.
(Note: You may be prompted for authentication credentials if SSO is not being used.)
After completing the MSOnline installation, continue with installing the Azure AD module using this command:
Install-Module -Name AzureAD
As shown below, this command will also present a confirmation prompt. When it does, press Y to proceed.
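The checks and installs above, combined into one script as an added example (not part of the Discover documentation). It assumes the Connector server can reach the PowerShell Gallery and is run from an elevated PowerShell session; Get-Module -ListAvailable is used for the presence check.

```powershell
# Added example (not from the Discover documentation): verify that the two
# PowerShell modules Discover needs are present on the Connector server and
# install any that are missing. Run from an elevated PowerShell session.
$required = @('MSOnline', 'AzureAD')

foreach ($name in $required) {
    $found = Get-Module -ListAvailable -Name $name
    if ($found) {
        $latest = ($found | Sort-Object Version -Descending | Select-Object -First 1).Version
        Write-Host ("{0} {1} is already installed" -f $name, $latest)
        continue
    }
    Write-Host "$name not found, installing from the PowerShell Gallery"
    # -Scope AllUsers so the Connector service account, not only the administrator
    # running this script, can load the module. Install-Module may first prompt to
    # install the NuGet provider and then ask for confirmation; answer Y to both.
    Install-Module -Name $name -Scope AllUsers
}

# Connect the MSOnline module to Microsoft 365. An interactive credential prompt
# appears unless SSO is in use.
Connect-MsolService
```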
Section 2: Discover Configuration
Once the PowerShell modules have been loaded, there are two locations where Azure related settings should be verified within your Discover configuration. First, the PowerShell authentication type and URL should be verified in the Connector settings. Also, the PowerShell account information should be verified in the Connector Status Utility.
To validate the PowerShell authentication type and URL in Connector settings, log into the Discover dashboard. Either click the red Connectors block on the home page or click Administration, then Configuration/Connectors.
Select a Connector, hover over the orange MORE button, and choose Connector Settings.
Check the Advanced box, select the Connector Settings tab, and scroll to the bottom of the page to locate the PowerShell Auth Type and URL settings. Verify that they are correct for your environment.
If your settings are correct, move on to the Connector Status Utility Settings section of this document. If you do modify the settings, be sure to click the blue UPDATE button at the bottom of the form. Return to the Connectors screen then hover over the green ACTION button and click Download Configuration File.
Selecting this option forces an update of the Connector settings from the Discover database to the local Connector server. Gimmal recommends restarting the Connector service on the server to ensure the updated settings are in effect.
Connector Status Utility Settings
Log into the Connector server and launch the Connector Status Utility by clicking the desktop icon shown below.
If your server does not have a desktop icon, locate SherpConnectorStatus.exe in the folder C:\Program Files (x86)\Sherpa Software\Sherpa Connector and launch the utility from that location.
Click on the Credentials hyperlink, then click the Connectors tab:
At the bottom of the form confirm that the Master PowerShell Credentials shown are accurate. If the credentials are correct, continue with Section 3: Azure AD Data Target Searches in this document.
If you need to enter (or modify) the credentials, be sure to click the Save button at the bottom of the form. Then close the Connector Status Utility and restart the Connector Service to ensure the service uses the latest credential information.
Section 3: Azure AD Data Target Searches
Once the Azure AD components are in place, Discover should be able to query Azure AD through a Data Target search query. In the Discover Administration module, select Configuration then Connectors. Hover over the green ACTION button and select Searches:
On the search screen, hover over the green ACTION button and select Add. From the Type drop-down list select Data Owners.
Supply a name for the search type, then select the 'Search For' option shown below to reference an Azure AD group. Then set the 'Search By' to Specific Connector and select your Connector device using the Edit button.
Click the Find Azure AD Group tab at the top of the form and supply the name of the Azure AD group that you would like Discover to query for user information.
Note: You may only specify one group name for each search. To search for additional groups, create multiple Azure AD searches.
If you would like to create a corresponding group within Discover (this step is optional), check the 'Synch search results' box and supply a name for the Discover group to be created.
When finished, click the blue UPDATE AND RUN button to queue the search for execution. The next time the Connector device checks in, it will pick up the search request and perform the query.
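Before queuing the search, it can help to confirm from the Connector server that the account holding the Master PowerShell Credentials can actually resolve the group and read its members, since that is what the Data Owners search will do. The script below is an added example, not Discover's own code; it assumes the AzureAD module from Section 1 is installed and that you sign in as the same account Discover uses.

```powershell
# Added example (not part of the Discover documentation): check that the
# PowerShell account Discover uses can resolve an Azure AD group by display
# name and enumerate its direct members.
param(
    # Display name you intend to enter on the Find Azure AD Group tab
    [Parameter(Mandatory = $true)]
    [string]$GroupName
)

Import-Module AzureAD -ErrorAction Stop
# Sign in as the account Discover will use, so the test reflects its permissions
Connect-AzureAD | Out-Null

# -SearchString matches the start of DisplayName, so narrow to an exact match
$groups = Get-AzureADGroup -SearchString $GroupName |
    Where-Object { $_.DisplayName -eq $GroupName }

if (-not $groups) {
    throw "No Azure AD group named '$GroupName' is visible to this account."
}
if (@($groups).Count -gt 1) {
    # Discover searches reference a single group, so an ambiguous name needs
    # resolving in Azure AD before the search is configured
    throw "More than one group is named '$GroupName'; pick a unique name."
}

$members = Get-AzureADGroupMember -ObjectId $groups.ObjectId -All $true
Write-Host ("Group '{0}' ({1}) has {2} direct member(s):" -f
    $groups.DisplayName, $groups.ObjectId, @($members).Count)
$members |
    Select-Object ObjectType, DisplayName, UserPrincipalName |
    Format-Table -AutoSize
```

If this script fails to sign in or returns no members, correct the Master PowerShell Credentials in the Connector Status Utility before queuing the search.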