Configure Hybrid Identity environment
Hybrid Identity synchronizes the on-premises Active Directory with cloud-based Microsoft Entra ID. It enables organizations to seamlessly manage user identities, authentication, and access control across both their on-premises and cloud environments.
For information about Microsoft Azure automation in a hybrid environment, see the Microsoft documentation.
Cloud Commander labels on-premises Active Directory users as Cloud and On-premises users. When you add, edit, or remove a hybrid user or group in Cloud Commander, the action is saved back to the on-premises Active Directory.
To configure the Hybrid Identity environment:
- Step 1: Perform configuration steps in the Azure portal
- Step 2: Configure the Hybrid Identity user settings in Cloud Commander
Key Hybrid Runbook Worker architecture terminology
- Automation account: A cloud service that automates configuration and management across your Azure and non-Azure environments.
-
Hybrid Runbook Worker: A computer that's configured with the Hybrid Runbook Worker feature and can execute runbooks directly on the computer and against the resources in the local environment.
-
Hybrid Runbook Worker group: Group with multiple Hybrid runbook workers for higher availability and scale to run a set of runbooks.
-
Runbook: A collection of one or more linked activities that together automate a process or operation.
Requirements
- Azure subscription with appropriate permissions.
- Access to the Azure portal.
- Cloud Commander Administrators platform role.
Step 1: Perform configuration steps in the Azure portal
Create automation account in Azure portal
For more details about this task, see the Microsoft documentation.
- Sign into the Azure portal.
- Select Automation accounts.
- Select Create.
- On the Basics tab, provide the essential information for your Automation account including the region and resource group.
- Select Review + Create to create the account.
Example data:
Create a hybrid worker group
- In the automation account, go to Hybrid worker groups.
- Select Create hybrid worker group.
- On the Basics tab, enter a descriptive and meaningful Name for the hybrid worker group.
Example data:
Add a hybrid worker in the hybrid worker group
- In the hybrid worker group, select Add to add a device as a new hybrid worker.
- Add the domain controller Windows VM as a hybrid worker.
Example data:
Create the required runbooks
Use the following instructions and PowerShell code to create the required runbooks to create, update, and remove users.
Ensure the runbooks are configured to interact with your on-premises environment.
Create the runbook to create users
- In the automation account, go to Process Automation and select Runbooks.
- Select Create a runbook.
- Name the runbook, New-ADUser.
From the Runbook type drop-down menu, select PowerShell.
From the Runtime version drop-down menu, select 5.1.
Enter an applicable Description.
- Select Create to create the runbook.
- In the runbook editor, paste the following code:
CopyNew-ADUser (PowerShell)param(
[Parameter(Mandatory=$True)]
[string]
$userName,
[Parameter(Mandatory=$False)]
[string]
$password,
[Parameter(Mandatory=$False)]
[string]
$givenName,
[Parameter(Mandatory=$False)]
[string]
$surName,
[Parameter(Mandatory=$False)]
[string]
$displayName,
[Parameter(Mandatory=$False)]
[string]
$upn,
[Parameter(Mandatory=$False)]
[string]
$country,
[Parameter(Mandatory=$False)]
[string]
$department,
[Parameter(Mandatory=$False)]
[string]
$companyName,
[Parameter(Mandatory=$False)]
[string]
$jobTitle,
[Parameter(Mandatory=$False)]
[string]
$streetAddress,
[Parameter(Mandatory=$False)]
[string]
$city,
[Parameter(Mandatory=$False)]
[string]
$state,
[Parameter(Mandatory=$False)]
[string]
$postalCode,
[string]
$manager
)
#Create the user
$secureString = convertto-securestring $password -asplaintext -force
$params = @{
Name = $userName
Accountpassword = $secureString
Enabled = $true
}
if($givenName){
$params.GivenName = $givenName
}
if($surName){
$params.Surname = $surName
}
if($displayName){
$params.DisplayName = $displayName
}
if($upn){
$params.UserPrincipalName = $upn
}
if($country){
$params.Country = $country
}
if($department){
$params.Department = $department
}
if($companyName){
$params.Company = $companyName
}
if($jobTitle){
$params.Title = $jobTitle
}
if($streetAddress){
$params.StreetAddress = $streetAddress
}
if($city){
$params.City = $city
}
if($state){
$params.State = $state
}
if($postalCode){
$params.PostalCode = $postalCode
}
if ($manager) {
# Check if the Active Directory module is loaded
if (Get-Module -ListAvailable | Where-Object { $_.Name -eq 'ActiveDirectory' }) {
$givenManager = Get-ADUser -Identity $manager
if ($givenManager) {
$params.Manager = $givenManager
}
else {
Write-Host "Manager '$manager' not found in Active Directory."
}
}
else {
Write-Host "Active Directory module not loaded. Please ensure the module is available."
}
}
New-ADUser @params
import-module "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\Microsoft.IdentityManagement.PowerShell.Cmdlet.dll"
Start-ADSyncSyncCycle -PolicyType Delta- Review the copied code, and edit as needed, to ensure it is correctly configured to interact with your on-premises environment.
- Select Save.
Before you can execute a runbook, you must publish it first. For more information and instructions, see the Microsoft article to Publish a runbook.
Create the runbook to remove users
- In the automation account, go to Process Automation and select Runbooks.
- Select Create a runbook.
- Name the runbook, Remove-ADUser.
From the Runbook type drop-down menu, select PowerShell.
From the Runtime version drop-down menu, select 5.1.
Enter an applicable Description.
- Select Create to create the runbook.
- In the runbook editor, paste the following code:
CopyRemove-ADUser (PowerShell)param(
[Parameter(Mandatory=$True)]
[string]
$userName
)
#Remove the user
Remove-ADUser -Identity $userName -Confirm:$false
import-module "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\Microsoft.IdentityManagement.PowerShell.Cmdlet.dll"
Start-ADSyncSyncCycle -PolicyType Delta- Review the copied code, and edit as needed, to ensure it is correctly configured to interact with your on-premises environment.
- Select Save.
Before you can execute a runbook, you must publish it first. For more information and instructions, see the Microsoft article to Publish a runbook.
Create the runbook to edit users
- In the automation account, go to Process Automation and select Runbooks.
- Select Create a runbook.
- Name the runbook, Set-ADUser.
From the Runbook type drop-down menu, select PowerShell.
From the Runtime version drop-down menu, select 5.1.
Enter an applicable Description.
- Select Create to create the runbook.
- In the runbook editor, paste the following code:
CopySet-ADUser (PowerShell)param(
[Parameter(Mandatory=$True)]
[string]
$userName,
[Parameter(Mandatory=$False)]
[string]
$givenName,
[Parameter(Mandatory=$False)]
[string]
$surName,
[Parameter(Mandatory=$False)]
[string]
$displayName,
[Parameter(Mandatory=$False)]
[string]
$upn,
[Parameter(Mandatory=$False)]
[string]
$country,
[Parameter(Mandatory=$False)]
[string]
$department,
[Parameter(Mandatory=$False)]
[string]
$companyName,
[Parameter(Mandatory=$False)]
[string]
$jobTitle,
[Parameter(Mandatory=$False)]
[string]
$streetAddress,
[Parameter(Mandatory=$False)]
[string]
$city,
[Parameter(Mandatory=$False)]
[string]
$state,
[Parameter(Mandatory=$False)]
[string]
$postalCode,
[string]
$manager
)
#Update the user
$params = @{
Identity = $userName
}
if($givenName){
$params.GivenName = $givenName
}
if($surName){
$params.Surname = $surName
}
if($displayName){
$params.DisplayName = $displayName
}
if($upn){
$params.UserPrincipalName = $upn
}
if($country){
$params.Country = $country
}
if($department){
$params.Department = $department
}
if($companyName){
$params.Company = $companyName
}
if($jobTitle){
$params.Title = $jobTitle
}
if($streetAddress){
$params.StreetAddress = $streetAddress
}
if($city){
$params.City = $city
}
if($state){
$params.State = $state
}
if($postalCode){
$params.PostalCode = $postalCode
}
if ($manager) {
# Check if the Active Directory module is loaded
if (Get-Module -ListAvailable | Where-Object { $_.Name -eq 'ActiveDirectory' }) {
$givenManager = Get-ADUser -Identity $manager
if ($givenManager) {
$params.Manager = $givenManager
}
else {
Write-Host "Manager '$manager' not found in Active Directory."
}
}
else {
Write-Host "Active Directory module not loaded. Please ensure the module is available."
}
}
Set-ADUser @params
import-module "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\Microsoft.IdentityManagement.PowerShell.Cmdlet.dll"
Start-ADSyncSyncCycle -PolicyType Delta- Review the copied code, and edit as needed, to ensure it is correctly configured to interact with your on-premises environment.
- Select Save.
Before you can execute a runbook, you must publish it first. For more information and instructions, see the Microsoft article to Publish a runbook.
Test the Hybrid User environment
Execute the runbooks to test adding, removing, and editing users.
Monitor the Azure Automation logs for any errors or issues.
Verify that changes in the on-premises environment are the same as in Microsoft Entra ID.
Verify that changes are being synced in Microsoft Entra ID. Synchronization takes approximately 5 minutes, and the time may vary based on the number of users, devices available in Microsoft Entra ID.
Step 2: Configure the Hybrid Identity user settings in Cloud Commander
- On the , select Settings > User settings.
- Use the Customer drop-down menu to select the customer you want to configure.
- Enter the customer data based on customer information in the Microsoft Azure portal.
- Select Save.
Related articles
Updated: Jul 09, 2024