Configure Hybrid Identity environment

Hybrid Identity synchronizes the on-premises Active Directory with cloud-based Microsoft Entra ID. It enables organizations to seamlessly manage user identities, authentication, and access control across both their on-premises and cloud environments.

For information about Microsoft Azure automation in a hybrid environment, see the Microsoft documentation.

Cloud Commander labels on-premises Active Directory users as Cloud and On-premises users. When you add, edit, or remove a hybrid user or group in Cloud Commander, the action is saved back to the on-premises Active Directory.

To configure the Hybrid Identity environment:

Key Hybrid Runbook Worker architecture terminology

  • Automation account: A cloud service that automates configuration and management across your Azure and non-Azure environments.
  • Hybrid Runbook Worker: A computer that's configured with the Hybrid Runbook Worker feature and can execute runbooks directly on the computer and against the resources in the local environment.

  • Hybrid Runbook Worker group: Group with multiple Hybrid runbook workers for higher availability and scale to run a set of runbooks.

  • Runbook: A collection of one or more linked activities that together automate a process or operation.

Requirements

  • Azure subscription with appropriate permissions.
  • Access to the Azure portal.
  • Cloud Commander Administrators platform role.

Step 1: Perform configuration steps in the Azure portal

Create automation account in Azure portal

For more details about this task, see the Microsoft documentation.

  1. Sign into the Azure portal.
  2. Select Automation accounts.
  3. Select Create.
  4. On the Basics tab, provide the essential information for your Automation account including the region and resource group.
  5. Select Review + Create to create the account.

    Example data:

Create a hybrid worker group

  1. In the automation account, go to Hybrid worker groups.
  2. Select Create hybrid worker group.
  3. On the Basics tab, enter a descriptive and meaningful Name for the hybrid worker group.

    Example data:

Add a hybrid worker in the hybrid worker group

  1. In the hybrid worker group, select Add to add a device as a new hybrid worker.
  2. Add the domain controller Windows VM as a hybrid worker.

    Example data:

Create the required runbooks

Use the following instructions and PowerShell code to create the required runbooks to create, update, and remove users.

Ensure the runbooks are configured to interact with your on-premises environment.

Create the runbook to create users

  1. In the automation account, go to Process Automation and select Runbooks.
  2. Select Create a runbook.
    1. Name the runbook, New-ADUser.
    2. From the Runbook type drop-down menu, select PowerShell.

    3. From the Runtime version drop-down menu, select 5.1.

    4. Enter an applicable Description.

  3. Select Create to create the runbook.
  4. In the runbook editor, paste the following code:
    Copy
    New-ADUser (PowerShell)
    param(
            [Parameter(Mandatory=$True)]
            [string]
            $userName,
            [Parameter(Mandatory=$False)]
            [string]
            $password,
            [Parameter(Mandatory=$False)]
            [string]
            $givenName,
            [Parameter(Mandatory=$False)]
            [string]
            $surName,
            [Parameter(Mandatory=$False)]
            [string]
            $displayName,
            [Parameter(Mandatory=$False)]
            [string]
            $upn,
            [Parameter(Mandatory=$False)]
            [string]
            $country,
            [Parameter(Mandatory=$False)]
            [string]
            $department,
            [Parameter(Mandatory=$False)]
            [string]
            $companyName,
            [Parameter(Mandatory=$False)]
            [string]
            $jobTitle,
            [Parameter(Mandatory=$False)]
            [string]
            $streetAddress,
            [Parameter(Mandatory=$False)]
            [string]
            $city,
            [Parameter(Mandatory=$False)]
            [string]
            $state,
            [Parameter(Mandatory=$False)]
            [string]
            $postalCode,
            [string]
            $manager
    )

    #Create the user
    $secureString = convertto-securestring $password -asplaintext -force

    $params = @{
        Name = $userName
        Accountpassword = $secureString
        Enabled = $true
    }

    if($givenName){
        $params.GivenName = $givenName
    }

    if($surName){
        $params.Surname = $surName
    }

    if($displayName){
        $params.DisplayName = $displayName
    }

    if($upn){
        $params.UserPrincipalName = $upn
    }

    if($country){
        $params.Country = $country
    }

    if($department){
        $params.Department = $department
    }

    if($companyName){
        $params.Company = $companyName
    }

    if($jobTitle){
        $params.Title = $jobTitle
    }

    if($streetAddress){
        $params.StreetAddress = $streetAddress
    }

    if($city){
        $params.City = $city
    }

    if($state){
        $params.State = $state
    }

    if($postalCode){
        $params.PostalCode = $postalCode
    }

    if ($manager) {
        # Check if the Active Directory module is loaded
        if (Get-Module -ListAvailable | Where-Object { $_.Name -eq 'ActiveDirectory' }) {
            $givenManager = Get-ADUser -Identity $manager

            if ($givenManager) {
                $params.Manager = $givenManager
            }
            else {
                Write-Host "Manager '$manager' not found in Active Directory."
            }
        }
        else {
            Write-Host "Active Directory module not loaded. Please ensure the module is available."
        }
    }

    New-ADUser @params
    import-module "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\Microsoft.IdentityManagement.PowerShell.Cmdlet.dll"
    Start-ADSyncSyncCycle -PolicyType Delta
  5. Review the copied code, and edit as needed, to ensure it is correctly configured to interact with your on-premises environment.
  6. Select Save.

    Before you can execute a runbook, you must publish it first. For more information and instructions, see the Microsoft article to Publish a runbook.

Create the runbook to remove users

  1. In the automation account, go to Process Automation and select Runbooks.
  2. Select Create a runbook.
    1. Name the runbook, Remove-ADUser.
    2. From the Runbook type drop-down menu, select PowerShell.

    3. From the Runtime version drop-down menu, select 5.1.

    4. Enter an applicable Description.

  3. Select Create to create the runbook.
  4. In the runbook editor, paste the following code:
    Copy
    Remove-ADUser (PowerShell)
    param(
            [Parameter(Mandatory=$True)]
            [string]
            $userName
    )

    #Remove the user
    Remove-ADUser -Identity $userName -Confirm:$false
    import-module "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\Microsoft.IdentityManagement.PowerShell.Cmdlet.dll"
    Start-ADSyncSyncCycle -PolicyType Delta
  5. Review the copied code, and edit as needed, to ensure it is correctly configured to interact with your on-premises environment.
  6. Select Save.

    Before you can execute a runbook, you must publish it first. For more information and instructions, see the Microsoft article to Publish a runbook.

Create the runbook to edit users

  1. In the automation account, go to Process Automation and select Runbooks.
  2. Select Create a runbook.
    1. Name the runbook, Set-ADUser.
    2. From the Runbook type drop-down menu, select PowerShell.

    3. From the Runtime version drop-down menu, select 5.1.

    4. Enter an applicable Description.

  3. Select Create to create the runbook.
  4. In the runbook editor, paste the following code:
    Copy
    Set-ADUser (PowerShell)
    param(
            [Parameter(Mandatory=$True)]
            [string]
            $userName,
            [Parameter(Mandatory=$False)]
            [string]
            $givenName,
            [Parameter(Mandatory=$False)]
            [string]
            $surName,
            [Parameter(Mandatory=$False)]
            [string]
            $displayName,
            [Parameter(Mandatory=$False)]
            [string]
            $upn,
            [Parameter(Mandatory=$False)]
            [string]
            $country,
            [Parameter(Mandatory=$False)]
            [string]
            $department,
            [Parameter(Mandatory=$False)]
            [string]
            $companyName,
            [Parameter(Mandatory=$False)]
            [string]
            $jobTitle,
            [Parameter(Mandatory=$False)]
            [string]
            $streetAddress,
            [Parameter(Mandatory=$False)]
            [string]
            $city,
            [Parameter(Mandatory=$False)]
            [string]
            $state,
            [Parameter(Mandatory=$False)]
            [string]
            $postalCode,
            [string]
            $manager
    )

    #Update the user
    $params = @{
        Identity = $userName
    }

    if($givenName){
        $params.GivenName = $givenName
    }

    if($surName){
        $params.Surname = $surName
    }

    if($displayName){
        $params.DisplayName = $displayName
    }

    if($upn){
        $params.UserPrincipalName = $upn
    }

    if($country){
        $params.Country = $country
    }

    if($department){
        $params.Department = $department
    }

    if($companyName){
        $params.Company = $companyName
    }

    if($jobTitle){
        $params.Title = $jobTitle
    }

    if($streetAddress){
        $params.StreetAddress = $streetAddress
    }

    if($city){
        $params.City = $city
    }

    if($state){
        $params.State = $state
    }

    if($postalCode){
        $params.PostalCode = $postalCode
    }
    if ($manager) {
        # Check if the Active Directory module is loaded
        if (Get-Module -ListAvailable | Where-Object { $_.Name -eq 'ActiveDirectory' }) {
            $givenManager = Get-ADUser -Identity $manager

            if ($givenManager) {
                $params.Manager = $givenManager
            }
            else {
                Write-Host "Manager '$manager' not found in Active Directory."
            }
        }
        else {
            Write-Host "Active Directory module not loaded. Please ensure the module is available."
        }
    }

    Set-ADUser @params
    import-module "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\Microsoft.IdentityManagement.PowerShell.Cmdlet.dll"
    Start-ADSyncSyncCycle -PolicyType Delta
  5. Review the copied code, and edit as needed, to ensure it is correctly configured to interact with your on-premises environment.
  6. Select Save.

    Before you can execute a runbook, you must publish it first. For more information and instructions, see the Microsoft article to Publish a runbook.

Test the Hybrid User environment

  1. Execute the runbooks to test adding, removing, and editing users.

  2. Monitor the Azure Automation logs for any errors or issues.

  3. Verify that changes in the on-premises environment are the same as in Microsoft Entra ID.

  4. Verify that changes are being synced in Microsoft Entra ID. Synchronization takes approximately 5 minutes, and the time may vary based on the number of users, devices available in Microsoft Entra ID.

Step 2: Configure the Hybrid Identity user settings in Cloud Commander

  1. On the left navigation, select Settings > User settings.
  2. Use the Customer drop-down menu to select the customer you want to configure.
  3. Enter the customer data based on customer information in the Microsoft Azure portal.
  4. Select Save.

Related articles

Updated: Jun 03, 2024