Creating Dynamic Groups in Microsoft Entra ID

In this post I will demonstrate how to assign group membership automatically with dynamic groups.

The scenario: group membership is updated automatically based on each user's job title. This feature requires a Microsoft Entra ID P1 or P2 license.

First, create two test users in Microsoft Entra ID.

The first user needs at least the following attributes:

Job title (Properties tab): Cloud Administrator
Department (Properties tab): IT
Usage location (Properties tab): Canada

The second user will have the following attributes:

Job title: System Administrator
Department: IT
Usage location: Canada

For this demo I have a P2 trial license. Under Microsoft Entra ID | Licenses | All products, select your P2 license. We will assign our users a P2 license, since a P1 or P2 license is required for each unique user who is a member of one or more dynamic groups.

Click Assign.

Click Add users.

Select the two users we just created.

Now let's create some dynamic groups. Navigate to Microsoft Entra ID | Groups.

Click New group.

We will call this group "IT Cloud Administrators".

We want to define a dynamic membership rule, but the option does not appear until Membership type has been changed in the dropdown.

In the drop-down list select Dynamic user.

Once you select Dynamic user, the "Members" option changes to "Dynamic user members".

Click "Add dynamic query" and then "+ Add expression".

We will base our query on the property "jobTitle" with the operator Equals and the value we set on the user, "Cloud Administrator". In rule syntax this is (user.jobTitle -eq "Cloud Administrator"). Keep in mind that whoever can write the jobTitle attribute (a helpdesk role, an HR-driven provisioning flow, or an on-premises AD edit synced through Entra Connect) effectively controls membership of this group, so do not key privileged role assignments or Conditional Access exclusions off attributes that low-privilege operators can change.

Save the expression, then save the rule and create the group.

We will create a second group called "IT System Administrators".

We will use "jobTitle" again, but this time the value will be "System Administrator" (exactly as entered on the user; the -eq operator is a whole-string comparison, so "System Administrators" with a trailing "s" would match nobody).

Now if we look at the group membership for IT System Administrators, we can see that our user svitest02 became a member of the IT System Administrators group automatically.

The reason is that the user's Job Title was set to "System Administrator", which satisfies our dynamic query.

Remember that licensing applies here: each user who lands in a dynamic group needs a P1 or P2 license. To illustrate this I created a third user, svitest03, with a job title of Cloud Administrator.

However, if we look at the group, the user is not a member.

I now assign svitest03 a license.

If we look at the IT Cloud Administrators group, we now see svitest03 as a member of that group. One caveat when reproducing this: dynamic membership is evaluated asynchronously and can lag a user or rule change by several minutes, and Microsoft's documented requirement is that enough P1/P2 licenses exist in the tenant to cover every dynamic-group member, not that the license be assigned before the rule fires. So check the group's "Dynamic rule processing status" before concluding that a missing member is a licensing problem rather than processing delay.
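The same two groups can be created and checked from the Microsoft Graph PowerShell SDK instead of the portal, which is also how you would put the rules under change control. The block below is an added example and is not code from the original post; it assumes the Microsoft.Graph.Groups and Microsoft.Graph.Users modules are installed and that the signed-in account holds Group.ReadWrite.All and User.Read.All. The group names and rules mirror the walkthrough above.

```powershell
# Added example (not from the original post): create the walkthrough's two dynamic
# groups with the Microsoft Graph PowerShell SDK and verify what the rules select.
# Assumptions: Microsoft.Graph.Groups / Microsoft.Graph.Users installed, and an
# account with Group.ReadWrite.All and User.Read.All.
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Users

Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All" -NoWelcome

# Rule syntax is (user.<property> <operator> "<value>"). -eq compares the whole
# string, so the value must match the Job title on the user exactly
# ("System Administrator", not "System Administrators").
$groups = @(
    @{ Name = "IT Cloud Administrators";  Rule = '(user.jobTitle -eq "Cloud Administrator")' },
    @{ Name = "IT System Administrators"; Rule = '(user.jobTitle -eq "System Administrator")' }
)

foreach ($g in $groups) {
    # mailNickname must be unique and free of spaces even for a non-mail-enabled group
    $mailNickname = $g.Name -replace '[^A-Za-z0-9]', ''
    $params = @{
        DisplayName                   = $g.Name
        MailEnabled                   = $false
        MailNickname                  = $mailNickname
        SecurityEnabled               = $true
        GroupTypes                    = @("DynamicMembership")
        MembershipRule                = $g.Rule
        MembershipRuleProcessingState = "On"     # "Paused" stops evaluation of the rule
    }
    $created = New-MgGroup @params
    Write-Host ("Created '{0}' ({1}) with rule {2}" -f $created.DisplayName, $created.Id, $created.MembershipRule)
}

# Preview which users the second rule should pick up, independent of the group
# engine. If this returns nobody, the rule value does not match the attribute.
Get-MgUser -Filter "jobTitle eq 'System Administrator'" -Property DisplayName, UserPrincipalName, JobTitle |
    Select-Object DisplayName, UserPrincipalName, JobTitle

# Membership is computed asynchronously; wait a few minutes, then compare the
# service's view with the preview above.
$sysAdmins = Get-MgGroup -Filter "displayName eq 'IT System Administrators'"
Get-MgGroupMember -GroupId $sysAdmins.Id -All |
    ForEach-Object { $_.AdditionalProperties["userPrincipalName"] }
```

Running the Get-MgUser preview before trusting the group is the quickest way to separate "the rule is wrong" from "processing has not caught up yet", and keeping the rule strings in source control makes it obvious when someone widens a rule that gates access.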

Entra ID Connect–Permissions for the AD DS Connector Account

There are many articles that cover the installation of Microsoft Entra Connect (formerly Azure AD Connect), so I won't go into great detail here. The main stumbling block we come across with customers is the Windows accounts used for the sync process. A bad habit we have seen is environments simply creating a "service account" and granting it Domain Admin or Enterprise Admin permissions for the AD DS Connector Account, or worse, using the Domain\Administrator account itself. Please do not take that approach: the connector account ends up holding replication rights that can read every password hash in the domain, so it already needs to be treated as a Tier 0 identity without adding blanket admin membership on top.

In this article I will explain how to stage a dedicated service account, using PowerShell commands to grant it just enough access.

PowerShell module AdSyncConfig.psm1

The AdSyncConfig.psm1 module ships with Microsoft Entra Connect and depends on the Active Directory PowerShell module, which is installed through Windows Features as part of RSAT-AD-Tools. If you have installed Microsoft Entra Connect on this server, the module itself is already in place.

You can install using the command:

Install-WindowsFeature RSAT-AD-Tools

Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
True    No             Success        {Remote Server Administration Tools, Activ...

Once installed, import the module:

Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"

Granting Permissions to Service Account

If you have not done so already, create the AD account (in this example a dedicated service account) that you will use for the AD DS Connector Account. You will need its distinguished name, which you can obtain via the Attribute Editor tab in Active Directory Users and Computers, ADSI Edit, PowerShell, or however else you prefer. In this example the DN I am using is:

CN=SVIADSync,OU=Service Accounts,DC=svienson,DC=local

Once you have the DN, open a PowerShell window as administrator. The commands below grant the permissions for each feature; run only those for the features you actually use (for example, skip the password writeback and group writeback cmdlets if you have not enabled those features), so the account does not carry write rights it never needs.

Permissions for MS-DS-Consistency-Guid
Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountDN "CN=SVIADSync,OU=Service Accounts,DC=svienson,DC=local"

Permissions for Password Hash Synchronization
Set-ADSyncPasswordHashSyncPermissions -ADConnectorAccountDN "CN=SVIADSync,OU=Service Accounts,DC=svienson,DC=local"

Permissions for Password Writeback
Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountDN "CN=SVIADSync,OU=Service Accounts,DC=svienson,DC=local"

Permissions for Group Writeback
Set-ADSyncUnifiedGroupWritebackPermissions -ADConnectorAccountDN "CN=SVIADSync,OU=Service Accounts,DC=svienson,DC=local"

Permissions for Exchange Hybrid Deployment
Set-ADSyncExchangeHybridPermissions -ADConnectorAccountDN "CN=SVIADSync,OU=Service Accounts,DC=svienson,DC=local"

Permissions for Exchange Mail Public Folders
Set-ADSyncExchangeMailPublicFolderPermissions -ADConnectorAccountDN "CN=SVIADSync,OU=Service Accounts,DC=svienson,DC=local"

Permissions restriction on AD DS Connector Account
$credential = Get-Credential

You will be prompted for an account with Domain Admin rights in the local domain.

Apply the restricted permissions to the AD DS Connector Account object. This locks down the ACL on the service account itself, so that only the built-in administrative principals (and not, for example, delegated helpdesk groups with inherited rights on the OU) can modify the account:
Set-ADSyncRestrictedPermissions -ADConnectorAccountDN "CN=SVIADSync,OU=Service Accounts,DC=svienson,DC=local" -Credential $credential

One Additional Permission

I have found that you also need to grant the service account the following rights at the root of the domain, and to verify that the account actually holds them:

Replicating Directory Changes
Replicating Directory Changes All

These are the same control access rights that password hash synchronization relies on to read password hashes from the directory, and they are exactly what a DCSync attack uses, so audit who holds them on the domain object and alert on any additions beyond domain controllers and the connector account.
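The two replication rights can be granted and verified with the ActiveDirectory module rather than the ACL editor, which also makes the change repeatable and reviewable. The block below is an added example and is not part of the original post or of the AdSyncConfig module; it assumes the RSAT Active Directory module is present, that the DN matches the service account used above, and that it is run as a Domain Admin. The two GUIDs are the schema-defined identifiers of the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All control access rights.

```powershell
# Added example (not from the original post): grant, then verify, the two
# replication rights on the domain root for the AD DS Connector account, and
# confirm the account is not also sitting in a built-in admin group.
# Assumptions: RSAT ActiveDirectory module installed; run as a Domain Admin.
Import-Module ActiveDirectory

$connectorDn = "CN=SVIADSync,OU=Service Accounts,DC=svienson,DC=local"   # DN from the post

# Schema-defined rightsGuid values for the two control access rights
$replRights = @{
    "Replicating Directory Changes"     = [guid]"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
    "Replicating Directory Changes All" = [guid]"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
}

$domainDn  = (Get-ADDomain).DistinguishedName
$account   = Get-ADUser -Identity $connectorDn
$sid       = [System.Security.Principal.SecurityIdentifier]$account.SID
$ntAccount = $sid.Translate([System.Security.Principal.NTAccount])
$aclPath   = "AD:\$domainDn"

$acl = Get-Acl -Path $aclPath
foreach ($name in $replRights.Keys) {
    $guid = $replRights[$name]
    # An existing Allow ACE for this SID with ExtendedRight on the specific GUID
    $present = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $ntAccount.Value -and
        $_.AccessControlType -eq "Allow" -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
        $_.ObjectType -eq $guid
    }
    if ($present) {
        Write-Host "Already present on ${domainDn}: $name"
        continue
    }
    # Rights are set on the domain object itself; no inheritance is needed
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $guid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($ace)
    Write-Host "Granting on ${domainDn}: $name"
}
Set-Acl -Path $aclPath -AclObject $acl

# Least-privilege check: the connector account should hold the rights above and
# nothing broader. Membership in any of these groups defeats the point.
$privileged = "Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"
$memberOf   = (Get-ADPrincipalGroupMembership -Identity $account).Name
$bad        = $memberOf | Where-Object { $privileged -contains $_ }
if ($bad) {
    Write-Warning "Connector account is a member of privileged group(s): $($bad -join ', ')"
} else {
    Write-Host "Connector account holds no built-in admin group membership."
}

# Who else can replicate? Anything beyond the connector account, domain
# controllers and the built-in admin principals deserves an explanation.
$acl.Access |
    Where-Object { $_.ObjectType -in $replRights.Values -and $_.AccessControlType -eq "Allow" } |
    Select-Object IdentityReference, @{ n = "Right"; e = { $replRights.GetEnumerator() | Where-Object Value -eq $_.ObjectType | ForEach-Object Key } } |
    Sort-Object IdentityReference
```

The final listing is worth keeping as a periodic check: the set of principals holding these two rights on the domain object should be short and stable, and a new entry appearing there is one of the clearer signals of someone staging a DCSync path.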
