Syncing profile details with active directory - sharepoint

Several fields in MOSS profiles are mapped to fields in active directory and we have given the user the ability to modify these.
But when the incremental profile import runs it overwrites these with the old values from active directory.
How do we make it so that AD is updated with the new values from the profile?
Thanks for any suggestions.

From http://blog.seancleaver.com/sean_cleaver/2008/07/sync-ad-users-to-sharepoint---2-way.html
So some of you have requested support to provide 2-Way Synchronization of AD Users between a SharePoint List and Active Directory. The good news is that the AD Provider for Data Synchronization Studio now supports this.
So you can effectively publish your AD Users to an Intranet Site to create a "Staff List" or "Telephone List" and then from this you can now allow your staff to update the personal information stored in the AD themselves by just simply editing the records in SharePoint. Then when the Synchronization occurs all changes are applied to the AD. There are a few limitations you can't create new AD Users this way and you can't delete users from the AD and certain properties are not updateable such as Member-Of etc.

We've given up on an easy way to do this and are writing a scheduled task that gets the recent change info from the users profile and updates AD from that.
Will try to post code once I've got something working.

Related

How to automatically clean up users not logged in since 90days in Azure AD

My requirements are to find all the users not logged in via Azure AD since last 45 days and last 90days and take action. That is,
A daily nightly job to run on Azure AD and if it finds users not login since last 45days; it should automatically disable the users.
A daily nightly job to run on Azure AD and if it finds users not login since last 90days or previous inactive users; it should delete the users.
This link looks similar where it’s going via a review process. However, my requirements are bit simple.
Thanks.
There are several options for identifying and removing stale/inactive users:
The access review feature you linked for identifying and removing inactive users is the most seamless, built-in way to achieve this at the moment. You can specify the "days inactive" and then remove the accounts either after the review period passes or after no reviewer has responded. To create access reviews and identify inactive users, you do need to have a Premium P2 license.
Alternatively though, you could use an Azure Automation account or Azure Logic app to achieve the same thing. For instance, you could create an Azure Automation Powershell runbook with a daily schedule that checks the Azure AD sign-in logs and deletes the accounts based on the condition of whether they have recently signed in (i.e. where max_TimeGenerated <= ago(45d)). There is an example blog post here that implements this logic. Note that to update the accountEnabled property of admin users, you need to use delegate permissions which need to run in the context of a user.
Another option is to query based on the lastSignInDateTime property.
The documentation for How To Manage Inactive Users has an example of how to query users who haven't signed in after a certain date using Microsoft Graph API.
Example:
https://graph.microsoft.com/beta/users?filter=signInActivity/lastSignInDateTime le 2019-06-01T00:00:00Z
To test the call, you can Sign in to Graph Explorer using the Global Administrator account of your tenant and execute the GET call.
Permissions Required:
Directory.AccessAsUser.All
Directory.Read.All
The SignInActivity property/endpoint is documented in detail here: https://docs.microsoft.com/en-us/graph/api/user-list?view=graph-rest-beta&tabs=http#example-3--list-users-including-their-last-sign-in-time
If you don't want the full list of users, you can also search for a specific user by name and evaluate the lastSignInDateTime:
https://graph.microsoft.com/beta/users?$filter=startswith(displayName,'marileet')&$select=displayName,signInActivity

Microsoft GraphAPI: How do I retrieve the assigned groups of an azure user?

As you can see my question above, I was wondering if it is possible to retrieve the assigned groups of an Azure Active Directory (AAD) based user via Microsoft GraphAPI.
My situation is, that I have an ASP.NET MVC project with Microsoft Azure enabled. My goal is, that an Azure user can login on my website with it's Azure account.
The idea is, that an azure user is an admin or an user (depending on the azure groups) and depending of this role group, the user can view more or less of my webpage.
For example:
When Peter logs in with his azure account on my webpage, he should only be able to see:
Add new Document
Edit Document
Remove Document
because he is only assigned as "User" in Azure Active Directory.
But when Sabrina logs in with her azure account on my webpage, then she should be able to do the same as Peter, but she also can see:
Manage Products
Add new customer
etc.
because she is been assigned as an admin in Azure Active Directory.
My problem is, that I did not find out how I retrieve the assigned group of an user with Microsoft GraphAPI. The part, which user can see or not after I got the roles is not a big deal.
I already tried this API call:
https://graph.microsoft.com/v1.0/me/
But it seems, that the response of this call does not include the actual assigned group of that user.
Do you think it is possible to retrieve the assigned group of an azure user? Is this even possible? Or do I have to do something else to retrieve these information?
I hope you understand my point and I am also looking forward for any response. Thanks in advance!
Add /memberOf to the URL to receive the groups a user is member of.
https://graph.microsoft.com/v1.0/me/memberOf
Here's a link to the specific graph api - https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_getmembergroups
Take a look at this sample application on Github. It does something very similar with a task tracker application, where different users are able to perform different actions based on the group they belong to -
https://github.com/Azure-Samples/active-directory-dotnet-webapp-groupclaims/blob/master/README.md
Also, in cases where a user is a member of too many groups, you get back an overage indicator and have to make a separate call to get all groups. Read about “hasgroups” and “groups:src1” claims here - https://learn.microsoft.com/en-us/azure/active-directory/develop/v1-id-and-access-tokens
According to your system architecture, if some user has too many joined groups, the API https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_getmembergroups will return too many groups.
But if the groups with permissions in your system are not too much, you can use this API: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_checkmembergroups to check if the current user is the member of specified groups.
It is not good idea to use this API: https://graph.microsoft.com/v1.0/me/memberOf. Because it returns only the groups that the user is a direct member of, but security group can be member of security group.

Force user LogOff from application if user is deleted.

I have little problem. In my application users are auth via Azure AD and his user profil is in DocumentDB.
When Administrator delete user profile I need to force log out the deleted user.
How to do it? Delete action deleting ad and documentdb entry.
Based on the description, you want to sign-out the users after the administrator delete the users profile from documentDB.
If I understood correctly, it is more likely building a real time application that nofify the specific client when the delete action is performed. I am trying to explain it using a figure below:
And for building the real time application, we can use the SignalR. And you can refer more detail about it from links here.
And another solution for prevent the deleted users to access the proteced resrouces, you can check it before the users access the resources.

sharepoint and ActiveDirectory

Hi guys i am new to sharepoint . Actually we are using WSS not the MOSS 2007. we don't have shared service provider installed and no user profile service web service installed.Now I need to populate the active directory data to sharepoint list and after that I have to sync both Active directory and sharepoint list.which means the changes happened to Active directory data it must reflect in sharepoint list also.
What we are doing is extracting active directory data to SQL Server database and populating sharepoint list from SQL server database. I need a solution to populate sharepoint list from SQL Server database and sharepoint list must synchronize with SQL Server database table or stored procedure all the time automatically.
Can anyone suggest me the best solution to solve both importing the active directory data and sync the active directory and sharepoint list.
If anyone of you provide the sample source code that will be helpful.
I just want to clarify a bit first. Not sure if you're looking to configure sync for proper user profiles (which mundeep's answer solves nicely) or a generic SP list.
If you're looking to:
AD <-> SharePoint list
It's probably easier to break this problem down into two parts:
AD -> SP list
and:
SP list -> AD
For AD -> SP list
Microsoft provides some guidance on monitoring the AD for changes. Unfortunately, neither of these methods is a specific event message system (if anyone knows of one, please chime in!) both are essentially polling.
I would create a Windows service to handle this part of the solution.
The service would (in pseudo-code):
look for records that have changed
for each record that has changed:
get the matching SP item from the SP list (probably based on username)
update/add/remove the properties of the SP item
save the SP item
For SP list -> AD
I would create a custom event handler and attach it to the SP list.
Again in pseudo-code:
On SP item delete:
remove the matching AD record (if that's the behaviour you want)
On SP item create:
create a new AD record
On SP item update:
find the matching record in the AD
update the changed properties (which are flagged in the SP event handler)
The SP side of things is a little more elegant because events are raised only when something happens. This is definitely more efficient than polling.
What I'm suggesting has the added benefit of removing SQL (explicitly) from the solution. You can use the ADSI interface in the .NET framework to handle the AD update code. It's in the System.DirectoryServices assembly.
The AD polling service could use the SP object model if it's installed on the WSS box or the web services if it's on another system.
Again, if you're just looking to use the actual WSS/SP user profiles, use mundeep's solution.
1) Have you look into the User Information Lists & User Profiles? Sahil Malik has a very good overview of 'All you ever wanted to know about user profiles'. Keep in mind that because you are using WSS you don't have SSP Admin.
2) If you read the above article you will he mentions "How can profile information be kept up to date, if in case I am not using MOSS (and have no SSP)?" and his answer is an import/export utiltiy, the codebase of which (or even the utility itself) should give you a good start on what you want to do.
3) Also mentioned in the above article is a good diagram on how user information flows.

How to create a new user in SharePoint when the user doesn't exist in AD?

I have to import a lot of old data into SharePoint. In this data, I need to create a lot of users who are no longer in AD. Does anyone have any idea how to do that?
Cheers
The options I can come up with:
Recreate the users in Active Directory and disable the accounts
Attribute the files to a generic account
Tie into a SQL database for user accounts in addition to Active Directory
On a sidenote, I've seen it to be a best practice to never delete users from Active Directory due to issues like these. Instead, just disable the accounts and move them to an out of the way OU.
I don't think this is possible as you are really trying to create orphaned users. Better just revert these users to the System Account - that is what I did when I last migrated a SharePoint 2003 farm to MOSS 2007.
You can use CSVDE to import a comma separated file, or dsadd command to add each user. See this link for details.

Resources