How to configure Azure AD Custom Tenant Configuration Scripts


Overview

As part of the Atria Azure AD Service Sync Policies, you can assign a custom configuration script that runs each time the service is provisioned. This is useful for ensuring your customers' tenants are always configured with your preferred best-practice settings. The key benefit is that Atria connects to each customer tenant with the right security context, leveraging the Secure Application Model, so the script itself does not have to establish that connection.

This guide will be updated as we create new script examples. If there are examples you need assistance with, please contact us at support@automate101.com.

Note: If you want to apply scripts as part of the user provisioning process, or need to pass other variables into your scripts, see the following article: https://support.automate101.com/portal/en/kb/articles/how-to-extend-automation-of-microsoft-online-services

Applying a script to a Sync Policy

To apply a custom script to a Sync Policy:
  1. Navigate to Services > Microsoft Online > Sync Policies
  2. Edit an existing Sync Policy or create a new one
  3. When editing a Sync Policy there is a section called Tenant Configuration Script
  4. Specify the script to run, e.g. C:\msol\customscript.ps1 (the path must be a local path on the provisioning server or a UNC path accessible on the intranet). Because the script runs in Atria's security context against every customer tenant the policy applies to, restrict write access to the script file and its share to the administrators who maintain it.
  5. Save your Policy. The script runs every time the Azure AD service is provisioned or reprovisioned for a customer.


Example Scripts

Enforce MFA with security defaults – or enable/disable security defaults

Required application permissions
For this script, you will need to edit the Atria Partner Center App Registration in the Azure AD of your Partner Center account. This is the App Registration you created during the setup of Microsoft Online: https://support.automate101.com/portal/en/kb/articles/connecting-atria-to-microsoft-partnercenter

The following additional permissions are required.


Validation
  1. Tenant level (https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Properties)

Script Example

$GraphUri    = "https://graph.microsoft.com/v1.0/policies/identitySecurityDefaultsEnforcementPolicy"
$ContentType = "application/json"
# $GraphToken is the Microsoft Graph access token for the customer tenant that the
# provisioning context makes available to the script; it is not obtained here
$Headers     = @{
    Authorization = "Bearer $GraphToken"
}

# Get the current security defaults status
$SecurityDefaults = Invoke-RestMethod -Headers $Headers -Uri $GraphUri -Method GET -ContentType $ContentType

# Only change the policy when it is not already in the desired state
If ($SecurityDefaults.isEnabled -eq $False) {
    $Body = '{ "isEnabled": true }'

    # Enable security defaults (to disable them instead, send "isEnabled": false)
    $Response = Invoke-RestMethod -Headers $Headers -Uri $GraphUri -Method Patch -Body $Body -ContentType $ContentType
}

Enable audit logging

Validation
  1. Tenant level (https://compliance.microsoft.com/auditlogsearch?viewid=Test%20Tab)

Script Example
# $Session is the Exchange Online remote PowerShell session for the customer tenant
# that the provisioning context makes available to the script

# Get the current Unified Audit Log status
$AdminAuditLogConfig = Invoke-Command -Session $Session -ScriptBlock {
    return Get-AdminAuditLogConfig
}

$UnifiedAuditLogIngestionEnabled = $AdminAuditLogConfig.UnifiedAuditLogIngestionEnabled

If (!$UnifiedAuditLogIngestionEnabled) {
    # Prerequisite: the tenant must be prepared once before this setting can be changed;
    # the cmdlet errors harmlessly if this was already done, hence SilentlyContinue
    Invoke-Command -Session $Session -ScriptBlock {
        Enable-OrganizationCustomization -Confirm:$false -ErrorAction SilentlyContinue
    }

    # Enable Unified Audit Log ingestion
    Invoke-Command -Session $Session -ScriptBlock {
        Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true | Out-Null
    }
}
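As an added example, not part of the Atria documentation, the two snippets above (security defaults and Unified Audit Log) reworked into a single desired-state tenant configuration script. Both snippets set a value without checking that it took effect; this version makes each setting idempotent, reads it back after the change, and fails the run with a clear message when a setting could not be applied, so a provisioning run cannot quietly leave a tenant non-compliant. It assumes, as the snippets do, that $GraphToken and $Session are available when Atria runs the script; the function names, the -Enabled parameter and the result object are this example's own choices.

```powershell
# Added example, not Atria's own code.
# Assumptions: the provisioning context supplies $GraphToken (Microsoft Graph access
# token for the customer tenant) and $Session (Exchange Online remote PowerShell
# session). Function names and the result object shape are this example's own.

$ErrorActionPreference = 'Stop'
$GraphUri = 'https://graph.microsoft.com/v1.0/policies/identitySecurityDefaultsEnforcementPolicy'
$Headers  = @{ Authorization = "Bearer $GraphToken" }

function New-Result {
    param([string]$Setting, [bool]$Changed, [bool]$Ok, [string]$Detail)
    [pscustomobject]@{ Setting = $Setting; Changed = $Changed; Ok = $Ok; Detail = $Detail }
}

function Set-SecurityDefaultsState {
    # Make security defaults match $Enabled: no-op if already there, verified by read-back.
    param([Parameter(Mandatory)][bool]$Enabled)
    try {
        $current = Invoke-RestMethod -Headers $Headers -Uri $GraphUri -Method Get
        if ($current.isEnabled -eq $Enabled) {
            return New-Result 'SecurityDefaults' $false $true 'already in desired state'
        }
        $body = @{ isEnabled = $Enabled } | ConvertTo-Json -Compress
        Invoke-RestMethod -Headers $Headers -Uri $GraphUri -Method Patch `
            -Body $body -ContentType 'application/json' | Out-Null
        # Do not trust the PATCH response; read the policy back.
        $after = Invoke-RestMethod -Headers $Headers -Uri $GraphUri -Method Get
        if ($after.isEnabled -eq $Enabled) {
            return New-Result 'SecurityDefaults' $true $true "isEnabled is now $Enabled"
        }
        return New-Result 'SecurityDefaults' $true $false 'read-back did not match requested state'
    } catch {
        # A 403 here usually means the app registration lacks the policy permission;
        # other rejections (e.g. a tenant that already uses Conditional Access) surface too.
        return New-Result 'SecurityDefaults' $false $false $_.Exception.Message
    }
}

function Set-UnifiedAuditLogState {
    # Make Unified Audit Log ingestion match $Enabled over the Exchange Online session.
    param([Parameter(Mandatory)][bool]$Enabled)
    try {
        $config = Invoke-Command -Session $Session -ScriptBlock { Get-AdminAuditLogConfig }
        if ($config.UnifiedAuditLogIngestionEnabled -eq $Enabled) {
            return New-Result 'UnifiedAuditLog' $false $true 'already in desired state'
        }
        Invoke-Command -Session $Session -ArgumentList $Enabled -ScriptBlock {
            param([bool]$Desired)
            # One-time tenant prerequisite; harmless (and silenced) if already done.
            Enable-OrganizationCustomization -Confirm:$false -ErrorAction SilentlyContinue
            Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $Desired
        }
        $after = Invoke-Command -Session $Session -ScriptBlock { Get-AdminAuditLogConfig }
        if ($after.UnifiedAuditLogIngestionEnabled -eq $Enabled) {
            return New-Result 'UnifiedAuditLog' $true $true "ingestion is now $Enabled"
        }
        return New-Result 'UnifiedAuditLog' $true $false 'read-back did not match requested state'
    } catch {
        return New-Result 'UnifiedAuditLog' $false $false $_.Exception.Message
    }
}

# Desired state for every customer tenant this Sync Policy is applied to.
$results = @(
    Set-SecurityDefaultsState -Enabled $true
    Set-UnifiedAuditLogState  -Enabled $true
)

$results | Format-Table -AutoSize

# Fail loudly so the provisioning job records the problem instead of
# silently leaving the tenant in a non-compliant state.
$failed = @($results | Where-Object { -not $_.Ok })
if ($failed.Count -gt 0) {
    $summary = ($failed | ForEach-Object { "$($_.Setting): $($_.Detail)" }) -join '; '
    throw "Tenant configuration incomplete: $summary"
}
```

Save this as the file referenced by the Sync Policy (for example C:\msol\customscript.ps1) and it runs on every provision or reprovision. Flipping either -Enabled $true to $false turns the same script into the disable variant that the heading above mentions. The read-back step matters for both settings: the Graph PATCH can be rejected for tenant-specific reasons, and the audit log change is applied remotely, so the only reliable signal that the tenant is in the intended state is the value the tenant reports afterwards.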


