How to configure Azure AD Custom Tenant Configuration Scripts

Overview

As part of the Atria Azure AD Service Sync Policies, you can assign a custom configuration script that runs each time the service is provisioned. This is useful for ensuring your customers' tenants are always configured with your preferred best-practice settings. The key benefit is that Atria connects to each customer tenant in the correct security context, using the Secure Application Model, so the script does not have to obtain credentials for the tenant itself.

This guide will be updated as new script examples are created. If you need assistance with other examples, contact support@automate101.com.

Note: If you want to apply scripts as part of the user provisioning process, or need to pass other variables into your scripts, see the following article: https://support.automate101.com/portal/en/kb/articles/how-to-extend-automation-of-microsoft-online-services

Applying a script to a Sync Policy

To apply a custom script to a Sync Policy:
  1. Navigate to Services > Microsoft Online > Sync Policies
  2. Edit an existing Sync Policy or create a new one
  3. When editing a Sync Policy there is a section called Tenant Configuration Script
  4. Specify the path of the script to run, e.g. C:\msol\customscript.ps1 (Note: the path must be a local path on the provisioning server or a UNC path reachable from it on the intranet)
  5. Save your Policy. The script will be run every time the Azure AD service is provisioned or reprovisioned to a customer.

Because the script runs with Atria's partner-level access to every customer tenant, restrict write access to the script file (and any UNC share it lives on) to the administrators who manage provisioning; anyone who can modify the script can change the configuration of all customer tenants.


Example Scripts

Enforce MFA with security defaults (enable or disable security defaults)

Required application permissions
For this script, you will need to edit the Atria Partner Center App Registration located in Azure AD of your Partner Center account. This is the App Registration you created during the setup of Microsoft Online: https://support.automate101.com/portal/en/kb/articles/connecting-atria-to-microsoft-partnercenter

Note that security defaults and Conditional Access policies are mutually exclusive: the update will be rejected for a customer tenant that still has Conditional Access policies in use, so those customers need to be handled with Conditional Access rather than with this script.

The following additional permissions are required.


Validation
  1. Tenant level: check the Security defaults setting in the Azure portal (https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Properties)

Script Example
  # $GraphToken is the Microsoft Graph access token Atria provides for the customer tenant
  $GraphUri    = "https://graph.microsoft.com/v1.0/policies/identitySecurityDefaultsEnforcementPolicy"
  $ContentType = "application/json"
  $Headers     = @{
      Authorization = "Bearer $GraphToken"
  }

  # Get security defaults status
  $SecurityDefaults = Invoke-RestMethod -Headers $Headers -Uri $GraphUri -Method GET -ContentType $ContentType

  If($SecurityDefaults.isEnabled -eq $False) {
      # To disable security defaults instead, send "isEnabled": false
      $Body = '{ "isEnabled": true }'

      # Enable security defaults
      $Response = Invoke-RestMethod -Headers $Headers -Uri $GraphUri -Method Patch -Body $Body -ContentType $ContentType
  }
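The example above sends the PATCH and trusts that it worked. The following is an added example (not code from the Atria article) of a tenant configuration script that drives security defaults to a desired state, fails early with a useful message when the tenant has Conditional Access policies, and reads the policy back to verify the change. It assumes $GraphToken is the app-only Microsoft Graph token Atria supplies when the script runs, that the app registration holds the permissions Graph documents for this policy (Policy.Read.All to read, Policy.ReadWrite.ConditionalAccess to write), and $DesiredState is a hypothetical variable you set to $true or $false.

```powershell
# Added example, not part of the Atria article.
# Assumptions: $GraphToken is supplied by Atria's provisioning context;
# $DesiredState is a hypothetical setting ($true = enable, $false = disable).
$DesiredState = $true

$PolicyUri = 'https://graph.microsoft.com/v1.0/policies/identitySecurityDefaultsEnforcementPolicy'
$CaUri     = 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies?$select=id,displayName,state'
$Headers   = @{ Authorization = "Bearer $GraphToken" }

function Invoke-Graph {
    # Thin wrapper that surfaces the Graph error body, which carries the real reason for a failure
    param([string]$Method, [string]$Uri, [string]$Body)
    try {
        if ($Body) {
            Invoke-RestMethod -Method $Method -Uri $Uri -Headers $Headers -Body $Body -ContentType 'application/json'
        } else {
            Invoke-RestMethod -Method $Method -Uri $Uri -Headers $Headers
        }
    } catch {
        throw "Graph $Method $Uri failed: $($_.Exception.Message) $($_.ErrorDetails.Message)"
    }
}

# Idempotent: do nothing if the tenant is already in the desired state
$Policy = Invoke-Graph -Method GET -Uri $PolicyUri
if ($Policy.isEnabled -eq $DesiredState) {
    Write-Output "Security defaults already set to $DesiredState; nothing to do."
    return
}

if ($DesiredState) {
    # Security defaults cannot be enabled while Conditional Access policies are in use.
    # Listing every policy that is not disabled is the conservative check; fail with the names
    # so the operator knows which customer needs manual handling.
    $CaPolicies = @((Invoke-Graph -Method GET -Uri $CaUri).value | Where-Object { $_.state -ne 'disabled' })
    if ($CaPolicies.Count -gt 0) {
        $names = ($CaPolicies | ForEach-Object { "$($_.displayName) [$($_.state)]" }) -join ', '
        throw "Cannot enable security defaults: tenant has Conditional Access policies in use ($names)."
    }
}

$Body = @{ isEnabled = $DesiredState } | ConvertTo-Json -Compress
Invoke-Graph -Method PATCH -Uri $PolicyUri -Body $Body | Out-Null

# Read the policy back rather than trusting the PATCH response
$Policy = Invoke-Graph -Method GET -Uri $PolicyUri
if ($Policy.isEnabled -ne $DesiredState) {
    throw "Security defaults state is $($Policy.isEnabled) after update; expected $DesiredState."
}
Write-Output "Security defaults set to $DesiredState."
```

Throwing rather than silently continuing matters here: the script runs unattended on every provisioning, so a failed update should surface in the provisioning result instead of leaving a tenant without MFA enforcement while the policy appears to have been applied.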

Enable audit logging

Validation
  1. Tenant level: check the audit log search in the compliance portal (https://compliance.microsoft.com/auditlogsearch?viewid=Test%20Tab)


Script Example
  # $Session is the Exchange Online remote PowerShell session Atria opens for the customer tenant
  # Get the current Unified Audit Log status
  $AdminAuditLogConfig = Invoke-Command -Session $Session -ScriptBlock {
      return Get-AdminAuditLogConfig
  }

  $UnifiedAuditLogIngestionEnabled = $AdminAuditLogConfig.UnifiedAuditLogIngestionEnabled

  If(!$UnifiedAuditLogIngestionEnabled) {
      # Prerequisite: tenant-wide settings cannot be changed until organization customization is enabled
      Invoke-Command -Session $Session -ScriptBlock {
          Enable-OrganizationCustomization -Confirm:$false -ErrorAction SilentlyContinue
      }

      # Enable Unified Audit Log
      Invoke-Command -Session $Session -ScriptBlock {
          Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true | Out-Null
      }
  }
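The example above runs Enable-OrganizationCustomization unconditionally with errors suppressed and does not confirm that the audit log actually ended up enabled. The following is an added example (not code from the Atria article) that checks whether the tenant still needs organization customization, retries the audit configuration change while that customization propagates, and reads the setting back before reporting success. It assumes, as the article's example does, that $Session is the Exchange Online remote PowerShell session Atria supplies for the customer tenant.

```powershell
# Added example, not part of the Atria article.
# Assumption: $Session is the Exchange Online session supplied by Atria's provisioning context.

function Get-UalState {
    # Returns $true when unified audit log ingestion is on for the tenant
    $cfg = Invoke-Command -Session $Session -ScriptBlock { Get-AdminAuditLogConfig } -ErrorAction Stop
    return [bool]$cfg.UnifiedAuditLogIngestionEnabled
}

if (Get-UalState) {
    Write-Output 'Unified Audit Log already enabled; nothing to do.'
    return
}

# A tenant is "dehydrated" until Enable-OrganizationCustomization has been run; tenant-wide
# settings such as the audit configuration cannot be changed before that. Check instead of
# running the cmdlet blindly, so a failure here is visible rather than silently ignored.
$org = Invoke-Command -Session $Session -ScriptBlock { Get-OrganizationConfig } -ErrorAction Stop
if ($org.IsDehydrated) {
    Write-Output 'Tenant is dehydrated; running Enable-OrganizationCustomization.'
    Invoke-Command -Session $Session -ScriptBlock {
        Enable-OrganizationCustomization -Confirm:$false
    } -ErrorAction Stop
}

# Organization customization propagates asynchronously, so retry the change a few times
$maxAttempts = 5
for ($i = 1; $i -le $maxAttempts; $i++) {
    try {
        Invoke-Command -Session $Session -ScriptBlock {
            Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
        } -ErrorAction Stop
        break
    } catch {
        if ($i -eq $maxAttempts) {
            throw "Set-AdminAuditLogConfig failed after $maxAttempts attempts: $($_.Exception.Message)"
        }
        Write-Output "Attempt $i failed ($($_.Exception.Message)); retrying in 60 seconds."
        Start-Sleep -Seconds 60
    }
}

# Read the setting back rather than assuming the cmdlet succeeded
if (-not (Get-UalState)) {
    throw 'Unified Audit Log still reports disabled after update.'
}
Write-Output 'Unified Audit Log enabled. Events may take some time to appear in audit log search.'
```

Putting -ErrorAction Stop on the local Invoke-Command calls is what makes the try/catch work: errors raised inside the remote session come back as non-terminating errors on the provisioning server and would otherwise be logged and ignored.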


