Add immutable IDs to users in Microsoft Entra ID
Microsoft Entra ID uses an attribute named immutableId to identify users and their virtual server (tenant) in the Microsoft Entra ID infrastructure. When you use the Microsoft Entra ID Provisioning Service to synchronize users from Microsoft Entra ID to SafeNet Trusted Access (STA), the immutable ID must be set on all users. Microsoft Entra ID expects the immutable ID in the authentication request response, to uniquely identify a user. Therefore, the immutable ID needs to be synchronized between Microsoft Entra ID and STA.
You can manually set the immutable ID when you use the SCIM API for STA to create or update a user. However, the immutable ID is not a required attribute in Microsoft Entra ID, which means that it can be empty.
By default, users that exist only in Microsoft Entra ID don't have an immutable ID. Therefore, if you have users that exist only in Microsoft Entra ID, you must add an immutable ID to these users.
To automate the process of adding an immutable ID to these users, configure the Microsoft Entra immutable ID management solution in your Microsoft Entra ID environment. The solution sets an immutable ID attribute on every user and synchronizes it to STA. The solution runs periodically, finds users that are missing the immutable ID, and patches them with a new, generated immutable ID value.
Get the Microsoft Entra immutable ID management solution
To deploy the Microsoft Entra immutable ID management solution, you need a valid Microsoft Entra subscription with access to create resources. After you download the template, you perform all of the remaining steps in Microsoft Entra ID.
The solution has the required permissions to patch users in Microsoft Entra ID. It periodically scans the users in Microsoft Entra ID. If it finds any users that are missing an immutable ID attribute, it patches them with a new, generated value.
The solution is packaged in a template that you deploy in Microsoft Entra ID.
Obtain the template
To obtain the template that you deploy in Microsoft Entra ID:
- Open Thales GitHub Deployment, then right-click and select Save as to save the latest Microsoft Entra ID deployment template (AzureADUsersImmutableIdPatch.template.json) to your computer.
- Open Thales Github Microsoft Graph Permission Script, then right-click and select Save as to save the latest permissions script (MSGraphPermissionToManagedIdentity.ps1) to your computer.
You perform all of the remaining steps on the Microsoft Entra ID portal. You must have a valid subscription with permission to create resources on the portal.
Deploy a custom template in Microsoft Entra ID
To deploy the template in Microsoft Entra ID, you need a resource group to manage the users in Microsoft Entra ID. A resource group allows you to deploy, update, and delete the users as a group. If you don't already have one, you can create one when you deploy the template.
-
Log in to the Microsoft Entra ID portal.
-
In the search box, type deploy, and then select Deploy a custom template.
-
Select Build your own template in the editor.
-
Select Load file.
-
Select the AzureADUsersImmutableIdPatch.template.json file that you downloaded in step 1 of Obtain the template and then select Open.
-
Select Save.
-
(Optional) Create an Microsoft Entra ID resource group by selecting Create new on the Custom deployment screen and following steps 1 to 6 of the Microsoft documentation.
Alternately, skip this step to use an existing resource group.
-
Select a Resource group and enter the parameters as required.
The parameter fields are automatically populated if you are updating an existing service.
If you update an existing service, DO NOT change the Logic App Name nor the Automation Account Name. Otherwise, your changes will not be saved for the existing service.
-
Subscription: Select the subscription for your Microsoft Entra ID instance.
-
Resource group: Select an existing resource group or select Create new and enter a Name.
All of the components are deployed under the resource group. If you ever need to clean it up, you can simply delete the resource group.
-
Webhook Authentication Secret: Enter a unique password because the secret is used for web requests. This setup uses different Microsoft Entra ID components, and this secret validates requests from one component to another.
Webhook Authentication Secrets have an expiry date. The maximum allowed time is 10 years. Prior to the expiry date, navigate to Webhooks on Microsoft Entra ID portal and manually extend the expiry date.
-
Recurrence Interval and Recurrence Frequency: Select an interval and frequency.
These parameters specify how often to scan Microsoft Entra ID for users that are missing the ImmutableId. If the interval is too short, Microsoft Entra ID resource consumption and costs will be high but users will be updated relatively quickly. The interval should be set according to how often users are added to Microsoft Entra ID.
It is recommended that the interval be no less than 5 minutes and no greater than 1 week. A single iteration with no ImmutableIDs to add completes in approximately 4 minutes.
-
Automation Account Name: Remember the value of this parameter. It will be required in step 2 of Assign a managed identity to the account.
The other parameters are optional. To learn more about a parameter, hover over the 'i' symbol next to its name.
-
-
Select Next : Review + create to display the Microsoft Entra ID Marketplace Terms.
-
When the deployment succeeds, select Create.
It takes a few minutes for the components to be deployed under the resource group that you selected. You can check the notifications to see the status of the deployment.
Assign a managed identity to the account
You need to assign a managed identity to the automation account.
-
In the Microsoft Entra ID portal, search for automation and select Automation Accounts.
-
Select the AzureADImmutableIDAutomationAccount, which was created when the template was deployed.
You might need to Refresh the page.
-
On the left panel of the account screen, select Account Settings > Identity.
-
Ensure the System assigned Status is On.
-
Copy the Object (Principal) ID for later use. It will be required in step 6 of Assign scope and permissions to the account
Assign scope and permissions to the account
-
In the Microsoft Entra ID portal, select Cloud Shell.
-
Select Upload from the file management drop-down menu and navigate to the permissions script.
-
Select MSGraphPermissionToManagedIdentity.ps1.
The system saves the file in /home/username.
-
On the PowerShell command line, enter Connect-AzureAD to connect to Microsoft Entra ID.
-
Enter ./MSGraphPermissionToManagedIdentity.ps1.
-
Enter the Object (Principal) ID, copied from step 5 of Assign a managed identity to the account.
-
The system assigns the scope and permission required for Managed Identity to access Microsoft Graph.
Monitor the installation process
You can monitor the progress of the script by viewing the Microsoft Entra ID logs.
-
Open the runbook on Microsoft Entra ID that updates the Microsoft Entra ID users:
- Go to the Microsoft Entra ID portal and login.
-
Search for Automation Accounts and then select automation account.
-
Open the Runbook to see the status (running, completed or failed) for each run.
-
Select a run to see detailed logs.
- Completed - it means run has finished and runbook is waiting for next trigger
- Failed - it means run is finished and execution failed because of some reason
- Queued or Running - run is running or going to start run and status will be updated eventually to completed or failed. For any other status please contact your administrator.
- Open each run to display detailed logs.
-
Select the run and then select the Output tab to see what happened during this run.
Other tabs can be navigated for more information. Ideally the Errors and Exception tabs are blank. If you see messages please consult the troubleshooting section.
Troubleshooting
Issue | Reason | Solution |
---|---|---|
The deployment failed with an error message. Or, no progress or history details display in Runbooks. | One or more components failed to deploy because of permissions or configuration issues. | Redeploy the template. If the problem persists, contact your administrator. |
Runbook logs record that there are insufficient privileges to complete the operation. | A managed identity is not assigned to the account. | Ensure that you manually assigned a managed identity to the account after the custom template was deployed. |
Runbook execution is in "Running" state for a very long time or set to "Suspended". | Execution can take up to 3 hours if a lot of users are missing their ImmutableId. If the state is "Suspended", the execution may have run out of allocated Microsoft Entra ID resources. | On the Microsoft Entra ID portal, search for and open the Logic App ("AzureADImmutableIdSchedulerLogicApp"). Cancel the current run and start a new run. |