Microsoft Active Directory Integration Management

Warning: This document contains instructions for adjusting app synchronization settings that can adversely affect your device data, user data, and/or user mapping settings in Incident IQ. As such, only qualified personnel should proceed with making adjustments to the settings outlined in this document.

 

Guide Overview

The Microsoft Active Directory Integration App allows administrators to facilitate logins through Microsoft Active Directory in Incident IQ. It also lets districts automatically populate and update user data in iiQ based on information from their local Active Directory server. This guide provides an in-depth overview of how to manage the Microsoft AD App in iiQ.


Guide Index

Use the links below to jump to a specific section in this document. To return to this index, use the Return to Index link located at the end of any section.

    1. Accessing the Microsoft AD App Management
    2. Overview Tab
    3. Identity Provider Settings Tab
    4. User Mappings Tab
    5. Location Mappings Tab
    6. Role Mappings Tab
    7. Sync History Tab
    8. User History Tab
    9. Sync Executable Tab

Accessing the Microsoft AD App Management

Navigate to the Apps Management page and select Options on the Microsoft AD App.

This will take you to the Microsoft AD App management page where you will be able to select the following tabs:

  • Overview tab, where you can view basic user and group data, reset your authentication status, or run a manual sync with your Active Directory.
  • Identity Provider Settings tab, where you can configure your Microsoft AD metadata, SAML attribute mappings, miscellaneous logic used during login attempts, and your login button.
  • Login History tab, where you can review both successful and unsuccessful login attempts made by your district users.
  • User Mappings tab, where you can update your filter settings and email translations.
  • Location Mappings tab, where you can change the default location users will automatically map to if they do not have an existing mapping in the system.
  • Role Mappings tab, where you can change the role users will automatically map to if they do not have an existing mapping in the system.
  • User History tab, where you can look up an individual user's data coming in from Microsoft AD.
  • Sync Executable tab, where you can set up, update, and download your sync executable file.

Overview Tab

This tab provides you with a brief summary of your current users, groups, and changes made to users in Incident IQ during the last sync with Microsoft AD.

In the General Settings tab you may enable the following settings:

  • Enable User Login: This allows users to log into Incident IQ through Microsoft AD. If this option is disabled, all accounts authenticated through Microsoft AD will be unable to log in.
  • Enable User Sync: This option allows Incident IQ to update user accounts with data provided by the iiQconnectors app. Without this option, nightly and manual user syncs are disabled.

Aside from viewing user and group data, you also have the option of forcing a manual sync with your Active Directory by selecting Re-Sync. Please note that this import will only update user data based on the last data sent to Incident IQ through the connectors app. If you are running a manual sync during the day, you will first want to manually run the connectors app to send over a new batch of user data.

Identity Provider Settings Tab

The Identity Provider Settings tab allows you to customize the text on the login button. This can be used to alleviate confusion on what credentials a user should use when logging in.

User Mappings Tab

From here, you can change your email filter and translation information, as well as your user creation, updating, and deletion settings. The filters section allows you to sort out users being imported based on their email or OU group.


  • Example Email Filter: If you set a filter for “@iiq.k12.ga.us” in the email section, Incident IQ will automatically ignore email addresses containing this string during a sync.
  • Example OU Filter: Setting an OU Filter of “OU=Guests” will ensure that all users that belong to this particular OU will not import during a sync.

  • Email Translation: This enables Incident IQ to translate email addresses pulled from Microsoft AD into a uniform format when storing them in iiQ. This is useful, and often necessary, when using Incident IQ in conjunction with programs such as Infinite Campus.
    • Example: Setting a translation to find “@k12.us.com” and replace it with “@iiq.k12.ga.us” will ensure that all “@k12.us.com” addresses are updated and stored as “@iiq.k12.ga.us” in iiQ only. This will not make any changes to the addresses stored within Microsoft AD itself.
  • Create User: When this box is checked, a new user will be created in Incident IQ for any new users found during the initial import from Microsoft AD, as well as any new users found when a sync is run.
  • Update User: When this box is checked, a user will be updated in Incident IQ when any changes are found during a sync.
  • Delete User: When this box is checked, a user will be deleted in Incident IQ when a user is found to have been removed in Microsoft AD during a sync.

At the bottom of this tab, you can map fields of data pulling in from Microsoft AD to default or custom user fields in Incident IQ using the Map custom values from localAdSso section.

Please note that any custom field added here also needs to be set up in the sync executable in order for Incident IQ to pull this data field during a sync. Please refer to the Sync Executable tab for additional information on making changes to the connectors executable.
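
The filter and translation rules above interact, so it helps to preview them against directory data before enabling the Create, Update, or Delete User options. The following Python sketch is an added example, not Incident IQ code: it applies this guide's example values to constructed records, and its matching rules (case-insensitive substring match on email, exact OU component match on the distinguished name) and the names rdns, translate, preview, and report are assumptions.

```python
# Added example: dry-run of the User Mappings rules over constructed records.
# Matching rules here are assumptions, not Incident IQ's documented behaviour.
EMAIL_FILTERS = ["@iiq.k12.ga.us"]                   # example filter from the guide
OU_FILTERS = ["OU=Guests"]                           # example OU filter from the guide
TRANSLATIONS = [("@k12.us.com", "@iiq.k12.ga.us")]   # example translation from the guide

USERS = [  # constructed sample data, not real accounts
    ("asmith@k12.us.com", "CN=A Smith,OU=Staff and Faculty,DC=example,DC=org"),
    ("visitor@k12.us.com", "CN=Visitor,OU=Guests,DC=example,DC=org"),
    ("bjones@iiq.k12.ga.us", "CN=B Jones,OU=Students,DC=example,DC=org"),
    ("cdoe@example.org", "CN=Doe\\, C,OU=GuestsArchive,DC=example,DC=org"),
]

def rdns(dn):
    """Split a distinguished name into lowercase RDNs, keeping escaped commas."""
    parts, cur, escaped = [], "", False
    for ch in dn:
        if ch == "," and not escaped:
            parts.append(cur.strip().lower())
            cur = ""
        else:
            cur += ch
        escaped = (ch == "\\" and not escaped)
    parts.append(cur.strip().lower())
    return parts

def translate(mail):
    for find, repl in TRANSLATIONS:
        mail = mail.replace(find.lower(), repl.lower())
    return mail

def hits_email_filter(mail):
    return any(f.lower() in mail for f in EMAIL_FILTERS)

def preview(mail, dn):
    """Return (action, reason, address_as_stored) for one directory record."""
    raw = mail.lower()
    stored = translate(raw)
    if any(f.lower() in rdns(dn) for f in OU_FILTERS):
        return ("skip", "ou-filter", stored)
    if hits_email_filter(raw):
        return ("skip", "email-filter", stored)
    if hits_email_filter(stored):
        # Outcome depends on whether filtering runs before or after translation.
        return ("import", "order-dependent", stored)
    return ("import", "ok", stored)

def report():
    return [preview(mail, dn) for mail, dn in USERS]
```

A record marked order-dependent passes the email filter as stored in Microsoft AD but matches it after translation; confirm the actual outcome for such a user in the Sync History or User History tab.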

Location Mappings Tab

This tab allows you to select or modify your current location mappings between Incident IQ and Microsoft AD. The default location acts as a fallback for user accounts that do not match any of your other custom location mappings. Please note that if no custom location mappings are set, then all users brought into the system will default to this location.

When mapping to locations, you may use groups, OU fragments, location name, or any combination of the three.

The custom mappings section allows you to specify your user groups or OUs you wish to utilize for mapping users to their respective locations. Please note, when using OUs you will want to structure them in the same format as the examples below:

  • OU=Cold Harbor
  • OU=Class of 2024
  • OU=CHMS

Role Mappings Tab

This tab allows you to select or modify which user groups are assigned to which role in Incident IQ. The default role acts as a fallback for user accounts that do not match any of your other custom role mappings. Please note that if no custom role mappings are set, then all users brought into the system will default to this role.

When mapping to roles, you may use groups, OU fragments, location name, or any combination of the three.

The custom mappings section allows you to specify the user groups or OUs you wish to utilize for mapping users to their respective roles. Please note, when using OUs you will want to structure them in the same format as the examples below:

  • OU=Staff and Faculty
  • OU=Students
  • OU=IT Staff

Sync History Tab

This tab allows you to view your sync history between Microsoft AD and Incident IQ. Every sync, whether it completed successfully or not, is logged for reference purposes.

Clicking on a particular sync will bring up the sync details, which include the total number of users and groups, as well as the number of users added, updated, and skipped. Clicking on the Created, Updated, or Skipped options below the overview will pull up all users affected by this change during the sync.

User History Tab

This tab allows you to search for any user’s Microsoft AD information. This includes their Microsoft AD ID, email addresses, Group Membership, and their sync history. This information is useful in quickly determining if the user is affected by any email translations, establishing their group mappings, and identifying if syncing between the systems is being suppressed.

Sync Executable Tab

This tab allows you to configure the sync executable file used to access and send data to Incident IQ. Please note that if you make any changes to this page after initial setup, you will need to download a new executable file and replace your old one in order for these changes to take effect during syncs.

At least one profile should be set up on this page with the following data provided:

  • AD Username
  • AD Password
  • AD Domain
  • AD Server IP

You may also set up specific OUs to search during syncs so the system only pulls user data from those. However, we recommend leaving the filters blank.

You may also pull in additional attributes through the executable during syncs if needed. Please note, if you have any custom fields mapped in the User Mappings tab, you will need to ensure they are properly set up here as well.
