When it comes to provisioning users, groups, or anything on Microsoft Teams, it can be a long and drawn-out process.
Multiply that by the number of times you find yourself adding a new user or making a change to an existing user, and you’ve lost a lot of time to trivial tasks that could have been automated.
So, what if we told you that you could automate all your Teams provisioning using nothing but your Azure AD / Entra ID attribute?
Sounds too good to be true, right?
We promise it’s not.
Read on to find out how…
1 – Prepare your Active Directory
Most companies use hybrid identities with Microsoft 365 rather than cloud-only identities. With hybrid identities, the source of authority of the user account is hosted in your on-premises Active Directory Services (AD). You connect your AD to Azure AD / Entra ID using Microsoft’s identity synchronization tool, Azure AD / Entra ID Connect.
Azure AD Connect is responsible for detecting changes to your on-prem AD, e.g., a new user account or updated account information then synchronizing that user object to Azure AD so that the user can sign-in to Microsoft 365 services, like Teams.
As the source of authority is your on-prem AD, many attributes in Azure AD / Entra ID cannot be edited directly in the cloud. Instead, they must be edited in your AD and synched up to Azure AD / Entra ID.
With over 250 different attributes available in on-prem AD, not all can be synchronized to Azure AD / Entra ID. For a comprehensive list of attributes that can be synched, please read: Attributes synchronized by Azure AD Connect – Microsoft Entra | Microsoft Learn
Why is all this important?
Callroute’s automated provisioning feature relies on Azure AD / Entra ID user attribute data to match the provisioning rules you create in the platform. For example, you can create a rule that triggers if a user’s city matches ‘London’.
If your user attribute data is incorrect, you could be provisioning the wrong settings to users, causing increased support tickets and loss of business productivity.
Therefore, it is best practice to ensure that your AD user attributes correctly match each person’s job role and function within your organization.
One important thing to check when preparing your AD attribute data is that you are syncing that attribute to Azure AD / Entra ID. Out of the box, Azure AD / Entra ID Connect will sync all the attributes it can to Azure AD / Entra ID.
However, some organizations will filter attributes. It’s best to check with your identity team for any potential issues before running Callroute’s auto provisioning tool.
Is your attribute data inaccurate?
Yes?
You are not alone. In many companies, AD attribute data is neglected.
Information that was once accurate degrades over time due to personnel moves and changes and as you are busier than ever, this type of administration gets overlooked.
However, in today’s cloud-connected world, having accurate attribute data is essential for business communication and collaboration.
Microsoft Teams relies heavily on accurate attribute data to build user contact cards, team memberships, and organization charts. Ignoring stale attribute data is no longer an option.
Need help with this? We can help you understand the source of the problems, remedy them, and implement new processes to ensure that your Azure AD / Entra ID remains up to date.
2 – Understanding your user personas
Having accurate user attribute data is the foundation for provisioning. But, to make it successful, you must understand how to use that data to provide the right settings to the right users.
This begins with understanding the different departments and job functions within your organization and how those needs translate into Microsoft Teams features and settings.
This task is non-technical and starts with talking to each of your department managers and end users about the type of work they perform and what technology features they feel is important for them to work efficiently in Microsoft Teams.
You then use this information to build policies for each component of Microsoft Teams specifically tailored to each user type.
What you end up building is a user persona. A user persona is a collection of Teams policies that applied as a part of a package to a user that meets a specific business criterion.
Once you have all your settings defined for each Teams policy, you need to create them in the Teams Admin Center. When your policies are created, you then create your user personas in Callroute.
Creating a persona is easy.
Sync your Teams policies to Callroute using the ‘Sync Policies’ button. Once complete, you can create a new persona.
Give your persona an easy to remember name and optional description to provide more information to your co-workers.
Then, from the drop-down under each of the Teams policies, select which policy to apply to users who get assigned this persona.
Optionally, should these users require a phone number, select the required phone number range to select a free number from. For more information on our number management, click here.
Now you have completed the persona, save it. Create other personas as needed, there is no limit.
3 – How to use your AD attributes effectively
Now that you have successfully organized your Azure AD / Entra ID attribute information and defined your user personas, you can now start to build your automations.
Generally, most of your users will fall into one of your user personas based on the value of a handful of Azure AD / Entra ID attributes.
For instance, users in your Finance department could be identified using the Azure AD / Entra ID attribute ‘department’ = ‘Finance’.
If your finance department is spread over multiple office locations, you can target finance users in a specific location by using the ‘office’ or ‘city’ Azure AD / Entra ID attribute.
In this example for targeting finance users in the London office, you can use the following Azure AD / Entra ID attributes:
- Department = “Finance”
- City = “London”
Perhaps you need to assign the same user persona to users in both the Finance and HR departments?
You don’t need to create a separate rule for each department. Instead, you can use condition groups along with the OR condition.
For example:
Group 1: Finance
- Department = “Finance”
- City = “London”
OR
Group 2: HR
- Department = “HR”
- City = “Birmingham”
You can use any and all Azure AD / Entra ID attributes to define the conditions of your automations to make them as granular as you need.
4 – Ordering and executing your automations
Callroute uses a rule hierarchy system where rules that appear highest on the automation list are executed first. A user is applied the user persona from the first matching rule in the automation list.
Automations are executed automatically every hour. You can manually trigger automations by running a user synchronization task in the Callroute portal.
5 – Safety is built-in
Callroute’s automated provisioning for Teams is a very powerful admin tool when used correctly.
But what if someone configures the wrong automation that applies the wrong settings to a group of users?
We have you covered on that eventuality.
Prior to any automation being executed, a snapshot of each affected user is taken. This copies all assigned Teams policies and phone number and stores it in our change history.
If an automation applies the incorrect settings, roll back to the previous state can be performed in one click of a button.
In addition, when automations are run manually, Callroute will show you a preview of all impacted users and what will be changed. You can even test run the automation before committing to the change.
Conclusion
Automating your Microsoft Teams provisioning tasks is simple when you use Callroute to do all the heavy lifting.
As long as your data is accurate, you can feed it into Callroute and start provisioning users automatically.
Sounds like something you need in your life? Click here to learn more about auto-provisioning.