Table of Contents

Sync Entra Groups

Niamh Ferns Updated by Niamh Ferns

Sync Entra Groups Solution Demonstration

The Sync Entra Groups solution provides a simple way for you to automatically keep your DeskDirector Contact Groups in line and updated with your groups in Entra. This functions by automatically syncing contacts, and optionally contact groups, to DeskDirector based on users in Entra groups.

Below, you'll find a demonstration of the Asset Manager Solution in action:

[LOOM DEMO]

What does it do?

In DeskDirector, the standard way for handling departments or groups of people is through Contact Groups. Contact groups allow you to assign a specific Service Catalogue and scope approvals based on the area a person works in.

One problem people run into is managing groups between Microsoft 365 and DeskDirector. To eliminate any overhead/repeated work in assigning users to specific groups, we've implemented the Sync Entra Groups Solution.

This solution will sync groups between your Microsoft 365 environment and set groups of your choosing within DeskDirector.

Deployment

The Service Orchestartor Library, IECB ServOrg Library and IECB CustOrg Library solutions must be deployed and fully configured before proceeding.

If you are unsure whether these prerequisites are met, please visit our PowerPlay Deployment Quickstart Guide

In this section, we'll cover how to go through the deployment process for the Sync Entra Groups Solution.

For the deployment to work, you will need to deploy the solution library, then deploy either the ALM or self-service Power Automate solution.

Solution Marketplace Deployment

  1. Log in to the DeskDirector Support Portal
  2. Select the Tokity PowerPlay Apps menu item
  3. Locate the Sync Entra Groups solution, and select Download Solution
  4. Select Request ALM Deployment
  5. A support ticket will be logged to track the progress of the solution's deployment
  6. From the Tickets menu, select the recently created PowerPlay App Deployment Request: Sync Entra Groups ticket
  7. You can proceed to the remaining configuration steps once the Sync Entra Groups solution is deployed to both your ServOrg and CustOrg environments:
  8. To validate this step, log in to Power Apps as your Onboarding Administrator
  9. From the top right corner, select your ServOrg environment:
  10. Under Solutions > Managed, confirm the IECB-ServOrg-App-Sync User Group solution is available:
  11. Repeat this process for your CustOrg environment
In this guide, we go through the steps with the ALM version of this solution. If you want to discuss the self-service version, please reach out to the DeskDirector support team.

Solution Library Deployment

Open your Admin Portal and head to Integrations > Solution Library.

  1. Select the Managed Solutions tab and open the Sync Entra Groups solution.
    On this page, you can also see a version history as well as a list of features that will be deployed.
  2. Select Deploy
  3. Follow the on-screen prompts to select a board/queue
  4. Confirm your deployment by selecting Deploy, and wait until the Deployment of solution ... has finished message is displayed

ServOrg Configuration Steps

Connection References

  1. Log in to Power Apps as your Onboarding Administrator
  2. From the top right corner, select your ServOrg environment
  3. From the Solutions menu, select Unmanaged > Default Solution:
  4. Select the Connection References menu
  5. For each DeskDirector solution Connection Reference:
    1. Select the Connection Reference
    2. Select the Connection drop-down
    3. Select the relevant Connection created during the PowerPlay Post-Deployment Steps
    4. Select Save and Save Changes
ServOrg Connection Reference List:
  • IECB SyncUserGroup - DeskDirector
  • IECB SyncUserGroup - Office 365 Outlook

Environment Variables

In the above video demonstration, we configure the default value for each variable. Changing the default means that when new solution versions are released, the default value will be overwritten, meaning you will need to re-add these values after an update.

When you set your environment variables, please instead add a custom value and do not edit the default.
  1. Still within our Default Solution, select Environment variables from the Objects panel
For each variable, it is important to add a New Value instead of updating the Default Value
  1. Update the following environment variables:
    1. IECB SyncUserGroup - Approval Required: An optional value if approval is required for the submission of the Sync User Group configuration form
    2. IECB SyncUserGroup - Board ID: id of the board or queue that the Sync User Group configuration form will be submit on
    3. IECB SyncUserGroup - Closed Status ID: id of a closed status on the referenced IECB SyncUserGroup - Board ID board or queue
    4. IECB SyncUserGroup - Email Recipients: Email address(es) who will receive a daily sync report:
    5. IECB SyncUserGroup - Event ID: The id value of the Sync User Group Event event from your Admin Console
      1. If this event is not yet in an Enabled state, select More Options > Enable
    6. IECB SyncUserGroup - In Progress Status ID: id of an in progress status on the referenced IECB SyncUserGroup - Board ID board or queue

Flow Enablement

  1. Log in to Power Apps as your Onboarding Administrator
  2. From the top right corner, select your ServOrg environment
  3. Navigate to your ServOrgs Managed Solutions and open the IECB-ServOrg-App-Sync User Group
  4. Select Cloud flows in the Objects panel
The flows for this solution must be enabled in a particular order, with dependent child flows being enabled before the referenced parent flows.
  1. Tier 1
    1. [DynamicContent] Requestor Account and Sync Modes
    2. [HttpReq] Entra users mails, UPN clean up
    3. [HttpReq] Extract Entra Groups with Members or Owners
    4. [Httpreq] Removal - Non-Entra member in Account (child)
    5. [Httpreq] Removal - Non-Entra member in Contact Group (child)
    6. [Httpreq] Removal - Non-Entra member in Service Group (child)
    7. [HttpReq] Sync Checking - Send Email Update (child)
    8. [HttpReq] SyncUsers - Add Contacts to Contact Group (Child)
    9. [HttpReq] SyncUsers - Create or Activate DD Contacts (Child)
    10. [HttpReq] SyncUsers - Get DD Contacts (Child)
    11. [HttpReq] SyncUsers - Link Service Group to Contacts (Child)
    12. [Manual] Update Sync Mode Dynamic List
    13. [Schedulde] Update IECB CustOrgs Dynamic List
    14. [Scheduled] Update CustOrg's Entra Groups Table
  2. Tier 2
    1. [HttpReq] Sync Checking
    2. [HttpReq] Sync Mode 1 - Sync contacts
    3. [HttpReq] Sync Mode 2, 5 - Contact group for Entra Members
    4. [HttpReq] Sync Mode 3 - Service Groups
    5. [HttpReq] Sync Mode 4 - Entra Groups as Accounts
    6. [HttpReq] Sync Mode 5 - Contact group for Entra Owners
  3. Tier 3
    1. [HttpReq] Process Sync Request for a CustOrg
  4. Tier 4
    1. [DDEvent] Process Sync Users Request
    2. [Scheduled] SyncUsers - Process Requests

CustOrg Configuration Steps

Connection References

  1. Log in to Power Apps as your Onboarding Administrator
  2. From the top right corner, select your CustOrg environment
  3. From the Solutions menu, select Unmanaged > Default Solution:
  4. Select the Connection References menu
  5. Select the IECB CustOrg App SyncUserGroup HTTP With Microsoft Entra ID Connection Reference, select the Connection drop-down, select the relevant Connection created during the PowerPlay Post-Deployment Steps, select Save and Save Changes

Flow Enablement

  1. Log in to Power Apps as your Onboarding Administrator
  2. From the top right corner, select your CustOrg environment
  3. Navigate to your ServOrgs Managed Solutions and open the IECB-CustOrg-App-Sync User Group
  4. Select Cloud flows in the Objects panel
  5. Enable the following flows in order:
    1. [DDCommand] Get Entra Groups - sync
    2. [DDCommand] Get Groups and Members for Sync
    3. [DDCommand] Update Entra ID Groups Table
    4. Reset Entra ID Groups List table

CustOrg Library: Enumerate Command Offers

  1. Log in to Power Apps as your Onboarding Administrator
  2. From the top right corner, select your CustOrg environment
  3. Navigate to your CustOrgs Managed Solutions and open the IECB Custorg Library
  4. Select Cloud flows in the Objects panel
  5. Load into [Scheduled] Enumerate Command Offers and Run the flow
  6. As an output of the flow, you can expect the IECBCommandOffer table to populate with supporting commands for the Sync Entra Groups solution:

ServOrg: Manual Flow Runs

  1. Log in to Power Apps as your Onboarding Administrator
  2. From the top right corner, select your ServOrg environment
  3. Navigate to your ServOrgs Managed Solutions and open the IECB-ServOrg-App-Sync User Group
  4. Select Cloud flows in the Objects panel
  5. Load into each of the following and Run the flow
    1. Run [Manual] Update Sync Mode Dynamic List
    2. Run [Schedulde] Update IECB CustOrgs Dynamic List

Sync Configuration Form Access and Submission

As part of our Solution Library Deployment step a Sync User Group form was deployed to our DeskDirector instance

  1. Log in to your DeskDirector instance as a Master Admin
  2. Browse to Portal > Service Catalogue > Service Type Configuration
  3. Search and select the Sync User Group service catalogue item
  4. Grant your Onboarding Administrator contact access to the service catalogue item using:
    1. The Access tab on the service catalogue item
    2. Include the service catalogue item in a Service Group the contact can access
  5. Browse to Client Portal > Contacts, and then search and select the Onboarding Administrator contact
  6. From the Profile menu, Impersonate the contact using Diagnose Client portal
  7. Contact Support > New Ticket > IECB Sync Solutions > Sync User Group
  8. Search and select your CustOrg Account/Company from the dynamic list, followed by Next
  9. Select your preferred sync mode:
    1. Sync contacts only: Synchronizes Entra group users as contacts under the selected account, without assigning them to any Contact Groups or Service Groups
      1. For your initial sync, it is recommended to use the Sync contacts only configuration
    2. Add contacts to Contact Group: Adds the synchronized contacts to the appropriate Contact Group
      1. Note: Contact Groups are automatically created based on Entra group names
    3. Link contacts to Service Group: Links the synchronized contacts to a Service Group.
      1. Important: Ensure that the Service Groups with the same name as the Entra groups already exist before running the sync
    4. Sync Entra groups as Accounts: Synchronizes Entra groups as DeskDirector accounts.
      1. Important: Ensure that Accounts are properly tagged to match their corresponding Entra groups before running the sync (e.g. the account for 'IT Support Team' should be tagged as 'it-support-team'). You may choose any name for the account.
    5. Add Entra group owners and members to Contact Group: Adds both owners and members of an Entra group to the appropriate Contact Group, assigning different roles to each
      1. Note: Contact Groups are automatically created based on the Entra group names
  10. Submit your details to complete the configuration form:

Entra Groups Sync Manager

  1. Log in to Power Apps as your Onboarding Administrator
  2. From the top right corner, select your CustOrg environment
  3. Navigate to your CustOrgs Managed Solutions and open the IECB-CustOrg-App-Sync User Group
  4. Select Cloud flows in the Objects panel
  5. Load into [Manual] Update Entra Groups Table, and then run the flow
  6. As an output of the flow, you can expect the Entra ID Groups List table to populate with Group information from your CustOrg tenant's Microsoft Entra:
  7. Still within our IECB-CustOrg-App-Sync User Group solution, select Apps from the Objects panel
  8. For the Entra Groups Sync Manager, select More Options and Share
  9. Search and select your Onboarding Adminstrator user, followed by Share
    1. A PowerApps Premium license will be required to access PowerApps
    2. Additional access can be granted to other users within your organisation
  10. Once shared, Play the PowerApp:
  11. Within the Entra Groups Sync Manager PowerApp, enable any relevant groups using the Sync to Desk Director column
  12. Once enabled:
    1. To expedite a sync and confirm the solution is working as expected, complete the Sync User Group form submission again outlined in the Sync Configuration Form Access and Submission section
    2. Alternatively, these groups will be included as part a daily scheduled sync task

Troubleshooting & Common Issues

Lists/Tables Not Populating

Under the IECB CustOrg solution and under both the ServOrg and CustOrg solutions for Sync Entra Groups, there is a set of manual flows that need to be run. You can see a list of these below, and when these need to be run. If you run into issues after deployment has finished and you're trying to test, these are usually the culprit.

  • CustOrg > IECB CustOrg Library > [Scheduled] Enumerate Command Offers
    If this flow is not run manually (or given a chance to run on its daily schedule), your ServOrg will not see your CustOrg as a registered option in any of the dynamic lists that allow you to select a CustOrg. To resolve this, simply run the flow manually.
  • CustOrg > IECB-CustOrg-App-Sync User Group > [Manual Update Entra Groups Table]
    If this flow is not run manually, your Groups Table will not be correctly populated. This will usually result in you not having any groups to select from in your Sync Entra Groups PowerApp.
  • ServOrg > IECB-ServOrg-App-Sync User Group > [Manual] Update Sync Mode Dynamic List
    This Flow generates the DD dynamic list for sync modes. You typically only need to run this once when deploying the solution or if any changes are made to this dynamic list.

How did we do?

Problem Management Solution

Sync Licensing Report Solution

Contact