The on-premise Active Directory (AD) integration is different from cloud-based applications like Okta, OneLogin and G Suite. This integration automatically creates and uploads a CSV from your on-premise AD instance. To do this, we provide a PowerShell script that your IT team will need to schedule to run on your AD server.
- To run an Active Directory sync, please make sure you are running PowerShell version 3.0 or greater.
1. Prepare to Enable Automated Provisioning
- Create Access Groups - You can grant permissions to specific access groups in Sequr based upon your AD employee attributes. Please create the appropriate Access Groups in Sequr based upon your specific office needs (this could reflect your AD organizational unit structure). For example, Employees, Contractors, and IT Admin access groups.
- Single Location vs. Multiple Locations - If you have multiple office locations enabled with Sequr, decide whether you’d like to sync all users to all locations, or to sync specific users per location. This will affect how you set up the integration.
- Mobile Key - Decide whether you would like to assign mobile keys to all newly boarded users by default or if you want to assign them later.
- Enable or Disable User Updates - If you are going to update user attributes (access group, role, etc.) after they get synced from AD to Sequr, please disable the "User Updates Syncing" option so that your changes don't get overridden.
2. Enable AD Integration
- Log in to the Sequr Web application and go to Integrations.
- Find Active Directory and click 'Install'.
- Once installed, please make a note of your AD integration API key and download the PowerShell script.
3. Configure Provisioning Rules
The very first thing you need to configure is your provisioning rules. Employee syncing will not work unless you have defined at least one rule. We have a very powerful and flexible rule engine to cater to your provisioning needs.
With provisioning rules, you can decide:
- What "door access group" each employee should be assigned to
- What "role" each employee should be assigned in Sequr.
- Whether newly on-boarded employees should automatically receive mobile keys.
- The office locations to which an employee is granted access.
Simple Provisioning Rule:
You can have just one default simple rule where every employee being synced is granted common door access and a regular user role.
For example, you can define a rule where every employee being synced from AD gets assigned to the "Employee" access group and to the "User" role. Later, a Sequr admin can modify any of these user attributes by logging into the Sequr admin web portal.
As you can see in the following image, you don't need to provide any conditions to define such a simple default rule.
Advanced Provisioning Rules
If need be, you can get more advanced with the rule engine so that you do not have to worry about updating any of the user attributes manually in Sequr.
As shown below, based upon your "Organizational Units," you can sync specific employees to specific locations. You can also assign different door access groups based upon your departments. And so on...
Additionally, you can drag these rules up or down to set their priority.
You can add various conditions in a single rule as shown below. You can either choose the "match all" conditions or "match any" condition option.
You can choose any of the following AD user attributes to define your rule's conditions.
4. User Update Flags
While setting up your integration, you may choose to enable or disable certain user updates from Active Directory to Sequr.
If your integration set-up includes a few basic and/or broad rules, or if you plan on changing user attributes manually within Sequr after users have been synced via Active Directory, we recommend disabling the ‘Override Roles on Update’ and ‘Override Access Groups on Update’ update flags. If enabled, these User Update flags may override manual changes made to your users’ roles and/or access groups in Sequr.
Delete User If No Rules Match: if changes have been made to a user’s profile within Active Directory that no longer qualify them for any of your integration rules, the user will be deactivated within Sequr. IMPORTANT NOTE: This flag will only come into play during directory updates. If you deactivate or suspend a user within your directory, the user will automatically be deactivated within Sequr, regardless of whether this User Update flag is enabled or not.
IMPORTANT NOTE: If your integration does not include a specialized rule for provisioning system administrators, we recommend disabling the ‘Override Roles on Update’ flag as system administrator privileges may be revoked for existing administrators during updates. To avoid losing administrative privileges while keeping this flag enabled, we recommend creating a specialized rule within your integration that will provision system administrators. Ensure that this rule is placed first within your rule priority list so that system administrators will be provisioned first, then remaining users will be matched to the following rules accordingly.
5. Setting up the script to run via Task Scheduler
- Download the Sequr PowerShell script and copy the folder to your Active Directory machine.
Understanding the folder structure:
export_ad_to_sequr.ps1 - This is the main script that needs to be scheduled to run periodically.
configs - This is the configuration file where you need to specify your Sequr integration API key and the list of OUs.
last_run_time - This holds the last run time of the export script. Usually you do not need to modify anything here.
modules - This folder contains a set of helper scripts. You do not have to modify anything here.
- Open the configuration file 'configs'. Update your AD integration API key as noted down in the previous step, and provide the target list of Organizational Units (OUs). The script will only consider this list of OUs for syncing.
- If you wish to sync only the users that were created, updated or deleted from today onwards, do not modify anything in the last_run_time file and leave the value empty. If you instead intend to sync all current users from AD to Sequr, provide a past date for the timestamp in the following format: "M/D/YYYY hh:mm ss A".
- Run the script via PowerShell to verify that it is running correctly. You may need to open the shell as Administrator: right-click and select Run As Administrator.
Note: You may have to update or allow an exception on the script execution policy on your AD box. You can run the PowerShell command "Unblock-File", which unblocks the PowerShell scripts that were downloaded from the internet.
> Unblock-File .\export_ad_to_sequr.ps1
> Unblock-File .\modules\fetch_group_information.ps1
> Unblock-File .\modules\upload_to_sequr.ps1
Now, you’re ready to schedule the script to run automatically.
- Open Task Scheduler on the AD machine with the script.
- Open Task Scheduler Library and select “Create Task.”
- Adjust settings accordingly. It’s important that the user account that is set to run this task is able to read OUs and user accounts in your Active Directory environment.
- Set a schedule for the script to run. Do this by creating a new trigger. In this example, it runs every hour.
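The folder preparation and the hourly Task Scheduler job described in this section can also be done from an elevated PowerShell session, as in the following added example (this is not Sequr's own script or part of its documentation). It assumes the folder was copied to C:\SequrSync, that a dedicated low-privilege domain account DOMAIN\svc_sequr_sync exists to run the task, and the task name 'Sequr AD Export'; none of these values come from the page, so adjust them to your environment.

```powershell
# Added example (not Sequr's own script): prepares the copied folder and
# registers the hourly Task Scheduler job. Run from an elevated PowerShell
# session on the AD machine. Assumed values, adjust to your environment:
$ScriptDir  = 'C:\SequrSync'            # where the downloaded folder was copied
$SvcAccount = 'DOMAIN\svc_sequr_sync'   # dedicated account that only reads OUs/users
$TaskName   = 'Sequr AD Export'

# 1. Remove the "downloaded from the internet" mark from every script in the folder
#    (same as running Unblock-File on each .ps1 by hand).
Get-ChildItem -Path $ScriptDir -Recurse -Filter '*.ps1' | Unblock-File

# 2. The configs file holds the integration API key, so treat it as a secret:
#    drop inherited permissions and allow only the service account and local
#    administrators to read it.
$Configs = Join-Path $ScriptDir 'configs'
icacls $Configs /inheritance:r /grant:r "${SvcAccount}:(R)" 'BUILTIN\Administrators:(F)' | Out-Null

# 3. Action: run the export script, bypassing the execution policy for this file only.
$Action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptDir\export_ad_to_sequr.ps1`"" `
    -WorkingDirectory $ScriptDir

# 4. Trigger: start at midnight today and repeat every hour, indefinitely.
#    (On Windows Server 2012 R2 also pass -RepetitionDuration ([TimeSpan]::MaxValue).)
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).Date -RepetitionInterval (New-TimeSpan -Hours 1)

# 5. Settings: do not let a hung run pile up; skip a new run if one is still going
#    and kill any run that exceeds 30 minutes.
$Settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Minutes 30) `
    -MultipleInstances IgnoreNew -StartWhenAvailable

# 6. Register under the low-privilege account at the "Limited" run level. The
#    password is prompted for interactively rather than written into this script;
#    an ordinary domain user can read OUs and user objects, so no admin rights are needed.
$Cred = Get-Credential -UserName $SvcAccount -Message 'Password for the sync account'
Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger -Settings $Settings `
    -User $Cred.UserName -Password $Cred.GetNetworkCredential().Password -RunLevel Limited | Out-Null

# 7. Confirm the task exists, then kick off one run by hand to verify it works.
Get-ScheduledTask -TaskName $TaskName | Select-Object TaskName, State
Start-ScheduledTask -TaskName $TaskName
```

After the manual run, check the task's last result in Task Scheduler and confirm that the last_run_time file was updated, which shows the service account could both read AD and write to the script folder.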