This repository was archived by the owner on Sep 11, 2023. It is now read-only.

Azure Function App used for User synchronization between two tenants

nosportugal/azure-multitenant-users-sync

Azure Multi-Tenant User Synchronization

Azure Function App that synchronizes AD users between two tenants.

Table of Contents
  1. About The Project
  2. Getting Started
  3. Contributing
  4. License

About The Project

The repository contains an Azure Serverless Function that synchronizes AD users between two tenants.

Motivation:

  • The need to sync users between two tenants.
  • Currently, no open source solution exists that solves the multi-tenant user synchronization problem.
  • It is a prerequisite for implementing an Azure Enterprise-Scale Landing Zone.

(back to top)

Built With

The main frameworks used to develop the synchronization app are described below:

(back to top)

Getting Started

Below you will find the installation process for running the function locally or on an Azure tenant.

Prerequisites

Running Locally

  1. Install the Azure Functions Core Tools

  2. Configure an Azure Storage Account Emulator

  3. Create an Azure App Registration and save the client ID and client secret. NOTE: the app registration needs the correct permissions on both tenants to be able to read/write groups and send invitations (Directory.ReadWrite.All and User.Invite.All).

  4. Configure the local.settings.json file in the root folder (it holds the client secret, so keep it out of version control)

    {
      "IsEncrypted": false,
      "Values": {
        "AzureWebJobsStorage": "<LOCAL_STORAGE_CONNECTION_STRING>",
        "ScheduleTrigger": "0 */5 * * * *",
        "FUNCTIONS_WORKER_RUNTIME": "dotnet",
        "SRC_TENANT_ID": "<THE_SOURCE_TENANT_ID>",
        "SRC_GROUP_ID": "<THE_SOURCE_GROUP_ID>",
        "DST_TENANT_ID": "<THE_DESTINATION_TENANT_ID>",
        "DST_GROUP_ID": "<THE_DESTINATION_GROUP_ID>",
        "CLIENT_ID": "<THE_APP_REGISTRATION_ID>",
        "CLIENT_SECRET": "<THE_APP_REGISTRATION_SECRET>",
        "REQUEST_MAX_RETRIES": "5",
        "INVITE_BASE_URL": "https://portal.azure.com"
      }
    }
  5. Start the function

    func start
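Two things worth checking before the first run of the steps above: that every placeholder in local.settings.json has been replaced with a real value, and that the app registration's token actually carries the two Graph application permissions the notes in steps 3 and 8 call for (and nothing beyond them). The script below is an added example, not code from this repository; SAMPLE_SETTINGS and the sample token are constructed inline, and the token check is local payload decoding only, not a signature verification.

```python
"""Pre-flight checks for the sync function's local.settings.json and its app-registration permissions.
Added example, not repository code; SAMPLE_SETTINGS and the sample token are constructed (no signature check)."""
import base64
import json
import uuid

REQUIRED_ROLES = {"Directory.ReadWrite.All", "User.Invite.All"}   # Graph app permissions the README requires
GUID_KEYS = ("SRC_TENANT_ID", "SRC_GROUP_ID", "DST_TENANT_ID", "DST_GROUP_ID", "CLIENT_ID")
REQUIRED_KEYS = GUID_KEYS + ("CLIENT_SECRET", "ScheduleTrigger", "REQUEST_MAX_RETRIES", "INVITE_BASE_URL")

def check_settings(settings: dict) -> list:
    """Return the problems found in the 'Values' section (an empty list means OK)."""
    values, problems = settings.get("Values", {}), []
    for key in REQUIRED_KEYS:
        val = values.get(key, "")
        if not val:
            problems.append(f"{key}: missing")
        elif val.startswith("<") and val.endswith(">"):
            problems.append(f"{key}: placeholder not replaced")   # e.g. "<THE_APP_REGISTRATION_SECRET>"
        elif key in GUID_KEYS:
            try:
                uuid.UUID(val)
            except ValueError:
                problems.append(f"{key}: not a GUID")
    # Timer triggers use a 6-field NCRONTAB expression (seconds first), e.g. "0 */5 * * * *"
    if len(values.get("ScheduleTrigger", "").split()) != 6:
        problems.append("ScheduleTrigger: expected 6 NCRONTAB fields")
    return problems

def check_token(access_token: str) -> dict:
    """Decode a Graph access token's payload and diff its app roles against REQUIRED_ROLES."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)                  # restore base64url padding
    roles = set(json.loads(base64.urlsafe_b64decode(payload)).get("roles", []))
    return {"missing": REQUIRED_ROLES - roles, "extra": roles - REQUIRED_ROLES}

def make_sample_token(roles: list) -> str:
    """Build a constructed, unsigned sample JWT so check_token can be exercised offline."""
    seg = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg({'roles': roles})}."

# Constructed settings: every value filled in except the secret, which still holds the README placeholder.
SAMPLE_SETTINGS = {"IsEncrypted": False, "Values": {
    **{k: "11111111-2222-3333-4444-555555555555" for k in GUID_KEYS},
    "CLIENT_SECRET": "<THE_APP_REGISTRATION_SECRET>", "ScheduleTrigger": "0 */5 * * * *",
    "REQUEST_MAX_RETRIES": "5", "INVITE_BASE_URL": "https://portal.azure.com"}}

if __name__ == "__main__":
    print(check_settings(SAMPLE_SETTINGS))            # ['CLIENT_SECRET: placeholder not replaced']
    print(check_token(make_sample_token(["Directory.ReadWrite.All", "Mail.Send"])))
```

To run it against a real file, load local.settings.json with json.load and pass the result to check_settings; a token obtained with the app's client credentials for the destination tenant can be passed to check_token the same way, and any entry under "extra" is a permission the sync does not need.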

Running on Azure

  1. Install the Azure CLI

  2. Install the Terraform CLI

  3. Log in to your Azure tenant

    az login --tenant <YOUR_AZURE_TENANT>
  4. Create a Service Principal for Terraform automation with the correct permissions to interact with Azure Resources.

  5. If you want, create an alias to export the environment variables for your Service Principal

    alias export-terraform-for-azurerm="export ARM_CLIENT_ID=<YOUR_SPN_ID> && export ARM_CLIENT_SECRET=<YOUR_SPN_SECRET> && export ARM_SUBSCRIPTION_ID=<YOUR_SUBSCRIPTION_ID> && export ARM_TENANT_ID=<YOUR_TENANT_ID>"
  6. Add the necessary app_settings in the terraform/func.tf file

  7. Deploy the Azure Resources using Terraform

    cd terraform/
    terraform init
    terraform plan -out plan.tfplan
    terraform apply plan.tfplan
  8. Create an Azure App Registration and store the client secret in the key vault created via Terraform. NOTE: the app registration needs the correct permissions on both tenants to be able to read/write groups and send invitations (Directory.ReadWrite.All and User.Invite.All).

  9. Deploy the function using the Azure Functions Core Tools, or by creating a new tag on the main branch (the code will then be deployed using GitHub Actions)

    az account set --subscription <YOUR_DESTINATION_SUBSCRIPTION_ID>
    func azure functionapp publish users-sync

    or

    git tag vx.x.x
    git push --tags

NOTE: for the GitHub Actions workflow to work you need to download the Azure Function publish profile and store it as a GitHub secret with the name AZURE_FUNCTIONAPP_PUBLISH_PROFILE.

(back to top)

Contributing

Contributions are what make the open source community awesome! Any contributions you make are greatly appreciated.

  1. Fork the Project

  2. Create your Feature Branch

    git checkout -b feature/my-feature
  3. Commit your Changes

    git commit -m 'Add some feature'
  4. Push to the Branch

    git push origin feature/my-feature
  5. Open a Pull Request

(back to top)

License

Distributed under the MIT License. See LICENSE for more information.

(back to top)
