Migrating from the existing Azure Active Directory connectivity to Entra ID

Use the following section to migrate from Azure Active Directory to the new Microsoft Entra ID connectivity package. We recommend running a dedicated onboarding process for Microsoft Entra ID, which creates all properties, attributes, attribute sets, resource types, and other necessary objects. Alternatively, you can perform these tasks manually; the essential steps are provided in this section.

note

Omada doesn't support automatic resource type changes. You need to update the resource types manually for all existing resources within Omada Identity.

important

If you already have Microsoft Exchange Online/Hybrid systems onboarded in Omada, make sure that you use either the Omada Identity Cloud October 2024 update or Omada Identity 15.0.2 before migrating to Entra ID. Entra ID requires the updated RoPE ExchangeIntegrationExtension to function correctly. See the release note "RoPE Exchange Integration extension not working with latest Entra ID Collector" for details.

Upgrading the collector

To upgrade the Microsoft Azure Active Directory collector, perform the following operations:

  1. Go to Setup --> Administration --> Data management --> Data object types.

  2. Select the System categories object type. Open Properties.

  3. Edit the Collector property. Deselect the Immutable option.

  4. Go to Setup --> Master Data --> More --> System Categories.

  5. Select the Microsoft Azure Active Directory-based system category and click the Edit button.

  6. Replace the collector with the new Microsoft Entra ID version and save the changes.

  7. Go to Setup --> Master Data --> Systems and select your Azure AD system.

  8. In the Queries and mappings section, remove the queries specified below:

    Object type          Microsoft Azure Active Directory object   Default selected fields
    Resource             groups                                    id, displayName, description
    Resource assignment  groups                                    id, memberdelta_ids
    Resource owner       groups                                    id, owners_mailNickname
  9. Delete the query for the old accounts and move the new account query to the very top.

Creating new queries, properties, and values

Create a new value to store the user's role within a group

  1. Go to Setup --> Administration --> Properties. Click New.

  2. Click Set Property. Enter the following details:
    Name: MSEntraIDGroupRole
    System name: C_MSENTRAIDGROUPROLE

  3. Click Apply. In the top left side of the screen, click Value.

  4. Click New and create two values: member and owner. Click OK.

Create a new property to store the user's membership ID within a group

  1. Go to Setup --> Administration --> Properties. Click New.
  2. Click Value property. Enter the following details and click OK:
    Name: MS Teams Membership ID
    System name: C_MSTEAMSMEMBERSHIPID

Create a new attribute and add it to an attribute set (Role)

  1. Go to Setup --> Master Data --> Attributes. Click New.
  2. Enter the following details and click OK:
    Name: Microsoft Entra ID – Role
    Definition: C_MSENTRAIDGROUPROLE
    Display name: Select owner for an owner, or member for a regular user
    Requires value: (select the checkbox)

Create a new attribute and add it to an attribute set (Teams membership ID)

  1. Go to Setup --> Master Data --> Attributes. Click New.
  2. Enter the following details and click OK:
    Name: MS Teams Membership ID
    Definition: C_MSTEAMSMEMBERSHIPID
    Hidden attribute: (select the checkbox)

Create an attribute set

  1. Go to Setup --> Master Data --> Attribute sets. Click New.
  2. Enter the following details and click OK:
    Name: MS Entra ID – Groups
    Attributes: Include both attributes created earlier: Microsoft Entra ID – Role and MS Teams Membership ID

Create a new resource type for Security Groups Resources

  1. Go to Setup --> Master Data --> Resource types. Click New.
  2. Enter the following details and click OK:
    Name: Microsoft Entra ID Security Group
    Resource category: Permission
    Allow attributes: (select the checkbox)
    Attribute set: MS Entra ID – Groups

Create the queries specified below.

Security Groups as Resource

Add a new query that imports Security Groups as Resource, with the following values:
  URL: groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq false and securityEnabled eq true and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true&$select=id,displayName,description,mailNickname
  Description: Security Groups (requires Group.Read.All application permission)
  Use delta: No

Security Groups Members as Resource Assignment

Add a new query that imports Security Groups Members as Resource Assignment, with the following values:
  URL: groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq false and securityEnabled eq true and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true
  Description: Security Groups Assignments - Members
  Use delta: No

Security Groups Owners as Resource Assignment

Add a new query that imports Security Groups Owners as Resource Assignment, with the following values:
  URL: groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq false and securityEnabled eq true and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true
  Description: Security Groups Assignments - Owners
  Use delta: No

Security Groups Owners as Resource Owners

Add a new query that imports Security Groups Owners as Resource Owners, with the following values:
  URL: groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq false and securityEnabled eq true and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true
  Description: Resources Owners - Security Groups (requires GroupMember.Read.All application permission)
  Use delta: No

Creating new resource types for distribution groups

  1. Go to Setup --> Master Data --> Resource types. Click New.
  2. Enter the following details:
    Name: Microsoft Entra ID Distribution Group
    Resource category: Permission
  3. Click OK.

Create the queries specified below.

Distribution Groups as Resource

Add a new query that imports Distribution Groups as Resource, with the following values:
  URL: groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq true and securityEnabled eq false and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true&$select=id,displayName
  Description: Distribution Groups (requires Group.Read.All application permission)
  Use delta: No

Distribution Groups Members as Resource Assignment

Add a new query that imports Distribution Groups Members as Resource Assignment, with the following values:
  URL: groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq true and securityEnabled eq false and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true
  Description: Distribution Group Assignments - Members (requires GroupMember.Read.All application permission)
  Use delta: No

Distribution Groups Owners as Resource Assignment

Add a new query that imports Distribution Groups Owners as Resource Assignment, with the following values:
  URL: groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq true and securityEnabled eq false and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true
  Description: Distribution Group Assignments - Owners (requires GroupMember.Read.All application permission)
  Use delta: No

Distribution Groups Owners as Resource Owners

Add a new query that imports Distribution Groups Owners as Resource Owners, with the following values:
  URL: groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq true and securityEnabled eq false and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true
  Description: Resources Owners - Distribution Groups (requires GroupMember.Read.All application permission)
  Use delta: No

Creating new resource types for mail-enabled security group resources

  1. Go to Setup --> Master Data --> Resource types. Click New.
  2. Enter the following details and click OK:
    Name: Microsoft Entra ID Mail-enabled Security Group
    Resource category: Permission

Create the queries specified below.

Mail-enabled Security Groups as Resource

Add a new query that imports Mail-enabled Security Groups as Resource, with the following values:
  URL: groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq true and securityEnabled eq true and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true&$select=id,displayName,description,mail
  Description: Mail-enabled Security Group (requires Group.Read.All application permission)
  Use delta: No

Mail-enabled Security Groups Members as Resource Assignment

Add a new query that imports Mail-enabled Security Groups Members as Resource Assignment, with the following values:
  URL: groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq true and securityEnabled eq true and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true
  Description: Mail-enabled Security Group Assignments – Members (requires GroupMember.Read.All application permission)
  Use delta: No

Mail-enabled Security Groups Owners as Resource Assignment

Add a new query that imports Mail-enabled Security Groups Owners as Resource Assignment, with the following values:
  URL: groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq true and securityEnabled eq true and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true
  Description: Mail-enabled Security Group Assignments – Owners (requires GroupMember.Read.All application permission)
  Use delta: No

Mail-enabled Security Groups Owners as Resource Owners

Add a new query that imports Mail-enabled Security Groups Owners as Resource Owners, with the following values:
  URL: groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq true and securityEnabled eq true and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true
  Description: Resource Owner - Mail-enabled Security Group Assignments (requires GroupMember.Read.All application permission)
  Use delta: No

Creating new resource types for Sharepoint group resources

  1. Go to Setup --> Master Data --> Resource types. Click New.
  2. Enter the following details and click OK:
    Name: Microsoft Entra ID Sharepoint
    Resource category: Permission
    Allow attributes: (select the checkbox)
    Attribute set: MS Entra ID – Groups

Create the queries specified below.

Sharepoint Groups as Resource

Add a new query that imports Sharepoint Groups as Resource, with the following values:
  URL: groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq true and (groupTypes/any(s:s eq 'Unified')) and NOT(resourceProvisioningOptions/any(s:s eq 'Team'))&$count=true
  Description: Sharepoint Sites (requires Sites.Read.All and Group.Read.All application permission)
  Use delta: No

Sharepoint Groups Members as Resource Assignment

Add a new query that imports Sharepoint Groups Members as Resource Assignment, with the following values:
  URL: groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq true and (groupTypes/any(s:s eq 'Unified')) and NOT(resourceProvisioningOptions/any(s:s eq 'Team'))&$count=true
  Description: Sharepoint Groups Assignments – Members (requires GroupMember.Read.All application permission)
  Use delta: No

Sharepoint Groups Owners as Resource Assignment

Add a new query that imports Sharepoint Groups Owners as Resource Assignment, with the following values:
  URL: groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq true and (groupTypes/any(s:s eq 'Unified')) and NOT(resourceProvisioningOptions/any(s:s eq 'Team'))&$count=true
  Description: Sharepoint Groups Assignments – Owners (requires GroupMember.Read.All application permission)
  Use delta: No

Sharepoint Groups Owners as Resource Owners

Add a new query that imports Sharepoint Groups Owners as Resource Owners, with the following values:
  URL: groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq true and (groupTypes/any(s:s eq 'Unified')) and NOT(resourceProvisioningOptions/any(s:s eq 'Team'))&$count=true
  Description: Resource Owners – SharePoint (requires GroupMember.Read.All application permission)
  Use delta: No

Creating a new resource type for Teams group resources

  1. Create a new Resource Type for Teams Groups Resources. Go to Setup --> Master Data --> Resource types and click New.
  2. Enter the following details and click OK:
    Name: Microsoft Entra ID Teams
    Resource category: Permission
    Allow attributes: (select the checkbox)
    Attribute set: MS Entra ID – Groups

Create the queries specified below.

Teams Groups as Resource

Add a new query that imports Teams Groups as Resource, with the following values:
  URL: teams
  Description: Teams Groups (requires Team.ReadBasic.All application permission)
  Use delta: No

Teams Groups as Resource Assignment

Add a new query that imports Teams Groups as Resource Assignment, with the following values:
  URL: teams
  Description: Resources Assignments - Teams Groups (requires TeamMember.Read.All application permission)
  Use delta: No

Teams Groups Owners as Resource Owners

Add a new query that imports Teams Groups Owners as Resource Owners, with the following values:
  URL: teams
  Description: Resources Owners - Teams Groups (requires GroupMember.Read.All application permission)
  Use delta: No
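As an added example (not Omada's code and not part of the original page), the following Python applies the same predicates as the group $filter strings above to Microsoft Graph group objects, so an administrator can check which of the new resource types each group would be imported into and which groups no query selects at all. It assumes that the "teams" endpoint used by the Teams queries returns exactly the Unified groups provisioned with the 'Team' option; the sample group records are constructed, not taken from a real tenant.

```python
# Added example, not Omada's code: classify Microsoft Graph group objects the way the
# queries on this page do. Sample records are constructed, not from a real tenant.
from typing import Optional

NOT_UNIFIED = "NOT(groupTypes/any(s:s eq 'Unified'))"
# $filter bodies copied from the queries above; all are prefixed with the cloud-only test.
FILTER_BODY = {
    "Microsoft Entra ID Security Group":
        "mailEnabled eq false and securityEnabled eq true and " + NOT_UNIFIED,
    "Microsoft Entra ID Distribution Group":
        "mailEnabled eq true and securityEnabled eq false and " + NOT_UNIFIED,
    "Microsoft Entra ID Mail-enabled Security Group":
        "mailEnabled eq true and securityEnabled eq true and " + NOT_UNIFIED,
    "Microsoft Entra ID Sharepoint":
        "mailEnabled eq true and (groupTypes/any(s:s eq 'Unified')) and "
        "NOT(resourceProvisioningOptions/any(s:s eq 'Team'))",
}

def graph_filter(resource_type: str) -> str:
    """Rebuild the $filter value used on this page for a group-based resource type."""
    return "onPremisesSyncEnabled eq null and " + FILTER_BODY[resource_type]

def classify(g: dict) -> Optional[str]:
    """Resource type a Graph group object would be imported as, or None if no query selects it."""
    if g.get("onPremisesSyncEnabled") is not None:
        return None  # synced from on-prem AD; every query requires onPremisesSyncEnabled eq null
    mail, sec = bool(g.get("mailEnabled")), bool(g.get("securityEnabled"))
    if "Unified" in g.get("groupTypes", []):
        if not mail:
            return None  # the SharePoint and Teams filters both require mailEnabled eq true
        # Assumption: the "teams" endpoint returns the Unified groups provisioned with 'Team'.
        if "Team" in g.get("resourceProvisioningOptions", []):
            return "Microsoft Entra ID Teams"
        return "Microsoft Entra ID Sharepoint"
    if sec and not mail:
        return "Microsoft Entra ID Security Group"
    if mail and not sec:
        return "Microsoft Entra ID Distribution Group"
    if mail and sec:
        return "Microsoft Entra ID Mail-enabled Security Group"
    return None  # neither mail- nor security-enabled: no query on this page imports it

def summarize(groups: list) -> tuple:
    """Count groups per resource type and list the ids that no query would import."""
    counts, unmatched = {}, []
    for g in groups:
        rt = classify(g)
        if rt is None:
            unmatched.append(g["id"])
        else:
            counts[rt] = counts.get(rt, 0) + 1
    return counts, unmatched

SAMPLE_GROUPS = [  # constructed records in the JSON shape Graph returns for /groups
    {"id": "g1", "mailEnabled": False, "securityEnabled": True, "groupTypes": []},
    {"id": "g2", "mailEnabled": True, "securityEnabled": False, "groupTypes": []},
    {"id": "g3", "mailEnabled": True, "securityEnabled": True, "groupTypes": []},
    {"id": "g4", "mailEnabled": True, "securityEnabled": False, "groupTypes": ["Unified"]},
    {"id": "g5", "mailEnabled": True, "securityEnabled": False, "groupTypes": ["Unified"],
     "resourceProvisioningOptions": ["Team"]},
    {"id": "g6", "mailEnabled": False, "securityEnabled": True, "groupTypes": [],
     "onPremisesSyncEnabled": True},
]
```

Running `summarize(SAMPLE_GROUPS)` over a real `/groups` export before the import shows at a glance how many resources each new resource type will receive and which groups (for example on-premises synced ones) will be left out.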

Creating a new resource type for Teams channel resources

  1. Create a new Resource Type for Teams Channel Resources. Go to Setup --> Master Data --> Resource types and click New.
  2. Enter the following details and click OK:
    Name: Microsoft Entra ID Teams Channel
    Resource category: Permission

Create the queries specified below.

Teams Channel as Resource

Add a new query that imports Teams channels as Resource, with the following values:
  URL: teams
  Description: Teams Channels (requires Channel.ReadBasic.All application permission)
  Use delta: No
  Filter: displayName != "General"

Teams and Channels as Resource parent/child

Add a new query that imports teams and channels as Resource parent/child, with the following values:
  URL: teams
  Description: Parent/child between Teams and Channels (requires Channel.ReadBasic.All application permission)
  Use delta: No
  Filter: displayName != "General"

Account

Add a new query that imports Account, with the following values:
  URL: users?$expand=manager($levels=max;$select=id,displayName,mailNickname)&$select=id,userPrincipalName,displayName,accountEnabled,lastPasswordChangeDateTime,mail,givenName,surname,businessPhones,signInActivity
  Description: Accounts for Microsoft Entra ID Users (requires User.Read.All application permission)

Ensuring the correct functioning of manager provisioning

  1. Go to Setup --> Master data --> Attributes. Click New.
  2. Enter the following details and click OK:
    Name: Microsoft Entra ID – Manager
    Definition: MANAGER
    Hide attribute: (select the checkbox)

Ensuring the correct functioning of business phone provisioning

  1. Go to Setup --> Master data --> Attributes. Click New.
  2. Enter the following details and click OK:
    Name: Microsoft Entra ID – Phone
    Definition: CELLPHONE
    Hide attribute: (select the checkbox)

Business phone attribute set

  1. Go to Setup --> Master data --> Attribute sets. Click New.
  2. Enter the following details and click OK:
    Name: MS Entra ID User Attribute
    Attributes: Email, First name, Last name, Initial password, Microsoft Entra ID – Manager, Microsoft Entra ID – Phone

Performing manager reconciliation between Microsoft and Omada

  1. Go to Setup --> Master data --> Resource types.
  2. Search for <your system name> Account.
  3. Add a new attribute map in the Reconciliation attribute map field: MANAGER=entramanager;.
  4. Change the Attribute set field: MS Entra ID User attributes
  5. Change the Provisioning attribute set field: MS Entra ID User attributes
  6. Click OK.

Creating new resource types for Directory Role Resources

  1. Go to Setup --> Master data --> Resource types. Click New.
  2. Enter the following details and click OK:
    Name: Microsoft Entra ID Directory Role
    Resource category: Permission

Resource (directoryRoles)

Edit the query that imports Resource (directoryRoles) and set the following value:
  Description: Resources for Microsoft Entra ID Directory Roles (requires RoleManagement.Read.Directory application permission)

Creating new resource types for SKU Resources

  1. Go to Setup --> Master data --> Resource types. Click New.
  2. Enter the following details and click OK:
    Name: Microsoft Entra ID SKU
    Resource category : Permission

Resource (subscribedSkus?$select=skuId,skuPartNumber)

Edit the query that imports Resource (subscribedSkus?$select=skuId,skuPartNumber) and set the following mapping:
  Field: Type
  Type: Constant
  Value: Microsoft Entra ID SKU

Creating new resource types for Service Plans Resources

  1. Go to Setup --> Master data --> Resource types. Click New.
  2. Enter the following details and click OK:
    Name: Microsoft Entra ID Service
    Resource category: Permission

Resource (subscribedSkus?$select=servicePlans)

Edit the query that imports Resource (subscribedSkus?$select=servicePlans) and set the following mapping:
  Field: Type
  Type: Constant
  Value: Microsoft Entra ID Service

Running the import

Perform the following steps before running the import:

  1. Change the Resource Type on Resources. Go to Setup --> Master data --> Resources.
  2. Find the Resource that needs to be changed.
  3. Change the Resource Type to the corresponding Microsoft Entra ID resource type created earlier in this section and click OK.
  4. Go to Setup --> All systems. Click the system and, in the system view, click Start data import.
  5. In the Start import window, select the Reset source system high-water marks and Reset internal high-water marks options.
  6. Click OK.

Upgrading the connector

To upgrade the Microsoft Azure Active Directory connector, perform the following operations:

  1. Create a backup of the existing Microsoft Azure Active Directory Connector data model - copy it to a file.

  2. Go to Setup --> Master Data --> Systems and select your Microsoft Azure Active Directory system.

  3. Select Enable provisioning and choose the new Microsoft Entra ID connector. Select the Use default configuration option.

  4. Click OK.

  5. Add the usageLocation property to the task mappings for MSEntraIDUser - Assignment. Enter the correct country code.

    Parameter: usageLocation
    Operator: Constant
    Value: Country code (examples: US, ES, GB)

RoPE Configuration

Perform the following steps to ensure the correct functioning of manager provisioning and deleting assignments between Teams groups and users:

  1. Open the RoPE configuration file:
    On-prem: \Omada Identity Suite\Role and Policy Engine\Service\ConfigFiles
    Cloud: Management Portal --> RoPE configuration

  2. Under the Attribute Value Resolver extension, add the following line (change the key value if that key is already defined):

<add key="MSEntraID_Manager" name="MANAGER" extraInfo="Type:ReferencePath" value="/#IDENTITY/OUREF/MANAGER/IDENTITYREF:[IDENTITYID]"></add>

  3. Under the Map Attributes From Actual Data extension, add the following line (change the key value if that key is already defined):

<add key="3" extraInfo="Microsoft Entra ID Teams" name="C_MSTEAMSMEMBERSHIPID" value="C_MSTEAMSMEMBERSHIPID" />

Events definition

Establish event definitions that trigger create, update, and delete operations for resource provisioning (Teams groups, SharePoint groups, and Security groups). For the create event definition, add a code method that calls GenerateGUID and maps its result to the Logical key field:

  1. Go to Setup --> Administration --> Process configuration --> Event definitions. Click New.
  2. Enter the following details:
    Name: Trigger Microsoft Entra ID Groups – Create
    Description: Microsoft Teams, Microsoft SharePoint, Microsoft Security
    Event is triggered when: A new object is created
    Triggers on objects of type: Resources
  3. Click Apply.
  4. Click New and create two Execute code method entries.
    1. Code method 1
      Assembly: Omada.OE.UtilityCodeAssembly.dll
      Class Name: Omada.OE.UtilityCodeAssembly.Main
      Name of method: GenerateGUID
      Name: result
      Map to property: Logical key
    2. Code method 2
      Assembly: Omada.OE.Solution.OIM.Assembly.dll
      Class Name: Omada.OE.Solution.OIM.Assembly.OPS.ResourceLifeCycleManager
      Name of method: SubmitPrioritizedProvisioningJob
      Name: operationEnum
      Map to value: create
  5. Click OK.
  6. In the event definition setup view, click Filter.
  7. Create a new filter. Enter the following details and click OK:
  8. To save the new event definition, click OK.

note

Create event definitions to trigger update and delete actions in the Resources object. For the update and delete operations, you don't need to create a code method to GenerateGUID.

You can only update the group's name.